Managing users

Access to IBM® Db2® as a Service instances for the users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Access to the database itself is controlled separately, by the database's own access controls (Db2 users, privileges and roles).

For more information about IAM, see What is IBM Cloud Identity and Access Management?.

User types

Database users

These are the users that connect to and work in the database. In a traditional Db2 deployment they are operating-system users; in the cloud they are held in a user registry instead. Db2 treats these users as native to the database: their database privileges can be granted or revoked, as can the roles that they create.

Database users are not granted any service-level functions. For example, a database administrator who has access to the data cannot change the configuration of the service instance (scaling, backups and so on); the database privileges that they were given are all they have.

IAM users

IAM is integrated only with high-level service access: it governs which operations are available in the IBM Db2 SaaS console and against the service instance. An IAM user or service ID gets access to the database itself only when it is mapped to a specific Db2 user, as described under Roles and access; that Db2 user's privileges then apply.

Roles and access

Users can use JDBC or any Db2 client to connect to their database. There are two ways that users can access the database:

  • Use the database user name and password associated with their account
  • Use an IAM token (or an IAM API key, which is exchanged for a token) for an IAM identity that is mapped to the associated database user

In the second case IAM serves only as the authentication mechanism: it establishes who is connecting. Permissions are not controlled by IAM. They are controlled by the database-level privileges of the Db2 user that the IAM identity is mapped to, so an IAM Administrator whose mapped Db2 user holds only SELECT on one schema can still do nothing more than that through a client connection.
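Both connection paths, as an added Python example that is not IBM's code and not part of the original page. It assumes placeholder host, port and database names, the public IBM Cloud IAM token endpoint with the API-key grant type, and the Db2 JDBC driver properties securityMechanism=15, pluginName=IBMIAMauth and accessToken as documented for the IBM Data Server Driver for JDBC; check those property names against your driver version. The IAM reply and the JWT it carries are constructed inside the block so that it runs offline.

```python
"""Added example (not IBM's code): the two Db2 SaaS login paths.

Assumptions not in the original page: placeholder host/port/database names,
the public IBM Cloud IAM token endpoint and API-key grant type, and the Db2
JDBC driver properties securityMechanism=15 / pluginName=IBMIAMauth /
accessToken. Verify all of them against your driver and account.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
APIKEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"


def build_token_request(api_key: str) -> urllib.request.Request:
    """Form-encoded POST that exchanges an IAM API key for a bearer token."""
    body = urllib.parse.urlencode(
        {"grant_type": APIKEY_GRANT, "apikey": api_key}).encode()
    return urllib.request.Request(
        IAM_TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_token_response(raw: bytes) -> str:
    """Extract the access token; refuse anything that is not a Bearer grant."""
    doc = json.loads(raw)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("IAM did not return a Bearer access_token")
    return doc["access_token"]


def fetch_iam_token(api_key: str, opener=urllib.request.urlopen) -> str:
    """Live call by default; 'opener' is injectable so the demo runs offline."""
    with opener(build_token_request(api_key)) as resp:
        return parse_token_response(resp.read())


def token_identity(token: str) -> dict:
    """Read the (unverified) JWT payload to see WHO the token asserts you are.
    Note what is absent: no Db2 privileges. Those come from the mapped Db2 user."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {"iam_id": claims.get("iam_id"), "sub": claims.get("sub"),
            "expired": claims.get("exp", 0) <= time.time()}


def jdbc_url_password(host: str, port: int, db: str) -> str:
    """Path 1: Db2 user name and password. Pass the credentials in the JDBC
    Properties object, never in the URL, so they do not end up in logs."""
    return f"jdbc:db2://{host}:{port}/{db}:sslConnection=true;"


def jdbc_url_iam_token(host: str, port: int, db: str, token: str) -> str:
    """Path 2: IAM access token, authenticated by the driver's IAM plugin and
    mapped server-side to a Db2 user (property names are an assumption)."""
    return (f"jdbc:db2://{host}:{port}/{db}:accessToken={token};"
            "securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true;")


# ---- constructed sample data so the module runs offline -------------------
def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string for demonstration only; it carries no real signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(
            json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none"})
    return f"{header}.{b64(claims)}.sig"


SAMPLE_CLAIMS = {"iam_id": "iam-ServiceId-0000", "sub": "ServiceId-0000",
                 "exp": int(time.time()) + 3600}       # constructed, not real


class _FakeResponse:
    """Stands in for urllib's response with a constructed IAM reply."""
    def __init__(self, token):
        self._raw = json.dumps({"access_token": token, "token_type": "Bearer",
                                "expires_in": 3600}).encode()

    def read(self):
        return self._raw

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_urlopen(req: urllib.request.Request) -> _FakeResponse:
    """Offline opener: checks the request shape, returns the constructed reply."""
    assert req.get_method() == "POST" and req.full_url == IAM_TOKEN_URL
    return _FakeResponse(make_unsigned_token(SAMPLE_CLAIMS))


def demo() -> dict:
    """Walk through path 2 end to end against the constructed IAM reply."""
    token = fetch_iam_token("hypothetical-api-key", opener=fake_urlopen)
    return {"identity": token_identity(token),
            "url": jdbc_url_iam_token("db2.example.net", 50001, "bludb", token)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

token_identity makes the point of the paragraph above visible: the token carries an iam_id and an expiry and nothing about Db2 privileges, so what the connection may do is exactly what was granted to the Db2 user that identity is mapped to.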

Console access

Console access is controlled by IAM. Through the IAM interface, an IAM user can be given access to all Db2 service instances, to all Db2 service instances in a resource group, or to one specific service instance. Within that scope, IAM users can be assigned platform and service-level access.

Roles and console permissions

Role                           | User mgmt              | SQL editor/tables              | Monitoring info | Settings (includes scale, backup, DR, etc.) | Info panels
-------------------------------|------------------------|--------------------------------|-----------------|---------------------------------------------|------------
IAM - Platform - Viewer        | No                     | No (unless mapped to Db2 user) | Yes             | No                                          | Yes
IAM - Platform - Operator      | No                     | No (unless mapped to Db2 user) | Yes             | Yes                                         | Yes
IAM - Platform - Editor        | No                     | No (unless mapped to Db2 user) | Yes             | Yes                                         | Yes
IAM - Platform - Administrator | Yes                    | No (unless mapped to Db2 user) | Yes             | Yes                                         | Yes
Non-IAM (JDBC authentication)  | Only "Change password" | Yes                            | No              | No                                          | Yes

Service action mapping

Service actions are also controlled by IAM roles, with the same scoping: an IAM user can be given access to all Db2 service instances, to all instances in a resource group, or to one specific instance. Within that scope, access to specific service actions can be assigned or revoked.

Roles and service actions

Role                           | Manage-users | Scale | Clone | Restore | DR  | Settings | Backup | Monitor | View settings
-------------------------------|--------------|-------|-------|---------|-----|----------|--------|---------|--------------
IAM - Platform - Viewer        | No           | No    | No    | No      | No  | No       | No     | Yes     | Yes
IAM - Platform - Operator      | No           | Yes   | No    | Yes     | Yes | Yes      | Yes    | Yes     | Yes
IAM - Platform - Editor        | No           | Yes   | Yes   | Yes     | Yes | Yes      | Yes    | Yes     | Yes
IAM - Platform - Administrator | Yes          | Yes   | Yes   | Yes     | Yes | Yes      | Yes    | Yes     | Yes
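An added Python example, not IBM's code and not part of the original page, that applies the two role tables above (Console access and Service action mapping) the way a least-privilege review would: given the service actions a person needs, pick the lowest platform role that covers them, then emit an access policy scoped to one instance, one resource group, or all instances. The action names are the column headings of the service-actions table. The policy JSON shape is assumed to be the IAM Policy Management API create-policy body and the role CRNs the public IBM Cloud platform-role CRNs; the service name "dashdb-for-transactions" is a placeholder to verify for your instance type.

```python
"""Added example (not IBM's code): least-privileged IAM platform role for a set
of Db2 SaaS service actions, plus the scoped access-policy body for it.

Assumptions not in the original page: the policy JSON shape (IAM Policy
Management API v1 create-policy body), the public platform-role CRNs, and the
placeholder service name "dashdb-for-transactions".
"""
import json

# Rows of the "Roles and service actions" table, least to most privileged.
ROLE_ACTIONS = {
    "Viewer": {"Monitor", "View settings"},
    "Operator": {"Scale", "Restore", "DR", "Settings", "Backup",
                 "Monitor", "View settings"},
    "Editor": {"Scale", "Clone", "Restore", "DR", "Settings", "Backup",
               "Monitor", "View settings"},
    "Administrator": {"Manage-users", "Scale", "Clone", "Restore", "DR",
                      "Settings", "Backup", "Monitor", "View settings"},
}
ROLE_ORDER = ["Viewer", "Operator", "Editor", "Administrator"]
KNOWN_ACTIONS = ROLE_ACTIONS["Administrator"]

# From the console table: no platform role opens the SQL editor; only a mapping
# to a Db2 user does, and that user's database privileges then apply.
SQL_EDITOR_NEEDS_DB2_USER = True


def least_privileged_role(needed_actions) -> str:
    """Lowest role whose action set covers everything requested."""
    needed = set(needed_actions)
    unknown = needed - KNOWN_ACTIONS
    if unknown:
        raise ValueError(f"not a Db2 SaaS service action: {sorted(unknown)}")
    for role in ROLE_ORDER:              # ordered least to most privileged
        if needed <= ROLE_ACTIONS[role]:
            return role
    raise RuntimeError("unreachable: Administrator covers every known action")


def policy_body(iam_id: str, account_id: str, role: str, *,
                service_name: str = "dashdb-for-transactions",  # placeholder
                instance_guid: str = None,
                resource_group_id: str = None) -> dict:
    """Access-policy document for one subject, one role and one scope.
    Exactly one of instance_guid / resource_group_id narrows the scope;
    neither means every Db2 instance in the account."""
    if role not in ROLE_ORDER:
        raise ValueError(f"unknown platform role {role!r}")
    if instance_guid and resource_group_id:
        raise ValueError("scope to an instance or a resource group, not both")
    attrs = [{"name": "accountId", "value": account_id},
             {"name": "serviceName", "value": service_name}]
    if instance_guid:
        attrs.append({"name": "serviceInstance", "value": instance_guid})
    elif resource_group_id:
        attrs.append({"name": "resourceGroupId", "value": resource_group_id})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{role}"}],
        "resources": [{"attributes": attrs}],
    }


def policy_scope(body: dict) -> str:
    """Name the scope a policy body grants, for review output."""
    names = {a["name"] for a in body["resources"][0]["attributes"]}
    if "serviceInstance" in names:
        return "instance"
    if "resourceGroupId" in names:
        return "resource-group"
    return "all-instances"


if __name__ == "__main__":
    # Constructed request: an on-call operator who runs backups and restores
    # on one instance. Operator, not Administrator, covers that.
    role = least_privileged_role({"Backup", "Restore", "Monitor"})
    body = policy_body("IBMid-EXAMPLE", "0123456789abcdef", role,
                       instance_guid="00000000-0000-0000-0000-000000000000")
    print(role, policy_scope(body))
    print(json.dumps(body, indent=2))
```

Run the chooser before creating a policy rather than defaulting to Administrator: Manage-users is the only action that forces Administrator, and Clone is the only one that forces Editor over Operator, so most operational needs fit Operator on a single instance.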

For more information about user management, see Database user management.