Managing IAM access for watsonx.data

IBM Cloud® Identity and Access Management (IAM) controls access to IBM® watsonx.data service instances for users in your account. Every user that accesses the watsonx.data service in your account must be assigned an access policy with an IAM role.

Review the following roles, actions, and more to help determine the best way to assign access to watsonx.data.

The access policy that you assign to users in your account determines what actions a user can perform within the context of the service or specific instance that you select. After you define the scope of the access policy, you assign a role.

Platform management roles enable users to perform tasks on service resources at the platform level. For more information about platform management roles, see Platform management roles. For more information about IAM access, see IAM access.

The following table describes the privileges that you can assign to platform management roles and the associated permissions for the watsonx.data service:

watsonx.data formation

Table 1. Roles and privileges for watsonx.data formation
| Privileges | Administrator | User |
|---|---|---|
| Create Presto engine | Y | N |
| Delete Presto engine | Y | N |
| Restart the internal HMS | Y | N |
| Scale the Presto engines | Y | N |
| Scale the internal HMS | Y | N |
| Unregister own or an external bucket | Y | N |
| Unregister any database | Y | N |
| Activate cataloged buckets (restart HMS) | Y | N |
| Register own buckets | Y | Y |
| Unregister own buckets | Y | Y |
| Register own databases | Y | Y |
| Unregister own databases | Y | Y |

Platform access roles

Following are the IBM Cloud® IAM platform management roles.

User roles

  • Viewer
  • Operator
  • Editor

Administrator roles

  • Administrator

The Service Configuration Reader and Key Manager roles are not relevant for watsonx.data.
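
A least-privilege review built from Table 1 and the role grouping above, as an added example that is not IBM code. It assumes that Viewer, Operator and Editor map to the table's User column (following this page's grouping); the identities and the "needed privileges" records are constructed.

```python
# Added example: least-privilege audit against Table 1 (not IBM code).
# Privileges Table 1 grants only in the Administrator column.
ADMIN_ONLY = {
    "Create Presto engine", "Delete Presto engine", "Restart the internal HMS",
    "Scale the Presto engines", "Scale the internal HMS",
    "Unregister own or an external bucket", "Unregister any database",
    "Activate cataloged buckets (restart HMS)",
}
# Privileges Table 1 grants in both the Administrator and User columns.
SHARED = {
    "Register own buckets", "Unregister own buckets",
    "Register own databases", "Unregister own databases",
}
# Assumption: platform roles map to table columns per the page's grouping.
ROLE_COLUMN = {"Viewer": "User", "Operator": "User", "Editor": "User",
               "Administrator": "Administrator"}


def allowed(role):
    """Return the set of Table 1 privileges granted to a platform role."""
    column = ROLE_COLUMN[role]  # KeyError for roles the page does not list
    return ADMIN_ONLY | SHARED if column == "Administrator" else set(SHARED)


def audit(assignments):
    """Map each identity to 'ok', 'over-privileged', or a reason string."""
    findings = {}
    for identity, role, needed in assignments:
        needed = set(needed)
        unknown = needed - ADMIN_ONLY - SHARED
        if role not in ROLE_COLUMN:  # e.g. roles not relevant to the service
            findings[identity] = f"unknown role: {role}"
        elif unknown:  # privilege name that is not a Table 1 row
            findings[identity] = "unknown privilege: " + ", ".join(sorted(unknown))
        elif needed - allowed(role):  # role cannot do what the identity needs
            missing = ", ".join(sorted(needed - allowed(role)))
            findings[identity] = f"under-privileged: {missing}"
        elif ROLE_COLUMN[role] == "Administrator" and not (needed & ADMIN_ONLY):
            findings[identity] = "over-privileged"  # a User role would suffice
        else:
            findings[identity] = "ok"
    return findings


# Constructed sample assignments: (identity, assigned role, needed privileges).
SAMPLE = [
    ("etl-svc", "Administrator", ["Register own buckets"]),
    ("platform-ops", "Administrator", ["Scale the Presto engines"]),
    ("analyst", "Editor", ["Register own databases", "Delete Presto engine"]),
    ("auditor", "Key Manager", []),
]
```

Calling audit(SAMPLE) returns one finding per identity, which can be reviewed before access policies are assigned or during a periodic access review.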

Service access roles

Following are the service access roles:

  • MetadataAdmin: External users with read and write access to the metadata through Thrift APIs in watsonx.data.
  • DataAccess: Only supports IKC-watsonx.data service-to-service authorization to profile data in watsonx.data.
  • MetastoreView: External users with read access to the metadata through HMS REST APIs in watsonx.data.