IBM Cloud Docs
Managing roles and privileges

A role is a set of privileges that is assigned to a user to allow the user to perform and manage certain tasks in IBM® watsonx.data.

watsonx.data provides a set of predefined roles: Administrator, User, Manager, Writer, and Reader.

Use the Access control page to manage users and roles in watsonx.data. For more information, see Managing user access.

The following tables describe the privileges that you can assign to roles and associated permissions:

Formation, Instance, and Install

Default admin access

Formation admins (IAM) have the default admin access.

Default user access

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Table 1. Resource-level permissions
Action Admin User Metastore Access
Create Presto (Java) or Presto (C++) engines
Create or register Spark engines
Create Milvus services
Delete Milvus services
View Milvus services
Restart the internal HMS
Scale the Presto (Java) or Presto (C++) engines
Unregister any bucket
Unregister any DB Connection
Activate cataloged buckets (restart HMS)
Register and unregister own bucket
Register and unregister own DB connection
Access the metastore

Engine (Presto (Java) or Presto (C++))

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Table 2. Resource-level permissions
Action Admin Manager User Users without an explicit role
Delete
Grant and revoke access
Pause and resume
Restart
Associate and disassociate catalog
Access the Presto (Java) or Presto (C++) query monitor UI
View existence (infra page and …/api/…/ engines)
Run workloads against the engine

Engine (External Spark)

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Table 3. Resource-level permissions
Action Admin Manager User Users without an explicit role
Delete
Grant and revoke access
Update Spark engine metadata (like tags and description)
Scale Spark engine
View existence (infra page and …/api/…/ engines)
Run workloads against the engine

Engine (Native Spark)

Default admin access

Default user access is granted to:

  • Formation admins (IAM)
  • Instance admins (CPD)
  • Install admins (Dev)

Resource-level permissions

Table 2. Resource-level permissions
Action Admin Manager User Users without an explicit role
Create and delete engine
Grant and revoke access
Scale engine
Pause and resume
Update Spark engine metadata (like tags and description)
Update Spark default version
Update Spark default configuration
Scale Spark engine
Start and stop Spark history server
View Spark history UI
View Spark UI
Associate and disassociate catalog
View existence (infra page and …/api/…/ engines)
Run workloads against the engine

Service (Milvus)

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Table 4. Resource-level permissions
Action Admin Editor Viewer Users without an explicit role Database creator (Implicit role) Collection creator (Implicit role)
View assigned Milvus service
Delete assigned Milvus service
Grant access to assigned Milvus service
Revoke access from assigned Milvus service
Collection CreateIndex
Collection DropIndex
Global CreateCollection
Global DescribeCollection
Global ShowCollections
Collection CreateAlias
Collection DropAlias
Collection DescribeAlias
Collection ListAliases
Global FlushAll
Global CreateResourceGroup
Global DropResourceGroup
Global DescribeResourceGroup
Global ListResourceGroups
Global TransferNode
Global TransferReplica
Global CreateDatabase
Global DropDatabase
Global ListDatabases
Collection IndexDetail
Collection Search
Collection Query
Collection Load
Collection GetLoadState
Collection Release
Collection RenameCollection
Collection DropCollection
Collection Insert
Collection Delete
Collection Flush
Collection GetFlushState
Collection Upsert
Collection GetStatistics
Collection Compaction
Collection Import
Collection LoadBalance
Collection CreatePartition
Collection DropPartition
Collection ShowPartitions
Collection HasPartition

Bucket

Default admin access (only if creator)

Formation admins (IAM) have the default admin access.

Resource-level permissions

Table 5. Resource-level permissions
Action Admin Writer Reader Users without an explicit role
Unregister
Update bucket properties (credentials)
Grant and revoke access
Modify files
Browse (bucket browser in UI)
View existence (infra page and …/api/…/ buckets)

If you want to unregister or delete a bucket, you must first deactivate the bucket.

S3 REST API permissions (specific to IBM Spark and S3 proxy)

A user can hold a bucket role, which applies to all sub-folders and files in the bucket, or can be granted data-object actions on particular folders or files. The following tables explain the bucket-level and data-object-level S3 REST API permissions.

The following tables apply only if you use IBM Spark (which uses an S3 signature by default) or the S3 proxy.

Table 6. Bucket-level access control in Access control > Infrastructure or Infrastructure manager > select bucket and assign roles
Bucket role S3 REST API permission
Writer GET; HEAD; PUT; POST; PATCH; DELETE
Reader GET; HEAD
Admin GET; HEAD; PUT; POST; PATCH; DELETE
Table 7. Data-object-level access control in Access control > Policies
Data object action S3 REST API permission
Read GET; HEAD
Write GET; HEAD; PUT; PATCH; POST without ?delete parameter
Delete DELETE; POST with ?delete parameter
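To make the two tables concrete, here is an added example (not IBM's code) of an authorization check that applies Table 6 for a bucket role and Table 7 for data-object grants, including the rule that a POST with the ?delete parameter counts as Delete rather than Write. The `object_grants` mapping (key prefix to set of actions) is a constructed stand-in for the grants made under Access control > Policies, not the product's data model.

```python
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Table 6: bucket role -> S3 REST methods permitted on every key in the bucket.
BUCKET_ROLE_METHODS = {
    "Admin": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Writer": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Reader": {"GET", "HEAD"},
}


def is_post_delete(method: str, path: str) -> bool:
    """True for a POST that carries the ?delete query parameter (the S3 multi-object delete form)."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return method == "POST" and "delete" in query


def object_action_permits(action: str, method: str, path: str) -> bool:
    """Table 7: which S3 REST methods a data-object action (Read, Write, Delete) permits."""
    post_delete = is_post_delete(method, path)
    if action == "Read":
        return method in {"GET", "HEAD"}
    if action == "Write":
        # POST is a write only when it is not the ?delete form.
        return method in {"GET", "HEAD", "PUT", "PATCH"} or (method == "POST" and not post_delete)
    if action == "Delete":
        return method == "DELETE" or post_delete
    return False  # unknown action names grant nothing


def authorize(method: str, path: str, bucket_role: Optional[str] = None,
              object_grants: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Decide whether a request ("PUT", "/sales/q1.parquet?x=1") is permitted.

    A bucket role covers every key in the bucket; otherwise any grant whose
    key prefix matches the requested key is consulted. Deny by default.
    """
    method = method.upper()
    if bucket_role is not None and method in BUCKET_ROLE_METHODS.get(bucket_role, set()):
        return True
    key = urlsplit(path).path.lstrip("/")
    for prefix, actions in (object_grants or {}).items():
        if key.startswith(prefix) and any(object_action_permits(a, method, path) for a in actions):
            return True
    return False
```

The check is deny-by-default: an unknown role name or an unknown action name grants no method, so a typo in a grant fails closed.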

Database

Default admin access (only if creator)

Formation admins (IAM) have the default admin access.

Resource-level permissions

Table 8. Resource-level permissions
Action Admin Writer Reader Users without an explicit role
Unregister
Update db conn properties (credentials)
Grant and revoke access
Modify database objects
View existence (infra page and …/api/…/extdb)

Catalog

Default admin access (based on access data control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on access data control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Table 9. Resource-level permissions
Action Admin User Users without an explicit role
Delete
Grant and revoke access
Access to data (based on data policy)
View existence (infra page and …/)

Schema

Default admin access (based on access data control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on access data control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Table 10. Resource-level permissions
Action Catalog Admin or schema creator Others
Grant and revoke access
Drop
Access based on access data control policies defined in watsonx.data by admin
Create table based on access data control policies defined in watsonx.data by admin

Table

Default admin access (based on access data control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on access data control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Table 11. Resource-level permissions
Action Catalog Admin or schema admin or table creator Others
Create, drop, and alter based on access data control policies defined in watsonx.data by admin
Column access based on access data control policies defined in watsonx.data by admin
Select based on access data control policies defined in watsonx.data by admin
Insert based on access data control policies defined in watsonx.data by admin
Update based on access data control policies defined in watsonx.data by admin
Delete based on access data control policies defined in watsonx.data by admin