IAM roles and actions

To follow the principle of least privilege and minimize the number of policies that you have to manage, you need to understand how to assign access so that users can work with products and take specific account management actions within your account. The following tables list the access roles and the actions that the IBM Cloud® services map to each role.

The tables cover the individual IAM-enabled services that are available from the IBM Cloud catalog, as well as the account management services that let you give others the ability to work with users, access groups, support cases, and more in the account. If a platform roles or service roles table is missing for a service, that service doesn't use that type of role.

Each service defines its own actions and maps them to platform and service roles, which you assign by creating an IAM access policy. If no existing role fits your needs, you can create a custom role that combines any number of the actions that are available for a given service.

For more information about assigning access for each service, check out the documentation for the service that you're using.

Statum KPI

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-amberoon-xaas-statumkpi for the service name.

Table 1. Platform roles - Statum KPI

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 1. Service roles - Statum KPI

| Role | Description |
| --- | --- |
| Service Configuration Reader | The ability to read services configuration for Governance management. |

Table 1. Service actions - Statum KPI

| Action | Description | Roles |
| --- | --- | --- |
| 3p-amberoon-xaas-statumkpi.dashboard.view | | Administrator, Editor, Operator |

ViziVault Platform

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-anontech-xaas-vizivault for the service name.

Table 2. Platform roles - ViziVault Platform

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 2. Service roles - ViziVault Platform

| Role | Description |
| --- | --- |
| Service Configuration Reader | The ability to read services configuration for Governance management. |

Table 2. Service actions - ViziVault Platform

| Action | Description | Roles |
| --- | --- | --- |
| 3p-anontech-xaas-vizivault.dashboard.view | | Administrator, Editor, Operator |

Cognitive View

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-cognitiveview-xaas-cognitiveview for the service name.

Table 3. Platform roles - Cognitive View

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 3. Service roles - Cognitive View

| Role | Description |
| --- | --- |
| Service Configuration Reader | The ability to read services configuration for Governance management. |

Table 3. Service actions - Cognitive View

| Action | Description | Roles |
| --- | --- | --- |
| 3p-cognitiveview-xaas-cognitiveview.dashboard.view | | Administrator, Editor, Operator |

SimpleCloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-summusrender-xaas-simplecl0ud for the service name.

Table 4. Platform roles - SimpleCloud

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 4. Service roles - SimpleCloud

| Role | Description |
| --- | --- |
| Service Configuration Reader | The ability to read services configuration for Governance management. |

Table 4. Service actions - SimpleCloud

| Action | Description | Roles |
| --- | --- | --- |
| 3p-summusrender-xaas-simplecl0ud.dashboard.view | | Administrator, Editor, Operator |

VPC+ DRaaS (VPC+ Disaster Recovery as a Service)

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-wanclds-draas-vpcplus for the service name.

Table 5. Platform roles - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 5. Service roles - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)

| Role | Description |
| --- | --- |
| Service Configuration Reader | The ability to read services configuration for Governance management. |

Table 5. Service actions - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)

| Action | Description | Roles |
| --- | --- | --- |
| 3p-wanclds-draas-vpcplus.dashboard.view | | Administrator, Editor, Operator |

Watson OpenScale

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use aiopenscale for the service name.

Table 6. Platform roles - Watson OpenScale

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 6. Service roles - Watson OpenScale

| Role | Description |
| --- | --- |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 6. Service actions - Watson OpenScale

| Action | Description | Roles |
| --- | --- | --- |
| aiopenscale.dashboard.view | View OpenScale | Administrator, Editor, Operator, Viewer |
| aiopenscale.dashboard.edit | Edit OpenScale | Administrator, Editor, Writer |
| aiopenscale.dashboard.administer | Administer OpenScale | Administrator |
| aiopenscale.kms.read | KMS Read | Reader |

API Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use api-gateway for the service name.

Table 7. Platform roles - API Gateway

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |

Table 7. Service roles - API Gateway

| Role | Description |
| --- | --- |
| Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 7. Service actions - API Gateway

| Action | Description | Roles |
| --- | --- | --- |
| api-gateway.dashboard.view | | Administrator, Editor, Operator |
| api-gateway.api.view | | Manager, Reader, Writer |
| api-gateway.api.create | | Manager, Writer |
| api-gateway.api.edit | | Manager, Writer |
| api-gateway.api.delete | | Manager, Writer |
| api-gateway.api.share | | Manager |

API Connect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use apiconnect for the service name.

Table 8. Platform roles - API Connect

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 8. Service roles - API Connect

| Role | Description |
| --- | --- |
| API Developer | As an API Developer, you have permissions beyond the reader role, including creating and editing service-specific resources. |
| Api Administrator | As an Api Administrator, you can perform all platform actions except for managing the account and assigning access policies. |
| Community Manager | As a Community Manager, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 8. Service actions - API Connect

| Action | Description | Roles |
| --- | --- | --- |
| apiconnect.instance.admin | apiconnect.instance.admin | Administrator |
| apiconnect.admin.manage | Enables API Connect administrators to create provider orgs, manage gateways, and adjust other settings for the environment. | Administrator, Api Administrator, Editor, Manager |
| apiconnect.instance.view | apiconnect.instance.view | API Developer, Administrator, Api Administrator, Community Manager, Editor, Manager, Operator, Reader, Viewer, Writer |
| apiconnect.instance.manage-community | apiconnect.instance.manage-community | Community Manager, Operator |
| apiconnect.instance.api-admin | apiconnect.instance.api-admin | Api Administrator, Editor, Manager |
| apiconnect.instance.develop | apiconnect.instance.develop | API Developer, Writer |

App ID

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use appid for the service name.

Table 9. Service roles - App ID

| Role | Description |
| --- | --- |
| Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Service Configuration Reader | The ability to read services configuration for Governance management. |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 9. Service actions - App ID

