IBM Cloud Docs
IAM roles and actions

IAM roles and actions

It is important to understand how to effectively assign access for users to work with products and take specific account management actions within your account to follow the principle of least privilege and minimize the number of policies that you have to manage. The following tables provide information about the access roles and the actions mapped to each by the IBM Cloud® services.

The following tables provide data from the individual IAM-enabled services that are available from the IBM Cloud catalog as well as the account management services that enable you to assign others the ability to work with users, access groups, support cases, and more in the account. If you don't see a platform roles or service roles table, then that means that particular service doesn't use those types of roles.

Each service has custom actions that they define and map to platform and service roles that you can use to assign access by creating an IAM access policy. If you are trying to assign access and an existing role doesn't fit your needs, you can create a custom role that combines any number of actions that are available for a given service.

For more information about assigning access for each service, check out the documentation for the service that you're using.

Statum KPI

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-amberoon-xaas-statumkpi for the service name.

Platform roles - Statum KPI
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Statum KPI
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Statum KPI
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
3p-amberoon-xaas-statumkpi.dashboard.view Administrator, Editor, Operator

ViziVault Platform

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-anontech-xaas-vizivault for the service name.

Platform roles - ViziVault Platform
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - ViziVault Platform
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - ViziVault Platform
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
3p-anontech-xaas-vizivault.dashboard.view Administrator, Editor, Operator

Cognitive View

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-cognitiveview-xaas-cognitiveview for the service name.

Platform roles - Cognitive View
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Cognitive View
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Cognitive View
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
3p-cognitiveview-xaas-cognitiveview.dashboard.view Administrator, Editor, Operator

SimpleCloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-summusrender-xaas-simplecl0ud for the service name.

Platform roles - SimpleCloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - SimpleCloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - SimpleCloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
3p-summusrender-xaas-simplecl0ud.dashboard.view Administrator, Editor, Operator

VPC+ DRaaS (VPC+ Disaster Recovery as a Service)

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use 3p-wanclds-draas-vpcplus for the service name.

Platform roles - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - VPC+ DRaaS (VPC+ Disaster Recovery as a Service)
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
3p-wanclds-draas-vpcplus.dashboard.view Administrator, Editor, Operator

Watson OpenScale

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use aiopenscale for the service name.

Platform roles - Watson OpenScale
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Watson OpenScale
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Watson OpenScale
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
aiopenscale.dashboard.view View OpenScale Administrator, Editor, Operator, Viewer
aiopenscale.dashboard.edit Edit OpenScale Administrator, Editor, Writer
aiopenscale.dashboard.administer Administer OpenScale Administrator
aiopenscale.kms.read KMS Read Reader

API Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use api-gateway for the service name.

Platform roles - API Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - API Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - API Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
api-gateway.dashboard.view Administrator, Editor, Operator
api-gateway.api.view Manager, Reader, Writer
api-gateway.api.create Manager, Writer
api-gateway.api.edit Manager, Writer
api-gateway.api.delete Manager, Writer
api-gateway.api.share Manager

API Connect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use apiconnect for the service name.

Platform roles - API Connect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - API Connect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
API Developer As an API Developer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Api Administrator As an Api Administrator, you can perform all platform actions except for managing the account and assigning access policies.
Community Manager As a Community Manager, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - API Connect
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
apiconnect.instance.admin apiconnect.instance.admin Administrator
apiconnect.admin.manage Enables API Connect administrators to create provider orgs, manage gateways, and adjust other settings for the environment. Administrator, Api Administrator, Editor, Manager
apiconnect.instance.view apiconnect.instance.view API Developer, Administrator, Api Administrator, Community Manager, Editor, Manager, Operator, Reader, Viewer, Writer
apiconnect.instance.manage-community apiconnect.instance.manage-community Community Manager, Operator
apiconnect.instance.api-admin apiconnect.instance.api-admin Api Administrator, Editor, Manager
apiconnect.instance.develop apiconnect.instance.develop API Developer, Writer

App ID

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use appid for the service name.

