Example IAM access groups

The example access groups provide a basic configuration for a data fabric implementation that includes watsonx.ai Studio, watsonx.ai Runtime, IBM Knowledge Catalog, Data Virtualization, DataStage, and IBM Match 360 services. You can modify the examples to grant the necessary permissions for your provisioned services.

After creating an IAM access group, a user group is also created. User groups make it easier to manage a large number of users with similar access requirements.

  • You can assign Viewer, Editor, or Admin roles to user groups when you add collaborators to projects and spaces.
  • If a member of the group leaves, the IBM Cloud account administrator can remove the user from the group rather than looking at all of the assets the user has access to.

Access groups overview

The example IAM access groups, their purpose, and typical tasks are:

IBM Cloud IAM access groups for Cloud Pak for Data as a Service

Account-Administrator
  Purpose: Created by the account Owner to delegate full account administration to one or more people. Members of the Account-Administrator group have full control over the account and services except for account ownership.
  Typical tasks:
  • Provision service instances in Cloud Pak for Data as a Service.
  • Provision secondary services, for example, Cloud Object Storage.
  • Create IAM access groups and invite users to groups.
  • Assign individual permissions to users.

CPD-Administrator
  Purpose: Similar to the Account-Administrator group but with less scope. Members manage Cloud Pak for Data as a Service and related services but cannot provision services.
  Typical tasks:
  • Manage users and groups, including permissions, but cannot manage other aspects of the IBM Cloud account.
  • Manage data governance artifacts.
  • Manage catalogs, categories, and projects.
  • Join any project as an administrator and view all active projects in the account.

CPD-Cat-Proj
  Purpose: Provides appropriate access to Cloud Object Storage for users to create projects and catalogs when Storage Delegation is disabled.
  Typical tasks: Create projects, deployment spaces, and catalogs.

CPD-COS-Admin
  Purpose: Provides appropriate access to Cloud Object Storage for users who create projects and catalogs. Not needed if Storage Delegation is enabled.
  Typical tasks: Create projects and catalogs.

CPD-Common-User
  Purpose: Provides permissions common to all users and contains all users as Members. You can assign CPD-Common-User to all users and then also assign the appropriate IBM Cloud Pak for Data access group to each user, such as CPD-Data-Scientist, CPD-Data-Engineer, or CPD-Data-Steward.
  Typical tasks:
  • View, but not modify, available service instances and assets.
  • Become a collaborator in projects or catalogs.
  • Create projects, deployment spaces, and catalogs if a member of the CPD-Cat-Proj group.
  • Access the Support Center to log help tickets.

CPD-Data-Scientist
  Purpose: Provides permissions for users working in IBM Knowledge Catalog.
  Typical tasks: Find assets in catalogs.

CPD-Data-Engineer
  Purpose: Provides permissions for users working in IBM Knowledge Catalog.
  Typical tasks: Integrate data.

CPD-Data-Steward
  Purpose: Provides permissions for users working in IBM Knowledge Catalog.
  Typical tasks:
  • Create, review, and approve governance artifacts.
  • Curate data.

CPD-Data-Virtualization
  Purpose: Provides access to Data Virtualization.
  Typical tasks: Work with views and virtualized data.

CPD-DataGovernance-Admin
  Purpose: Provides enhanced access for data governance.
  Typical tasks:
  • Manage data governance artifacts.
  • Manage catalogs, categories, and projects.
  • Join any project as an administrator and view all active projects in the account.

CPD-DataStage
  Purpose: Required basic access for all DataStage users.
  Typical tasks: View DataStage pipelines on the dashboard.

CPD-Machine-Learning
  Purpose: Provides access to watsonx.ai Runtime.
  Typical tasks:
  • Create deployment spaces.
  • Create and view watsonx.ai Runtime instances.

CPD-Match360
  Purpose: Provides manager permissions for IBM Match 360 with Watson.
  Typical tasks: Create, edit, and manage access to Match 360 features such as Matching, Models, Configurator, and Pair Analysis.

Public Access
  Purpose: Default group that includes all users and all service IDs. All group members, including unauthenticated users, are given public access to any resources that are defined in the policies for the group.

Role assignments for the example access groups

The suggested Service and Platform role assignments for the example access groups are:

Service roles and Platform roles for example IBM Cloud IAM access groups

Each entry lists, per service, the Service role and the Platform role to assign, followed by the Data Virtualization role [1].

Account-Administrator
  • All Identity and Access enabled services: Service role Manager; Platform role Administrator
  • All Account Management services: Service role not applicable; Platform role Editor
  Data Virtualization role: Not applicable

CPD-Administrator
  • IBM Cloud Pak for Data: Service role Manager; Platform role Administrator
  Data Virtualization role: Not applicable

CPD-Cat-Proj
  • Cloud Object Storage: Service role Manager; Platform role Administrator
  Data Virtualization role: Not applicable

CPD-COS-Admin
  • Cloud Object Storage: Service role Manager; Platform role Administrator
  Data Virtualization role: Not applicable

CPD-Common-User
  • All Identity and Access enabled services: Service role Reader; Platform role Viewer
  • Support Center: Service role not applicable; Platform role Editor
  Data Virtualization role: Not applicable

CPD-Data-Scientist
  • IBM Cloud Pak for Data: Service role CloudPak Data Scientist; Platform role Editor
  Data Virtualization role: Data Virtualization User (assign to each user)

CPD-Data-Engineer
  • IBM Cloud Pak for Data: Service role CloudPak Data Engineer; Platform role Editor
  Data Virtualization role: Data Virtualization Engineer (assign to each user)

CPD-Data-Steward
  • IBM Cloud Pak for Data: Service role CloudPak Data Steward; Platform role Editor
  Data Virtualization role: Data Virtualization Steward (assign to each user)

CPD-Data-Virtualization
  • Data Virtualization: Service role not applicable; Platform role Editor
  Data Virtualization role: Data Virtualization Manager (assign to each user)

CPD-DataGovernance-Admin
  • IBM Cloud Pak for Data: Service roles Manager and Reporting Administrator; Platform role Administrator
  Data Virtualization role: Not applicable

CPD-DataStage
  • DataStage: Service role Reader; Platform role Editor
  Data Virtualization role: Not applicable

CPD-Machine-Learning
  • watsonx.ai Runtime: Service role Writer; Platform role Administrator
  • Cloud Object Storage: Service role Manager; Platform role Administrator
  Data Virtualization role: Not applicable

CPD-Match360
  • Match 360: Service role Manager; Platform role Administrator
  Data Virtualization role: Not applicable
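The role table above is easiest to keep consistent across accounts when it is scripted rather than clicked through. The following is an added example, not IBM's code or a script from this documentation: it encodes a subset of the suggested assignments as data, generates the matching `ibmcloud iam access-group-create` and `ibmcloud iam access-group-policy-create` commands, and audits an exported policy list for the two conditions a reviewer checks first, namely any policy at all on the Public Access group (whose members include unauthenticated users) and Manager or Administrator granted on all services to a group other than Account-Administrator. The service name `cloud-object-storage` is real; `pm-20` for watsonx.ai Runtime, the JSON shape of `ibmcloud iam access-group-policies GROUP --output json`, and every sample policy are assumptions constructed for the example.

```python
"""Plan ibmcloud IAM access-group commands from a role table and audit policies.

Added example, not IBM's code.  Assumed: pm-20 as the programmatic name for
watsonx.ai Runtime, and the policy JSON shape (roles[].display_name,
resources[].attributes[] with name/value pairs).
"""

# Subset of the suggested role table.  service=None means "All Identity and
# Access enabled services", which is expressed by omitting --service-name.
ACCESS_GROUPS = {
    "Account-Administrator": [
        {"service": None, "roles": ["Manager", "Administrator"]},
    ],
    "CPD-Common-User": [
        {"service": None, "roles": ["Reader", "Viewer"]},
    ],
    "CPD-COS-Admin": [
        {"service": "cloud-object-storage", "roles": ["Manager", "Administrator"]},
    ],
    "CPD-Machine-Learning": [
        {"service": "pm-20", "roles": ["Writer", "Administrator"]},  # assumed name
        {"service": "cloud-object-storage", "roles": ["Manager", "Administrator"]},
    ],
}

PRIVILEGED = {"Manager", "Administrator"}


def plan_commands(groups=ACCESS_GROUPS):
    """Return the CLI commands that create each group and attach one policy
    per (group, service) row.  Review the list, then pipe it into a shell."""
    cmds = []
    for name, rows in groups.items():
        cmds.append(f"ibmcloud iam access-group-create {name}")
        for row in rows:
            cmd = (f"ibmcloud iam access-group-policy-create {name}"
                   f" --roles {','.join(row['roles'])}")
            if row["service"]:
                cmd += f" --service-name {row['service']}"
            cmds.append(cmd)
    return cmds


def audit_policies(group, policies):
    """Return findings for one group's exported policies; empty means clean."""
    findings = []
    for pol in policies:
        roles = {r.get("display_name") or r["role_id"].rsplit(":", 1)[-1]
                 for r in pol["roles"]}
        services = {a["value"] for res in pol["resources"]
                    for a in res["attributes"] if a["name"] == "serviceName"}
        scope = ", ".join(sorted(services)) or "all services"
        if group == "Public Access":
            # Any policy here is reachable by unauthenticated callers.
            findings.append(f"Public Access grants {sorted(roles)} on {scope}")
        elif not services and roles & PRIVILEGED and group != "Account-Administrator":
            findings.append(f"{group} holds {sorted(roles & PRIVILEGED)} on all "
                            f"services; scope the policy to named services")
    return findings


# Constructed sample export: one Viewer grant left on Public Access, a clean
# CPD-Common-User, and a DataStage group that was over-scoped by mistake.
SAMPLE_EXPORT = {
    "Public Access": [{
        "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer",
                   "display_name": "Viewer"}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": "ACCOUNT_ID_PLACEHOLDER"},
            {"name": "serviceName", "value": "cloud-object-storage"}]}],
    }],
    "CPD-Common-User": [{
        "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer",
                   "display_name": "Viewer"},
                  {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
                   "display_name": "Reader"}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": "ACCOUNT_ID_PLACEHOLDER"}]}],
    }],
    "CPD-DataStage": [{
        "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator",
                   "display_name": "Administrator"}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": "ACCOUNT_ID_PLACEHOLDER"}]}],
    }],
}


def audit_export(export=SAMPLE_EXPORT):
    """Audit every group in an export and return {group: findings}."""
    return {g: audit_policies(g, p) for g, p in export.items() if audit_policies(g, p)}


if __name__ == "__main__":
    print("\n".join(plan_commands()))
    for group, findings in audit_export().items():
        for f in findings:
            print(f"FINDING [{group}]: {f}")
```

Run the script once with no account session to review the generated commands; in a real account, replace the sample export with the output of `ibmcloud iam access-group-policies GROUP --output json` for each group before calling `audit_policies`.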

Roles for collaborating in Cloud Pak for Data as a Service workspaces

Access control extends beyond the IAM access groups to the workspaces within Cloud Pak for Data as a Service. Workspaces include Projects, Catalogs, Categories, and Deployment spaces. To work in Cloud Pak for Data as a Service, users must create workspaces or be assigned collaborator roles in the workspaces. Collaborator roles provide levels of access such as Viewer, Editor, or Administrator. See the following topics for information about collaborator roles for each type of workspace:

Learn more

Parent topic: Working with IAM access groups


  1. The Data Virtualization roles are assigned directly to individual users within the Data Virtualization application. These roles are not assigned in IBM Cloud IAM. Data Virtualization does not support access groups. See Managing roles for users in Data Virtualization.