| Action | Description | Roles |
| --- | --- | --- |
| appid.mgmt.set.sender.details.cd | Set the sender details for emails sent to Cloud Directory users. | Manager, Writer |
| appid.mgmt.get.sender.details.cd | View the sender details for the emails sent to Cloud Directory users. | Manager, Reader, Writer |
| appid.mgmt.set.redirect.uris | Add or update post-authentication redirect URIs. | Manager, Writer |
| appid.mgmt.get.redirect.uris | View the post-authentication redirect URIs that are currently configured. | Manager, Reader, Writer |
| appid.mgmt.set.idps | Configure the identity provider options that a user has at sign in. | Manager, Writer |
| appid.mgmt.get.idps | View the current identity provider options that a user has when they sign in. | Manager, Reader, Writer |
| appid.mgmt.get.recent.activities | View recent authentication activity for an application. | Manager, Reader, Writer |
| appid.mgmt.get.ui.config | View the current Login Widget configuration including the color and logo. | Manager, Reader, Writer |
| appid.mgmt.set.ui.config | Configure the appearance of the Login Widget including the color and logo. | Manager, Writer |
| appid.mgmt.get.user.profile.config | Get user information from your app configuration. | Manager, Reader, Writer |
| appid.mgmt.set.user.profile.config | Update a user profile with the information from your app. | Manager, Writer |
| appid.mgmt.get.cd.users | View Cloud Directory users and their data. | Manager, Reader, Writer |
| appid.mgmt.add.cd.user | Create a Cloud Directory user | Manager, Writer |
| appid.mgmt.set.cd.user | Update a Cloud Directory user's information. | Manager, Writer |
| appid.mgmt.delete.cd.user | Delete a user from Cloud Directory. | Manager, Writer |
| appid.mgmt.get.email.template | Get your current email template configuration. | Manager, Reader, Writer |
| appid.mgmt.update.email.template | Update your email template configuration | Manager, Writer |
| appid.mgmt.delete.email.template | Delete an email template configuration. | Manager, Writer |
| appid.mgmt.get.saml.metadata | Get the metadata that is used to link your SAML provider. | Manager, Reader, Writer |
| appid.mgmt.resend.notification.cd | Resend an email to a Cloud Directory user. | Manager, Writer |
| appid.mgmt.get.tokens.configuration | View the current configuration of your tokens. | Manager, Reader, Writer |
| appid.mgmt.set.tokens.configuration | Configure the access, identity, and refresh tokens. | Manager, Writer |
| appid.mgmt.cd.sign.up | Start the sign up process for a new Cloud Directory user. | Manager, Writer |
| appid.mgmt.cd.sign.up.result | View the result of a new user sign up. | Manager, Writer |
| appid.mgmt.cd.forgot.password | Start the forgot password email flow for a Cloud Directory user. | Manager, Writer |
| appid.mgmt.cd.forgot.password.result | View whether the forgot password email was successfully sent. | Manager, Writer |
| appid.mgmt.cd.change.password | Start the change password email flow for a Cloud Directory user. | Manager, Writer |
| appid.mgmt.get.cd.actions.urls | View the action URLs that are configured for Cloud Directory. | Manager, Reader, Writer |
| appid.mgmt.get.cd.action.url | Get a single action URI that is configured for Cloud Directory. | Manager, Reader, Writer |
| appid.mgmt.update.cd.action.url | Update an action URI that is configured for Cloud Directory. | Manager, Writer |
| appid.mgmt.del.cd.action.url | Delete an action URI that is configured for Cloud Directory. | Manager, Writer |
| appid.mgmt.get.cd.password.policy | View the Cloud Directory password policy configuration in regex form | Manager, Reader, Writer |
| appid.mgmt.update.cd.password.policy | Update a Cloud Directory password policy in regex. | Manager, Writer |
| appid.mgmt.delete.profile | Delete a user profile from App ID. | Manager, Writer |
| appid.mgmt.get.profile | View a user profile. | Manager, Reader, Writer |
| appid.mgmt.update.profile | Update a user's profile. | Manager, Writer |
| appid.mgmt.get.profiles | Search all of your user profiles and get a count of any anonymous users. | Manager, Reader, Writer |
| appid.mgmt.revoke.refresh.token | Revoke a user's refresh token. | Manager, Writer |
| appid.mgmt.nominate.user | Create a profile for a future user. | Manager, Writer |
| appid.mgmt.update.cd.get.email.dispatcher | View the email provider configuration. | Manager, Reader, Writer |
| appid.mgmt.update.cd.set.email.dispatcher | Configure or update an email provider. | Manager, Writer |
| appid.mgmt.update.cd.post.email.dispatcher.test | Test the email provider configuration. | Manager, Writer |
| appid.mgmt.add.application | Register a new application with App ID. | Manager, Writer |
| appid.mgmt.delete.application | Delete an application that is registered with App ID | Manager, Writer |
| appid.mgmt.update.application | Update an application that is registered with App ID. | Manager, Writer |
| appid.mgmt.get.applications | View all of the apps that are registered with your instance of App ID. | Manager, Reader, Writer |
| appid.mgmt.get.application | View a specific application that is registered with App ID. | Manager, Reader, Writer |
| appid.mgmt.export.cd.users | Export Cloud Directory users and their information as a JSON object. | Manager |
| appid.mgmt.import.cd.users | Import the Cloud Directory users and their information that was exported from another instance of the service. | Manager |
| appid.mgmt.get.capture.runtime.activity | Get the auditing status of the tenant as a JSON object. | Manager, Reader, Writer |
| appid.mgmt.update.capture.runtime.activity | Update the auditing status. | Manager, Writer |
| appid.mgmt.get.mfa.channels | Get a list of all of the configured MFA channels. | Manager, Reader, Writer |
| appid.mgmt.get.mfa.channel | Get an MFA channel. | Manager, Reader, Writer |
| appid.mgmt.update.mfa.channel | Update an MFA channel. | Manager, Writer |
| appid.mgmt.update.mfa.config | Update an MFA configuration. | Manager, Writer |
| appid.mgmt.get.mfa.config | View the current MFA configuration. | Manager, Reader, Writer |
| appid.mgmt.get.advanced.password.management | View the current advanced password policy configuration. | Manager, Reader, Writer |
| appid.mgmt.set.advanced.password.management | Configure advanced password policies. | Manager, Writer |
| appid.mgmt.get.sso.config | Get the Cloud Directory SSO configuration. | Manager, Reader, Writer |
| appid.mgmt.update.sso.config | Update the Cloud Directory SSO configuration. | Manager, Writer |
| appid.mgmt.post.sso.logout | Initiate SSO logout for Cloud Directory. | Manager, Writer |
| appid.mgmt.cd.post.sms.dispatcher.test | Test the MFA configuration for SMS. | Manager, Writer |
| appid.mgmt.remove.cd.user | Delete Cloud Directory users and their profile. | Manager, Writer |
| appid.mgmt.get.cd.userinfo | Get a Cloud Directory user and their information. | Manager, Reader, Writer |
| appid.mgmt.get.cd.rate.config | Get the rate limit configuration. | Manager, Reader, Writer |
| appid.mgmt.update.cd.rate.config | Update the rate limit configuration. | Manager, Writer |
| appid.mgmt.import.profiles | Import user profiles that have been exported from another instance of App ID. | Manager |
| appid.mgmt.export.profiles | Export user profiles. | Manager |
| appid.mgmt.add.scope | Add a scope to an application. | Manager, Writer |
| appid.mgmt.get.scopes | Get the scopes that are associated with an application. | Manager, Reader, Writer |
| appid.mgmt.delete.scope | Delete a scope that is associated with an application. | Manager, Writer |
| appid.mgmt.add.role | Create a role. | Manager, Writer |
| appid.mgmt.get.role | Get a role that is associated with a scope. | Manager, Reader, Writer |
| appid.mgmt.update.role | Update a role. | Manager, Writer |
| appid.mgmt.delete.role | Delete a role. | Manager, Writer |
| appid.mgmt.get.user.roles | View the roles that are assigned to a specific user. | Manager, Reader, Writer |
| appid.mgmt.update.user.roles | Update a user's associated roles. | Manager, Writer |
| appid.mgmt.get.webhook.config | Get a registered extension's configuration. | Manager, Reader, Writer |
| appid.mgmt.update.webhook.config | Update a registered extension's configuration. | Manager, Writer |
| appid.mgmt.update.webhook.active | Update the status of a registered extension's configuration. | Manager, Writer |
| appid.mgmt.test.webhook.config | Test the configuration for a registered extension. | Manager, Writer |
| appid.mgmt.del.totp.channel | appid-mgmt-del-totp-channel | Manager, Writer |
| appid.mgmt.get.application.roles | Get application roles | Manager, Reader, Writer |
| appid.mgmt.update.application.roles | Update application roles | Manager, Writer |
| appid.config.read | Read configuration information | Service Configuration Reader |
| appid.mgmt.get.settings | Retrieve instance settings | Manager, Reader, Writer |
| appid.mgmt.set.settings | Set instance settings | Manager, Writer |

App Configuration

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use apprapp for the service name.

Table 10. Platform roles - App Configuration

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |

Table 10. Service roles - App Configuration

| Role | Description |
| --- | --- |
| Client SDK | Role to manage Client SDK |
| Config Operator | As a Config Operator, you can toggle the feature state. |
| Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 10. Service actions - App Configuration