Service roles - App ID
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - App ID
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
appid.mgmt.set.sender.details.cd Set the sender details for emails sent to Cloud Directory users. Manager, Writer
appid.mgmt.get.sender.details.cd View the sender details for the emails sent to Cloud Directory users. Manager, Reader, Writer
appid.mgmt.set.redirect.uris Add or update post-authentication redirect URIs. Manager, Writer
appid.mgmt.get.redirect.uris View the post-authentication redirect URIs that are currently configured. Manager, Reader, Writer
appid.mgmt.set.idps Configure the identity provider options that a user has at sign in. Manager, Writer
appid.mgmt.get.idps View the current identity provider options that a user has when they sign in. Manager, Reader, Writer
appid.mgmt.get.recent.activities View recent authentication activity for an application. Manager, Reader, Writer
appid.mgmt.get.ui.config View the current Login Widget configuration including the color and logo. Manager, Reader, Writer
appid.mgmt.set.ui.config Configure the appearance of the Login Widget including the color and logo. Manager, Writer
appid.mgmt.get.user.profile.config Get user information from your app configuration. Manager, Reader, Writer
appid.mgmt.set.user.profile.config Update a user profile with the information from your app. Manager, Writer
appid.mgmt.get.cd.users View Cloud Directory users and their data. Manager, Reader, Writer
appid.mgmt.add.cd.user Create a Cloud Directory user Manager, Writer
appid.mgmt.set.cd.user Update a Cloud Directory user's information. Manager, Writer
appid.mgmt.delete.cd.user Delete a user from Cloud Directory. Manager, Writer
appid.mgmt.get.email.template Get your current email template configuration. Manager, Reader, Writer
appid.mgmt.update.email.template Update your email template configuration Manager, Writer
appid.mgmt.delete.email.template Delete an email template configuration. Manager, Writer
appid.mgmt.get.saml.metadata Get the metadata that is used to link your SAML provider. Manager, Reader, Writer
appid.mgmt.resend.notification.cd Resend an email to a Cloud Directory user. Manager, Writer
appid.mgmt.get.tokens.configuration View the current configuration of your tokens. Manager, Reader, Writer
appid.mgmt.set.tokens.configuration Configure the access, identity, and refresh tokens. Manager, Writer
appid.mgmt.cd.sign.up Start the sign up process for a new Cloud Directory user. Manager, Writer
appid.mgmt.cd.sign.up.result View the result of a new user sign up. Manager, Writer
appid.mgmt.cd.forgot.password Start the forgot password email flow for a Cloud Directory user. Manager, Writer
appid.mgmt.cd.forgot.password.result View whether the forgot password email was successfully sent. Manager, Writer
appid.mgmt.cd.change.password Start the change password email flow for a Cloud Directory user. Manager, Writer
appid.mgmt.get.cd.actions.urls View the action URLs that are configured for Cloud Directory. Manager, Reader, Writer
appid.mgmt.get.cd.action.url Get a single action URI that is configured for Cloud Directory. Manager, Reader, Writer
appid.mgmt.update.cd.action.url Update an action URI that is configured for Cloud Directory. Manager, Writer
appid.mgmt.del.cd.action.url Delete an action URI that is configured for Cloud Directory. Manager, Writer
appid.mgmt.get.cd.password.policy View the Cloud Directory password policy configuration in regex form Manager, Reader, Writer
appid.mgmt.update.cd.password.policy Update a Cloud Directory password policy in regex. Manager, Writer
appid.mgmt.delete.profile Delete a user profile from App ID. Manager, Writer
appid.mgmt.get.profile View a user profile. Manager, Reader, Writer
appid.mgmt.update.profile Update a user's profile. Manager, Writer
appid.mgmt.get.profiles Search all of your user profiles and get a count of any anonymous users. Manager, Reader, Writer
appid.mgmt.revoke.refresh.token Revoke a user's refresh token. Manager, Writer
appid.mgmt.nominate.user Create a profile for a future user. Manager, Writer
appid.mgmt.update.cd.get.email.dispatcher View the email provider configuration. Manager, Reader, Writer
appid.mgmt.update.cd.set.email.dispatcher Configure or update an email provider. Manager, Writer
appid.mgmt.update.cd.post.email.dispatcher.test Test the email provider configuration. Manager, Writer
appid.mgmt.add.application Register a new application with App ID. Manager, Writer
appid.mgmt.delete.application Delete an application that is registered with App ID Manager, Writer
appid.mgmt.update.application Update an application that is registered with App ID. Manager, Writer
appid.mgmt.get.applications View all of the apps that are registered with your instance of App ID. Manager, Reader, Writer
appid.mgmt.get.application View a specific application that is registered with App ID. Manager, Reader, Writer
appid.mgmt.export.cd.users Export Cloud Directory users and their information as a JSON object. Manager
appid.mgmt.import.cd.users Import the Cloud Directory users and their information that was exported from another instance of the service. Manager
appid.mgmt.get.capture.runtime.activity Get the auditing status of the tenant as a JSON object. Manager, Reader, Writer
appid.mgmt.update.capture.runtime.activity Update the auditing status. Manager, Writer
appid.mgmt.get.mfa.channels Get a list of all of the configured MFA channels. Manager, Reader, Writer
appid.mgmt.get.mfa.channel Get an MFA channel. Manager, Reader, Writer
appid.mgmt.update.mfa.channel Update an MFA channel. Manager, Writer
appid.mgmt.update.mfa.config Update an MFA configuration. Manager, Writer
appid.mgmt.get.mfa.config View the current MFA configuration. Manager, Reader, Writer
appid.mgmt.get.advanced.password.management View the current advanced password policy configuration. Manager, Reader, Writer
appid.mgmt.set.advanced.password.management Configure advanced password policies. Manager, Writer
appid.mgmt.get.sso.config Get the Cloud Directory SSO configuration. Manager, Reader, Writer
appid.mgmt.update.sso.config Update the Cloud Directory SSO configuration. Manager, Writer
appid.mgmt.post.sso.logout Initiate SSO logout for Cloud Directory. Manager, Writer
appid.mgmt.cd.post.sms.dispatcher.test Test the MFA configuration for SMS. Manager, Writer
appid.mgmt.remove.cd.user Delete Cloud Directory users and their profile. Manager, Writer
appid.mgmt.get.cd.userinfo Get a Cloud Directory user and their information. Manager, Reader, Writer
appid.mgmt.get.cd.rate.config Get the rate limite configuration. Manager, Reader, Writer
appid.mgmt.update.cd.rate.config Update the rate limit configuration. Manager, Writer
appid.mgmt.import.profiles Import user profiles that have been exported from another instance of App ID. Manager
appid.mgmt.export.profiles Export user profiles. Manager
appid.mgmt.add.scope Add a scope to an application. Manager, Writer
appid.mgmt.get.scopes Get the scopes that are associated with an application. Manager, Reader, Writer
appid.mgmt.delete.scope Delete a scope that is associated with an application. Manager, Writer
appid.mgmt.add.role Create a role. Manager, Writer
appid.mgmt.get.role Get a role that is associated with a scope. Manager, Reader, Writer
appid.mgmt.update.role Update a role. Manager, Writer
appid.mgmt.delete.role Delete a role. Manager, Writer
appid.mgmt.get.user.roles View the roles that are assigned to a specific user. Manager, Reader, Writer
appid.mgmt.update.user.roles Update a user's associated roles. Manager, Writer
appid.mgmt.get.webhook.config Get a registered extension's configuration. Manager, Reader, Writer
appid.mgmt.update.webhook.config Update a registered extensions configuration. Manager, Writer
appid.mgmt.update.webhook.active Update the status of a registered extension's configuration. Manager, Writer
appid.mgmt.test.webhook.config Test the configuration for a registered extension. Manager, Writer
appid.mgmt.del.totp.channel appid-mgmt-del-totp-channel Manager, Writer
appid.mgmt.get.application.roles Get application roles Manager, Reader, Writer
appid.mgmt.update.application.roles Update application roles Manager, Writer
appid.config.read Read configuration information Service Configuration Reader
appid.mgmt.get.settings Retrieve instance settings Manager, Reader, Writer
appid.mgmt.set.settings Set instance settings Manager, Writer

App Configuration

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use apprapp for the service name.

