Managing roles and privileges
A role is a set of privileges that is assigned to a user to allow the user to perform and manage certain tasks in IBM® watsonx.data.
watsonx.data provides a set of predefined roles: Administrator, User, Manager, Writer, and Reader. Some resource types use additional resource-specific roles, which appear in the tables below (for example, Metastore Access at the instance level, and Editor and Viewer for the Milvus service).
Use the Access control page to manage users and roles in watsonx.data. For more information, see Managing user access.
The following tables list, for each resource type, who holds admin or user access by default and which actions each role is permitted to perform:
Formation, Instance, and Install
Default admin access
Formation admins (IAM) have the default admin access.
Default user access
IAM formation non-admins (Operator, Editor, Viewer) have the default user access.
Resource-level permissions
Action | Admin | User | Metastore Access |
---|---|---|---|
Create Presto (Java) or Presto (C++) engines | ✓ | ||
Create or register Spark engines | ✓ | ||
Create Milvus services | ✓ | ||
Delete Milvus services | ✓ | ||
View Milvus services | ✓ | ||
Restart the internal HMS | ✓ | ||
Scale the Presto (Java) or Presto (C++) engines | ✓ | ||
Unregister any bucket | ✓ | ||
Unregister any DB Connection | ✓ | ||
Activate cataloged buckets (restart HMS) | ✓ | ||
Register and unregister own bucket | ✓ | ✓ | ✓ |
Register and unregister own DB connection | ✓ | ✓ | ✓ |
Access the metastore | ✓ | ✓ |
Engine (Presto (Java) or Presto (C++))
Default admin access
Formation admins (IAM) have the default admin access.
Resource-level permissions
Action | Admin | Manager | User | Users without an explicit role |
---|---|---|---|---|
Delete | ✓ | |||
Grant and revoke access | ✓ | |||
Pause and resume | ✓ | ✓ | ||
Restart | ✓ | ✓ | ||
Associate and disassociate catalog | ✓ | ✓ | ||
Access the Presto (Java) or Presto (C++) query monitor UI | ✓ | ✓ | ||
View existence (infra page and …/api/…/ engines) | ✓ | ✓ | ✓ | |
Run workloads against the engine | ✓ | ✓ | ✓ | |
Engine (External Spark)
Default admin access
Formation admins (IAM) have the default admin access.
Resource-level permissions
Action | Admin | Manager | User | Users without an explicit role |
---|---|---|---|---|
Delete | ✓ | |||
Grant and revoke access | ✓ | |||
Update Spark engine metadata (like tags and description) | ✓ | ✓ | ||
Scale Spark engine | ✓ | ✓ | ||
View existence (infra page and …/api/…/ engines) | ✓ | ✓ | ✓ | |
Run workloads against the engine | ✓ | ✓ | ✓ | |
Engine (Native Spark)
Default admin access
Default admin access is granted to:
- Formation admins (IAM)
- Instance admins (CPD)
- Install admins (Dev)
Resource-level permissions
Action | Admin | Manager | User | Users without an explicit role |
---|---|---|---|---|
Create and delete engine | ✓ | |||
Grant and revoke access | ✓ | |||
Scale engine | ✓ | ✓ | ||
Pause and resume | ✓ | ✓ | ||
Update Spark engine metadata (like tags and description) | ✓ | ✓ | ||
Update Spark default version | ✓ | ✓ | ||
Update Spark default configuration | ✓ | ✓ | ||
Scale Spark engine | ✓ | ✓ | ||
Start and stop Spark history server | ✓ | ✓ | ✓ | |
View Spark history UI | ✓ | ✓ | ✓ | |
View Spark UI | ✓ | ✓ | ✓ | |
Associate and disassociate catalog | ✓ | ✓ | ||
View existence (infra page and …/api/…/ engines) | ✓ | ✓ | ✓ | |
Run workloads against the engine | ✓ | ✓ | ✓ | |
Service (Milvus)
Default admin access
Formation admins (IAM) have the default admin access.
Resource-level permissions
Action | Admin | Editor | Viewer | Users without an explicit role | Database creator (Implicit role) | Collection creator (Implicit role) |
---|---|---|---|---|---|---|
View assigned Milvus service | ✓ | ✓ | ✓ | ✓ | ||
Delete assigned Milvus service | ✓ | |||||
Grant access to assigned Milvus service | ✓ | |||||
Revoke access from assigned Milvus service | ✓ | |||||
Collection CreateIndex | ✓ | ✓ | ✓ | ✓ | ||
Collection DropIndex | ✓ | ✓ | ✓ | ✓ | ||
Global CreateCollection | ✓ | ✓ | ✓ | |||
Global DescribeCollection | ✓ | ✓ | ✓ | ✓ | ✓ | |
Global ShowCollections | ✓ | ✓ | ✓ | ✓ | ||
Collection CreateAlias | ✓ | ✓ | ✓ | |||
Collection DropAlias | ✓ | ✓ | ✓ | |||
Collection DescribeAlias | ✓ | ✓ | ✓ | ✓ | ||
Collection ListAliases | ✓ | ✓ | ✓ | ✓ | ✓ | |
Global FlushAll | ✓ | ✓ | ||||
Global CreateResourceGroup | ✓ | |||||
Global DropResourceGroup | ✓ | |||||
Global DescribeResourceGroup | ✓ | |||||
Global ListResourceGroups | ✓ | |||||
Global TransferNode | ✓ | |||||
Global TransferReplica | ✓ | |||||
Global CreateDatabase | ✓ | ✓ | ||||
Global DropDatabase | ✓ | ✓ | ||||
Global ListDatabases | ✓ | ✓ | ✓ | |||
Collection IndexDetail | ✓ | ✓ | ✓ | ✓ | ✓ | |
Collection Search | ✓ | ✓ | ✓ | ✓ | ✓ | |
Collection Query | ✓ | ✓ | ✓ | ✓ | ✓ | |
Collection Load | ✓ | ✓ | ✓ | ✓ | ||
Collection GetLoadState | ✓ | ✓ | ✓ | ✓ | ||
Collection Release | ✓ | ✓ | ✓ | ✓ | ||
Collection RenameCollection | ✓ | ✓ | ✓ | ✓ | ||
Collection DropCollection | ✓ | ✓ | ✓ | ✓ | ||
Collection Insert | ✓ | ✓ | ✓ | ✓ | ||
Collection Delete | ✓ | ✓ | ✓ | ✓ | ||
Collection Flush | ✓ | ✓ | ✓ | ✓ | ||
Collection GetFlushState | ✓ | ✓ | ✓ | ✓ | ||
Collection Upsert | ✓ | ✓ | ✓ | ✓ | ||
Collection GetStatistics | ✓ | ✓ | ✓ | ✓ | ||
Collection Compaction | ✓ | ✓ | ✓ | ✓ | ||
Collection Import | ✓ | ✓ | ✓ | ✓ | ||
Collection LoadBalance | ✓ | ✓ | ✓ | ✓ | ||
Collection CreatePartition | ✓ | ✓ | ✓ | ✓ | ||
Collection DropPartition | ✓ | ✓ | ✓ | ✓ | ||
Collection ShowPartitions | ✓ | ✓ | ✓ | ✓ | ✓ | |
Collection HasPartition | ✓ | ✓ | ✓ | ✓ | ✓ | |
Bucket
Default admin access (only if creator)
Formation admins (IAM) have the default admin access.
Resource-level permissions
Action | Admin | Writer | Reader | Users without an explicit role |
---|---|---|---|---|
Unregister | ✓ | |||
Update bucket properties (credentials) | ✓ | |||
Grant and revoke access | ✓ | |||
Modify files | ✓ | ✓ | ||
Browse (bucket browser in UI) | ✓ | ✓ | ✓ | |
View existence (infra page and …/api/…/ buckets) | ✓ | ✓ | ✓ | ✓ |
If you want to unregister or delete a bucket, you must first deactivate the bucket.
S3 REST API permissions (specific to IBM Spark and S3 proxy)
A user's bucket role applies to every subfolder and file in that bucket. Alternatively, a user can be granted individual data-object actions (Read, Write, Delete) on particular folders or files without holding a bucket role. The following tables map the bucket roles and the data-object actions to the S3 REST API methods they permit.
These tables apply only when access goes through an S3 signature, that is, when you use IBM Spark (which signs requests with an S3 signature by default) or the S3 proxy.
Bucket role | S3 REST API permission |
---|---|
Writer | GET; HEAD; PUT; POST; PATCH; DELETE |
Reader | GET; HEAD |
Admin | GET; HEAD; PUT; POST; PATCH; DELETE |
Data object action | S3 REST API permission |
---|---|
Read | GET; HEAD |
Write | GET; HEAD; PUT; PATCH; POST without ?delete parameter |
Delete | DELETE; POST with ?delete parameter |
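The following is an added example, not code from watsonx.data or its S3 proxy, showing how the two tables above combine into one deny-by-default authorization decision for an incoming S3 request. It assumes path-style addressing (`/bucket/key`), a hypothetical `ObjectGrant` type for the folder- or file-level grants the text mentions, and constructed request lines rather than captured traffic. The point worth seeing in code is the `POST` edge case: `POST` is a write unless it carries the `?delete` query parameter, in which case it is S3 multi-object delete and must be treated as a Delete.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Bucket role -> HTTP methods it permits, from the "Bucket role" table.
ROLE_METHODS = {
    "Admin": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Writer": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Reader": {"GET", "HEAD"},
}

# Data-object action -> request classes it covers, from the "Data object
# action" table. Write covers reads too because GET and HEAD are listed
# under Write; Delete covers only the delete request class.
ACTION_COVERS = {
    "Read": {"Read"},
    "Write": {"Read", "Write"},
    "Delete": {"Delete"},
}


@dataclass(frozen=True)
class ObjectGrant:
    """Hypothetical object-level grant (an assumption of this example):
    a folder prefix such as "reports/" or an exact key such as "reports/q1.csv",
    plus the subset of {"Read", "Write", "Delete"} granted on it."""
    prefix: str
    actions: frozenset


def classify(method: str, query: Dict[str, List[str]]) -> Optional[str]:
    """Map an S3 request to the request class used by the data-object table.

    POST is a write (for example, initiating a multipart upload) unless it
    carries ?delete, which is S3 multi-object delete and therefore a Delete.
    Unknown verbs map to None so the caller denies them.
    """
    method = method.upper()
    if method in ("GET", "HEAD"):
        return "Read"
    if method in ("PUT", "PATCH"):
        return "Write"
    if method == "POST":
        return "Delete" if "delete" in query else "Write"
    if method == "DELETE":
        return "Delete"
    return None


def parse_request(line: str) -> Tuple[str, str, str, Dict[str, List[str]]]:
    """Split a request line such as 'POST /data?delete HTTP/1.1' into
    (method, bucket, key, query). Path-style addressing is assumed, so the
    first path segment is the bucket; a bucket-level request has an empty key."""
    method, target = line.split()[:2]
    parts = urlsplit(target)
    bucket, _, key = parts.path.lstrip("/").partition("/")
    # keep_blank_values keeps bare flags like "?delete" as a key with "" value
    query = parse_qs(parts.query, keep_blank_values=True)
    return method.upper(), bucket, key, query


def grant_matches(grant: ObjectGrant, key: str) -> bool:
    """A folder grant (prefix ending in '/') covers everything under it;
    any other prefix must match the object key exactly."""
    if grant.prefix.endswith("/"):
        return key.startswith(grant.prefix)
    return key == grant.prefix


def is_allowed(line: str, role: Optional[str] = None,
               grants: Iterable[ObjectGrant] = ()) -> bool:
    """Deny by default. Allow when the bucket role permits the HTTP method
    (the role covers the whole bucket) or when an object-level grant on this
    key covers the request class."""
    method, _bucket, key, query = parse_request(line)
    if role is not None and method in ROLE_METHODS.get(role, set()):
        return True
    request_class = classify(method, query)
    if request_class is None:
        return False
    for grant in grants:
        if not grant_matches(grant, key):
            continue
        covered = set().union(*(ACTION_COVERS[a] for a in grant.actions))
        if request_class in covered:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, not captured from a real deployment.
    reports_writer = ObjectGrant("reports/", frozenset({"Write"}))
    samples = [
        ("GET /data/reports/q1.csv HTTP/1.1", "Reader", ()),
        ("PUT /data/reports/q1.csv HTTP/1.1", "Reader", ()),
        ("POST /data?delete HTTP/1.1", "Writer", ()),
        ("POST /data/reports/q1.csv?uploads HTTP/1.1", None, [reports_writer]),
        ("DELETE /data/reports/q1.csv HTTP/1.1", None, [reports_writer]),
    ]
    for line, role, grants in samples:
        verdict = "ALLOW" if is_allowed(line, role, grants) else "DENY"
        print(f"{verdict:5} role={role or '-':6} {line}")
```

Two design points follow from the tables rather than from anything extra. First, a Write grant on a folder also permits `GET` and `HEAD` under it, because the Write row lists those methods; a separate Read grant is only needed when a user must not write. Second, multi-object delete (`POST ?delete`) is addressed to the bucket, not to an object key, so a folder- or file-level Delete grant cannot match it in this model and the operation needs a bucket role that permits `DELETE`; the keys being deleted live in the request body, which this check never inspects.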
Database
Default admin access (only if creator)
Formation admins (IAM) have the default admin access.
Resource-level permissions
Action | Admin | Writer | Reader | Users without an explicit role |
---|---|---|---|---|
Unregister | ✓ | |||
Update db conn properties (credentials) | ✓ | |||
Grant and revoke access | ✓ | |||
Modify database objects | ✓ | ✓ | ||
View existence (infra page and …/api/…/extdb ) | ✓ | ✓ | ✓ | ✓ |
Catalog
Default admin access (based on the data access control policies that an admin defines in watsonx.data)
Formation admins (IAM) have the default admin access.
Default user access (based on the data access control policies that an admin defines in watsonx.data)
IAM formation non-admins (Operator, Editor, Viewer) have the default user access.
Resource-level permissions
Action | Admin | User | Users without an explicit role |
---|---|---|---|
Delete | ✓ | ||
Grant and revoke access | ✓ | ||
Access to data | ✓ | Based on data policy | |
View existence (infra page and …/ ) | ✓ | ✓ | |
Schema
Default admin access (based on the data access control policies that an admin defines in watsonx.data)
Formation admins (IAM) have the default admin access.
Default user access (based on the data access control policies that an admin defines in watsonx.data)
IAM formation non-admins (Operator, Editor, Viewer) have the default user access.
Resource-level permissions
Action | Catalog Admin or schema creator | Others |
---|---|---|
Grant and revoke access | ✓ | |
Drop | ✓ | |
Access | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Create table | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Table
Default admin access (based on the data access control policies that an admin defines in watsonx.data)
Formation admins (IAM) have the default admin access.
Default user access (based on the data access control policies that an admin defines in watsonx.data)
IAM formation non-admins (Operator, Editor, Viewer) have the default user access.
Resource-level permissions
Action | Catalog Admin or schema admin or table creator | Others |
---|---|---|
Create, drop, and alter | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Column access | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Select | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Insert | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Update | ✓ | Based on the data access control policies that an admin defines in watsonx.data |
Delete | ✓ | Based on the data access control policies that an admin defines in watsonx.data |