IBM Cloud Docs
Granting permissions to users

With an IBM Cloud account, you have administrative privileges for your account, which enable you to perform all operations on IBM Analytics Engine service instances. However, when you onboard other users to your account, you need to manage their permissions so that they have the required privileges to use IBM Analytics Engine service instances under your account.

Access to IBM Analytics Engine service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that accesses the IBM Analytics Engine service in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance. Permitted actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

  • Access policies enable access to be granted at different levels. You can see which access policies are set for you in the IBM Cloud® catalog console.

    1. Go to Access IAM users.
    2. Click your name in the user table.
    3. Click the Access policies tab to see your access policies.
  • Roles define the actions that a user or service ID can run. There are different types of roles in the IBM Cloud:

    • Resource group roles. When you create an IBM Analytics Engine service instance, you assign the service to a resource group. This resource group helps you to organize your account resources for access control. Users with resource group roles can create or delete service instances.
    • Service access roles. Users with service access roles can be assigned varying levels of permission for calling the service's API.

Access to IBM Analytics Engine resources requires certain access permissions at the resource group level and the service level. A user is given the desired level of access to a service instance only after the required roles at both levels have been granted.

IBM Cloud platform roles

Platform management roles enable users to perform tasks on service resources at the platform level (in your resource group), for example, create or delete instances, and assign other users access to a service instance.

Use the following table to identify the platform role that you can grant a user in the IBM Cloud to run any of the following platform actions:

Table 1. Platform roles and actions
| Platform actions | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|
| Provision a service instance. | Yes | Yes | | |
| Delete a service instance. | Yes | Yes | | |

IBM Cloud service roles

Use the following table to identify the service roles that you can grant a user to run any of the following service actions:

Table 2. IAM service roles and actions
| Actions | Manager | Writer | Reader |
|---|---|---|---|
| Invoke the instance management REST API to view instance details | Yes | Yes | Yes |
| Invoke the instance management REST API to set instance home | Yes | Yes | |
| Invoke application management REST API to submit a Spark application | Yes | Yes | |
| Invoke application management REST API to stop a submitted application | Yes | Yes | |
| Invoke application management REST API to view all submitted Spark applications | Yes | Yes | Yes |
| Invoke application management REST API to view a specific Spark application, by using the application ID | Yes | Yes | Yes |
| Invoke application management REST API to retrieve the state of a Spark application | Yes | Yes | Yes |
| Invoke instance management REST API to enable or disable logging | Yes | Yes | |
| Invoke instance management REST API to view logging configuration | Yes | Yes | Yes |
| Invoke instance management REST API to start or stop Spark history server | Yes | Yes | |
| Invoke instance management REST API to view Spark history server state | Yes | Yes | Yes |
| View Spark History UI | Yes | Yes | Yes |
| Invoke Spark History REST API | Yes | Yes | Yes |

To onboard new users to your account:

  1. Log on to the IBM Cloud dashboard.

  2. Click Manage > Access (IAM) in the IBM Cloud console.

  3. On the Manage access and users page, click Invite users.

  4. Enter the email addresses of the users you want to invite.

  5. Expand the Add users to access groups section and add the users to an access group. You can create access groups from here if needed.

  6. Assign those users access to your IBM Analytics Engine service instance by expanding the section Assign users additional access and selecting IAM services.

    1. Select Analytics Engine from the list of access types.
    2. Select Services based on attributes and choose the Analytics Engine service instance that you want to grant access to in your resource group and at your location.
    3. Select the level of access you want to enable by choosing the appropriate roles.
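
A least-privilege check for the role chosen in the last step, as an added example that is not part of the IBM documentation. It reads the two-icon rows of Table 2 as Manager and Writer, uses its own short action labels, assumes the service name `ibmanalyticsengine`, and runs on constructed policy records shaped like IAM access policies.

```python
"""Least-privilege check for Analytics Engine service roles (added example)."""

RANK = {"Reader": 1, "Writer": 2, "Manager": 3}
SERVICE = "ibmanalyticsengine"  # assumed service name, not stated on the page

# Table 2 rows under this example's own short labels.
READER_ACTIONS = {"view_instance", "list_apps", "view_app", "view_app_state",
                  "view_logging", "view_history_server", "history_ui", "history_api"}
WRITER_ACTIONS = {"set_instance_home", "submit_app", "stop_app",
                  "configure_logging", "toggle_history_server"}

def required_role(actions):
    """Lowest service role that covers every action in `actions`."""
    unknown = set(actions) - READER_ACTIONS - WRITER_ACTIONS
    if unknown:
        raise ValueError(f"not in Table 2: {sorted(unknown)}")
    return "Writer" if set(actions) & WRITER_ACTIONS else "Reader"

def audit(policy, needed_actions):
    """Return findings for one access policy against what the user needs."""
    scope = {a["name"]: a["value"]
             for r in policy["resources"] for a in r["attributes"]}
    if scope.get("serviceName") != SERVICE:
        return []  # policy targets another service
    findings = []
    if "serviceInstance" not in scope:
        findings.append("applies to every instance, not one chosen instance")
    granted = [r["role_id"].rsplit(":", 1)[-1] for r in policy["roles"]]
    top = max((g for g in granted if g in RANK), key=RANK.get, default=None)
    need = required_role(needed_actions)
    if top is None:
        findings.append(f"no service role granted, {need} required")
    elif RANK[top] > RANK[need]:
        findings.append(f"{top} granted, {need} is sufficient")
    elif RANK[top] < RANK[need]:
        findings.append(f"{top} granted, {need} required")
    return findings

def sample_policy(role, **scope):
    """Build a constructed policy record; the instance ID below is a placeholder."""
    return {"roles": [{"role_id": f"crn:v1:bluemix:public:iam::::serviceRole:{role}"}],
            "resources": [{"attributes": [{"name": k, "value": v} for k, v in scope.items()]}]}

ANALYST = sample_policy("Manager", serviceName=SERVICE)  # unscoped and over-privileged
SUBMITTER = sample_policy("Writer", serviceName=SERVICE, serviceInstance="example-instance-guid")

if __name__ == "__main__":
    print(audit(ANALYST, ["list_apps", "view_app_state"]))
    print(audit(SUBMITTER, ["submit_app", "view_app"]))
```

Under this reading of Table 2, Writer already covers every listed action, so any Manager grant is reported as more than the listed actions need.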