Platform roles - App Configuration
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - App Configuration
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Client SDK Role to manage Client SDK
Config Operator As a Config Operator, you can toggle the feature state.
Configuration Aggregator Reader As a Configuration Aggregator Reader, you have permission to query for the configuration metadata of resources
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - App Configuration
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
apprapp.dashboard.view Dashboard view Administrator, Config Operator, Editor, Manager, Operator, Reader, Writer
apprapp.collections.list List collections Client SDK, Config Operator, Manager, Reader, Writer
apprapp.collections.create Create collections Manager
apprapp.collections.update Update collections Manager
apprapp.collections.delete Delete collections Manager
apprapp.features.list List features Config Operator, Manager, Reader, Writer
apprapp.features.create Create Features Manager
apprapp.features.update Update features Manager
apprapp.features.delete Delete features Manager
apprapp.segments.list List segments Config Operator, Manager, Reader, Writer
apprapp.segments.update Update segments Manager, Writer
apprapp.segments.create Create segments Manager, Writer
apprapp.segments.delete Delete segments Manager, Writer
apprapp.features.patch Patch features Writer
apprapp.features.toggle Toggle feature Config Operator, Manager, Writer
apprapp.properties.list List properties Config Operator, Manager, Reader, Writer
apprapp.properties.update Update properties Manager
apprapp.properties.create Create properties Manager
apprapp.properties.delete Delete properties Manager
apprapp.properties.patch Patch properties Writer
apprapp.environments.create Create environments Manager
apprapp.environments.update Update environments Manager
apprapp.environments.delete Delete environments Manager
apprapp.environments.list List environments Config Operator, Manager, Reader, Writer
apprapp.instances.export Export instance resources to a JSON Manager
apprapp.instances.import Import instance resources from a JSON Manager
apprapp.gitconfigs.create Create git configuration Manager
apprapp.gitconfigs.update Update git configurations Manager
apprapp.gitconfigs.delete Delete GIT configuration Manager
apprapp.gitconfigs.view GET a GIT configuration Config Operator, Manager, Reader, Writer
apprapp.gitconfigs.promote Promote configuration Manager
apprapp.usage.create Usage posting Client SDK, Config Operator, Manager, Reader, Writer
apprapp.sse.view SSE connect Client SDK, Config Operator, Manager, Reader, Writer
apprapp.originconfigs.update Update origin configuration for allowlisting CORS policy for Browser clients SDKs Manager
apprapp.originconfigs.list List origin configuration for allowlisting CORS policy for Browser clients SDKs Config Operator, Manager, Reader, Writer
apprapp.gitconfigs.restore Restore configuration Manager
apprapp.integrations.create Create a integration between App Configuration and an external service Manager
apprapp.integrations.list List integrations between App Configuration and external services Config Operator, Manager, Reader, Writer
apprapp.integrations.delete Delete the integration between App Configuration and an external service Manager
apprapp.workflowconfigs.create Create workflow configuration for service now integration for CR approval Manager
apprapp.workflowconfigs.update Update workflow configuration for service now integration for CR approval Manager
apprapp.workflowconfigs.list List the workflow configuration for service now integration for CR approval Config Operator, Manager, Reader, Writer
apprapp.workflowconfigs.delete Delete the workflow configuration for service now integration for CR approval Manager
apprapp.changerequest.create API endpoint to listen to service-now events Manager
apprapp.config.import Import the configuration of the instance Manager
apprapp.config.export Export the configuration of the instance Client SDK, Config Operator, Manager, Reader, Writer
apprapp.config.action Perform actions on the configuration of the instance like promote, restore to git Manager
apprapp.config-aggregator-settings.update Update the settings for the Configuration aggregator Manager
apprapp.config-aggregator-settings.list Retrieve the settings for the Configuration aggregator Config Operator, Manager, Reader, Writer
apprapp.config-aggregator-status.read Retrieve the status of resource collection for the Configuration aggregator Config Operator, Manager, Reader, Writer
apprapp.config-aggregator.query Query API to retrieve resource metadata from Config Aggregator Configuration Aggregator Reader
apprapp.metrics.list The ability to see metrics. Config Operator, Manager, Reader, Writer
apprapp.metrics.create The ability to create metrics. Manager
apprapp.metrics.update The ability to edit or update existing metrics. Manager
apprapp.metrics.delete The ability to delete existing metrics. Manager
apprapp.experiments.list The ability to see experiments. Config Operator, Manager, Reader, Writer
apprapp.experiments.create The ability to create experiments. Manager
apprapp.experiments.update The ability to edit or update existing experiments. Manager
apprapp.experiments.delete The ability to delete existing experiments. Manager
apprapp.iterations.list The ability to view iterations of an experiment. Config Operator, Manager, Reader, Writer
apprapp.analytics.create The ability to submit featureflag evaluation & metric events for an ongoing experiment. Client SDK, Config Operator, Manager, Reader, Writer
apprapp.analytics.list The ability to view or download the metadata associated with the experiment. Manager
apprapp.config-aggregator-scope.read Retrieve the account scope of resource collection for the Configuration aggregator Config Operator, Manager, Reader, Writer
apprapp.clientsdk-apikey.encrypt The ability to obtain the encrypted ClientSDK apikey for a given plain ClientSDK apikey. Manager

Activity Tracker

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use atracker for the service name.

Platform roles - Activity Tracker
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Activity Tracker
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Writer The writer role is reserved for IBM internal use.
Service actions - Activity Tracker
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
atracker.target.read read target Administrator, Editor, Operator, Viewer
atracker.target.create Create atracker target Administrator, Editor
atracker.target.update Update atracker target Administrator, Editor
atracker.target.delete Delete atracker target Administrator, Editor
atracker.target.list List the atracker targets Administrator, Editor, Operator, Viewer
atracker.route.read Read atracker route Administrator, Editor, Operator, Viewer
atracker.route.create Create atracker route Administrator, Editor
atracker.route.update Update atracker route Administrator, Editor
atracker.route.delete Delete atracker route Administrator, Editor
atracker.route.list List atracker routes Administrator, Editor, Operator, Viewer
atracker.endpoint.set Set atracker endpoint properties Administrator
atracker.endpoint.get Read atracker endpoint properties Administrator, Editor, Operator, Viewer
atracker.service.ingest Send events to Atracker Writer
atracker.setting.get Get Atracker setting Administrator, Editor, Operator, Viewer
atracker.setting.update Update Atracker setting Administrator
atracker.migration.post Post atracker migration Administrator
atracker.migration.get Get atracker migration Administrator, Editor, Operator, Viewer
atracker.migration.delete Delete Atracker migration Administrator
atracker.onboarding.get Get onboarding config for services only. Administrator, Editor, Operator, Viewer
atracker.onboarding.list List onboarding configs for services only. Administrator, Editor, Operator, Viewer
atracker.onboarding.create Create onboarding config for services only. Administrator
atracker.onboarding.update Update onboarding config for services only. Administrator
atracker.onboarding.delete Delete onboarding config for services only. Administrator
atracker.destination.search Search for target destinations. Administrator, Editor, Operator, Viewer

Bespoken Automated Testing For IVR and Chat

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use automated-testing-and-monitoring-for-voice-and-chat for the service name.

