Giving users access to IBM Master Data Management

To give other users access to your IBM Master Data Management service instance, you must add them as collaborators in your IBM Cloud Pak for Data as a Service project, and then assign them to the appropriate service access levels to control their permissions.

Required permissions
You must have one of the following account management roles to manage access: Account owner, Editor, or Administrator.

Only the Cloud Pak for Data account owner or administrator who created the service is granted access to the IBM Master Data Management service by default.

To enable users to access the service, you must define each user's individual access policy or add them to the appropriate access group. For example, to configure and set up a master data configuration asset, users must have an access policy that gives them the Data Engineer service access role.

From within your Cloud Pak for Data as a Service account, you can:

  • Add users
  • Add collaborators
  • Add service IDs
  • Change collaborator permissions
  • Remove a collaborator

For more information about completing these tasks, see Project collaborators.

Creating IBM Cloud users and groups for the IBM Master Data Management service

Before you can assign users and groups to IBM Master Data Management access roles, you must first define the users and groups in IBM Cloud IAM.

Required permissions
You must have one of the following account management roles to manage access: Account owner, Editor, or Administrator.
  1. Create users and, optionally, assign them to access groups. Access groups can help you to manage access and role assignments.

    By assigning users to one or more access groups, you are granting them the permissions they need to work with IBM Master Data Management. You can assign users to more than one access group to provide the appropriate access.

    For information about creating users and access groups, see Managing users and access.

  2. Set up IBM Master Data Management access control from the service's Access control management page. For more information, see the following sections of this topic.

  3. Create custom roles for the IBM Master Data Management service.

    Custom roles can combine any number of permissions (also called actions) for a specific service. At least one service-level action must be added to create a new role.

    For information about creating custom roles, see Creating custom user access roles in IBM Cloud IAM.

  4. Assign the custom roles that you have created to users and access groups. You can assign more than one role to each user or group, as required.

IBM Master Data Management service access and permissions

Access policies and access groups determine which actions users have permission to perform within IBM Master Data Management. A Cloud Pak for Data administrator can assign access to users, enabling them to use the features of IBM Master Data Management.

To access IBM Master Data Management, a Cloud Pak for Data user must be assigned one of the following IBM Master Data Management service access roles, either through an access policy or an access group:

IBM Master Data Management user permissions

| Service access | Entity maintenance tasks | Model tasks | Matching tasks | Jobs tasks | Configuration tasks | Pair review tasks |
|---|---|---|---|---|---|---|
| Data Engineer | read, write, manage | read, write, manage | read, write, manage | read, write, manage | read, write, manage | none |
| DataSteward | read, write | read | read, write | read | none | read, write |
| Publisher User | read, write, manage | read, write, manage | none | read, write | none | none |
| Entity Viewer | read | read | read | read | none | none |

Data Engineer (required to set up your master data instance)
Data Engineer users have full rights to configure an IBM Master Data Management service instance, onboard data sources, customize data types, tune and customize the matching algorithm, run matching, view or create jobs, create pair review requests, and view or edit entities and records in the master data workspace. Data Engineer users can create and set up a master data configuration asset. Data engineers can also view and manage governed data.
DataSteward
Data Steward users can onboard data sources, view data type definitions, view ongoing jobs, complete pair review tasks, and view or edit entities and records in the master data workspace.
Publisher User
The Publisher User role is used primarily to publish data from an IBM InfoSphere Master Data Management instance, through the MDM Publisher tool, into IBM Master Data Management. Publisher User members can onboard data sources, customize data types, and view or create jobs. Publisher users can also view and manage governed data.
Entity Viewer
Entity Viewer users have read-only permission in an IBM Master Data Management instance. They can view master data, the model, the results of matching, and ongoing jobs.

There are other service access roles within the IBM Master Data Management category that you can select. All available roles are included within one or more of the four main roles: Data Engineer, DataSteward, Publisher User, and Entity Viewer.
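The permission table above can be used for an access review. The following is an added example, not IBM code: it transcribes the table and, for a set of required task permissions, finds the role combination that grants the fewest permissions overall, then reports what an existing assignment is missing or has in excess. The short area keys (entity, model, and so on) are labels assumed for this example, not IAM identifiers.

```python
from itertools import combinations

# Permission matrix transcribed from the page's user-permissions table.
AREAS = ("entity", "model", "matching", "jobs", "configuration", "pair_review")
NONE, R = frozenset(), frozenset({"read"})
RW, RWM = R | {"write"}, R | {"write", "manage"}
ROLES = {
    "Data Engineer":  (RWM, RWM, RWM, RWM, RWM, NONE),
    "DataSteward":    (RW,  R,   RW,  R,   NONE, RW),
    "Publisher User": (RWM, RWM, NONE, RW, NONE, NONE),
    "Entity Viewer":  (R,   R,   R,   R,   NONE, NONE),
}

def grants(roles):
    """Union of (area, level) pairs granted by the given role names."""
    return {(area, level)
            for role in roles
            for area, levels in zip(AREAS, ROLES[role])
            for level in levels}

def least_privilege(needed):
    """Role combination covering `needed` with the fewest total permissions.

    Returns a tuple of role names, or None when no combination of the four
    main roles grants everything requested.
    """
    best = None
    for n in range(1, len(ROLES) + 1):
        for combo in combinations(ROLES, n):
            granted = grants(combo)
            if needed <= granted:
                key = (len(granted), n)  # fewest permissions, then fewest roles
                if best is None or key < best[0]:
                    best = (key, combo)
    return best[1] if best else None

def review(assigned, needed):
    """Compare a user's assigned roles with what their tasks require."""
    granted = grants(assigned)
    return {"missing": needed - granted,
            "excess": granted - needed,
            "suggested": least_privilege(needed)}

# Constructed sample: a user who only reviews pairs but was given Data Engineer.
if __name__ == "__main__":
    print(review({"Data Engineer"},
                 {("entity", "read"), ("pair_review", "write")}))
```

In the constructed sample, the Data Engineer assignment lacks the pair review permission the user needs while granting far more than required; DataSteward is the closer fit according to the table.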

Setting up access groups

You can create access groups to make it simpler to administer user access to IBM Master Data Management. By assigning users to an access group, you can control the permissions that each member of the group has within the service.

Depending on how you plan to use IBM Master Data Management and how many distinct users you plan to invite as collaborators, you might want to create access groups that correspond to each of the four main service access roles described in the previous section.

For information about setting up access groups on IBM Cloud, see Working with IAM access groups.

Assigning access to IBM Master Data Management

You can invite one or multiple users to use the service in a single invitation. If you invite multiple users at once, the same access is assigned to each user. However, you can also invite users to your account with no access, and assign them access later.

  1. Go to Administration > Access (IAM). Then, select Users in the IBM Cloud console.
  2. Click Invite users.
  3. Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
  4. Expand the Assign users additional access section.
  5. Select IAM services, and then select IBM Master Data Management as the type of access.
  6. Select all user groups that apply. To view what actions are mapped to each group, click the number next to the role name.
  7. Click Add to save the access assignment to the invitation.
  8. After you add all the necessary access assignments, click Invite.

Managing access for existing users and access groups

You might want to assign additional access to a user or an access group, or edit the existing access to ensure that all members of your account have the correct level of access.

To assign access, see Step 2: Assign roles to users and access groups.

To edit an existing policy:

  1. Click the entry in the role column.
  2. Select the roles that you want to add, or deselect those that you want to remove from the policy.
  3. Save your changes.

You can also remove access by deleting an access policy.
