Predefined roles and permissions
The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.
Jump to the appropriate section for more information:
Predefined roles
A role defines the permissions that a user or group has.
A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.
You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles.
The roles that are available depend on the services that are installed on top of Cloud Pak for Data:
- Administrator
- The role is created by the Cloud Pak for Data control plane.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access governance artifacts Governance artifacts Watson™ Knowledge Catalog Administer platform Platform administration Cloud Pak for Data control plane Create deployment spaces Deployments - DataStage®
- Watson Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane Manage asset discovery Data curation Watson Knowledge Catalog Manage catalogs Catalogs - DataStage
- Watson Knowledge Catalog
- Watson Studio
Manage data protection rules Governance artifacts Watson Knowledge Catalog Manage data quality Data curation Watson Knowledge Catalog Manage governance categories Governance artifacts Watson Knowledge Catalog Manage information assets Catalogs Watson Knowledge Catalog Manage metadata Data curation Watson Knowledge Catalog Manage service instances Service instances Cloud Pak for Data control plane, but pulled in by: - DataStage
Manage workflows Workflows Watson Knowledge Catalog - Business Analyst
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs Watson Knowledge Catalog Access data quality Data curation Watson Knowledge Catalog Create deployment spaces Deployments Watson Knowledge Catalog Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
View information assets Catalogs Watson Knowledge Catalog - Data Engineer
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs Watson Knowledge Catalog Access data quality Data curation Watson Knowledge Catalog Access governance artifacts Governance artifacts Watson Knowledge Catalog Create deployment spaces Deployments Watson Knowledge Catalog Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane Manage asset discovery Data curation Watson Knowledge Catalog Manage data protection rules Governance artifacts Watson Knowledge Catalog Manage data quality Data curation Watson Knowledge Catalog Manage information assets Catalogs Watson Knowledge Catalog Manage metadata Data curation Watson Knowledge Catalog - Data Quality Analyst
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs Watson Knowledge Catalog Access governance artifacts Governance artifacts Watson Knowledge Catalog Create deployment spaces Deployments Watson Knowledge Catalog Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
Manage asset discovery Data curation Watson Knowledge Catalog Manage data protection rules Governance artifacts Watson Knowledge Catalog Manage data quality Data curation Watson Knowledge Catalog Manage information assets Catalogs Watson Knowledge Catalog Manage metadata Data curation Watson Knowledge Catalog - Data Scientist
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs - DataStage
- Watson Knowledge Catalog
- Watson Studio
Access governance artifacts Governance artifacts Watson Knowledge Catalog Create deployment spaces Deployments - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
- Data Steward
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs Watson Knowledge Catalog Access data quality Data curation Watson Knowledge Catalog Access governance artifacts Governance artifacts Watson Knowledge Catalog Create deployment spaces Deployments Watson Knowledge Catalog Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
Manage asset discovery Data curation Watson Knowledge Catalog Manage data protection rules Governance artifacts Watson Knowledge Catalog Manage information assets Catalogs Watson Knowledge Catalog Manage metadata Data curation Watson Knowledge Catalog - Developer
- The role is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create deployment spaces Deployments - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane, but pulled in by: - DataStage
- Watson Knowledge Catalog
- Watson Studio
- Reporting administrator
- The role is created by Watson Knowledge Catalog
- User
- The role is created by the Cloud Pak for Data control plane.
By default, no permissions are associated with this role.
However, some services contribute permissions to this role. The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Create deployment spaces Deployments - DataStage
- Watson Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- Watson Knowledge Catalog
- Watson Studio
If you do not install any services that contribute permissions to this role, users who are assigned the User role can:- Sign in to Cloud Pak for Data
- Access any services or assets that do not require explicit permissions
In addition, the users who own or manage assets and services instances can give these users access to the assets or service instances.