Platform roles - Bespoken Automated Testing For IVR and Chat
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Bespoken Automated Testing For IVR and Chat
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Bespoken Automated Testing For IVR and Chat
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
automated-testing-and-monitoring-for-voice-and-chat.dashboard.view Administrator, Editor, Operator

Billing

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use billing for the service name.

No supported roles.

Cloud Foundry for Custom Domain

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cf4customdomain for the service name.

Service roles - Cloud Foundry for Custom Domain
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Cloud Foundry for Custom Domain
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
cf4customdomain.newdashboard.view View information in the new dashboard Manager, Reader, Writer

Cloud Foundry Enterprise Environment

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cfaas for the service name.

No supported roles.

Cloud Object Storage

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloud-object-storage for the service name.

Service roles - Cloud Object Storage
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Backup Manager As a Backup Manager, one can write and manage backup vaults.
Backup Reader As a Backup Reader, one can only read backup vaults.
Content Reader As a Content Reader, one can read and list objects in the bucket.
Manager As a Manager, one can create/modify/delete buckets including managing retention policy, configuring IP addresses. In addition, one can upload and download the objects in the bucket.
Notifications Manager As a Notifications Manager, the service can manage (view/modify/delete) configuration for notifications on a Cloud Object Storage bucket.
Object Reader As an Object Reader, one can read objects in the bucket.
Object Writer As an Object Writer, one can only write objects to a bucket.
Reader As a Reader, one can view bucket configuration and download the objects in the bucket.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a Writer, one can create/modify/delete buckets. In addition, one can upload and download the objects in the bucket.
Service actions - Cloud Object Storage
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
cloud-object-storage.bucket.post_backup_policy Post a bucket backup policy. Manager, Writer
cloud-object-storage.bucket.get_backup_policy Get a backup policy. Manager, Reader, Writer
cloud-object-storage.bucket.list_backup_policies List all backup policies. Manager, Reader, Writer
cloud-object-storage.bucket.delete_backup_policy Delete a backup policy. Manager, Writer
cloud-object-storage.bucket.restore_sync Restore Syncing. Manager, Writer
cloud-object-storage.backup-vault.post_backup_vault Post a backup vault. Backup Manager
cloud-object-storage.backup-vault.delete_backup_vault Delete a backup vault. Backup Manager
cloud-object-storage.account.list_account_backup_vaults List backup vaults. Backup Manager
cloud-object-storage.backup-vault.get_basic Get a backup vault. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.get_activity_tracking Get backup vault activity tracking. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.get_metrics_monitoring Get backup vault metrics monitoring. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.put_activity_tracking Update backup vault activity tracking. Backup Manager
cloud-object-storage.backup-vault.put_metrics_monitoring Update backup vault metrics monitoring. Backup Manager
cloud-object-storage.backup-vault.get_crk_id LIST Backup Vault CRK id. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.get_recovery_range GET Backup Vault Recovery Range. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.list_recovery_ranges LIST Backup Vault Recovery Ranges. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.post_restore POST Restore. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.list_restores LIST Restores. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.get_restore GET Restore. Backup Manager, Backup Reader
cloud-object-storage.backup-vault.sync Backup Sync Backup Manager, Backup Reader
cloud-object-storage.account.get_account_buckets List all buckets in a service instance. Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.put_bucket Create a bucket. Manager, Writer
cloud-object-storage.bucket.post_bucket Internal use only - unsupported for users. Manager, Writer
cloud-object-storage.bucket.delete_bucket Delete a bucket. Manager, Writer
cloud-object-storage.bucket.get List all the objects in a bucket. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.list_crk_id List the IDs of encryption root keys associated with a bucket. Manager, Writer
cloud-object-storage.bucket.head View bucket metadata. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.get_versions Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Reader, Writer
cloud-object-storage.bucket.get_uploads List all active multipart uploads for a bucket. Manager, Reader, Writer
cloud-object-storage.bucket.get_acl Read a bucket ACL [deprecated]. Manager
cloud-object-storage.bucket.put_acl Create a bucket ACL [deprecated]. Manager
cloud-object-storage.bucket.get_cors Read CORS rules. Manager, Reader, Writer
cloud-object-storage.bucket.put_cors Add CORS rules to a bucket. Manager, Writer
cloud-object-storage.bucket.delete_cors Delete CORS rules. Manager, Writer
cloud-object-storage.bucket.get_website Read bucket website configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_website Add bucket website configuration. Manager, Writer
cloud-object-storage.bucket.delete_website Delete bucket website configuration. Manager, Writer
cloud-object-storage.bucket.get_versioning Unsupported operation - used for S3 API compatibility only. Manager, Reader, Writer
cloud-object-storage.bucket.put_versioning Unsupported operation - used for S3 API compatibility only. Manager, Writer
cloud-object-storage.bucket.get_object_lock_configuration Get Object Lock Configuration from the bucket. Manager, Reader, Writer
cloud-object-storage.bucket.put_object_lock_configuration Set Object Lock Configuration from the bucket. Manager, Writer
cloud-object-storage.bucket.get_fasp_connection_info View Aspera FASP connection information. Manager, Reader, Writer
cloud-object-storage.account.delete_fasp_connection_info Delete Aspera FASP connection information. Manager, Writer
cloud-object-storage.bucket.get_location View the location and storage class of a bucket. Content Reader, Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.get_lifecycle Read a bucket lifecycle policy. Manager, Reader, Writer
cloud-object-storage.bucket.put_lifecycle Create a bucket lifecycle policy. Manager, Writer
cloud-object-storage.bucket.get_activity_tracking Read activity tracking configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_activity_tracking Add activity tracking configuration. Manager, Writer
