IBM Cloud Docs
Access management and governance in watsonx.data

This topic provides details about access management and governance in watsonx.data.

Access management is a critical aspect of security. It ensures that only authorized individuals can access watsonx.data, and it involves defining the right access and privileges for the right people on the right components and services in watsonx.data.

Access management in watsonx.data includes three levels of access control:

User authentication (Level 1)

User authentication is the first-level access that users need to authenticate into watsonx.data. It has two parts:

  • Access to the platform where watsonx.data is deployed, for example, watsonx.data on IBM Cloud or AWS. For more information, see Managing users.
  • Role-based access control within watsonx.data, for example, the Admin and User roles with specific access and privileges. For more information, see Managing user roles.

Level 1 authentication in watsonx.data on IBM Cloud is aligned with the IBM Cloud authentication framework. For more information, see IBM Cloud IAM roles and Actions and roles for account management services.

You can create access groups, or grant a trusted profile, user, or service ID access to any of the targets with specific permissions.

In addition to authentication, in IBM Cloud the IAM platform roles are assigned some privileges and permissions by default. The following table provides the details. These roles are assigned to users or user groups.

Platform roles

IAM platform role                          Actions
IAM Platform Administrator                 lakehouse.metastore.admin, lakehouse.dashboard.view
IAM Platform Operator, Editor, Viewer      lakehouse.dashboard.view
Others                                     Depends on the actions that are assigned by the administrator

The following table provides the service role details that are specific to watsonx.data on IBM Cloud and AWS. The Metastore Admin role is used for Db2, Netezza, and Spark and has full access to the HMS Thrift API. The Metastore Viewer role has read access to the HMS REST API. The Data Access role is used only for IBM Knowledge Catalog (IKC) integration for data profiling.

Service roles

Service role                                                          Actions
Metastore Admin                                                       lakehouse.metastore.admin
Metastore Viewer                                                      lakehouse.metastore.view
Data Access (primarily used for service-to-service integration,       lakehouse.data.access
for example, IKC integration with watsonx.data)

Authentication options

Users can authenticate by using an IBM API key or an IAM token for API or CLI access to the watsonx.data API and services, and by using a username and password to access the watsonx.data UI console.

Authentication options for presto-cli

Users can also use presto-cli, or connect to Presto through JDBC, with an IBM Cloud IBM API key or IAM token. For more information, see Connecting to Presto server in watsonx.data on IBM Cloud.

User access to resources (Level 2)

With the second-level access control, you can assign roles for watsonx.data users to view, edit, and administer the resources, which include engines, catalogs, storage, and databases.

Controlling access to the engines and other components is a critical requirement for many enterprises. To ensure that the resource usage is under control, IBM® watsonx.data provides the ability to manage access controls on these resources. A user with admin privileges on the resources can grant access to other users.

For more information on L2 access control in watsonx.data on IBM Cloud and AWS, see Managing users and Managing roles and privileges.

Advanced user access to resources (Level 3)

At the data access level, you can define data access policies and grant or restrict access to schemas, tables, and columns in watsonx.data. You can define policies by using the watsonx.data access management system, IBM Knowledge Catalog integration, or Apache Ranger integration.

watsonx.data access management system

For more information about data access policies in watsonx.data on IBM Cloud, see Managing data policy rules.

IBM Knowledge Catalog integration for data governance and access control

Integrating watsonx.data with IBM Knowledge Catalog provides self-service access to data assets for knowledge workers who need to use those data assets to gain insights.

For more information, see Integrating with IBM Knowledge Catalog.

Apache Ranger integration for data governance and access control

IBM watsonx.data supports Apache Ranger policies, which allow comprehensive data security when integrating with multiple governance tools and engines.

For more information, see Enabling Apache Ranger policy for resources.

Common Policy Gateway (CPG)

CPG is a standalone service that makes or delegates governance decisions (including built-in and external policies) on a per-request basis. It is a unified service that allows all applications to use a single service to either approve access control and governance requests or delegate them to an external system. It is a key differentiating capability that allows watsonx.data to integrate with any policy engine, which provides greater flexibility and eases integration with the client ecosystem.

Data Access Service (DAS)

Data Access Service (DAS) proxy in watsonx.data provides a unified way to access object storage, govern external engines, and audit data access. All of these are accomplished without exposing credentials or requiring complex modifications to engines, which are not controlled by watsonx.data.

For more information, see Data Access Service overview.

Getting connection information

You can see the connection information of watsonx.data from the Connect information tile of the Configurations page and from the Instance details page. For more information about watsonx.data connections, see Getting connection information.

Default username and password in watsonx.data on IBM Cloud

Username – The username can be either ibmlhapikey or ibmlhtoken.

Password – The password can be either an IBM Cloud API key or an IBM IAM access token. For more information, see Getting IBM API key and Getting IBM Access Management (IAM) token.

To use API keys to communicate with watsonx.data, you must create the API key from the account where watsonx.data is provisioned.
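The username and password convention above, and the API key or IAM token options for presto-cli and JDBC, can be wrapped in a small client-side helper. The following Python is an added example, not IBM's own code: it builds the (username, password) pair the page describes, prepares the documented IBM Cloud IAM API-key-to-token exchange (POST to https://iam.cloud.ibm.com/identity/token with the apikey grant type), and checks the token's expiration before it is handed to a connection. The sample IAM response is constructed; the function and constant names are this example's own.

```python
"""Build watsonx.data connection credentials and mint an IBM Cloud IAM token.

Added example, not IBM's own code. It follows the page's convention:
username "ibmlhapikey" with an IBM Cloud API key as the password, or
username "ibmlhtoken" with an IAM access token as the password. The same
pair goes into the user/password fields of presto-cli or a JDBC connection.
The IAM token endpoint and grant type are the documented public ones;
the sample response below is constructed for illustration.
"""
import json
import time
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
APIKEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"


def lakehouse_credentials(api_key=None, iam_token=None):
    """Return the (username, password) pair watsonx.data expects.

    Exactly one credential must be supplied; the username tells the
    service which kind of secret the password field carries.
    """
    if (api_key is None) == (iam_token is None):
        raise ValueError("supply exactly one of api_key or iam_token")
    if api_key is not None:
        return "ibmlhapikey", api_key
    return "ibmlhtoken", iam_token


def iam_token_request(api_key):
    """Build the URL and form-encoded POST body for the API key exchange."""
    body = urllib.parse.urlencode({"grant_type": APIKEY_GRANT, "apikey": api_key})
    return IAM_TOKEN_URL, body.encode("ascii")


def parse_iam_token_response(raw_json, now=None):
    """Extract the bearer token and its remaining lifetime from an IAM response.

    Returns (access_token, seconds_until_expiry). Raises if the token is
    already expired, so a caller never hands a stale token to watsonx.data.
    """
    payload = json.loads(raw_json)
    now = time.time() if now is None else now
    remaining = int(payload["expiration"]) - int(now)
    if remaining <= 0:
        raise RuntimeError("IAM token already expired; request a new one")
    return payload["access_token"], remaining


def fetch_iam_token(api_key, timeout=10):
    """Perform the real exchange against IAM (network call; not exercised offline)."""
    url, body = iam_token_request(api_key)
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token, _remaining = parse_iam_token_response(resp.read().decode())
    return token


# Constructed sample IAM response: same shape as a real one, fake values.
SAMPLE_IAM_RESPONSE = json.dumps({
    "access_token": "eyJraWQiOiIyMDI0...constructed",
    "token_type": "Bearer",
    "expires_in": 3600,
    "expiration": 1_700_003_600,
    "scope": "ibm openid",
})

if __name__ == "__main__":
    # API-key style login: username ibmlhapikey, password is the key itself.
    user, secret = lakehouse_credentials(api_key="<your-api-key>")
    print(user, secret)
    # Token style login: exchange the key first, then use ibmlhtoken.
    token, ttl = parse_iam_token_response(SAMPLE_IAM_RESPONSE, now=1_700_000_000)
    user, secret = lakehouse_credentials(iam_token=token)
    print(user, secret[:10] + "...", "valid for", ttl, "s")
```

Because an IAM token is short-lived, the token path is the better fit for automation that should not carry a long-lived API key into every connection; the key path is simpler for interactive presto-cli use. Either way, store the API key outside the code (a secrets manager or environment variable), never in the script.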