| Action | Description | Roles |
| --- | --- | --- |
| apprapp.dashboard.view | Dashboard view | Administrator, Config Operator, Editor, Manager, Operator, Reader, Writer |
| apprapp.collections.list | List collections | Client SDK, Config Operator, Manager, Reader, Writer |
| apprapp.collections.create | Create collections | Manager |
| apprapp.collections.update | Update collections | Manager |
| apprapp.collections.delete | Delete collections | Manager |
| apprapp.features.list | List features | Config Operator, Manager, Reader, Writer |
| apprapp.features.create | Create Features | Manager |
| apprapp.features.update | Update features | Manager |
| apprapp.features.delete | Delete features | Manager |
| apprapp.segments.list | List segments | Config Operator, Manager, Reader, Writer |
| apprapp.segments.update | Update segments | Manager, Writer |
| apprapp.segments.create | Create segments | Manager, Writer |
| apprapp.segments.delete | Delete segments | Manager, Writer |
| apprapp.features.patch | Patch features | Writer |
| apprapp.features.toggle | Toggle feature | Config Operator, Manager, Writer |
| apprapp.properties.list | List properties | Config Operator, Manager, Reader, Writer |
| apprapp.properties.update | Update properties | Manager |
| apprapp.properties.create | Create properties | Manager |
| apprapp.properties.delete | Delete properties | Manager |
| apprapp.properties.patch | Patch properties | Writer |
| apprapp.environments.create | Create environments | Manager |
| apprapp.environments.update | Update environments | Manager |
| apprapp.environments.delete | Delete environments | Manager |
| apprapp.environments.list | List environments | Config Operator, Manager, Reader, Writer |
| apprapp.instances.export | Export instance resources to a JSON | Manager |
| apprapp.instances.import | Import instance resources from a JSON | Manager |
| apprapp.gitconfigs.create | Create git configuration | Manager |
| apprapp.gitconfigs.update | Update git configurations | Manager |
| apprapp.gitconfigs.delete | Delete GIT configuration | Manager |
| apprapp.gitconfigs.view | GET a GIT configuration | Config Operator, Manager, Reader, Writer |
| apprapp.gitconfigs.promote | Promote configuration | Manager |
| apprapp.usage.create | Usage posting | Client SDK, Config Operator, Manager, Reader, Writer |
| apprapp.sse.view | SSE connect | Client SDK, Config Operator, Manager, Reader, Writer |
| apprapp.originconfigs.update | Update origin configuration for allowlisting CORS policy for Browser clients SDKs | Manager |
| apprapp.originconfigs.list | List origin configuration for allowlisting CORS policy for Browser clients SDKs | Config Operator, Manager, Reader, Writer |
| apprapp.gitconfigs.restore | Restore configuration | Manager |
| apprapp.integrations.create | Create an integration between App Configuration and an external service | Manager |
| apprapp.integrations.list | List integrations between App Configuration and external services | Config Operator, Manager, Reader, Writer |
| apprapp.integrations.delete | Delete the integration between App Configuration and an external service | Manager |
| apprapp.workflowconfigs.create | Create workflow configuration for service now integration for CR approval | Manager |
| apprapp.workflowconfigs.update | Update workflow configuration for service now integration for CR approval | Manager |
| apprapp.workflowconfigs.list | List the workflow configuration for service now integration for CR approval | Config Operator, Manager, Reader, Writer |
| apprapp.workflowconfigs.delete | Delete the workflow configuration for service now integration for CR approval | Manager |
| apprapp.changerequest.create | API endpoint to listen to service-now events | Manager |
| apprapp.config.import | Import the configuration of the instance | Manager |
| apprapp.config.export | Export the configuration of the instance | Client SDK, Config Operator, Manager, Reader, Writer |
| apprapp.config.action | Perform actions on the configuration of the instance like promote, restore to git | Manager |

Activity Tracker

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use atracker for the service name.

Table 11. Platform roles - Activity Tracker
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 11. Service roles - Activity Tracker
Role Description
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 11. Service actions - Activity Tracker
Action Description Roles
atracker.target.read Read target Administrator, Editor, Operator, Viewer
atracker.target.create Create atracker target Administrator, Editor
atracker.target.update Update atracker target Administrator, Editor
atracker.target.delete Delete atracker target Administrator, Editor
atracker.target.list List the atracker targets Administrator, Editor, Operator, Viewer
atracker.route.read Read atracker route Administrator, Editor, Operator, Viewer
atracker.route.create Create atracker route Administrator, Editor
atracker.route.update Update atracker route Administrator, Editor
atracker.route.delete Delete atracker route Administrator, Editor
atracker.route.list List atracker routes Administrator, Editor, Operator, Viewer
atracker.endpoint.set Set atracker endpoint properties Administrator
atracker.endpoint.get Read atracker endpoint properties Administrator, Editor, Operator, Viewer
atracker.service.ingest Send events to Atracker Writer
atracker.setting.get Get Atracker setting Administrator, Editor, Operator, Viewer
atracker.setting.update Update Atracker setting Administrator
atracker.migration.post Post atracker migration Administrator
atracker.migration.get Get atracker migration Administrator, Editor, Operator, Viewer
atracker.migration.delete Delete Atracker migration Administrator
atracker.onboarding.get Get onboarding config for services only. Administrator, Editor, Operator, Viewer
atracker.onboarding.list List onboarding configs for services only. Administrator, Editor, Operator, Viewer
atracker.onboarding.create Create onboarding config for services only. Administrator
atracker.onboarding.update Update onboarding config for services only. Administrator
atracker.onboarding.delete Delete onboarding config for services only. Administrator

Bespoken Automated Testing For IVR and Chat

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use automated-testing-and-monitoring-for-voice-and-chat for the service name.

Table 12. Platform roles - Bespoken Automated Testing For IVR and Chat
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 12. Service roles - Bespoken Automated Testing For IVR and Chat
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 12. Service actions - Bespoken Automated Testing For IVR and Chat
Action Description Roles
automated-testing-and-monitoring-for-voice-and-chat.dashboard.view Administrator, Editor, Operator

Billing

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use billing for the service name.

No supported roles.

Cloud Foundry for Custom Domain

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cf4customdomain for the service name.

Table 14. Service roles - Cloud Foundry for Custom Domain
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 14. Service actions - Cloud Foundry for Custom Domain
Action Description Roles
cf4customdomain.newdashboard.view View information in the new dashboard Manager, Reader, Writer

Cloud Foundry Enterprise Environment

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cfaas for the service name.

No supported roles.

Cloud Object Storage

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloud-object-storage for the service name.