cloud-object-storage.bucket.get_metrics_monitoring Read metrics monitoring configuration. Manager, Reader, Writer
cloud-object-storage.bucket.put_metrics_monitoring Add metrics monitoring configuration. Manager, Writer
cloud-object-storage.bucket.put_protection Add Immutable Object Storage policy. Manager
cloud-object-storage.bucket.get_protection Read Immutable Object Storage policy. Manager, Reader, Writer
cloud-object-storage.bucket.put_firewall Add a firewall configuration. Manager
cloud-object-storage.bucket.get_firewall Read a firewall configuration. Manager
cloud-object-storage.bucket.put_public_access_block Add/Update a public access block configuration for a bucket. Manager
cloud-object-storage.bucket.delete_public_access_block Remove public access block configuration for a bucket. Manager
cloud-object-storage.bucket.get_public_access_block Retrieve public access block configuration for a bucket. Manager
cloud-object-storage.bucket.get_basic List objects in a bucket [deprecated]. Manager, Notifications Manager, Reader, Writer
cloud-object-storage.bucket.list_bucket_crn View a bucket CRN. Manager, Reader, Writer
cloud-object-storage.bucket.get_notifications Internal use only - unsupported for users. Notifications Manager
cloud-object-storage.bucket.put_notifications Internal use only - unsupported for users. Notifications Manager
cloud-object-storage.object.get View and download objects. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.head Read an object's metadata. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.get_version Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.get_object_lock_retention Get object lock retention settings on the object. Manager, Reader, Writer
cloud-object-storage.object.put_object_lock_retention_version Set object lock retention version settings on the object. Manager, Object Writer, Writer
cloud-object-storage.object.get_object_lock_retention_version Get object lock retention version settings on the object. Manager, Reader, Writer
cloud-object-storage.object.get_object_lock_legal_hold Get object lock legal hold state on the object. Manager, Reader, Writer
cloud-object-storage.object.put_object_lock_retention Set object lock retention settings on the object. Manager, Object Writer, Writer
cloud-object-storage.object.put_object_lock_legal_hold Set object lock legal hold state on the object. Manager, Object Writer, Writer
cloud-object-storage.object.put_object_lock_legal_hold_version Set object lock legal hold version state on the object. Manager, Object Writer, Writer
cloud-object-storage.object.get_object_lock_legal_hold_version Get object lock legal hold version state on the object. Manager, Reader, Writer
cloud-object-storage.object.head_version Unsupported operation - used for S3 API compatibility only. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.put Write and upload objects. Manager, Object Writer, Writer
cloud-object-storage.object.post Upload an object using HTML forms [deprecated]. Manager, Object Writer, Writer
cloud-object-storage.object.post_md Update object metadata using HTML forms [deprecated]. Manager, Object Writer, Writer
cloud-object-storage.object.post_initiate_upload Initiate multipart uploads. Manager, Object Writer, Writer
cloud-object-storage.object.put_part Upload an object part. Manager, Object Writer, Writer
cloud-object-storage.object.copy_part Copy (write) an object part. Manager, Writer
cloud-object-storage.object.copy_part_get Copy (read) an object part. Manager, Reader, Writer
cloud-object-storage.object.post_complete_upload Complete a multipart upload. Manager, Object Writer, Writer
cloud-object-storage.object.copy Copy (write) an object from one bucket to another. Manager, Writer
cloud-object-storage.object.copy_get Copy (read) an object from one bucket to another. Manager, Reader, Writer
cloud-object-storage.object.get_acl Read object ACL [deprecated]. Manager
cloud-object-storage.object.get_acl_version Read object ACL Version [deprecated]. Manager
cloud-object-storage.object.put_acl Write object ACL [deprecated]. Manager
cloud-object-storage.object.put_acl_version Unsupported operation - used for S3 API compatibility only. Manager
cloud-object-storage.object.delete Delete an object. Manager, Writer
cloud-object-storage.object.delete_version Unsupported operation - used for S3 API compatibility only. Manager, Writer
cloud-object-storage.object.get_tagging Read object tags Manager, Reader, Writer
cloud-object-storage.object.get_tagging_version Read object tag versions Manager, Reader, Writer
cloud-object-storage.object.put_tagging Add/Update object tags Manager, Object Writer, Writer
cloud-object-storage.object.put_tagging_version Add/Update object tag versions Manager, Object Writer, Writer
cloud-object-storage.object.delete_tagging Delete object tags Manager, Object Writer, Writer
cloud-object-storage.object.delete_tagging_version Delete object tag versions Manager, Object Writer, Writer
cloud-object-storage.object.get_uploads List parts of a multi-part object upload. Manager, Object Writer, Reader, Writer
cloud-object-storage.object.delete_upload Abort a multipart upload. Manager, Object Writer, Writer
cloud-object-storage.object.restore Temporarily restore an archived object. Manager, Writer
cloud-object-storage.object.post_multi_delete Delete multiple objects. Manager, Writer
cloud-object-storage.object.post_legal_hold Add a legal hold to an object. Manager, Writer
cloud-object-storage.object.get_legal_hold View any legal holds on an object. Manager, Reader, Writer
cloud-object-storage.object.post_extend_retention Extend a retention policy. Manager, Writer
cloud-object-storage.cip.read Internal use only - unsupported for users. Service Configuration Reader
cloud-object-storage.bucket.put_quota Set a hard quota on a bucket. Manager
cloud-object-storage.bucket.get_quota Read a bucket's hard quota. Manager, Writer
cloud-object-storage.object.copy_get_version Copy (read) a version of an object from one bucket to another. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.copy_part_get_version Copy (read) a version of an object as a part. Content Reader, Manager, Object Reader, Reader, Writer
cloud-object-storage.object.restore_version Temporarily restore an archived version of an object. Manager, Writer
cloud-object-storage.bucket.get_replication Read replication configuration of an bucket. Manager, Reader, Writer
cloud-object-storage.bucket.put_replication Add replication configuration to a bucket. Manager, Writer
cloud-object-storage.bucket.delete_replication Delete replication configuration of an bucket. Manager, Writer
cloud-object-storage.bucket.get_protection_management Read protection management of a bucket. Manager
cloud-object-storage.bucket.put_protection_management Add protection management to a bucket. Manager

Cloudant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloudantnosqldb for the service name.

