Table of contents

Predefined roles and permissions

The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.

Jump to the appropriate section for more information:

Predefined roles

A role defines the permissions that a user or group has.

A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.

You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles.

The roles that are available depend on the services that are installed on top of Cloud Pak for Data:

Administrator
The role is created by the Cloud Pak for Data control plane.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access governance artifacts Governance artifacts Watson™ Knowledge Catalog
Administer platform Platform administration Cloud Pak for Data control plane
Create deployment spaces Deployments
  • Watson Knowledge Catalog
  • Watson Studio
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Create service instances Service instances Cloud Pak for Data control plane
Manage asset discovery Data curation Watson Knowledge Catalog
Manage catalogs Catalogs
  • Watson Knowledge Catalog
  • Watson Studio
Manage data protection rules Governance artifacts Watson Knowledge Catalog
Manage data quality Data curation Watson Knowledge Catalog
Manage data transformation Data integration DataStage®
Manage governance categories Governance artifacts Watson Knowledge Catalog
Manage information assets Catalogs Watson Knowledge Catalog
Manage metadata Data curation Watson Knowledge Catalog
Manage workflows Workflows Watson Knowledge Catalog
Business Analyst
The role is created by Watson Knowledge Catalog or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs Watson Knowledge Catalog
Access data quality Data curation Watson Knowledge Catalog
Create deployment spaces Deployments Watson Knowledge Catalog
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
View information assets Catalogs Watson Knowledge Catalog
Data Engineer
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs Watson Knowledge Catalog
Access data quality Data curation Watson Knowledge Catalog
Access governance artifacts Governance artifacts Watson Knowledge Catalog
Create deployment spaces Deployments Watson Knowledge Catalog
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Create service instances Service instances Cloud Pak for Data control plane
Manage asset discovery Data curation Watson Knowledge Catalog
Manage data protection rules Governance artifacts Watson Knowledge Catalog
Manage data quality Data curation Watson Knowledge Catalog
Manage data transformation Data integration DataStage
Manage information assets Catalogs Watson Knowledge Catalog
Manage metadata Data curation Watson Knowledge Catalog
Data Quality Analyst
The role is created by Watson Knowledge Catalog or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs Watson Knowledge Catalog
Access governance artifacts Governance artifacts Watson Knowledge Catalog
Create deployment spaces Deployments Watson Knowledge Catalog
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Manage asset discovery Data curation Watson Knowledge Catalog
Manage data protection rules Governance artifacts Watson Knowledge Catalog
Manage data quality Data curation Watson Knowledge Catalog
Manage information assets Catalogs Watson Knowledge Catalog
Manage metadata Data curation Watson Knowledge Catalog
Data Scientist
The role is created by Watson Knowledge Catalog or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs
  • Watson Knowledge Catalog
  • Watson Studio
Create deployment spaces Deployments
  • Watson Knowledge Catalog
  • Watson Studio
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Data Steward
The role is created by Watson Knowledge Catalog or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs Watson Knowledge Catalog
Access data quality Data curation Watson Knowledge Catalog
Access governance artifacts Governance artifacts Watson Knowledge Catalog
Create deployment spaces Deployments Watson Knowledge Catalog
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Manage asset discovery Data curation Watson Knowledge Catalog
Manage data protection rules Governance artifacts Watson Knowledge Catalog
Manage information assets Catalogs Watson Knowledge Catalog
Manage metadata Data curation Watson Knowledge Catalog
Developer
The role is created by Watson Knowledge Catalog or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Access catalogs Catalogs
  • Watson Knowledge Catalog
  • Watson Studio
Create deployment spaces Deployments
  • Watson Knowledge Catalog
  • Watson Studio
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
Create service instances Service instances Cloud Pak for Data control plane, but pulled in by:
  • Watson Knowledge Catalog
  • Watson Studio
User
The role is created by the Cloud Pak for Data control plane.

By default, no permissions are associated with this role.