Table 16. Service roles - Cloud Object Storage
Role Description
Content Reader As a Content Reader, one can read and list objects in the bucket.
Manager As a Manager, one can create/modify/delete buckets including managing retention policy, configuring IP addresses. In addition, one can upload and download the objects in the bucket.
Notifications Manager As a Notifications Manager, the service can manage (view/modify/delete) configuration for notifications on a Cloud Object Storage bucket.
Object Reader As an Object Reader, one can read objects in the bucket.
Object Writer As an Object Writer, one can only write objects to a bucket.
Reader As a Reader, one can view bucket configuration and download the objects in the bucket.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a Writer, one can create/modify/delete buckets. In addition, one can upload and download the objects in the bucket.
Table 16. Service actions - Cloud Object Storage
Action Description Roles
cloud-object-storage.account.get_account_buckets List all buckets in a service instance. Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.put_bucket Create a bucket. Manager, Writer
cloud-object-storage.bucket.post_bucket Internal use only - unsupported for users. Manager, Writer
cloud-object-storage.bucket.delete_bucket Delete a bucket. Manager, Writer
cloud-object-storage.bucket.get List all the objects in a bucket. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.list_crk_id List the IDs of encryption root keys associated with a bucket. Manager, Writer
cloud-object-storage.bucket.head View bucket metadata. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.get_versions Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.get_uploads List all active multipart uploads for a bucket. Manager, Reader, Writer
cloud-object-storage.bucket.get_acl Read a bucket ACL [deprecated]. Manager
cloud-object-storage.bucket.put_acl Create a bucket ACL [deprecated]. Manager
cloud-object-storage.bucket.get_cors Read CORS rules. Manager, Reader, Writer
cloud-object-storage.bucket.put_cors Add CORS rules to a bucket. Manager, Writer
cloud-object-storage.bucket.delete_cors Delete CORS rules. Manager, Writer
cloud-object-storage.bucket.get_website Read bucket website configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_website Add bucket website configuration. Manager, Writer
cloud-object-storage.bucket.delete_website Delete bucket website configuration. Manager, Writer
cloud-object-storage.bucket.get_versioning Unsupported operation - used for S3 API compatibility only. Manager, Reader, Writer
cloud-object-storage.bucket.put_versioning Unsupported operation - used for S3 API compatibility only. Manager, Writer
cloud-object-storage.bucket.get_object_lock_configuration Get Object Lock Configuration from the bucket. Manager, Reader, Writer
cloud-object-storage.bucket.put_object_lock_configuration Set Object Lock Configuration on the bucket. Manager, Writer
cloud-object-storage.bucket.get_fasp_connection_info View Aspera FASP connection information. Manager, Reader, Writer
cloud-object-storage.account.delete_fasp_connection_info Delete Aspera FASP connection information. Manager, Writer
cloud-object-storage.bucket.get_location View the location and storage class of a bucket. Content Reader, Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.get_lifecycle Read a bucket lifecycle policy. Manager, Reader, Writer
cloud-object-storage.bucket.put_lifecycle Create a bucket lifecycle policy. Manager, Writer
cloud-object-storage.bucket.get_activity_tracking Read activity tracking configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_activity_tracking Add activity tracking configuration. Manager, Writer
cloud-object-storage.bucket.get_metrics_monitoring Read metrics monitoring configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_metrics_monitoring Add metrics monitoring configuration. Manager, Writer
cloud-object-storage.bucket.put_protection Add Immutable Object Storage policy. Manager
cloud-object-storage.bucket.get_protection Read Immutable Object Storage policy. Manager, Reader, Writer
cloud-object-storage.bucket.put_firewall Add a firewall configuration. Manager
cloud-object-storage.bucket.get_firewall Read a firewall configuration. Manager
cloud-object-storage.bucket.put_public_access_block Add/Update a public access block configuration for a bucket. Manager
cloud-object-storage.bucket.delete_public_access_block Remove public access block configuration for a bucket. Manager
cloud-object-storage.bucket.get_public_access_block Retrieve public access block configuration for a bucket. Manager
cloud-object-storage.bucket.get_basic List objects in a bucket [deprecated]. Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.list_bucket_crn View a bucket CRN. Manager, Reader, Writer
cloud-object-storage.bucket.get_notifications Internal use only - unsupported for users. Notifications Manager
cloud-object-storage.bucket.put_notifications Internal use only - unsupported for users. Notifications Manager
cloud-object-storage.object.get View and download objects. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.head Read an object's metadata. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.get_version Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.get_object_lock_retention Get object lock retention settings on the object. Manager, Reader, Writer
cloud-object-storage.object.put_object_lock_retention_version Set object lock retention version settings on the object. Manager, Object Writer, Writer
cloud-object-storage.object.get_object_lock_retention_version Get object lock retention version settings on the object. Manager, Reader, Writer
cloud-object-storage.object.get_object_lock_legal_hold Get object lock legal hold state on the object. Manager, Reader, Writer
cloud-object-storage.object.put_object_lock_retention Set object lock retention settings on the object. Manager, Object Writer, Writer
cloud-object-storage.object.put_object_lock_legal_hold Set object lock legal hold state on the object. Manager, Object Writer, Writer
cloud-object-storage.object.put_object_lock_legal_hold_version Set object lock legal hold version state on the object. Manager, Object Writer, Writer
cloud-object-storage.object.get_object_lock_legal_hold_version Get object lock legal hold version state on the object. Manager, Reader, Writer
cloud-object-storage.object.head_version Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.put Write and upload objects. Manager, Object Writer, Writer
cloud-object-storage.object.post Upload an object using HTML forms [deprecated]. Manager, Object Writer, Writer
cloud-object-storage.object.post_md Update object metadata using HTML forms [deprecated]. Manager, Object Writer, Writer
cloud-object-storage.object.post_initiate_upload Initiate multipart uploads. Manager, Object Writer, Writer
cloud-object-storage.object.put_part Upload an object part. Manager, Object Writer, Writer
cloud-object-storage.object.copy_part Copy (write) an object part. Manager, Writer
cloud-object-storage.object.copy_part_get Copy (read) an object part. Manager, Reader, Writer
cloud-object-storage.object.post_complete_upload Complete a multipart upload. Manager, Object Writer, Writer
cloud-object-storage.object.copy Copy (write) an object from one bucket to another. Manager, Writer
cloud-object-storage.object.copy_get Copy (read) an object from one bucket to another. Manager, Reader, Writer
cloud-object-storage.object.get_acl Read object ACL [deprecated]. Manager
cloud-object-storage.object.get_acl_version Read object ACL Version [deprecated]. Manager
cloud-object-storage.object.put_acl Write object ACL [deprecated]. Manager
cloud-object-storage.object.put_acl_version Unsupported operation - used for S3 API compatibility only. Manager
cloud-object-storage.object.delete Delete an object. Manager, Writer
cloud-object-storage.object.delete_version Unsupported operation - used for S3 API compatibility only. Manager, Writer
cloud-object-storage.object.get_tagging Read object tags Manager, Reader, Writer
cloud-object-storage.object.get_tagging_version Read object tag versions Manager, Reader, Writer
cloud-object-storage.object.put_tagging Add/Update object tags Manager, Object Writer, Writer
cloud-object-storage.object.put_tagging_version Add/Update object tag versions Manager, Object Writer, Writer
cloud-object-storage.object.delete_tagging Delete object tags Manager, Object Writer, Writer
cloud-object-storage.object.delete_tagging_version Delete object tag versions Manager, Object Writer, Writer
cloud-object-storage.object.get_uploads List parts of a multi-part object upload. Manager, Object Writer, Reader, Writer
cloud-object-storage.object.delete_upload Abort a multipart upload. Manager, Object Writer, Writer
cloud-object-storage.object.restore Temporarily restore an archived object. Manager, Writer
cloud-object-storage.object.post_multi_delete Delete multiple objects. Manager, Writer
cloud-object-storage.object.post_legal_hold Add a legal hold to an object. Manager, Writer
cloud-object-storage.object.get_legal_hold View any legal holds on an object. Manager, Reader, Writer
cloud-object-storage.object.post_extend_retention Extend a retention policy. Manager, Writer
cloud-object-storage.cip.read Internal use only - unsupported for users. Service Configuration Reader
cloud-object-storage.bucket.put_quota Set a hard quota on a bucket. Manager
cloud-object-storage.bucket.get_quota Read a bucket's hard quota. Manager, Writer
cloud-object-storage.object.copy_get_version Copy (read) a version of an object from one bucket to another. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.copy_part_get_version Copy (read) a version of an object as a part. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.restore_version Temporarily restore an archived version of an object. Manager, Writer
cloud-object-storage.bucket.get_replication Read replication configuration of a bucket. Manager, Reader, Writer
cloud-object-storage.bucket.put_replication Add replication configuration to a bucket. Manager, Writer
cloud-object-storage.bucket.delete_replication Delete replication configuration of a bucket. Manager, Writer
cloud-object-storage.bucket.get_protection_management Read protection management of a bucket. Manager
cloud-object-storage.bucket.put_protection_management Add protection management to a bucket. Manager

Cloudant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloudantnosqldb for the service name.

Table 17. Platform roles - Cloudant
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 17. Service roles - Cloudant
Role Description
Checkpointer As a checkpointer, you have permissions to write local documents enabling checkpoint writes. Checkpoints are local documents optionally created during replication recording their state.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Monitor As a monitor, you have permissions to get information about specified databases, list databases, monitor indexing and replication, view data volume usage and view provisioned and current throughput.
Reader As a reader, you can perform read-only actions within a service, such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 17. Service actions - Cloudant
Action Description Roles
cloudantnosqldb.db.any Perform any database action Manager
cloudantnosqldb.activity-tracker-event-types.read Access list of configured activity tracker event types for a service instance Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
cloudantnosqldb.activity-tracker-event-types.write Update list of configured activity tracker event types for a service instance Administrator, Manager, Operator
cloudantnosqldb.sapi.lastactivity Access last activity time for account Manager
cloudantnosqldb.sapi.usercors Update CORS settings for a service instance Administrator, Manager
cloudantnosqldb.sapi.apikeys Generate Cloudant API keys for a service instance Manager
cloudantnosqldb.sapi.userccmdiagnostics Access current and maximum allowed throughput values Manager
cloudantnosqldb.sapi.supportattachments View attachments on support tickets for user Manager
cloudantnosqldb.sapi.supporttickets View support tickets for user Manager
cloudantnosqldb.sapi.userinfo Retrieve basic user information for this user Administrator, Editor, Manager, Operator, Viewer
cloudantnosqldb.users-database-info.read Read users' database info Manager
cloudantnosqldb.users-database.create Create users' databases Manager
cloudantnosqldb.users-database.delete Delete users' databases Manager
cloudantnosqldb.users.read Read from users' databases Manager
cloudantnosqldb.users.write Write to users' databases Manager
cloudantnosqldb.database.create Create databases Manager
cloudantnosqldb.database.delete Delete databases Manager
cloudantnosqldb.sapi.userplan Retrieve and update instance plan settings Administrator, Editor, Manager, Operator, Viewer
cloudantnosqldb.sapi.usage-data-volume View instance data usage Administrator, Editor, Manager, Monitor, Operator, Viewer
cloudantnosqldb.sapi.usage-requests View instance requests usage Manager
cloudantnosqldb.account-active-tasks.read View active tasks for instance Manager, Monitor
cloudantnosqldb.sapi.db-security Allow update of database security Manager
cloudantnosqldb.session.write Write _session endpoint Manager, Reader, Writer
cloudantnosqldb.session.read Read _session endpoint Manager, Reader, Writer
cloudantnosqldb.session.delete Delete _session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.write Write _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.read Read _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.delete Delete _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.account-db-updates.read Read db_updates feed Manager, Reader, Writer
cloudantnosqldb.any-document.read Read any documents in a normal database Manager, Reader, Writer
cloudantnosqldb.database-info.read Read /db/ database info Manager, Monitor, Reader, Writer
cloudantnosqldb.account-dbs-info.read Read _dbs_info endpoint Manager, Monitor, Reader, Writer
cloudantnosqldb.replicator-database-info.read Read _replicator database info Manager
cloudantnosqldb.replicator-database.create Create _replicator databases Manager
cloudantnosqldb.replicator-database.delete Delete _replicator databases Manager
cloudantnosqldb.replication.write Write to _replicator databases Manager
cloudantnosqldb.replication.read Read from _replicator databases Manager
cloudantnosqldb.replication-scheduler.read Read from replication _scheduler endpoints Manager, Monitor
cloudantnosqldb.account-up.read View _up Manager, Monitor
cloudantnosqldb.account-uuids.read Generate doc ID UUIDs Manager, Writer
cloudantnosqldb.data-document.write Create, update, and delete normal documents in a database Manager, Writer
cloudantnosqldb.local-document.write Write _local documents Checkpointer, Manager, Writer
cloudantnosqldb.design-document.write Write _design documents Manager
cloudantnosqldb.cluster-membership.read View cluster membership Manager
cloudantnosqldb.database-security.read Read database security definitions Manager
cloudantnosqldb.database-security.write Write database security definitions Manager
cloudantnosqldb.database-shards.read View database shard metadata Manager, Monitor
cloudantnosqldb.capacity-throughput.read Read current provisioned throughput Administrator, Editor, Manager, Monitor, Operator, Viewer
cloudantnosqldb.capacity-throughput.write Update provisioned throughput capacity Administrator, Editor, Manager
cloudantnosqldb.current-throughput.read Read current request throughput Manager, Monitor
cloudantnosqldb.limits-throughput.read Read throughput limits for current Plan Manager
cloudantnosqldb.account-all-dbs.read List all databases Manager, Monitor, Reader, Writer
cloudantnosqldb.account-deleted-dbs.list List deleted databases Manager, Monitor
cloudantnosqldb.account-deleted-dbs.restore Restore deleted database Manager
cloudantnosqldb.account-deleted-dbs.delete Delete deleted database Manager
cloudantnosqldb.account-meta-info.read View account metadata Manager, Monitor, Reader, Writer
cloudantnosqldb.database-ensure-full-commit.execute Call _ensure_full_commit endpoint Checkpointer, Manager, Writer
cloudantnosqldb.account-search-analyze.execute Call _search_analyze endpoint Manager, Reader, Writer
cloudantnosqldb.couchdbextension-instance.read View metadata of an Extension for Apache CouchDB instance Manager
cloudantnosqldb.couchdbextension-instance.write Make changes to an Extension for Apache CouchDB instance Manager
cloudantnosqldb.legacy-root-credential.revoke Revoke legacy credential tied to your instance URL Administrator, Manager
cloudantnosqldb.legacy-credentials.revoke Migrate instance to IAM only Administrator, Manager

