As an Administrator, you add the people in your organization who need access to Cloud Pak for Data as a Service to the IBM Cloud account and then assign them the appropriate roles for their tasks.
- Add nonadministrative users to the IBM Cloud account and assign access groups or roles so that they can work in Cloud Pak for Data as a Service. The new users receive an email invitation to join the account. They must accept the invitation to be added to the account.
- Set up access groups to simplify permissions and role assignment. See Setting up access groups.
- Optional: Add administrative users to the IBM Cloud account.
Add nonadministrative users to your IBM Cloud account
You invite users to your IBM Cloud account by sending an email invitation. The user accepts the invitation to join the account. You must assign them roles (or access groups) to provide the necessary permissions to work in Cloud Pak for Data as a Service. For a baseline role assignment, you can provide minimum permissions by assigning the following roles in the Manage > Access(IAM) > Users > Invite users > Access policy screen in IBM Cloud:
Level | Role | Description |
---|---|---|
Service | All Identity and Access enabled services | Can access all services that use IAM for access management; usually assigned only to administrators in a production environment |
Resources | All resources | Scope of resources for which user has access |
Resource group access | Viewer | Can view but not modify resource groups |
Service access | Reader | Can perform read-only actions within a service |
Platform access | Viewer | Can view but not modify service instances |
A convenient method for assigning roles is to create access groups and assign new users to one or more access groups. Examples of basic access groups are provided as suggestions for how to get started with access groups. See Example IAM access groups. You can assign the new users to the CPD-Common-User group to provide minimum permissions.
Later, you can assign specific roles or access groups based on the tasks the user performs in Cloud Pak for Data as a Service.
IBM account membership
To be authorized for Cloud Pak for Data as a Service, users must have existing IBMids. If the invited user does not have an IBMid, it is created for them when they join the account.
Assigning roles
Access groups expedite role assignments by grouping permissions for large numbers of users. You create a group and assign policies and rules to the group. When you assign users to an access group, they are awarded access based on the group parameters. All members of an access group have the same access permissions, and all members are updated when the policy is edited.
After creating a set of access groups, follow these steps to add users as members of an access group:
- From Cloud Pak for Data as a Service, click Administration > Access (IAM) to open the Manage access and users page for your IBM Cloud account.
- Click Users > Invite users.
- Enter one or more email addresses that are separated by commas, spaces, or line breaks. The limit is 100 email addresses. The settings apply to all the email addresses.
- Click the Access groups tile and select one or more access groups, then click Add. Access groups are created prior to adding users. See Setting up IAM access groups and Example IAM access groups.
- Click Invite to send an email invitation to each email address. The user is assigned to the access group when they accept the invitation to join the account.
Alternatively, you can assign minimum permissions to individual users:
-
From Cloud Pak for Data as a Service, click Administration > Access (IAM) to open the Manage access and users page for your IBM Cloud account.
-
Click Users > Invite users+.
-
Enter one or more email addresses that are separated by commas, spaces, or line breaks. The limit is 100 email addresses. The settings apply to all the email addresses.
-
Click the Access policy tile.
-
Select All Identity and Access enabled services, then click Next to assign Resource access.
-
For Resources, choose All resources. Click Next.
-
For Resource group access, choose Viewer. Click Next
-
For Roles and action, choose the following minimum permissions:
- In the Service access section, select Reader
- In the Platform access section, select Viewer.
-
Review the settings and edit if necessary.
-
Click Add to save the policy.
-
Click Invite to send an email invitation to each email address. The policies are assigned to the users when they accept the invitation to join the account.
Watch this video to see how to invite users to your account.
This video provides a visual method to learn the concepts and tasks in this documentation.
Modifying a user's role
When you change a user's role, their access to services changes. Their ability to complete work in Cloud Pak for Data as a Service can be impacted if they do not have the necessary access.
Optional: Add administrative users to your IBM Cloud account
You can add administrative users with the Administrator role for account management. This role also provides the Manager role for all services in the account. For example, users with this role can create catalogs, governance artifacts, categories, and reports with IBM Knowledge Catalog.
To add a user as an IBM Cloud account administrator:
- Follow the steps to add a non-administrative user, except change these settings for an individual user's roles:
- In the Service access section, select Manager.
- In the Platform access section, select Administrator.
- Alternatively, create an access group containing these roles and assign the user to the access group. See Setting up IAM access groups.
- Click Invite. The new users receive an email invitation to join the account. They must accept the invitation to be added to the account.
- After the user joins the account, add account management permissions. Click the user's name, then Access > Assign access under Access policies.
- For the service to assign access to, choose All Account Management Services.
- Next, in the Platform access section, select Administrator and click Add.
- Click Assign.
Next steps
- Setting up IAM access groups.
- Finish setting up the platform.
- Upgrade your service instances to billable plans.
Learn more
- Working with IAM access groups
- Roles in Cloud Pak for Data as a Service
- IBM Cloud docs: Account types
- IBM Cloud docs: IAM access
- IBM Cloud docs: What is IBM Cloud Identity and Access Management
- IBM Cloud docs: Setting up access groups
- IBM Cloud docs: Giving access to resources in resource groups
Parent topic: Managing users and access