However, some services contribute permissions to this role. The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission Category Services that contribute the permission
Create deployment spaces Deployments
  • Watson Knowledge Catalog
  • Watson Studio
Create projects Projects
  • Watson Knowledge Catalog
  • Watson Studio
If you do not install any services that contribute permissions to this role, users who are assigned the User role can:
  • Sign in to Cloud Pak for Data
  • Access any services or assets that do not require explicit permissions

In addition, the users who own or manage assets and services instances can give these users access to the assets or service instances.

Roles assigned to the admin user

When you install Cloud Pak for Data, the following roles are automatically assigned to the default user (admin):
Depending on the services that you install, the following roles are automatically assigned to the admin user:
Role Services that assign the role
Business Analyst Watson Knowledge Catalog
Data Engineer
  • DataStage
  • Watson Knowledge Catalog
Data Quality Analyst Watson Knowledge Catalog
Data Scientist
  • Watson Knowledge Catalog
  • Watson Studio
Data Steward Watson Knowledge Catalog
Developer
  • Watson Knowledge Catalog
  • Watson Studio
Best practice: For a more secure environment, remove the default admin user. For details, see Disabling the default admin user.

Permissions

A permission describes the actions that a user can take.

The permissions are grouped into the following categories:

Catalogs
The category is created by Watson Knowledge Catalog or Watson Studio.

A catalog is a collaborative workspace for sharing assets across your organization.

By default, only the creator and collaborators can see and access a catalog. Each catalog has its own internal access controls. However, all users have access to the platform assets catalog.

The category includes the following permissions:

Permission Description Actions
Access advanced governance Available only when Watson Knowledge Catalog is installed.

This permission must be combined with other permissions.

When the permissions are combined, users can complete advanced governance tasks.

Advanced governance tasks require additional permissions.
  • Import metadata

    This task requires both the Access advanced governance permission and the Manage metadata permission.

  • Configure information asset lineage reports

    This task requires both the Access advanced governance permission and the Manage information assets permission.

  • Create custom information asset display profiles

    This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.

  • Define custom attributes for information assets

    This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.

Access advanced mapping Available only when Watson Knowledge Catalog is installed.

Users with this permission can create mappings that track the flow of data outside of the catalog.

  • Create extension mappings
  • Import extension mappings
  • Import extended data sources
Access catalogs Users with this permission can be added as collaborators to catalogs. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the catalog. There are no explicit actions associated with this permission.
Create catalogs Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog
  • Create catalogs
Manage catalogs Users with this permission can see a list of all catalogs on the Catalog management page. By default, only collaborators can see their catalogs.

Users with this permission can join any catalog as an administrator so that they can delete unused catalogs and ensure that active catalogs have at least one owner

  • Create catalogs
  • View list of all catalogs
  • Join any catalog as an Admin
  • Reconfigure the default catalog
Manage information assets Available only when Watson Knowledge Catalog is installed.

Users with this permission can create artifact relationships and view information about assets in the default catalog. Users have full access to the Information assets page.

  • Browse and view information assets
  • View data lineage reports
  • View business lineage reports
  • Add information assets
  • Edit information assets
  • Delete information assets
  • Manage lineage reports
View information assets Available only when Watson Knowledge Catalog is installed.

Users with this permission can browse and view information assets, explore asset and artifact relationships, and see lineage reports from the Information assets page. Users have read-only access to the page.

  • Browse and view information assets
  • Explore asset and artifact relationships
  • View data lineage reports
  • View business lineage reports
Data curation
The category is created by Watson Knowledge Catalog.

Data curation is the process of managing metadata, discovering assets, and analyzing data quality.

The category includes the following permissions:

Permission Description Actions
Access data quality Users with this permission can be added as collaborators to data quality projects. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the data quality project. There are no explicit actions associated with this permission.
Manage asset discovery Users with this permission can run discovery jobs to understand the quality and content of tables and files in data sources.

