Predefined roles and permissions

The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.

Predefined roles

A role defines the permissions that a user or group has.

You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles.

Definitions for each permission are provided in Permissions.

Each role is listed with the service that creates it, followed by its permissions grouped by the service that contributes them.

Role: Administrator
Service that creates the role: Cloud Pak for Data control plane
Permissions contributed by Cloud Pak for Data control plane:
  • Administer platform
  • Create service instances
Permissions contributed by DataStage® Edition:
  • Integrate and transform data
Permissions contributed by Watson™ Knowledge Catalog:
  • Analyze data quality
  • Discover assets
  • Import metadata
  • Manage catalogs
  • Access governance artifacts
  • Manage governance categories
  • Manage governance workflows
  • Manage information assets
  • Manage data protection rules

Role: Business Analyst
Service that creates the role: Watson Knowledge Catalog
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs
  • Access information assets view
  • View data quality

Role: Data Engineer
Service that creates the role: DataStage Edition or Watson Knowledge Catalog
Permissions contributed by Cloud Pak for Data control plane:
  • Create service instances
Permissions contributed by DataStage Edition:
  • Integrate and transform data
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs
  • Discover assets
  • Import metadata
  • Access governance artifacts
  • Manage information assets
  • View data quality

Role: Data Quality Analyst
Service that creates the role: Watson Knowledge Catalog
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs
  • Analyze data quality
  • Discover assets
  • Import metadata
  • Access governance artifacts
  • Manage information assets

Role: Data Scientist
Service that creates the role: Watson Knowledge Catalog
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs

Role: Data Steward
Service that creates the role: Watson Knowledge Catalog
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs
  • Discover assets
  • Import metadata
  • Access governance artifacts
  • Manage information assets
  • View data quality
  • Manage data protection rules

Role: Developer
Service that creates the role: Watson Knowledge Catalog
Permissions contributed by Cloud Pak for Data control plane:
  • Create service instances
Permissions contributed by Watson Knowledge Catalog:
  • Access catalogs

Role: User
Service that creates the role: Cloud Pak for Data control plane
Permissions contributed by Cloud Pak for Data control plane:
  • Access assigned services

When you install the following services, the following permissions are added to the platform. However, the permissions are not automatically added to a role. If you want to use these permissions, you must add them to a role.

Permissions not associated with a role by default, listed by service:

Service: Cloud Pak for Data control plane
  • Configure authentication
  • Configure platform
  • Manage and monitor platform
  • Manage groups
  • Manage users

Service: Watson Knowledge Catalog
  • Access advanced governance capabilities
  • Access advanced mapping capabilities

The default user (admin) is automatically assigned the following roles when the roles are added to the platform:
  • Administrator
  • Business Analyst
  • Data Engineer
  • Data Quality Analyst
  • Data Scientist
  • Data Steward
  • Developer

Permissions

The following table describes the actions that are associated with each permission.

Permissions are grouped by category. Each entry gives the permission, the service that contributes it, and the actions it allows.

Category: Cloud Pak for Data administration

Permission: Administer platform
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Manage access to the web client
  • Configure connection to an LDAP server
  • Enable email notifications
  • Gather diagnostics information
  • Integrate the web client with Hadoop clusters

    Requires Execution Engine for Apache Hadoop.

  • Integrate the web client with custom JDBC data sources
  • View the services that are running on the platform
The following actions are not listed in the web client, but are also included in the Administer platform permission:
  • Add, edit, and remove roles
  • Add, edit, and remove groups
  • Add and remove users from groups
  • Manage the roles that are associated with a group
  • Monitor resource use for the platform
  • Set quotas for resource use
  • Manage workloads on the platform
  • Customize the platform
  • Manage environments and jobs in all analytics projects

    Requires the common core services.

Users with this permission have elevated privileges and can grant or revoke all permissions, including permissions in the Cloud Pak for Data administration category.

Permission: Configure authentication
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Configure connection to an LDAP server
  • Add, edit, and remove new user roles

Permission: Configure platform
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Enable email notifications
The following actions are not listed in the web client, but are also included in the Configure platform permission:
  • Integrate the web client with Hadoop clusters

    Requires Execution Engine for Apache Hadoop.

  • Manage environments and jobs in all analytics projects

    Requires the common core services.

Permission: Manage and monitor platform
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • View the services that are running on the platform
  • Monitor resource use for the platform
  • Set quotas for resource use
  • Manage workloads on the platform
  • Gather diagnostics information

Permission: Manage groups
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Add, edit, and remove groups
  • Add and remove users from groups
  • Manage the roles that are associated with a group

Permission: Manage users
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Add, edit, and remove new user profiles

Permission: Create service instances
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Create an instance of a service

Category: Data governance

Permission: Access advanced governance capabilities
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission, in combination with other required permissions, can:
  • Import metadata

    Also requires the Import metadata permission.

  • Define custom attributes

    Also requires the Manage information assets and Administer platform permissions.

  • View operational data lineage

    Also requires the Access information assets permission.

Permission: Access advanced mapping capabilities
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission, in combination with other required permissions, can:
  • Create and import extension mappings and import extended data sources by using the Information Governance Catalog user interface

Permission: Access catalogs
Services that contribute the permission:
  • Watson Knowledge Catalog
  • Common core services
Users with this permission can:
  • Become a collaborator in a catalog
  • View assets in the catalogs they have access to
  • Complete other actions in the catalog, depending on their role in the catalog
  • Create or join analytics projects

Permission: Access information assets view
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Browse and search for information assets
  • View data lineage and business lineage
  • View relationship graphs

Permission: Analyze data quality
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Create, edit, and delete data quality rules
  • Configure and run reports to analyze data quality

Permission: Discover assets
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Create connections for discovery
  • Discover assets by running a quick scan or automated discovery

Permission: Import metadata
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Import metadata by using InfoSphere Metadata Integration Bridges and InfoSphere Information Server connectors

Permission: Manage information assets
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Add, edit, and delete information assets
  • Manage data lineage and business lineage
  • Configure how information assets are displayed

Permission: View data quality
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • View data quality rules
  • View data quality reports

Permission: Access governance artifacts
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Become a collaborator in a category
  • View categories they can access
  • View published governance artifacts in categories they can access
  • Complete other actions in the category, depending on their roles in the category or parent categories:
    • Add, edit, delete, import, or export categories
    • Manage collaborators in categories
    • View draft governance artifacts
    • Add, edit, delete, import, or export governance artifacts

Permission: Manage data protection rules
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Create, edit, and delete data protection rules

Category: Data governance administration

Permission: Manage catalogs
Services that contribute the permission:
  • Watson Knowledge Catalog
  • Common core services
Users with this permission can:
  • Create, edit, and delete catalogs
  • Add collaborators to the catalogs they create
  • Add assets to the catalogs they create

Permission: Manage governance categories
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Create top-level categories
  • Perform all tasks listed under Access governance artifacts

Permission: Manage governance workflows
Service that contributes the permission: Watson Knowledge Catalog
Users with this permission can:
  • Create, edit, and delete governance workflows
  • Assign workflow tasks to users

Category: Data integration

Permission: Integrate and transform data
Service that contributes the permission: DataStage Edition
Users with this permission can:
  • Create, edit, and delete transformation jobs
  • Load and run transformation jobs

Category: Knowledge work

Permission: Access assigned services
Service that contributes the permission: Cloud Pak for Data control plane
Users with this permission can:
  • Use services that are available to all users
  • Use services to which they have explicit access
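
The following is an added example, not part of the product documentation: a review script that computes a user's effective permissions through direct and group-assigned roles, flags permissions whose documented actions change users, groups, roles or authentication, and reports which advanced governance capabilities lack a companion permission. The Lineage Curator role, the stewards group and the sample user are constructed, and "Access information assets" is assumed to refer to the "Access information assets view" permission.

```python
# Added example. Permission names are the display names used on this page;
# role, group and user data are constructed samples, not product API output.

# Permissions whose documented actions change users, groups, roles or authentication.
ACCESS_CONTROL = {"Administer platform", "Configure authentication",
                  "Manage groups", "Manage users"}
ADVANCED = "Access advanced governance capabilities"
# Companion permissions each advanced capability also requires, per the table.
# Assumption: "Access information assets" means "Access information assets view".
COMPANIONS = {
    "Import metadata": {"Import metadata"},
    "Define custom attributes": {"Manage information assets", "Administer platform"},
    "View operational data lineage": {"Access information assets view"},
}

def effective_permissions(user, groups, roles):
    """Union of permissions from roles held directly and through groups."""
    role_names = set(user["roles"])
    for group in user["groups"]:
        role_names.update(groups[group])
    perms = set()
    for name in role_names:
        perms.update(roles[name])
    return perms

def review(perms):
    """Return (access-control permissions held, unusable advanced capabilities)."""
    held = sorted(perms & ACCESS_CONTROL)
    unusable = {}
    if ADVANCED in perms:
        for capability, needed in COMPANIONS.items():
            missing = needed - perms
            if missing:
                unusable[capability] = sorted(missing)
    return held, unusable

# Constructed sample: predefined Data Steward role plus a hypothetical custom role.
ROLES = {
    "Data Steward": {"Access catalogs", "Discover assets", "Import metadata",
                     "Access governance artifacts", "Manage information assets",
                     "View data quality", "Manage data protection rules"},
    "Lineage Curator": {ADVANCED, "Manage groups"},  # hypothetical custom role
}
GROUPS = {"stewards": ["Data Steward"]}  # hypothetical group
USER = {"roles": ["Lineage Curator"], "groups": ["stewards"]}

if __name__ == "__main__":
    print(review(effective_permissions(USER, GROUPS, ROLES)))
```

For the sample user, the review shows that Define custom attributes cannot be used without Administer platform, the permission that can grant or revoke all others, which is worth knowing before adding the advanced governance permission to a narrowly scoped role.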