Platform roles - Cloudant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Cloudant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Checkpointer As a checkpointer, you have permissions to write local documents enabling checkpoint writes. Checkpoints are local documents optionally created during replication recording their state.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Monitor As a monitor, you have permissions to get information about specified databases, list databases, monitor indexing and replication, view data volume usage and view provisioned and current throughput.
Reader As a reader, you can perform read-only actions within a service, such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Cloudant
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
cloudantnosqldb.db.any Perform any database action Manager
cloudantnosqldb.activity-tracker-event-types.read Access list of configured activity tracker event types for a service instance Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
cloudantnosqldb.activity-tracker-event-types.write Update list of configured activity tracker event types for a service instance Administrator, Manager, Operator
cloudantnosqldb.sapi.lastactivity Access last activity time for account Manager
cloudantnosqldb.sapi.usercors Update CORS settings for a service instance Administrator, Manager
cloudantnosqldb.sapi.apikeys Generate Cloudant API keys for a service instance Manager
cloudantnosqldb.sapi.userccmdiagnostics Access current and maximum allowed throughput values Manager
cloudantnosqldb.sapi.supportattachments View attachments on support tickets for user Manager
cloudantnosqldb.sapi.supporttickets View support tickets for user Manager
cloudantnosqldb.sapi.userinfo Retrieve basic user infomation for this user Administrator, Editor, Manager, Operator, Viewer
cloudantnosqldb.users-database-info.read Read users' database info Manager
cloudantnosqldb.users-database.create Create users' databases Manager
cloudantnosqldb.users-database.delete Delete users' databases Manager
cloudantnosqldb.users.read Read from users' databases Manager
cloudantnosqldb.users.write Write to users' databases Manager
cloudantnosqldb.database.create Create databases Manager
cloudantnosqldb.database.delete Delete databases Manager
cloudantnosqldb.sapi.userplan Retrieve and update instance plan settings Administrator, Editor, Manager, Operator, Viewer
cloudantnosqldb.sapi.usage-data-volume View instance data usage Administrator, Editor, Manager, Monitor, Operator, Viewer
cloudantnosqldb.sapi.usage-requests View instance requests usage Manager
cloudantnosqldb.account-active-tasks.read View active tasks for instance Manager, Monitor
cloudantnosqldb.sapi.db-security Allow update of database security Manager
cloudantnosqldb.session.write Write _session endpoint Manager, Reader, Writer
cloudantnosqldb.session.read Read _session endpoint Manager, Reader, Writer
cloudantnosqldb.session.delete Delete _session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.write Write _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.read Read _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.iam-session.delete Delete _iam_session endpoint Manager, Reader, Writer
cloudantnosqldb.account-db-updates.read Read db_updates feed Manager, Reader, Writer
cloudantnosqldb.any-document.read Read any documents in a normal database Manager, Reader, Writer
cloudantnosqldb.database-info.read Read /db/ database info Manager, Monitor, Reader, Writer
cloudantnosqldb.account-dbs-info.read Read _dbs_info endpoint Manager, Monitor, Reader, Writer
cloudantnosqldb.replicator-database-info.read Read _replicator database info Manager
cloudantnosqldb.replicator-database.create Create _replicator databases Manager
cloudantnosqldb.replicator-database.delete Delete _replicator databases Manager
cloudantnosqldb.replication.write Write to _replicator databases Manager
cloudantnosqldb.replication.read Read from _replicator databases Manager
cloudantnosqldb.replication-scheduler.read Read from replication _scheduler endpoints Manager, Monitor
cloudantnosqldb.account-up.read View _up Manager, Monitor
cloudantnosqldb.account-uuids.read Generate doc ID UUIDs Manager, Writer
cloudantnosqldb.data-document.write Create, update, and delete normal documents in a database Manager, Writer
cloudantnosqldb.local-document.write Write _local documents Checkpointer, Manager, Writer
cloudantnosqldb.design-document.write Write _design documents Manager
cloudantnosqldb.cluster-membership.read View cluster membership Manager
cloudantnosqldb.database-security.read Read database security definitions Manager
cloudantnosqldb.database-security.write Write database security definitions Manager
cloudantnosqldb.database-shards.read View database shard metadata Manager, Monitor
cloudantnosqldb.capacity-throughput.read Read current provisioned throughput Administrator, Editor, Manager, Monitor, Operator, Viewer
cloudantnosqldb.capacity-throughput.write Update provisioned throughput capacity Administrator, Editor, Manager
cloudantnosqldb.current-throughput.read Read current request throughput Manager, Monitor
cloudantnosqldb.limits-throughput.read Read throughput limits for current Plan Manager
cloudantnosqldb.account-all-dbs.read List all databases Manager, Monitor, Reader, Writer
cloudantnosqldb.account-deleted-dbs.list List deleted databases Manager, Monitor
cloudantnosqldb.account-deleted-dbs.restore Restore deleted database Manager
cloudantnosqldb.account-deleted-dbs.delete Delete deleted database Manager
cloudantnosqldb.account-meta-info.read View account metadata Manager, Monitor, Reader, Writer
cloudantnosqldb.database-ensure-full-commit.execute Call _ensure_full_commit endpoint Checkpointer, Manager, Writer
cloudantnosqldb.account-search-analyze.execute Call _search_analyze endpoint Manager, Reader, Writer
cloudantnosqldb.couchdbextension-instance.read View metadata of an Extension for Apache CouchDB instance Manager
cloudantnosqldb.couchdbextension-instance.write Make changes to an Extension for Apache CouchDB instance Manager
cloudantnosqldb.legacy-root-credential.revoke Revoke legacy credential tied to your instance URL Administrator, Manager
cloudantnosqldb.legacy-credentials.revoke Migrate instance to IAM only Administrator, Manager

IBM Cloud Shell

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cloudshell for the service name.

Platform roles - IBM Cloud Shell
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - IBM Cloud Shell
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Cloud Developer As a cloud developer, you can create Cloud Shell environments to manage IBM Cloud resources and develop applications for IBM Cloud (Web Preview enabled).
Cloud Operator As a cloud operator, you can create Cloud Shell environments to manage IBM Cloud resources.
File Manager As a file manager, you can create Cloud Shell environments to manage IBM Cloud resources and manage files in your workspace (File Upload and File Download enabled).
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - IBM Cloud Shell
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
cloudshell.account-settings.update The ability to update Cloud Shell account settings. Administrator
cloudshell.server.create The ability to create Cloud Shell environments. Administrator, Cloud Developer, Cloud Operator, File Manager
cloudshell.server.preview-web The ability to preview web applications in Cloud Shell (Web Preview enabled). Administrator, Cloud Developer
cloudshell.server.manage-file The ability to manage files in the Cloud Shell workspace (File Upload and File Download enabled). Administrator, File Manager
cloudshell.config.read Configuration Information Point API access Service Configuration Reader

IBM watsonx Code Assistant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use code-assistant for the service name.