IBM Cloud Shell

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloudshell for the service name.

Table 18. Platform roles - IBM Cloud Shell
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Table 18. Service roles - IBM Cloud Shell
Role Description
Cloud Developer As a cloud developer, you can create Cloud Shell environments to manage IBM Cloud resources and develop applications for IBM Cloud (Web Preview enabled).
Cloud Operator As a cloud operator, you can create Cloud Shell environments to manage IBM Cloud resources.
File Manager As a file manager, you can create Cloud Shell environments to manage IBM Cloud resources and manage files in your workspace (File Upload and File Download enabled).
Service Configuration Reader The ability to read services configuration for Governance management.
Table 18. Service actions - IBM Cloud Shell
Action Description Roles
cloudshell.account-settings.update The ability to update Cloud Shell account settings. Administrator
cloudshell.server.create The ability to create Cloud Shell environments. Administrator, Cloud Developer, Cloud Operator, File Manager
cloudshell.server.preview-web The ability to preview web applications in Cloud Shell (Web Preview enabled). Administrator, Cloud Developer
cloudshell.server.manage-file The ability to manage files in the Cloud Shell workspace (File Upload and File Download enabled). Administrator, File Manager
cloudshell.config.read Configuration Information Point API access Service Configuration Reader

IBM watsonx Code Assistant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use code-assistant for the service name.

Table 19. Platform roles - IBM watsonx Code Assistant
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 19. Service roles - IBM watsonx Code Assistant
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 19. Service actions - IBM watsonx Code Assistant
Action Description Roles
code-assistant.dashboard.view Administrator, Editor, Operator

Code Engine

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use codeengine for the service name.

Table 20. Platform roles - Code Engine
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Table 20. Service roles - Code Engine
Role Description
Compute Environment Administrator Can manage Code Engine Compute Environments.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 20. Service actions - Code Engine
Action Description Roles
codeengine.dashboard.view View Dashboard Administrator, Editor, Operator
codeengine.tenant.read View project details Manager, Reader, Writer
codeengine.tenant.entities.create Create project contents, such as applications, job definitions, and jobs Manager, Writer
codeengine.tenant.entities.update Modify existing items already contained by a project, such as applications, jobs, or job definitions. This does not include the ability to create or delete these items. Manager, Writer
codeengine.tenant.entities.delete Delete existing items from within a project Manager, Writer
codeengine.tenant.entities.read List and view existing items within a project Manager, Reader, Writer
codeengine.config.read Configuration Information Point API access Service Configuration Reader
codeengine.computeenvironment.create Allows you to create a Code Engine Compute Environment. Compute Environment Administrator
codeengine.computeenvironment.delete Allows you to delete compute environments. Compute Environment Administrator
codeengine.computeenvironment.projects.create Allows you to create projects in this compute environment. Manager, Writer
codeengine.computeenvironment.projects.delete Allows you to delete projects in this compute environment. Manager, Writer

Cognos Dashboard

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cognos-dashboard for the service name.

Table 21. Platform roles - Cognos Dashboard
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 21. Service roles - Cognos Dashboard
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 21. Service actions - Cognos Dashboard
Action Description Roles
cognos-dashboard.dashboard.author Author Dashboard Administrator, Editor, Manager, Operator, Reader, Viewer, Writer

Compass

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use compass for the service name.

Table 22. Service roles - Compass
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 22. Service actions - Compass
Action Description Roles
compass.dataprotection.view Manager, Reader, Writer
compass.dataprotection.operate Manager, Writer
compass.dataprotection.administer Manager

IBM Cloud Compliance and Security Center

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use compliance for the service name.

