Cloud Pak roles and permissions

Roles that are assigned within IBM Cloud Pak® for Integration define the various tasks that are required to configure and use Cloud Pak for Integration. Product roles are assigned within Keycloak and organized into groups of roles under Keycloak clients.

These Keycloak clients represent the following:

  • The Cloud Pak for Integration installation as a whole

  • Specific deployed instances

  • The Keycloak realm itself

  • The account management console

A Cloud Pak for Integration user is assigned permissions in Keycloak using role-based access control. When assigning a role to a user or a group in Keycloak, select Filter by clients to show roles associated with clients. You can search for specific roles and clients.

Client roles for the Cloud Pak installation

For each installation of Cloud Pak for Integration, there is a corresponding Keycloak client that represents the installation as a whole. This client contains roles that have permissions across the installation (not restricted to specific instance deployments).

The client for the Cloud Pak for Integration installation is named integration-<namespace>-xxxxx, where <namespace> is the namespace in which the Cloud Pak for Integration operators are installed. The namespace segment is omitted if Cloud Pak for Integration is installed in "All namespaces on the cluster" mode.

The following roles in the Cloud Pak for Integration client apply to all instances:

  • admin - Gives admin permissions in all instances. Allows the creation, editing, and deletion of every instance type. Allows management of versions and upgrade for all Cloud Pak components. Does not give access control permissions.

  • viewer - Gives permissions to view all instances in the Platform UI.

While two client roles (admin and viewer) apply to all instances, the other roles in the Cloud Pak for Integration client grant access to all instances of one specific instance type within the Cloud Pak for Integration installation. Unless otherwise specified, the Platform UI allows users with these roles to either administer or view that instance type.

Instance type / Roles

(Applies to all instances)
  • admin - Gives admin permissions in all instances. Allows the creation, editing, and deletion of every instance type. Allows management of versions and upgrade for all Cloud Pak components. Does not give access control permissions.
  • viewer - Gives permissions to view all instances in the Platform UI.
Integration dashboard
  • dashboard-admin - Gives admin permissions in all Integration dashboard instances. This role provides full access, which includes creating, editing, and deleting runtimes, configurations, and BAR files.
  • dashboard-viewer - Gives permissions to view all integration dashboard instances, including read-only access in the integration dashboards.
Integration design
  • designerauthoring-admin - Gives admin permissions in all Integration design instances. This role, which provides full access, is required for performing any action.
Kafka cluster
  • eventstreams-admin - Gives admin permissions in all Kafka cluster instances. This includes the ability to perform all actions in the UIs.
  • eventstreams-viewer - Gives permissions to view all Kafka cluster instances in the Platform UI. Does not include access to the Kafka clusters.
Kafka topic
  • kafkatopic-admin - Gives admin permissions (create, edit, and delete) for all Kafka topics in the Platform UI.
  • kafkatopic-viewer - Gives viewer permissions for all Kafka topics in the Platform UI.
Kafka user
  • kafkauser-admin - Gives admin permissions (create, edit, and delete) for all Kafka users in the Platform UI.
  • kafkauser-viewer - Gives viewer permissions for all Kafka users in the Platform UI.
Kafka Connect runtime
  • kafkaconnect-admin - Gives admin permissions (create, edit, and delete) for all Kafka Connect runtimes and Kafka connectors in the Platform UI.
  • kafkaconnect-viewer - Gives viewer permissions for all Kafka Connect runtimes and Kafka connectors in the Platform UI.
Kafka connector
  • kafkaconnector-admin - Gives admin permissions (create, edit, and delete) for all Kafka connectors in the Platform UI.
  • kafkaconnector-viewer - Gives viewer permissions for all Kafka connectors in the Platform UI.
Queue manager
  • queuemanager-webadmin - Gives MQWebAdmin permissions to perform all administrative operations in all Queue manager UI consoles. Does not include access to the messaging REST API or the REST API for MFT.
  • queuemanager-webadminro - Gives MQWebAdminRO (read-only) permissions in all Queue manager UI consoles. Users can view IBM MQ objects such as queues and channels. They can browse messages on queues. Does not include access to the messaging REST API or the REST API for MFT.
  • queuemanager-webuser - Gives MQWebUser permissions in all Queue manager UI consoles. A user that is assigned this role can perform only operations that the user ID is granted to perform on specific IBM MQ resources when they use the IBM MQ Console and REST API.
  • queuemanager-resource-admin - Gives admin permissions to manage all Queue manager instances so that you can create, edit, and delete them in the Platform UI. Does not include access to the Queue manager UI consoles.
  • queuemanager-resource-viewer - Gives permissions to view all Queue manager instances in the Platform UI. Does not include access to the Queue manager UI consoles.
Event Manager
  • eventendpointmanagement-admin - Gives administrator and author permissions in all Event Manager instances. This role allows access to the Event Endpoint Management UIs, and the ability to add and publish event endpoints to the catalog for others to reuse.
  • eventendpointmanagement-viewer - Gives viewer permissions in all Event Manager instances. This role allows access to the Event Endpoint Management UIs, and the catalog of published event endpoints.
Assembly
  • integrationassembly-admin - Gives admin permissions for all Assembly instances so that you can create, edit, and delete them in the Platform UI.
  • integrationassembly-viewer - Gives permissions to view all Assembly instances in the Platform UI.
Messaging server
  • messagingserver-admin - Gives admin permissions to manage all Messaging server, queue, channel and user instances. This allows creation, editing, and deletion in the Platform UI.
  • messagingserver-viewer - Gives view permissions for all Messaging server, queue, channel and user instances. This allows viewing in the Platform UI.
  • messaginguser-admin - Gives admin permissions to manage all Messaging user instances. This allows creation, editing, and deletion in the Platform UI.
  • messaginguser-viewer - Gives view permissions for all Messaging user instances. This allows viewing in the Platform UI.
  • messagingqueue-admin - Gives admin permissions to manage all Messaging queue instances. This allows creation, editing, and deletion in the Platform UI.
  • messagingqueue-viewer - Gives view permissions for all Messaging queue instances. This allows viewing in the Platform UI.
  • messagingchannel-admin - Gives admin permissions to manage all Messaging channel instances. This allows creation, editing, and deletion in the Platform UI.
  • messagingchannel-viewer - Gives view permissions for all Messaging channel instances. This allows viewing in the Platform UI.
Integration runtime
  • integrationruntime-admin - Gives admin permissions to manage all Integration runtime instances. This allows creation, editing, and deletion in the Platform UI.
  • integrationruntime-viewer - Gives view permissions for all Integration runtime instances. This allows viewing in the Platform UI.
API
  • declarativeapi-admin - Gives admin permissions to manage all API instances. This allows creation, editing, and deletion in the Platform UI.
  • declarativeapi-viewer - Gives view permissions for all API instances. This allows viewing in the Platform UI.
API Product
  • declarativeproduct-admin - Gives admin permissions to manage all API Product instances. This allows creation, editing, and deletion in the Platform UI.
  • declarativeproduct-viewer - Gives view permissions for all API Product instances. This allows viewing in the Platform UI.
Bindings
  • binding-admin - Gives admin permissions to manage all Bindings. This allows creation, editing, and deletion in the Platform UI.
  • binding-viewer - Gives view permissions for all Bindings. This allows viewing in the Platform UI.
Event Gateway
  • eventgateway-admin - Gives admin permissions to manage all Event Gateway instances so that you can create, edit, and delete them in the Platform UI.
  • eventgateway-viewer - Gives permissions to view all Event Gateway instances in the Platform UI.
Event Processing
  • eventprocessing-admin - Gives admin permissions for all Event Processing instances.
  • eventprocessing-viewer - Gives permissions to view all Event Processing instances in the Platform UI. Does not include access to the Event Processing UIs.
Policy
  • policy-admin - Gives admin permissions to manage all Policy instances so that you can create, edit, and delete them in the Platform UI.
  • policy-viewer - Gives permissions to view all Policy instances in the Platform UI.
Policy binding
  • policybinding-admin - Gives admin permissions to manage all Policy Binding instances. This allows creation, editing, and deletion in the Platform UI.
  • policybinding-viewer - Gives view permissions for all Policy Binding instances. This allows viewing in the Platform UI.
High speed transfer server
  • aspera-admin - Gives admin permissions to manage all High speed transfer server instances. This allows creation, editing, and deletion in the Platform UI.
  • aspera-viewer - Gives view permissions for all High speed transfer server instances. This allows viewing in the Platform UI.
Enterprise gateway
  • datapower-admin - Gives admin permissions to manage all Enterprise gateway instances. This allows creation, editing, and deletion in the Platform UI.
  • datapower-viewer - Gives view permissions for all Enterprise gateway instances. This allows viewing in the Platform UI.
App Connect configurations
  • configuration-admin - Gives admin permissions for all Configuration resources in the canvas. This allows creation, editing, and deletion in the canvas.
  • configuration-viewer - Gives view permissions for all Configuration resources in the canvas. This allows viewing in the canvas.
Secret
  • secret-admin - Gives admin permissions for all Secret resources in the canvas. This allows creation, editing, and deletion in the canvas.
  • secret-viewer - Gives view permissions for all Secret resources in the canvas. This allows viewing in the canvas.
ConfigMap
  • configmap-admin - Gives admin permissions for all ConfigMap resources in the canvas. This allows creation, editing, and deletion in the canvas.
  • configmap-viewer - Gives view permissions for all ConfigMap resources in the canvas. This allows viewing in the canvas.

Client roles for specific instances

When an instance that uses Keycloak is created, a corresponding Keycloak client is also created. Each client contains roles that are applicable to that specific instance.

The following is a list of instances that have corresponding Keycloak clients, and the roles that are associated with the client for that instance.

Instance / Roles
Integration dashboard
  • dashboard-admin - Gives admin permissions for a specific Integration dashboard instance. This role provides full access, which includes permission to create, edit, and delete runtimes, configurations in the same namespace, and BAR files.
  • dashboard-viewer - Gives permissions only to view a specific Integration dashboard instance.
Integration design
  • designerauthoring-admin - Gives admin permissions in a specific Integration design instance. This role, which provides full access, is required for performing any action.
Queue manager
  • queuemanager-webadmin - Gives MQWebAdmin permissions to perform all administrative operations in a specific Queue manager UI console. This role does not include access to the messaging REST API or the REST API for MFT.
  • queuemanager-webadminro - Gives MQWebAdminRO (read-only) permissions in a specific Queue manager UI console. Users can view IBM MQ objects such as queues and channels. They can browse messages on queues. Does not include access to the messaging REST API or the REST API for MFT.
  • queuemanager-webuser - Gives MQWebUser permissions in a specific Queue manager UI console. A user that is assigned this role can perform only operations that the user ID is granted to perform on specific IBM MQ resources when they use the IBM MQ Console and REST API.
Event manager
  • eem-author - Gives author permissions for a specific Event Manager instance. This role gives access to the Event Endpoint Management UI, as well as the ability to add and publish event endpoints to the catalog for others to reuse.
  • eem-viewer - Gives viewer permissions in a specific Event Manager instance. This role allows access to the Event Endpoint Management UI, as well as the catalog of published event endpoints.
  • eem-admin - Gives admin permission for a specific Event Manager instance. This role allows access to the Event Endpoint Management UI, as well as the ability to read, update (but not create), and delete resources.
Kafka cluster
  • eventstreams-admin - Gives admin permissions for all Kafka resources on a specific Kafka cluster, which includes the ability to perform all actions in the Kafka cluster UI.
Automation assets
  • assets-admin - Gives permissions to read, create, update, and delete catalogs, assets, and remotes, and to mark assets as approved
  • assets-editor - Gives permissions to read, create, update, and delete catalogs, assets, and remotes
  • assets-viewer - Gives permissions to read catalogs, assets, and remotes

Identifying roles for specific instances in the Keycloak UI

You can determine which roles correspond to a particular instance in the Keycloak access control console.

To get a list of clients with their associated roles, locate the "Assign roles" pane and enter a particular instance name or role name in the search box. For example, if you have an Integration dashboard instance called cp4i-ace-dashboard, you can search for that string to get the client roles that apply only to that instance. The following screenshot provides example search results. The same client is listed multiple times; each corresponding role is listed on a separate line.

Figure 1. Searching client roles for an instance
Assign roles pane with a list of Integration dashboard instances and their corresponding roles (dashboard-admin and dashboard-viewer)

The next screenshot is a zoomed-out example view of the "Assign roles" pane, adding more detail of how all the clients and roles for a particular user are represented, and how to navigate them.

  • The first (highlighted) string in the Name column is the client name corresponding to a particular instance. This is usually written in the format <kind>-<namespace>-<kubernetes_resource_name>-<uniqueID>. For example, the entries for dash-ace-dashboard-ns-cp4i-ace-dashboard-da0aa correspond to the roles for the Integration dashboard instance named cp4i-ace-dashboard in the ace-dashboard-ns namespace.

  • After the client name (still in the Name column) is the role that applies only to that instance. As already described, the same instance may be listed multiple times, with each corresponding role listed on a separate line.

  • For the instance dash-ace-dashboard-ns-cp4i-ace-dashboard-da0aa:

    • Ignore the uma_protection role.

    • There are two user roles for this client, dashboard-admin, and dashboard-viewer. These roles give the permissions already described in the "Client roles for specific instances" section.

    • Assigning any of the roles for this client gives permissions for only that Integration dashboard instance.

  • The screenshot also shows a Keycloak client with the name integration-b88d7. This Keycloak client represents the Cloud Pak for Integration installation as a whole. It has roles (dashboard-admin and dashboard-viewer) that apply to all Integration dashboard instances. Because those roles belong to the Cloud Pak for Integration installation client, assigning them gives the associated permissions for all Integration dashboard instances, rather than for a particular instance.

Figure 2. Clients and roles in the Keycloak Access control UI
Assign roles pane that includes three clients with permissions across the Cloud Pak for Integration installation (admin and viewer roles)
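The following Python script is an added example, not IBM's code and not part of this page. It applies the two client naming conventions described above (integration-<namespace>-xxxxx for the installation client, and <kind>-<namespace>-<kubernetes_resource_name>-<uniqueID> for instance clients) to a constructed list of (client, role) pairs like the ones shown in the "Assign roles" pane, ignores uma_protection, and reports the reach of every role, so that installation-wide and realm-management assignments can be reviewed before they are granted. It assumes that kinds, namespaces and resource names can all contain hyphens, which makes a client name ambiguous on its own, so the caller supplies the cluster's namespaces (as from kubectl get ns) and the kind prefixes it knows about; it also assumes the unique ID is always the final hyphen-separated segment. The names Scope, classify_client, describe, broad_assignments and SAMPLE_* are hypothetical.

```python
"""Work out the effective scope of the Keycloak client roles held by a
Cloud Pak for Integration user.

Added example, not IBM's code.  Assumptions not taken from the page: kinds,
namespaces and resource names may all contain hyphens, so the caller supplies
the namespace list and the kind prefixes it knows; the unique ID is always
the final hyphen-separated segment of the client name.
"""
from dataclasses import dataclass

INSTALL_PREFIX = "integration"
IGNORED_ROLES = {"uma_protection"}
# Clients that are tied to the realm or the user's own account rather than to an instance.
BUILTIN_CLIENTS = {"realm-management": "realm", "account": "account"}


@dataclass(frozen=True)
class Scope:
    level: str              # "installation", "instance", "realm", "account" or "unknown"
    kind: str = ""
    namespace: str = ""     # empty for all-namespaces mode and for non-instance clients
    instance: str = ""


def _longest_prefix(text: str, candidates: set[str]) -> str:
    """Return the longest candidate c such that text starts with 'c-', or ''.
    Longest match keeps the split deterministic when one namespace or kind
    is a prefix of another."""
    hits = [c for c in candidates if text.startswith(c + "-")]
    return max(hits, key=len) if hits else ""


def classify_client(client: str, namespaces: set[str], kinds: set[str]) -> Scope:
    """Map a Keycloak client name to the scope its roles apply to."""
    if client in BUILTIN_CLIENTS:
        return Scope(BUILTIN_CLIENTS[client])
    if client.startswith(INSTALL_PREFIX + "-"):
        # integration-<namespace>-xxxxx, or integration-xxxxx when the operators
        # were installed in "All namespaces on the cluster" mode.
        body = client[len(INSTALL_PREFIX) + 1:]
        namespace, _, _uid = body.rpartition("-")
        return Scope("installation", namespace=namespace)
    # <kind>-<namespace>-<kubernetes_resource_name>-<uniqueID>
    kind = _longest_prefix(client, kinds)
    if not kind:
        return Scope("unknown")
    rest = client[len(kind) + 1:]
    namespace = _longest_prefix(rest, namespaces)
    if not namespace:
        return Scope("unknown", kind=kind)
    rest = rest[len(namespace) + 1:]
    instance, sep, _uid = rest.rpartition("-")
    if not sep:  # nothing left that could be the unique-ID segment
        return Scope("unknown", kind=kind, namespace=namespace)
    return Scope("instance", kind=kind, namespace=namespace, instance=instance)


def describe(client: str, role: str, namespaces: set[str], kinds: set[str]) -> str:
    """One human-readable line per (client, role) pair; '' for ignored roles."""
    if role in IGNORED_ROLES:
        return ""
    scope = classify_client(client, namespaces, kinds)
    if scope.level == "installation":
        if scope.namespace:
            where = f"all instances (operators installed in namespace '{scope.namespace}')"
        else:
            where = "all instances (installation in all-namespaces mode)"
    elif scope.level == "instance":
        where = f"instance '{scope.instance}' in namespace '{scope.namespace}' only"
    elif scope.level in ("realm", "account"):
        where = f"the Keycloak {scope.level} itself"
    else:
        where = f"UNRECOGNISED client '{client}'"
    return f"{role:<20} -> {where}"


def broad_assignments(assignments, namespaces, kinds):
    """(client, role) pairs whose reach is wider than a single instance:
    installation-client roles and realm-management roles.  A least-privilege
    review looks at these first."""
    return [(c, r) for c, r in assignments
            if r not in IGNORED_ROLES
            and classify_client(c, namespaces, kinds).level in ("installation", "realm")]


# Constructed sample, modelled on the page's description of the screenshots.
SAMPLE_NAMESPACES = {"ace-dashboard-ns", "cp4i", "ace"}
SAMPLE_KINDS = {"dash"}
SAMPLE_ASSIGNMENTS = [
    ("dash-ace-dashboard-ns-cp4i-ace-dashboard-da0aa", "uma_protection"),
    ("dash-ace-dashboard-ns-cp4i-ace-dashboard-da0aa", "dashboard-admin"),
    ("dash-ace-dashboard-ns-cp4i-ace-dashboard-da0aa", "dashboard-viewer"),
    ("integration-b88d7", "dashboard-admin"),
    ("integration-b88d7", "viewer"),
    ("realm-management", "manage-users"),
    ("account", "view-profile"),
]

if __name__ == "__main__":
    for client, role in SAMPLE_ASSIGNMENTS:
        line = describe(client, role, SAMPLE_NAMESPACES, SAMPLE_KINDS)
        if line:
            print(line)
    print("review first:", broad_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_NAMESPACES, SAMPLE_KINDS))
```

Running the script prints one line per effective role and then the installation-wide and realm-management assignments to review first. Note that "ace" is deliberately included in the sample namespace set: because the parser prefers the longest matching namespace, the client is still split correctly as namespace ace-dashboard-ns and instance cp4i-ace-dashboard, which is the ambiguity a practitioner hits when reading these names by eye.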

Realm management client roles

In Keycloak, a realm is a space where you manage objects, including users, applications, roles, and groups. The realm-management client represents the Keycloak realm and can be used to assign identity and access management roles.

An admin user is assigned roles from the realm-management client. The following user functions are listed with their corresponding roles.

User function / Role
Keycloak user and group management
  • manage-users
  • query-users
  • query-groups
Identity provider management
  • manage-identity-providers
  • view-identity-providers
User federation management
  • manage-realm
  • view-realm
Advanced configuration
  • realm-admin
Realm management administrators These administrators are created automatically:

Account client roles

The account client represents a user's own account and their ability to access the Keycloak account console. In the console, they can perform actions such as changing their own password and viewing their personal information.

Individual account client roles

Individual users are assigned roles from the account client by default:

  • view-profile - View their own profile within Keycloak

  • manage-account - Change their Keycloak password

Assigning roles to users in the Keycloak UI

  1. From the IBM Cloud Pak Platform UI home page, click the Navigation Menu icon at the top left corner, then click Administration > Access control. The "Welcome to cloudpak" realm page opens.

  2. Click the navigation menu icon, and from the navigation pane, click Users.

  3. Enter the username in the search box.

  4. From the list of users, click a username to open the "User details" page.

  5. Click the Role mapping tab.

  6. Click Assign role.

  7. Click to open the dropdown menu and click Filter by clients.

  8. Select the roles that you want for this user and click Assign.