Users with this permission can access the Data discovery page

  • Run data asset discovery when creating or editing a connection
  • Create and run quick scan asset discovery jobs
  • Create and run automated asset discovery jobs
  • Rerun discovery jobs
  • Delete asset discovery jobs
Manage data quality Users with this permission can run data quality analysis and manage data quality rules.

Users with this permission can access the Data quality page and the Automation rules page.

  • Create data quality rules
  • Edit data quality rules
  • Delete data quality rules
  • Create automation rules
  • Edit automation rules
  • Delete automation rules
  • Configure data quality analysis settings
  • Run data quality analysis
Manage metadata Requires the Access advanced governance permission.

Users with this permission can enhance catalog assets by adding metadata, such as glossary terms and document requirements. Users with these permissions can access the Metadata import page.

  • Manage metadata repository
  • Manage metadata interchange servers
  • Configure metadata import settings
Data integration
The category is created by DataStage.

Data integration is the process of transforming data to provide enriched and tailored information for your enterprise.

The category includes the following permissions:

Permission Description Actions
Manage data transformation Users with this permission can design and run data flows to move and transform data.
  • Create transformation jobs
  • Edit transformation jobs
  • Delete transformation jobs
  • Load and run transformation jobs
Deployments
The category is created by Watson Knowledge Catalog or Watson Studio.

A deployment space is a collaborative workspace for managing model deployments.

By default, only the creator and collaborators can see and access a deployment space. Each deployment space has its own internal access controls.

The category includes the following permissions:

Permission Description Actions
Create deployment spaces Users with this permission can create deployment spaces. By default, the user who creates a deployment space is the administrator for the deployment space.
  • Create deployment spaces
Manage deployment spaces Users with this permission can see a list of all deployment spaces and view deployment activity for all spaces on the Deployments page. By default, only the creator and collaborators can see their deployment spaces.

Users with this permission can join any deployment space as an administrator so that they can delete unused deployment spaces and ensure that active deployment spaces have at least one owner.

  • Create deployment spaces
  • View list of all deployment spaces
  • Join any deployment space as an Admin
  • View deployment activity across all spaces
Monitor deployment activities Users with this permission can see all active jobs and deployments across all spaces from the Activity tab on the Deployments page. By default, only collaborators can see a deployment space.
  • View list of all deployment spaces
  • View deployment activity across all spaces
Governance artifacts
The category is created by Watson Knowledge Catalog.

A governance artifact is an object used to govern the data that is in a catalog. Governance artifacts include business terms, rules, policies, data classes, reference data, and classifications.

A governance category is a collaborative workspace for organizing governance artifacts. By default, only the creator and collaborators can see and access a category. Each category has its own internal access controls.

The category includes the following permissions:

Permission Description Actions
Access governance artifacts Users with this permission can be added as collaborators to governance categories. By default, users with this permission have view access to all categories. However, they can be added as a collaborator and assigned a role that gives them additional permissions and responsibilities to complete assigned tasks in workflows for the category. There are no explicit actions associated with this permission.
Manage data protection rules Users with this permission can create and manage data protection rules.
  • Create data protection rules
  • Edit data protections rules
  • Delete data protection rules
Manage governance categories Users with this permission can create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers.
  • Create top-level categories
Platform administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.

The category includes the following permissions:

Permission Description Actions
Administer platform This permission offers the most comprehensive set of actions for managing and monitoring the platform.

Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions.

See the actions listed in the following permissions:
Manage configurations Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources.

Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page.

Some actions require specific services to be installed.

  • Configure connection to SMTP server
  • Configure integration with IBM Guardium appliances
  • Configure connections to Hadoop clusters
  • Customize branding
  • Enable and disable home page cards
  • Enable and disable default support links
  • Add and delete custom support links
  • Enable and disable guided tours
  • Import JDBC drivers
Manage platform health Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur.

Users with this permission can access the Monitoring page and the Diagnostics page.