Platform roles - IBM watsonx Code Assistant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM watsonx Code Assistant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - IBM watsonx Code Assistant
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
code-assistant.dashboard.view Administrator, Editor, Operator

Code Engine

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use codeengine for the service name.

Platform roles - Code Engine
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Code Engine
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Compute Environment Administrator Can manage Code Engine Compute Environments.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Code Engine
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
codeengine.dashboard.view View Dashboard Administrator, Editor, Operator
codeengine.tenant.read View project details Manager, Reader, Writer
codeengine.tenant.entities.create Create project contents, such as applications, job definitions, and jobs Manager, Writer
codeengine.tenant.entities.update Modify existing items already contained by a project, such as applications, jobs, or job definitions. This does not include the ability to create or delete these items. Manager, Writer
codeengine.tenant.entities.delete Delete existing items from within a project Manager, Writer
codeengine.tenant.entities.read List and view existing items within a project Manager, Reader, Writer
codeengine.config.read Configuration Information Point API access Service Configuration Reader
codeengine.computeenvironment.create Allows you to create a Code Engine Compute Environment. Compute Environment Administrator
codeengine.computeenvironment.delete Allows you to delete compute environments. Compute Environment Administrator
codeengine.computeenvironment.projects.create Allows you to create projects in this compute environment. Manager, Writer
codeengine.computeenvironment.projects.delete Allows you to delete projects in this compute environment. Manager, Writer
codeengine.tenant.update The ability to change the project configuration, such as adjusting the allowed outbound destinations that deployed workload can connect to. Manager

Compass

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use compass for the service name.

Service roles - Compass
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Compass
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
compass.dataprotection.view Manager, Reader, Writer
compass.dataprotection.operate Manager, Writer
compass.dataprotection.administer Manager

IBM Cloud Compliance and Security Center

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use compliance for the service name.

