Managing user access
Security in IBM® watsonx.data is based on roles. A role is a group of permissions that control the actions you can perform in watsonx.data. To perform certain actions and manage specific sessions in watsonx.data, the user must also have the appropriate authorization.
Authorization is granted by assigning a specific role to the user account. Use the Role Based Access Control feature in watsonx.data to grant users the access privileges they require for their role.
Access to provision IBM Cloud resources is governed by using IAM access and account management services. You must have Administrator privileges to access the resource group in which you need to create the resources.
To manage access, complete the following steps:
-
Log in to the watsonx.data console.
-
From the navigation menu, select Access control. Under the Infrastructure tab, the different components (Engine, Catalog, Storage, and Database) are displayed in the table.
-
To provide access to individual infrastructure component, complete the following steps:
-
Click the overflow icon in the components row and then click Manage access. Alternatively, you can click the Display name of the component. The selected component page opens.
-
Under the Access control tab, click Add access.
-
In the Grant access to users and user groups window, provide the following details.
Add user Field Description Name You can select one or more users or user groups. Role Select the role from the drop-down list. You can assign roles based on the component type. For more information, see Roles and privileges. -
Click Add. The user is added and assigned the role.
-
-
To provide access to infrastructure components in batches, complete the following steps:
-
Click Add access. The Add access to infrastructure components page opens.
-
In the Add access to infrastructure components page, do the following :
- Select the components. You can select a maximum of twenty components at a time.
- Click Next.
- Select the uses or user groups. You can select a maximum of 100 users or user groups altogether at a time.
- Click Next.
- You can view a table with the list of users and the infrastructure components against each user. Select a role against each component from the Choose a role list.
You cannot change the existing role against a user (if it is seen already available in the table) from the page. To edit an existing role, see step 5.
- Click Save. The data is successfully saved.
-
-
To change the role that is assigned to a user, complete the following steps:
-
Under the Infrastructure tab, click the Display name of the component in the table.
The Access control tab for selected component opens.
-
Click the overflow menu for the selected user and then select Change role.
-
In the Change role window, select the role from the drop-down list.
-
Click Save.
-
-
To remove a user for a component, complete the following steps:
A catalog admin or a user who belongs to a group with an admin role can remove their own access to the catalog.
-
Under the Infrastructure tab, click the Display name of the component in the table.
The Access control tab for the selected component opens.
-
Click the overflow menu for the selected user and then select Remove.
-
In the Confirm removal window, click Remove.
The user remains in the Access control tab after removing from IBM Cloud or Cloud Pak for Data. You must remove the user manually from the Access control tab. You might see the user in the Access control tab of the engine after confirming the removal. It takes up to 20 minutes for the access revoke to be effective for the user and disappear from the tab.
-
-
To export the resource policies, complete the following steps:
You can export the details to a JSON file.
- Under the Infrastructure tab, select a component and click the Display name of the component in the table.
- The Access control tab for the selected component opens with the list of existing resource policies.
- To export the policies, select the required (or all) policies and click the Export link.
- The Export Users page opens. Specify the file name and click Export. The file gets downloaded to your machine.
-
To import the resource policies, complete the following steps:
You can import JSON files only.
a. Under the Infrastructure tab, select a component and click the Display name of the component in the table. b. The Access control tab for the selected component opens. c. To import policies, click the Import link. The Import page opens. d. In the Upload File section, select the file with policies that you want to upload. e. Click Next. The Validate section appears. The file that you uploaded is validated and if any invalid data items are found, it gets displayed in the Invalid data items table with the error description. f. Click Next. The Summary section opens. Verify and click Add imported users.