Table 23. Platform roles - IBM Cloud Compliance and Security Center
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 23. Service roles - IBM Cloud Compliance and Security Center
Role Description
Data Provider Role assigned to external Provider to push Compliance data to SCC
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 23. Service actions - IBM Cloud Compliance and Security Center
Action Description Roles
compliance.posture-management.dashboard-view Access the Security and Compliance dashboard to view security and compliance posture and results. Administrator, Editor, Operator, Viewer
compliance.posture-management.controls-create Add a control to a profile. Administrator, Editor
compliance.posture-management.controls-read View the controls that you can add to a profile. Administrator, Editor, Operator, Viewer
compliance.posture-management.controls-update Update an existing control. Administrator, Editor
compliance.posture-management.controls-delete Delete a control. Administrator, Editor
compliance.posture-management.scopes-create Create a scope. Administrator, Editor
compliance.posture-management.scopes-update Edit a scope. Administrator, Editor
compliance.posture-management.scopes-read View scopes. Administrator, Editor, Operator, Viewer
compliance.posture-management.scopes-delete Delete a scope. Administrator, Editor
compliance.posture-management.credentials-create Create a credential. Administrator, Editor
compliance.posture-management.credentials-update Update a credential. Administrator, Editor
compliance.posture-management.credentials-read View credentials. Administrator, Editor, Operator, Viewer
compliance.posture-management.credentials-delete Delete a credential. Administrator, Editor
compliance.posture-management.credentialsmap-create Map credentials to a scope. Administrator, Editor
compliance.posture-management.credentialsmap-update Edit an existing credentials mapping. Administrator, Editor
compliance.posture-management.credentialsmap-read View credentials mappings. Administrator, Editor, Operator, Viewer
compliance.posture-management.credentialsmap-delete Delete a credentials mapping. Administrator, Editor
compliance.posture-management.profiles-create Create a profile. Administrator, Editor
compliance.posture-management.profiles-update Update a profile. Administrator, Editor
compliance.posture-management.profiles-read View profiles. Administrator, Editor, Operator, Viewer
compliance.posture-management.profiles-delete Delete a profile. Administrator, Editor
compliance.posture-management.validations-create Run a validation scan. Administrator, Editor
compliance.posture-management.validations-update Update a validation scan. Administrator, Editor
compliance.posture-management.validations-read View a validation scan. Administrator, Editor, Operator, Viewer
compliance.posture-management.validations-delete Delete a validation scan. Administrator, Editor
compliance.posture-management.collectors-create Create a collector. Administrator, Editor
compliance.posture-management.collectors-update Update a collector. Administrator, Editor
compliance.posture-management.collectors-read View collectors. Administrator, Editor, Operator, Viewer
compliance.posture-management.collectors-delete Delete a collector. Administrator, Editor
compliance.posture-management.values-create Add parameters to an existing goal. Administrator, Editor
compliance.posture-management.values-update Update the parameters of an existing goal. Administrator, Editor
compliance.posture-management.values-read View the parameters that are associated with a goal. Administrator, Editor, Operator, Viewer
compliance.posture-management.tenants-create Create tenants Administrator, Editor
compliance.posture-management.tenants-update Update tenants Administrator, Editor
compliance.posture-management.tenants-read View tenants Administrator, Editor, Operator, Viewer
compliance.posture-management.tenants-delete Delete tenants Administrator, Editor
compliance.posture-management.events-create Create an audit log for monitoring compliance activity. Administrator, Editor, Operator, Viewer
compliance.posture-management.events-view View audit logs. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.rules-create Create a config rule. Administrator, Editor
compliance.configuration-governance.rules-read View the config rules that are available for your accounts. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.rules-update Update an existing config rule. Administrator, Editor
compliance.configuration-governance.rules-delete Delete a config rule. Administrator, Editor
compliance.configuration-governance.templates-create Create a template. Administrator, Editor
compliance.configuration-governance.templates-read View the templates that are available for your accounts. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.templates-update Update an existing template. Administrator, Editor
compliance.configuration-governance.templates-delete Delete a template. Administrator, Editor
compliance.configuration-governance.attachments-create Create an attachment between a rule and a scope. Administrator, Editor
compliance.configuration-governance.attachments-read View the attachments that are associated with a rule. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.attachments-update Update a rule attachment. Administrator, Editor
compliance.configuration-governance.attachments-delete Delete a rule attachment. Administrator, Editor
compliance.configuration-governance.services-create Create a definition to enable a service for configuration governance. Administrator, Editor
compliance.configuration-governance.services-update Update an existing service definition. Administrator, Editor
compliance.configuration-governance.services-delete Delete a service definition. Administrator, Editor
compliance.configuration-governance.config-state-create Create configuration governance config state. Administrator, Editor
compliance.configuration-governance.config-state-read Read configuration governance config state. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.config-state-update Update configuration governance config state. Administrator, Editor
compliance.configuration-governance.config-state-delete Delete configuration governance config state. Administrator, Editor
compliance.configuration-governance.results-create Create configuration governance results. Administrator, Editor
compliance.configuration-governance.results-read Read configuration governance results. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.results-update Update configuration governance results. Administrator, Editor
compliance.configuration-governance.results-delete Delete configuration governance results. Administrator, Editor
compliance.posture-management.tags-create Create tags. Administrator, Editor, Operator
compliance.posture-management.tags-update Update tags. Administrator, Editor, Operator
compliance.posture-management.tags-delete Delete a tag. Administrator, Editor, Operator
compliance.posture-management.tags-read View tags. Administrator, Editor, Operator, Viewer
compliance.posture-management.keys-read Read BYOK/KYOK configuration Administrator, Editor, Operator, Viewer
compliance.posture-management.keys-write Edit BYOK/KYOK configuration Administrator, Editor
compliance.posture-management.keys-delete Enable/Disable BYOK configuration Administrator, Editor
compliance.admin.settings-read View Admin Settings Administrator, Editor, Operator, Viewer
compliance.admin.settings-update Edit Admin Settings Administrator
compliance.admin.test-event-send Send test events Administrator
compliance.platform.notifications.write To send platform notifications Manager, Reader, Writer
compliance.posture-management.integrations-read Read compliance posture management integrations Administrator, Editor, Operator, Viewer
compliance.posture-management.integrations-create Create compliance posture management integrations Administrator, Editor, Operator
compliance.posture-management.integrations-update Update compliance posture management integrations Administrator, Editor, Operator
compliance.posture-management.integrations-delete Delete compliance posture management integrations Administrator, Editor
compliance.posture-management.attachments-create Create Attachments Administrator, Editor
compliance.posture-management.attachments-update Update Attachments Administrator, Editor
compliance.posture-management.attachments-read Read Attachments Administrator, Editor, Operator, Viewer
compliance.posture-management.attachments-delete Delete Attachments Administrator, Editor
compliance.posture-management.control-libraries-create Add New Control Libraries Administrator, Editor
compliance.posture-management.control-libraries-read Read Control Libraries Administrator, Editor, Operator, Viewer
compliance.posture-management.control-libraries-update Update Control Libraries Administrator, Editor
compliance.posture-management.control-libraries-delete Delete Control Libraries Administrator, Editor
compliance.posture-management.scans-create Add New Scans Administrator, Editor
compliance.posture-management.scans-read Read Scans Administrator, Editor, Operator, Viewer
compliance.posture-management.scans-update Update Scans Administrator, Editor
compliance.posture-management.scans-delete Delete Scans Administrator, Editor
compliance.posture-management.reports-read View results Administrator, Editor, Operator
compliance.posture-management.profiles-compare Compare profiles Administrator, Editor, Operator, Viewer
compliance.posture-management.attachments-upgrade Upgrade attachments Administrator, Editor
compliance.posture-management.provider-data-write Write Compliance data from Provider Administrator, Data Provider, Editor, Operator
compliance.targets.read View Targets Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.targets.create Create Target Administrator, Editor, Manager, Operator, Writer
compliance.targets.update Update Target Administrator, Editor, Manager, Operator, Writer
compliance.targets.delete Delete Target Administrator, Editor, Manager, Operator, Writer

Consult with IBM Cloud Garage

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use consult-with-icg-wes for the service name.

Table 24. Platform roles - Consult with IBM Cloud Garage
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 24. Service roles - Consult with IBM Cloud Garage
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 24. Service actions - Consult with IBM Cloud Garage
Action Description Roles
consult-with-icg-wes.dashboard.view The ability to view your provisioned Consult with IBM Garage services in the dashboard. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer

Container Registry

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use container-registry for the service name.

Table 25. Service roles - Container Registry
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 25. Service actions - Container Registry
Action Description Roles
container-registry.exemption.manager Create an exemption for a security issue. Delete an exemption for a security issue. Manager
container-registry.image.push Push a container image. Sign a container image. Import IBM software that is downloaded from IBM Passport Advantage Online. Restore a deleted container image from the trash. Create a new container image that refers to a source image. Manager, Writer
container-registry.image.pull Pull a container image. Inspect the signature for a container image. Create a new image that refers to a source image. Manager, Reader, Writer
container-registry.namespace.create Add a namespace. Manager
container-registry.namespace.delete Remove a namespace. Manager
container-registry.image.delete Delete one or more container images. Remove a tag, or tags, from each specified container image in IBM Cloud Container Registry. Delete the signature for a container image. Clean up your namespaces by retaining only images that meet your criteria. Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Writer
container-registry.namespace.list List your namespaces. Manager, Reader
container-registry.image.list List your container images. Display the container images that are in the trash. Manager, Reader, Service Configuration Reader
container-registry.image.vulnerabilities View a vulnerability assessment report for your container image. Manager, Reader, Service Configuration Reader
container-registry.image.inspect Display details about a specific container image. Manager, Reader
container-registry.quota.get Display your current quotas for traffic and storage, and usage information against those quotas. Manager, Reader, Writer
container-registry.quota.set Modify the specified quota. Manager
container-registry.plan.get Display your pricing plan. Manager
container-registry.plan.set Upgrade to the standard plan. Manager
container-registry.auth.get Get Auth Configuration, such as whether IAM policy enforcement is enabled Manager, Reader, Writer
container-registry.auth.set Enable IAM policy enforcement. Manager
container-registry.retention.analyze Clean up your namespaces by retaining only container images that meet your criteria. Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Reader
container-registry.retention.get Get an image retention policy. Manager, Reader
container-registry.retention.set Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Writer
container-registry.retention.list List the image retention policies for your account. Manager, Reader
container-registry.exemption.list List your exemptions for security issues. List the types of security issues that you can exempt. Manager, Reader
container-registry.settings.get Get Account Settings, such as whether platform metrics are enabled Manager, Reader, Writer
container-registry.settings.set Set Account Settings, such as whether platform metrics are enabled Manager
container-registry.config.read Configuration Information Point API access Service Configuration Reader

Kubernetes Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use containers-kubernetes for the service name.