Roles assigned to the admin
user
admin
):
admin
user:Role | Services that assign the role |
---|---|
Business Analyst | Watson Knowledge Catalog |
Data Engineer |
|
Data Quality Analyst | Watson Knowledge Catalog |
Data Scientist |
|
Data Steward | Watson Knowledge Catalog |
Developer |
|
admin
user. For details, see Disabling the default admin user.Permissions
A permission describes the actions that a user can take.
The permissions are grouped into the following categories:
- Catalogs
- The category is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
A catalog is a collaborative workspace for sharing assets across your organization.
By default, only the creator and collaborators can see and access a catalog. Each catalog has its own internal access controls. However, all users have access to the platform assets catalog.
The category includes the following permissions:
Permission Description Actions Access advanced governance Available only when Watson Knowledge Catalog is installed. This permission must be combined with other permissions.
When the permissions are combined, users can complete advanced governance tasks.
Advanced governance tasks require additional permissions. - Import metadata
This task requires both the Access advanced governance permission and the Manage metadata permission.
- Configure information asset lineage reports
This task requires both the Access advanced governance permission and the Manage information assets permission.
- Create custom information asset display profiles
This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.
- Define custom attributes for information assets
This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.
Access advanced mapping Available only when Watson Knowledge Catalog is installed. Users with this permission can create mappings that track the flow of data outside of the catalog.
- Create extension mappings
- Import extension mappings
- Import extended data sources
Access catalogs Users with this permission can be added as collaborators to catalogs. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the catalog. There are no explicit actions associated with this permission. Create catalogs Available only when Watson Knowledge Catalog is installed. Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog.
- Create catalogs
Manage catalogs Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog. Users with this permission can also see a list of all catalogs on the Catalogs page in the Administration section in the navigation. By default, only collaborators can see their catalogs.
- Create catalogs
- View list of all catalogs
- Reconfigure the default catalog
Manage information assets Available only when Watson Knowledge Catalog is installed. Users with this permission can create artifact relationships and view information about assets in the default catalog. Users have full access to the Information assets page.
- Browse and view information assets
- View data lineage reports
- View business lineage reports
- Add information assets
- Edit information assets
- Delete information assets
- Manage lineage reports
View information assets Available only when Watson Knowledge Catalog is installed. Users with this permission can browse and view information assets, explore asset and artifact relationships, and see lineage reports from the Information assets page. Users have read-only access to the page.
- Browse and view information assets
- Explore asset and artifact relationships
- View data lineage reports
- View business lineage reports
- Import metadata
- Data curation
- The category is created by Watson Knowledge
Catalog.
Data curation is the process of managing metadata, discovering assets, and analyzing data quality.
The category includes the following permissions:
Permission Description Actions Access data quality Users with this permission can be added as collaborators to data quality projects. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the data quality project. There are no explicit actions associated with this permission. Manage asset discovery Users with this permission can run discovery jobs to understand the quality and content of tables and files in data sources. Users with this permission can access the Data discovery page
- Run data asset discovery when creating or editing a connection
- Create and run quick scan asset discovery jobs
- Create and run automated asset discovery jobs
- Rerun discovery jobs
- Delete asset discovery jobs
Manage data quality Users with this permission can run data quality analysis and manage data quality rules. Users with this permission can access the Data quality page and the Automation rules page.
- Create data quality rules
- Edit data quality rules
- Delete data quality rules
- Create automation rules
- Edit automation rules
- Delete automation rules
- Configure data quality analysis settings
- Run data quality analysis
Manage metadata Requires the Access advanced governance permission. Users with this permission can enhance catalog assets by adding metadata, such as glossary terms and document requirements. Users with these permissions can access the Metadata import page.
- Manage metadata repository
- Manage metadata interchange servers
- Configure metadata import settings
- Deployments
- The category is created by DataStage,
Watson Knowledge
Catalog, or Watson Studio.
A deployment space is a collaborative workspace for managing model deployments.