  • Monitor workloads and resource use
  • Stop any runtime environment
  • View pod status, details, and logs
  • Restart pods
  • View platform quotas and service quotas
  • View event history and alerts
  • Set and edit platform resource quotas
  • Set and edit individual service resource quotas
  • Create and run diagnostics jobs
  • Delete diagnostics jobs
View platform health Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform.

Users with this permission have read-only access to the Monitoring page.

  • Monitor workloads and resource use
  • View pod status, details, and logs
  • View platform quotas and service quotas
  • View event history and alerts
Projects
The category is created by Watson Knowledge Catalog or Watson Studio.

A project is a collaborative workspace for working with data and other assets. By default, only the creator and collaborators can see and access a project. Each project has its own internal access controls.

The category includes the following permissions:

Permission Description Actions
Create projects Users with this permission can create projects. By default, the user who creates a project is the administrator for the project.
  • Create projects
Manage projects Users with this permission can see a list of all projects and all active runtimes on the All projects page. By default, only the creator and collaborators can see their projects.

Users with this permission can join any project as an administrator so that they can delete unused projects and ensure that active projects have at least one owner.

Important: The description in the web client is inaccurate. It includes information about the Active runtimes page and states that the user with this permission can view all active runtimes across all projects.
If you want to enable a user to manage projects and see the Active runtimes page, assign the following permissions to the user:
  • Manage projects
  • Monitor project workloads
  • Create projects
  • View list of all projects
  • Join any project as an Admin
Monitor project workloads Users with this permission can see all active runtimes for all projects from the Active runtimes page. By default, only project collaborators can see the runtimes that are associated with a project.

Users with this permission can see all jobs for all projects from the Jobs page. By default, only project collaborators can see the jobs that are associated with a project.

  • View all active runtimes across all projects
  • See jobs across all projects
Service instances
The category is created by the Cloud Pak for Data control plane.

A service instance is a specific deployment of a service. Some services can be deployed more than once.

Some service instances have their own access controls.

The category includes the following permissions:

Permission Description Actions
Create service instances Users with this permission can create service instances and storage volumes.

The types of service instances depend on the services that are installed.

  • Create service instances
Manage service instances Users with this permission can manage access to any service instance or delete any service instance from the Instances page.
  • Create service instances
  • View all service instances
  • Add users to any service instance
  • Assign an instance role to instance users
  • Remove users from a service instance
  • Delete any service instance
User administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to manage users, groups, and roles.

The permissions in this category apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.

The category includes the following permissions:

Permission Description Actions
Manage platform roles Users with this permission can modify platform roles or create custom roles. Roles determine the permissions that a user or user group has.

Users with this permission can access the Roles tab on the Access control page.

This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces.

  • Create platform roles
  • Edit platform roles
  • Delete platform roles
Manage user groups Users with this permission can create and edit user groups. User groups make it easy to manage the roles (and permissions) of users with similar access requirements.

Users with this permission can access the User groups tab on the Access control page.

  • Create user groups
  • Edit user groups
  • Delete user groups
  • Assign roles to user groups
  • Remove roles from user groups
Manage users Users with this permission can onboard users to the platform, edit user profiles, and assign platform roles to users.

Users with this permission can access the Users tab on the Access control page.

  • Add users
  • Edit user profiles
  • Assign roles to users
  • Remove roles from users
  • Remove users
Workflows
The category is created by Watson Knowledge Catalog.

A workflow defines the sequence of steps that must be completed and the decisions that must be made to support a specific business process.

Users can use the predefined governance workflows from Watson Knowledge Catalog or create custom process definitions.

The category includes the following permissions:

Permission Description Actions
Manage workflows Users with this permission can import custom process definitions and edit workflow configurations from the Workflow management page.

Users with this permission can also monitor active workflow tasks to ensure that work is completed in a timely manner.

  • Create workflow types
  • Edit workflow types
  • Delete workflow types
  • Upload workflow templates
  • Create workflow configurations
  • Edit workflow configurations
  • Delete workflow configurations
  • Assign workflow tasks to users
  • Monitor the status of workflow tasks