Table 26. Platform roles - Kubernetes Service
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 26. Service roles - Kubernetes Service
Role Description
Compliance Management Allows Security and Compliance Center to access your cluster to set up, run, and fetch compliance results.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 26. Service actions - Kubernetes Service
Action Description Roles
containers-kubernetes.cluster.create Users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. Administrator, Compliance Management
containers-kubernetes.cluster.read Users such as auditors or billing can see cluster details but not modify the infrastructure. Administrator, Editor, Operator, Viewer
containers-kubernetes.cluster.operate Users such as reliability or DevOps engineers can add worker nodes and troubleshoot infrastructure such as reloading a worker node. They cannot create, delete, change credentials, or set up cluster-wide features. Administrator, Operator
containers-kubernetes.cluster.update Users such as developers can bind services, work with Ingress resources, and set up log forwarding for their apps but cannot modify the infrastructure. Administrator, Editor
containers-kubernetes.kube.read Users get read access to most Kubernetes resources in the namespace, but not to certain resources like roles, role bindings, or secrets. Corresponds to the RBAC view cluster role, which can be scoped to a namespace. Reader
containers-kubernetes.kube.write Users get read and write access to most Kubernetes resources in the namespace, but not to certain resources like roles or role bindings. Corresponds to the RBAC edit cluster role, which can be scoped to a namespace. Writer
containers-kubernetes.kube.manage When scoped to one namespace: Users can read and write to all Kubernetes resources in the namespace, but not to objects that apply across namespaces, the namespace resource quota, or the namespace itself. Corresponds to the RBAC admin cluster role to that namespace. When scoped to all namespaces in the cluster (by leaving the previous namespace field empty): Users can read and write to all Kubernetes resources in all namespaces in the cluster and work with objects that apply across namespaces, like top pods, top nodes, or creating an Ingress resource to make apps publicly available. Corresponds to the RBAC cluster-admin cluster role. Manager

Context-Based Restrictions

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use context-based-restrictions for the service name.

Table 27. Platform roles - Context-Based Restrictions
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 27. Service actions - Context-Based Restrictions
Action Description Roles
context-based-restrictions.account-settings.read View context-based restriction account settings Administrator, Editor, Viewer
context-based-restrictions.account-settings.update Update context-based restriction account settings Administrator

Network Zone Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use context-based-restrictions.zone for the service name.

Table 28. Platform roles - Network Zone Management
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 28. Service actions - Network Zone Management
Action Description Roles
context-based-restrictions.zone.create Network Zone Create Administrator, Editor
context-based-restrictions.zone.read Network Zone Read Administrator, Editor, Viewer
context-based-restrictions.zone.update Network Zone Update Administrator, Editor
context-based-restrictions.zone.delete Network Zone Delete Administrator, Editor

Continuous Delivery

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use continuous-delivery for the service name.

Table 29. Platform roles - Continuous Delivery
Role Description
Administrator As an administrator, you can modify the Authorized Users list.
Editor As an editor, you can create, view, update, change the plan for, and delete instances of the Continuous Delivery service.
Operator As an operator, you can view instances of the Continuous Delivery service.
Table 29. Service roles - Continuous Delivery
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 29. Service actions - Continuous Delivery
Action Description Roles
continuous-delivery.dashboard.view View instances of the Continuous Delivery service. Administrator, Editor, Operator
continuous-delivery.instance.add-auth-users Add entries to the Authorized Users list on the Manage tab of a Continuous Delivery service instance. Administrator, Manager, Writer
continuous-delivery.instance.remove-auth-users Remove entries from the Authorized Users list on the Manage tab of a Continuous Delivery service instance. Administrator, Manager, Writer
continuous-delivery.instance.config-auth-users Configure authorized users. Administrator, Manager

Converlistics

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use converlistics for the service name.

Table 30. Platform roles - Converlistics
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 30. Service roles - Converlistics
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 30. Service actions - Converlistics
Action Description Roles
converlistics.dashboard.view Administrator, Editor, Operator

Watson Assistant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use conversation for the service name.

Table 31. Platform roles - Watson Assistant
Role Description
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 31. Service roles - Watson Assistant
Role Description
Logs Reader As a logs reader, you can view user conversations and analytics.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Version Maker As a Version Maker, you will be able to create or delete versions of your assistant.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 31. Service actions - Watson Assistant
Action Description Roles
GET /conversation Can use API endpoints to extract data from skills and assistants Manager, Reader, Writer
POST /conversation Can use API endpoints to create data & to use the message endpoint Manager, Reader, Writer
DELETE /conversation Can use API endpoints to delete data from skills and assistants Manager, Reader, Writer
PATCH /conversation Can use API endpoints to modify data from skills and assistants Manager, Reader, Writer
PUT /conversation Can use API endpoints to modify data from skills and assistants Manager, Reader, Writer
conversation.assistant.legacy Can perform authoring methods for a workspace through v1 APIs. Manager
conversation.skill.write Can rename, edit, or delete a skill. Manager, Writer
conversation.skill.read Can open and view a skill. Manager, Reader, Writer
conversation.assistant.write Can rename, edit, or delete an assistant. Manager, Writer
conversation.assistant.read Can open and view an assistant. Manager, Reader, Writer
conversation.logs.read Can view skill analytics and access user conversation logs. Logs Reader, Manager
conversation.assistant.list Can list assistant or skill Manager, Reader, Viewer, Writer
conversation.assistant.default Default access for Assistant Manager, Reader, Viewer, Writer
conversation.environment.write Can rename, edit, or delete an environment Manager, Writer
conversation.environment.read Can open and view an environment Manager, Reader, Writer
conversation.release.write Can create or delete a Release for an Assistant Manager, Version Maker, Writer

IBM Cloud Pak for Data

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cp4d for the service name.

Table 32. Platform roles - IBM Cloud Pak for Data
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Table 32. Service roles - IBM Cloud Pak for Data
Role Description
CloudPak Data Engineer Create or view governance artifacts.
CloudPak Data Quality Analyst CloudPak Data Quality Analyst
CloudPak Data Scientist Find data in catalogs and use data in projects.
CloudPak Data Steward Create or view governance artifacts and curate data into catalogs.
Governance Artifacts Administrator Manage governance artifacts
Manager Manage catalogs, governance artifacts, categories, and workflow.
Reporting Administrator Manage reports on Watson Knowledge Catalog data.
Table 32. Service actions - IBM Cloud Pak for Data
Action Description Roles
cp4d.catalog.manage Manage catalogs Administrator, Editor, Manager
cp4d.governance-categories.manage Manage governance categories Manager
cp4d.governance-workflows.manage Manage governance workflows Manager
cp4d.wkc.reporting.manage Manage reporting Reporting Administrator
cp4d.governance-artifacts.access Access governance artifacts CloudPak Data Engineer, CloudPak Data Scientist, CloudPak Data Steward
cp4d.catalog.access Access catalogs CloudPak Data Scientist, CloudPak Data Steward, Manager
cp4d.data-protection-rules.manage Manage data protection rules CloudPak Data Engineer, CloudPak Data Steward, Manager
cp4d.glossary.manage Perform business glossary administrative tasks Manager
cp4d.project.manage Manage projects Manager
cp4d.deployment-space.manage Manage deployment space Manager
cp4d.glossary.admin Manage governance artifacts Governance Artifacts Administrator
cp4d.data-quality-asset-types.access Manage data quality assets CloudPak Data Quality Analyst, Manager
cp4d.data-quality-sla-rules.manage Manage data quality SLA rules CloudPak Data Quality Analyst, Manager
cp4d.data-quality.measure Execute data quality rules CloudPak Data Quality Analyst, Manager
cp4d.data-quality.drill-down Drill down to issue details CloudPak Data Quality Analyst, Manager
cp4d.catalog-assets-to-projects.add Users with this permission can add assets from a catalog to a project. Users must also have the Admin or Editor role in the catalog and the project, and must be asset owners or asset members. Administrator, CloudPak Data Scientist, CloudPak Data Steward, Editor, Manager

Db2 Warehouse

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dashdb for the service name.