By default, only the creator and collaborators can see and access a deployment space. Each deployment space has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Create deployment spaces Users with this permission can create deployment spaces. By default, the user who creates a deployment space is the administrator for the deployment space. - Create deployment spaces
Manage deployment spaces Users with this permission can see a list of all deployment spaces and view deployment activity for all spaces on the Deployments page. By default, only the creator and collaborators can see their deployment spaces. Users with this permission can join any deployment space as an administrator so that they can delete unused deployment spaces and ensure that active deployment spaces have at least one owner.
- Create deployment spaces
- View list of all deployment spaces
- Join any deployment space as an Admin
- View deployment activity across all spaces
Monitor deployment activities Users with this permission can see all active jobs and deployments across all spaces from the Activity tab on the Deployments page. By default, only collaborators can see a deployment space. - View list of all deployment spaces
- View deployment activity across all spaces
- Governance artifacts
- The category is created by Watson Knowledge
Catalog.
A governance artifact is an object used to govern the data that is in a catalog. Governance artifacts include business terms, rules, policies, data classes, reference data, and classifications.
A governance category is a collaborative workspace for organizing governance artifacts. By default, only the creator and collaborators can see and access a category. Each category has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Access governance artifacts Users with this permission can be added as collaborators to governance categories. By default, users with this permission have view access to all categories. However, they can be added as a collaborator and assigned a role that gives them additional permissions and responsibilities to complete assigned tasks in workflows for the category. There are no explicit actions associated with this permission. Manage data protection rules Users with this permission can create and manage data protection rules. - Create data protection rules
- Edit data protections rules
- Delete data protection rules
Manage governance categories Users with this permission can create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers. - Create top-level categories
Manage glossary Users with this permission can import and export governance artifacts in a ZIP file, and create and manage custom attribute definitions. They can also create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers. - Import and export governance artifacts in a ZIP file
- Create and manage custom attribute definitions
- Create top-level categories
- Platform administration
- The category is created by the Cloud Pak for Data control plane.
Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.
The category includes the following permissions:
Permission Description Actions Administer platform This permission offers the most comprehensive set of actions for managing and monitoring the platform. Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions.
See the actions listed in the following permissions: Manage configurations Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources. Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page.
Some actions require specific services to be installed.
- Configure connection to SMTP server
- Configure integration with IBM Guardium appliances
- Configure connections to Hadoop clusters
- Customize branding
- Enable and disable home page cards
- Enable and disable default support links
- Add and delete custom support links
- Enable and disable guided tours
- Import JDBC drivers
Manage platform health Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur. Users with this permission can access the Monitoring page and the Diagnostics page.
- Monitor workloads and resource use
- Stop any runtime environment
- View pod status, details, and logs
- Restart pods
- View platform quotas and service quotas
- View event history and alerts
- Set and edit platform resource quotas
- Set and edit individual service resource quotas
- Create and run diagnostics jobs
- Delete diagnostics jobs
Manage reporting Users with this permission can configure the reporting for Watson Knowledge Catalog data, start the reporting and edit it. - Set up reporting for Watson Knowledge Catalog data
View platform health Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform. Users with this permission have read-only access to the Monitoring page.
- Monitor workloads and resource use
- View pod status, details, and logs
- View platform quotas and service quotas
- View event history and alerts
- Projects
- The category is created by DataStage,
Watson Knowledge
Catalog or Watson Studio.
A project is a collaborative workspace for working with data and other assets. By default, only the creator and collaborators can see and access a project. Each project has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Create projects Users with this permission can create projects. By default, the user who creates a project is the administrator for the project. - Create projects
Manage projects Users with this permission can see all active runtimes on the Active runtimes page. By default, only the creator and collaborators can see their projects. - Create projects
- View all active runtimes across all projects
Monitor project workloads Users with this permission can see all active runtimes for all projects from the Active runtimes page. By default, only project collaborators can see the runtimes that are associated with a project. Users with this permission can see all jobs for all projects from the Jobs page. By default, only project collaborators can see the jobs that are associated with a project.
- View all active runtimes across all projects
- See jobs across all projects
- Service instances
- The category is created by the Cloud Pak for Data control plane.
