IBM Cloud Docs
Managing roles and privileges

A role is a set of privileges that is assigned to a user to allow the user to perform and manage certain tasks in IBM® watsonx.data.

watsonx.data provides a set of predefined roles: Administrator, User, Manager, Writer, and Reader.

Use the Access control page to manage users and roles in watsonx.data. For more information, see Managing user access.

The following tables describe, for each type of resource, the privileges that you can assign to roles and the permissions that are associated with them:

Instance and Install

Default admin access

Formation admins (IAM) have the default admin access.

Default user access

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Roles (table columns): Admin, User, Metastore Access

Actions:
  • Create Presto (Java) or Presto (C++) engines
  • Create or register Spark engines
  • Create Milvus services
  • Delete Milvus services
  • View Milvus services
  • Restart the internal HMS
  • Scale the Presto (Java) or Presto (C++) engines
  • Unregister any storage
  • Unregister any DB connection
  • Activate cataloged storage (restart HMS)
  • Register and unregister own storage
  • Register and unregister own DB connection
  • Access the metastore
  • Run Spark ingestion jobs

Engine (Presto (Java) or Presto (C++))

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Roles (table columns): Admin, Manager, User, Users without an explicit role

Actions:
  • Delete
  • Grant and revoke access
  • Pause and resume
  • Restart
  • Associate and disassociate catalog
  • Access the Presto (Java) or Presto (C++) query monitor UI
  • View (UI and API)
  • Run workloads against the engine

Engine (External Spark)

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Roles (table columns): Admin, Manager, User, Users without an explicit role

Actions:
  • Delete
  • Grant and revoke access
  • Update Spark engine metadata (like tags and description)
  • Scale Spark engine
  • View (UI and API)
  • Run workloads against the engine

Engine (Native Spark)

Default admin access

Default user access is granted to:

  • Formation admins (IAM)
  • Instance admins (CPD)
  • Install admins (Dev)

Resource-level permissions

Roles (table columns): Admin, Manager, User, Users without an explicit role

Actions:
  • Create and delete engine
  • Grant and revoke access
  • Scale engine
  • Pause and resume
  • Update Spark engine metadata (like tags and description)
  • Update Spark default version
  • Update Spark default configuration
  • Scale Spark engine
  • Start and stop Spark history server
  • View Spark history UI
  • View Spark UI
  • Associate and disassociate catalog
  • View (UI and API)
  • Run workloads against the engine

Service (Milvus)

Default admin access

Formation admins (IAM) have the default admin access.

Resource-level permissions

Roles (table columns): Admin, Editor, Viewer, User, Database creator (implicit role), Collection creator (implicit role), Partition creator (implicit role)

Actions:
  • View assigned Milvus service
  • Delete assigned Milvus service
  • Grant access to assigned Milvus service
  • Revoke access from assigned Milvus service
  • Pause Milvus service
  • Resume Milvus service
  • Collection CreateIndex
  • Collection DropIndex
  • Global CreateCollection
  • Global DescribeCollection
  • Global ShowCollections
  • Global CreateAlias
  • Global DropAlias
  • Global DescribeAlias
  • Global ListAliases
  • Global FlushAll
  • Global CreateResourceGroup
  • Global DropResourceGroup
  • Global DescribeResourceGroup
  • Global ListResourceGroups
  • Global TransferNode
  • Global TransferReplica
  • Global CreateDatabase
  • Global DropDatabase
  • Global ListDatabases
  • Collection IndexDetail
  • Collection Search
  • Collection Query
  • Collection Load
  • Collection GetLoadingProgress
  • Collection GetLoadState
  • Collection Release
  • Collection RenameCollection
  • Collection DropCollection
  • Collection Insert
  • Collection Delete
  • Collection Flush
  • Collection GetFlushState
  • Collection Upsert
  • Collection GetStatistics
  • Collection Compaction
  • Collection Import
  • Collection LoadBalance
  • Collection CreatePartition
  • Collection DropPartition
  • Collection ShowPartitions
  • Collection HasPartition

Storage

Default admin access (only if creator)

Formation admins (IAM) have the default admin access.

Resource-level permissions

Roles (table columns): Admin, Writer, Reader, Users without an explicit role

Actions:
  • Unregister
  • Update storage properties (credentials)
  • Grant and revoke access
  • Modify files
  • Browse (storage browser in UI)
  • View (UI and API)

If you want to unregister or delete a storage, you must first deactivate the storage.

S3 REST API permissions (specific to IBM Spark and S3 proxy)

Users can be given a storage-level role, which applies to all subfolders and files in a storage, or can be granted data-object actions for particular folders or files. The following tables explain the storage-level and data-object-level S3 REST API permissions.

The following tables are applicable only if you are using IBM Spark, which by default uses an S3 signature, or if you are using the S3 proxy.

Storage-level access control (Access control > Infrastructure, or Infrastructure manager > select storage and assign roles):
  • Writer: GET; HEAD; PUT; POST; PATCH; DELETE
  • Reader: GET; HEAD
  • Admin: GET; HEAD; PUT; POST; PATCH; DELETE

Data-object-level access control (Access control > Policies):
  • Read: GET; HEAD
  • Write: GET; HEAD; PUT; PATCH; POST without the ?delete parameter
  • Delete: DELETE; POST with the ?delete parameter
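The following is an added example, not IBM's or watsonx.data's own code. It encodes the two S3 REST API tables above (storage-level role to permitted HTTP methods, data-object-level action to permitted HTTP methods) and evaluates requests the way an S3 proxy would before forwarding them, including the edge case that a POST carrying the ?delete query parameter (the S3 multi-object delete operation) is a Delete and not a Write. The Grant type, the authorize function, and all policy records and requests are constructed for this illustration and are not part of the product's API.

```python
"""Authorization checks modelled on the S3 REST API permission tables.

Added example, not IBM's or watsonx.data's code. Policy records and requests
are constructed sample data; Grant and authorize are hypothetical names.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Storage-level roles (Access control > Infrastructure manager): a role
# applies to every folder and file in the storage.
STORAGE_ROLE_METHODS = {
    "Writer": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Reader": {"GET", "HEAD"},
    "Admin": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
}


def action_permits(action: str, method: str, has_delete_param: bool) -> bool:
    """Does a data-object action (Access control > Policies) permit this request?

    Edge case from the table: POST with the ?delete parameter is a Delete,
    so a Write-only grant must refuse it even though plain POST is a Write.
    """
    if action == "Read":
        return method in {"GET", "HEAD"}
    if action == "Write":
        return method in {"GET", "HEAD", "PUT", "PATCH"} or (
            method == "POST" and not has_delete_param
        )
    if action == "Delete":
        return method == "DELETE" or (method == "POST" and has_delete_param)
    raise ValueError(f"unknown data-object action: {action}")


@dataclass(frozen=True)
class Grant:
    """Hypothetical data-object-level grant: actions allowed under `prefix`."""
    prefix: str          # "bucket/folder/" without a leading slash
    actions: frozenset   # subset of {"Read", "Write", "Delete"}


def authorize(method: str, url: str, storage_role: Optional[str],
              grants: list[Grant]) -> tuple[bool, str]:
    """Return (allowed, reason) for one request against a user's policy.

    Assumes all requests target the single storage the role was assigned on.
    A request is allowed if the storage-level role permits the method, or if
    a grant whose prefix covers the object path permits it; otherwise denied.
    """
    parts = urlsplit(url)
    method = method.upper()
    obj_path = parts.path.lstrip("/")
    has_delete_param = "delete" in parse_qs(parts.query, keep_blank_values=True)

    if storage_role is not None:
        if storage_role not in STORAGE_ROLE_METHODS:
            raise ValueError(f"unknown storage role: {storage_role}")
        if method in STORAGE_ROLE_METHODS[storage_role]:
            return True, f"storage role {storage_role} permits {method}"

    for grant in grants:
        if not obj_path.startswith(grant.prefix):
            continue
        for action in sorted(grant.actions):
            if action_permits(action, method, has_delete_param):
                return True, f"grant {action} on {grant.prefix} permits {method}"

    return False, f"no role or grant permits {method} on {obj_path or '/'}"


# Constructed sample policy: Reader on the whole storage, plus Write (but not
# Delete) on one staging folder.
SAMPLE_ROLE = "Reader"
SAMPLE_GRANTS = [Grant("sales/staging/", frozenset({"Write"}))]

# Constructed sample requests, as (method, URL) seen by the proxy.
SAMPLE_REQUESTS = [
    ("GET", "/sales/reports/q1.parquet"),      # Reader role permits
    ("PUT", "/sales/reports/q1.parquet"),      # nothing permits a write here
    ("PUT", "/sales/staging/new.csv"),         # Write grant permits
    ("POST", "/sales/staging/?uploads"),       # POST without ?delete is Write
    ("POST", "/sales/staging/?delete"),        # multi-object delete: denied
    ("DELETE", "/sales/staging/new.csv"),      # no Delete grant: denied
]


def evaluate_samples() -> list[bool]:
    """Decision for each sample request, in order."""
    return [authorize(m, u, SAMPLE_ROLE, SAMPLE_GRANTS)[0] for m, u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{'ALLOW' if ok else 'DENY':5} {m:6} {u}")
```

Because the storage-level role is checked before the per-object grants, a Reader on the storage still gets GET and HEAD everywhere, while writes succeed only inside the folder with an explicit Write grant; the two POST cases show why a proxy must inspect the query string and not only the method.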

Database

Default admin access (only if creator)

Formation admins (IAM) have the default admin access.

Resource-level permissions

Roles (table columns): Admin, Writer, Reader, Users without an explicit role

Actions:
  • Unregister
  • Update DB connection properties (credentials)
  • Grant and revoke access
  • Modify database objects
  • View (UI and API)

Catalog

Default admin access (based on data access control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on data access control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Roles (table columns): Admin, User, Users without an explicit role

Actions:
  • Delete
  • Grant and revoke access
  • Access to data (based on data policy)
  • View (UI and API)

Schema

Default admin access (based on data access control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on data access control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Roles (table columns): Catalog Admin or schema creator, Others

Actions:
  • Grant and revoke access
  • Drop
  • Access (based on data access control policies defined in watsonx.data by admin)
  • Create table (based on data access control policies defined in watsonx.data by admin)

Table

Default admin access (based on data access control policies defined in watsonx.data by admin)

Formation admins (IAM) have the default admin access.

Default user access (based on data access control policies defined in watsonx.data by admin)

IAM formation non-admins (Operator, Editor, Viewer) have the default user access.

Resource-level permissions

Roles (table columns): Catalog Admin or schema admin or table creator, Others

Actions:
  • Create, drop, and alter (based on data access control policies defined in watsonx.data by admin)
  • Column access (based on data access control policies defined in watsonx.data by admin)
  • Select (based on data access control policies defined in watsonx.data by admin)
  • Insert (based on data access control policies defined in watsonx.data by admin)
  • Update (based on data access control policies defined in watsonx.data by admin)
  • Delete (based on data access control policies defined in watsonx.data by admin)