Table 33. Platform roles - Db2 Warehouse
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 33. Service roles - Db2 Warehouse
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 33. Service actions - Db2 Warehouse
Action Description Roles
dashdb.console.access dashdb.console.access Manager, Writer
dashdb.console.manage-users Allows management of users for database access, such as creating new users or assigning an IAM user or service ID to a database user. Administrator, Manager
dashdb.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Manager, Operator, Viewer, Writer
dashdb.console.scale scale operation Administrator, Editor, Operator
dashdb.console.backup backup operation Administrator, Editor, Operator
dashdb.console.restore restore operation Administrator, Editor, Operator
dashdb.console.settings set configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
dashdb.console.view-settings view database settings Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/backups/:backup_id Delete a backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v5/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v5/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/backups/:backup_id Delete a backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/privatelink/allowlist Read Privatelink allowlist of principals Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/privatelink/allowlist Patch Privatelink allowlist principals Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Read scheduled scaling configuration Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Update scheduled scaling Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Delete scheduled scaling Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/switch_license switch license type or term Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/db2audit/install_v3 Install Db2 audit v3 Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/db2audit/process_report Process db2 archived audit logs into a human-readable csv format Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/version Retrieve Db2 audit version Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/alias Retrieve Db2 audit storage alias Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/replication Retrieve replication status Administrator, Editor, Operator, Viewer
PUT /v5/:platform/deployments/:deployment_id/replication/:id Activate/deactivate replication Administrator, Editor, Operator

Db2 on Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dashdb-for-transactions for the service name.

Table 34. Platform roles - Db2 on Cloud
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 34. Service roles - Db2 on Cloud
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Table 34. Service actions - Db2 on Cloud
Action Description Roles
dashdb-for-transactions.console.access Allows users to view the Db2 Console. Manager
dashdb-for-transactions.console.manage-users Allows management of users for database access, such as creating new users or assigning an IAM user or service ID to a database user. Administrator, Manager
dashdb-for-transactions.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Editor, Operator, Viewer
dashdb-for-transactions.console.clone clone operation Administrator, Editor
dashdb-for-transactions.console.scale scale operation Administrator, Editor, Operator
dashdb-for-transactions.console.backup backup operation Administrator, Editor, Operator
dashdb-for-transactions.console.restore restore operation Administrator, Editor, Operator
dashdb-for-transactions.console.settings set configuration Administrator, Editor, Operator
dashdb-for-transactions.console.view-settings view database settings Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
GET /2017-12/:platform/tasks/:task_id Read a task Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a deployment Administrator, Editor, Operator, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a deployment Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/resyncs resyncs Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v5/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v5/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/resyncs resyncs Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/configure_sets Configures db2set parameters Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/configure_sets Configures db2set parameters Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/configure_sets Retrieves configured parameters Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/configure_sets Retrieves configured parameters Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/rebalance rebalance tablespaces Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/reducemax reclaim disk space Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/configure_iks_worker Configure bare metal and dedicated virtual machine Administrator, Editor, Operator, Viewer
POST /hyperwarp_messages hyperwarp subscriber endpoint Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/hibernate Hibernate the target instance Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/hibernate Reactivate the target hibernating instance. Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/db2audit/version Retrieve Db2 audit version Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/alias Retrieve Db2 audit storage alias Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db2audit/install_v3 Installs Db2 audit v3 Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db2audit/process_report db2audit process report Administrator, Editor, Operator, Viewer

IBM Data Product Hub

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-product-hub for the service name.

Table 35. Platform roles - IBM Data Product Hub
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 35. Service roles - IBM Data Product Hub
Role Description
Manager As a manager, you can view service instances and additionally can create the data product catalog and manage users on the catalog.
Table 35. Service actions - IBM Data Product Hub
Action Description Roles
data-product-hub.dashboard.view The ability to view the IBM Data Product Exchange dashboard Administrator, Editor, Manager, Operator, Viewer
data-product-hub.catalog.manage The ability to create a data product catalog Manager

IBM Data Replication on Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-replication for the service name.

Table 36. Platform roles - IBM Data Replication on Cloud
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 36. Service roles - IBM Data Replication on Cloud
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 36. Service actions - IBM Data Replication on Cloud
Action Description Roles
data-replication.replications.retrieve data-replication.replications.retrieve Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-replication.replications.create Create replication Manager, Writer
data-replication.replications.operate Operate Replication Manager, Writer
data-replication.replications.delete Delete Replication Manager, Writer
data-replication.replications.update Update Replication Manager, Writer

Watson Studio

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-science-experience for the service name.

No supported roles.

Data Store for Memcache

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-store-for-memcache for the service name.

Table 38. Platform roles - Data Store for Memcache
Role Description
Administrator null
Table 38. Service roles - Data Store for Memcache
Role Description
Manager null
Reader null
Writer null
Table 38. Service actions - Data Store for Memcache
Action Description Roles
data-store-for-memcache.keys.create Administrator, Manager
data-store-for-memcache.keys.read Manager, Reader, Writer
data-store-for-memcache.keys.update Manager, Writer
data-store-for-memcache.keys.delete Manager
data-store-for-memcache.keys.encode Manager, Writer
data-store-for-memcache.keys.decode Manager, Writer

Data Virtualization

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-virtualization for the service name.

Table 39. Platform roles - Data Virtualization
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 39. Service roles - Data Virtualization
Role Description
DataAccess (For Service to Service Authorization Only) Used for Service to Service authorization. Do not choose this role for service credential generation.
Manager (For generated service credentials only) This role is only enabled for generated service credentials. Using this role will grant the generated Service ID Manager access.
Table 39. Service actions - Data Virtualization
Action Description Roles
data-virtualization.console.manage-users Allows management of users for database access, such as creating new users or assigning an IAM user or service ID to a database user. Administrator
data-virtualization.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Editor, Manager (For generated service credentials only), Operator, Viewer
data-virtualization.data.access Allows data access for other services. DataAccess (For Service to Service Authorization Only)
data-virtualization.console.scale scale operation Administrator, Editor, Manager (For generated service credentials only), Operator
data-virtualization.console.backup backup operation Administrator, Editor, Operator
data-virtualization.console.restore restore operation Administrator, Editor, Operator
data-virtualization.console.settings set configuration Administrator, Editor, Manager (For generated service credentials only), Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
data-virtualization.console.view-settings view database settings Administrator, Editor, Manager (For generated service credentials only), Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Data Virtualization database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Data Virtualization database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Data Virtualization database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Data Virtualization database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
GET /2017-12/:platform/tasks/:task_id Read a task Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a deployment Administrator, Editor, Operator, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a deployment Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer

Netezza Performance Server

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-warehouse for the service name.

Table 40. Platform roles - Netezza Performance Server
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Table 40. Service roles - Netezza Performance Server
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Table 40. Service actions - Netezza Performance Server
Action Description Roles
data-warehouse.dashboard.view The capability to view the service instance details page Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-warehouse.database.connect The action describes who can connect to the database Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-warehouse.database.admin The role defines people with admin privileges on the database Administrator, Manager

Databases for DataStax

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-cassandra for the service name.

Table 41. Platform roles - Databases for DataStax
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Table 41. Service roles - Databases for DataStax
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 41. Service actions - Databases for DataStax
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create an Allowlisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove an Allowlisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create an Allowlisted IP Address Administrator, Editor, Operator
deployment-ip-address.delete Remove an Allowlisted IP Address Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for Elasticsearch

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-elasticsearch for the service name.

Table 42. Platform roles - Databases for Elasticsearch
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Table 42. Service roles - Databases for Elasticsearch
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 42. Service actions - Databases for Elasticsearch
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/elasticsearch/file_syncs Create elasticsearch file sync Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/elasticsearch/file_syncs Create elasticsearch file sync Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create an Allowlisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove an Allowlisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
deployment-elasticsearch-file-syncs.create Create elasticsearch file sync Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create an Allowlisted IP Address Administrator, Editor, Operator
deployment-ip-address.delete Remove an Allowlisted IP Address Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for EDB

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-enterprisedb for the service name.

Table 43. Platform roles - Databases for EDB
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Table 43. Service roles - Databases for EDB
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 43. Service actions - Databases for EDB
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create an Allowlisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove an Allowlisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
databases-for-enterprisedb.emp.allow Allow access to EnterpriseDB Migration Portal Administrator, Editor, Operator, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create an Allowlisted IP Address Administrator, Editor, Operator
deployment-ip-address.delete Remove an Allowlisted IP Address Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for etcd

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-etcd for the service name.

Table 44. Platform roles - Databases for etcd
This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Table 44. Service roles - Databases for etcd
This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Table 44. Service actions - Databases for etcd
This table provides the available actions for the service, descriptions of each, and the roles that each action is mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create an Allowlisted IP Address Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove an Allowlisted IP Address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create an Allowlisted IP Address Administrator, Editor, Operator
deployment-ip-address.delete Remove an Allowlisted IP Address Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for MongoDB

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-mongodb for the service name.

Table 45. Platform roles - Databases for MongoDB
This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.