A service instance is a specific deployment of a service. Some services can be deployed more than once.
Some service instances have their own access controls.
The category includes the following permissions:
Permission Description Actions Create service instances Users with this permission can create service instances and storage volumes. The types of service instances depend on the services that are installed.
- Create service instances
Manage service instances Users with this permission can manage access to any service instance or delete any service instance from the Instances page. - Create service instances
- View all service instances
- Add users to any service instance
- Assign an instance role to instance users
- Remove users from a service instance
- Delete any service instance
- User administration
- The category is created by the Cloud Pak for Data control plane.
Permissions in this category enable an administrator to manage users, groups, and roles.
The permissions in this category apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.
The category includes the following permissions:
Permission Description Actions Add vault Users with this permission can: - Add integrations to external vaults.
- Add references to secrets in the external vaults to which they have access.
Add vault Manage platform roles Users with this permission can modify platform roles or create custom roles. Roles determine the permissions that a user or user group has. Users with this permission can access the Roles tab on the Access control page.
This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces.
- Create platform roles
- Edit platform roles
- Delete platform roles
Manage secrets and vaults Users with this permission can: - See a list of all of the external vaults that users are connected to (but not the details of the vaults).
- See a list of the secrets in each vault (but not the details of the secrets).
- Remove references to secrets from any vault.
- Remove integrations to any external vault.
- Remove secrets from the internal vault.
Manage secrets and vaults Manage user groups Users with this permission can create and edit user groups. User groups make it easy to manage the roles (and permissions) of users with similar access requirements. Users with this permission can access the User groups tab on the Access control page.
- Create user groups
- Edit user groups
- Delete user groups
- Assign roles to user groups
- Remove roles from user groups
Manage users Users with this permission can onboard users to the platform, edit user profiles, and assign platform roles to users. Users with this permission can access the Users tab on the Access control page.
- Add users
- Edit user profiles
- Assign roles to users
- Remove roles from users
- Remove users
Share secrets Users with this permission can: - Share secrets that they own (but not secrets that are shared with them).
- Remove access to secrets that they shared.
Share secrets - Vaults
- The category is created when you enable the
vaults interface. Note: The permissions are not associated with any roles by default.
Secrets are sensitive data, such as credentials or API keys. A vault is a secure place to store and manage secrets.
Users can add secrets to the internal vault or connect to an external vault to use existing secrets. By default, only the user who added the secret can use the secret.
The category includes the following permissions:
Permission Description Actions Add vaults Users with this permission can connect to external vaults and add secrets from their connected vaults. - Add a connection to external vaults
- Add secrets from their connected vaults
Manage vaults and secrets Users with this permission can see a list of all of the external vaults that users connected to and the list of secrets in each vault. However, users with this permission cannot see detailed information about the vaults or access the secrets in the vaults. Users with this permission can remove secrets from any vault and remove connections to any external vault.
- View list of all connected vaults
- View list of all secrets in each vault
- Remove external vaults
- Remove secrets added from an external vault
- Delete secrets from the internal vault
Share secrets Users with this permission can give other users access to secrets that they add. Users with this permission cannot share secrets that are shared with them. - Share owned secrets
- Revoke access to shared secrets
- Workflows
- The category is created by Watson Knowledge
Catalog.
A workflow defines the sequence of steps that must be completed and the decisions that must be made to support a specific business process.
Users can use the predefined governance workflows from Watson Knowledge Catalog or create custom process definitions.
The category includes the following permissions:
Permission Description Actions Manage workflows Users with this permission can import custom process definitions and edit workflow configurations from the Workflow management page. Users with this permission can also monitor active workflow tasks to ensure that work is completed in a timely manner.
- Create workflow types
- Edit workflow types
- Delete workflow types
- Upload workflow templates
- Create workflow configurations
- Edit workflow configurations
- Delete workflow configurations
- Assign workflow tasks to users
- Monitor the status of workflow tasks