Platform roles - IBM Cloud Compliance and Security Center
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Cloud Compliance and Security Center
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Data Provider Role assigned to external Provider to push Compliance data to SCC
Instance Viewer View Security and Compliance Center instances
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Compliance and Security Center
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
compliance.posture-management.dashboard-view Access the Security and Compliance dashboard to view security and compliance posture and results. Administrator, Editor, Operator, Viewer
compliance.posture-management.controls-create Add a control to a profile. Administrator, Editor, Manager, Writer
compliance.posture-management.controls-read View the controls that you can add to a profile. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.controls-update Update an existing control. Administrator, Editor, Manager, Writer
compliance.posture-management.controls-delete Delete a control. Administrator, Editor, Manager, Writer
compliance.posture-management.scopes-create Create a scope. Administrator, Editor
compliance.posture-management.scopes-update Edit a scope. Administrator, Editor
compliance.posture-management.scopes-read View scopes. Administrator, Editor, Operator, Viewer
compliance.posture-management.scopes-delete Delete a scope. Administrator, Editor
compliance.posture-management.credentials-create Create a credential. Administrator, Editor
compliance.posture-management.credentials-update Update a credential. Administrator, Editor
compliance.posture-management.credentials-read View credentials. Administrator, Editor, Operator, Viewer
compliance.posture-management.credentials-delete Delete a credential. Administrator, Editor
compliance.posture-management.credentialsmap-create Map credentials to a scope. Administrator, Editor
compliance.posture-management.credentialsmap-update Edit an existing credentials mapping. Administrator, Editor
compliance.posture-management.credentialsmap-read View credentials mappings. Administrator, Editor, Operator, Viewer
compliance.posture-management.credentialsmap-delete Delete a credentials mapping. Administrator, Editor
compliance.posture-management.profiles-create Create a profile. Administrator, Editor, Manager, Writer
compliance.posture-management.profiles-update Update a profile. Administrator, Editor, Manager, Writer
compliance.posture-management.profiles-read View profiles. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.profiles-delete Delete a profile. Administrator, Editor, Manager, Writer
compliance.posture-management.validations-create Run a vallidation scan. Administrator, Editor
compliance.posture-management.validations-update Update a validation scan. Administrator, Editor
compliance.posture-management.validations-read View a validation scan. Administrator, Editor, Operator, Viewer
compliance.posture-management.validations-delete Delete a validation scan. Administrator, Editor
compliance.posture-management.collectors-create Create a collector. Administrator, Editor
compliance.posture-management.collectors-update Update a collector. Administrator, Editor
compliance.posture-management.collectors-read View collectors. Administrator, Editor, Operator, Viewer
compliance.posture-management.collectors-delete Delete a collector. Administrator, Editor
compliance.posture-management.values-create Add parameters to an existing goal. Administrator, Editor
compliance.posture-management.values-update Update the parameters of an existing goal. Administrator, Editor
compliance.posture-management.values-read View the parameters that are associated with a goal. Administrator, Editor, Operator, Viewer
compliance.posture-management.tenants-create Create tenants Administrator, Editor
compliance.posture-management.tenants-update Update tenants Administrator, Editor
compliance.posture-management.tenants-read View tenants Administrator, Editor, Operator, Viewer
compliance.posture-management.tenants-delete Delete tenants Administrator, Editor
compliance.posture-management.events-create Create an audit log for monitoring compliance activity. Administrator, Editor, Operator, Viewer
compliance.posture-management.events-view View audit logs. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.rules-create Create a config rule. Administrator, Editor, Manager, Writer
compliance.configuration-governance.rules-read View the config rules that are available for your accounts. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.configuration-governance.rules-update Update an existing config rule. Administrator, Editor, Manager, Writer
compliance.configuration-governance.rules-delete Delete a config rule. Administrator, Editor, Manager, Writer
compliance.configuration-governance.templates-create Create a template. Administrator, Editor
compliance.configuration-governance.templates-read View the templates that are available for your accounts. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.templates-update Update an existing template. Administrator, Editor
compliance.configuration-governance.templates-delete Delete a template. Administrator, Editor
compliance.configuration-governance.attachments-create Create an attachment between a rule and a scope. Administrator, Editor
compliance.configuration-governance.attachments-read View the attachments that are associated with a rule. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.attachments-update Update a rule attachment. Administrator, Editor
compliance.configuration-governance.attachments-delete Delete a rule attachment. Administrator, Editor
compliance.configuration-governance.services-create Create a definition to enable a service for configuration governance. Administrator, Editor
compliance.configuration-governance.services-update Update an existing service definition. Administrator, Editor
compliance.configuration-governance.services-delete Delete a service definition. Administrator, Editor
compliance.configuration-governance.config-state-create Create configuration governance config state. Administrator, Editor
compliance.configuration-governance.config-state-read Read configuration governance config state. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.config-state-update Update configuration governance config state. Administrator, Editor
compliance.configuration-governance.config-state-delete Delete configuration governance config state. Administrator, Editor
compliance.configuration-governance.results-create Create configuration governance results. Administrator, Editor
compliance.configuration-governance.results-read Read configuration governance results. Administrator, Editor, Operator, Viewer
compliance.configuration-governance.results-update Update configuration governance results. Administrator, Editor
compliance.configuration-governance.results-delete Delete configuration governance results. Administrator, Editor
compliance.posture-management.tags-create Create tags. Administrator, Editor, Operator
compliance.posture-management.tags-update Update tags. Administrator, Editor, Operator
compliance.posture-management.tags-delete Delete a tag. Administrator, Editor, Operator
compliance.posture-management.tags-read View tags. Administrator, Editor, Operator, Viewer
compliance.posture-management.keys-read Read BYOK/KYOK configuration Administrator, Editor, Operator, Viewer
compliance.posture-management.keys-write Edit BYOK/KYOK configuration Administrator, Editor
compliance.posture-management.keys-delete Enable/Disable BYOK configuration Administrator, Editor
compliance.admin.settings-read Read Configured Settings Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.admin.settings-update Update Configured Settings Administrator, Manager
compliance.admin.test-event-send Send test notifications Administrator, Manager, Writer
compliance.platform.notifications.write To send platform notifications Manager, Reader, Writer
compliance.posture-management.integrations-read Read compliance posture management integrations Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.integrations-create Create compliance posture management integrations Administrator, Editor, Manager, Operator, Writer
compliance.posture-management.integrations-update Update compliance posture management integrations Administrator, Editor, Manager, Operator, Writer
compliance.posture-management.integrations-delete Delete compliance posture management integrations Administrator, Editor, Manager, Writer
compliance.posture-management.attachments-create Create Attachments Administrator, Editor, Manager, Writer
compliance.posture-management.attachments-update Update Attachments Administrator, Editor, Manager, Writer
compliance.posture-management.attachments-read Read Attachments Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.attachments-delete Delete Attachments Administrator, Editor, Manager, Writer
compliance.posture-management.control-libraries-create Add New Control Libraries Administrator, Editor, Manager, Writer
compliance.posture-management.control-libraries-read Read Control Libraries Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.control-libraries-update Update Control Libraries Administrator, Editor, Manager, Writer
compliance.posture-management.control-libraries-delete Delete Control Libraries Administrator, Editor, Manager, Writer
compliance.posture-management.scans-create Create a Scan Administrator, Editor, Manager, Writer
compliance.posture-management.scans-read Read Scans Administrator, Editor, Operator, Viewer
compliance.posture-management.scans-update Update Scans Administrator, Editor
compliance.posture-management.scans-delete Delete Scans Administrator, Editor
compliance.posture-management.reports-read Read Scan Results and Reports Administrator, Editor, Manager, Operator, Reader, Writer
compliance.posture-management.profiles-compare Compare profiles Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.posture-management.attachments-upgrade Upgrade attachments Administrator, Editor, Manager, Writer
compliance.posture-management.provider-data-write Ingest Data from Providers Administrator, Data Provider, Editor, Manager, Operator, Writer
compliance.targets.read View Targets Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.targets.create Create Target Administrator, Editor, Manager, Operator, Writer
compliance.targets.update Update Target Administrator, Editor, Manager, Operator, Writer
compliance.targets.delete Delete Target Administrator, Editor, Manager, Operator, Writer
compliance.scopes.create Create a scope Administrator, Editor, Manager, Operator, Writer
compliance.scopes.delete Delete a scope Administrator, Editor, Manager, Operator, Writer
compliance.scopes.read View scopes Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
compliance.scopes.update Edit a scope Administrator, Editor, Manager, Operator, Writer
compliance.ticket-configurations.create Create Ticket Configuration Manager, Writer
compliance.ticket-configurations.update Update Ticket Configuration Manager, Writer
compliance.ticket-configurations.delete Delete Ticket Configuration Manager, Writer
compliance.ticket-configurations.read Read Ticket Configuration Manager, Reader, Writer
compliance.tickets.read Read Tickets Metadata Manager, Reader, Writer

Consult with IBM Cloud Garage

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use consult-with-icg-wes for the service name.

Platform roles - Consult with IBM Cloud Garage
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Consult with IBM Cloud Garage
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Consult with IBM Cloud Garage
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
consult-with-icg-wes.dashboard.view The ability to view your provisioned Consult with IBM Garage services in the dashboard. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer

Container Registry

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use container-registry for the service name.

Service roles - Container Registry
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Container Registry
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
container-registry.exemption.manager Create an exemption for a security issue. Delete an exemption for a security issue. Manager
container-registry.image.push Push a container image. Sign a container image. Import IBM software that is downloaded from IBM Passport Advantage Online. Restore a deleted container image from the trash. Create a new container image that refers to a source image. Manager, Writer
container-registry.image.pull Pull a container image. Inspect the signature for a container image. Create a new image that refers to a source image. Manager, Reader, Writer
container-registry.namespace.create Add a namespace. Manager
container-registry.namespace.delete Remove a namespace. Manager
container-registry.image.delete Delete one or more container images. Remove a tag, or tags, from each specified container image in IBM Cloud Container Registry. Delete the signature for a container image. Clean up your namespaces by retaining only images that meet your criteria. Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Writer
container-registry.namespace.list List your namespaces. Manager, Reader
container-registry.image.list List your container images. Display the container images that are in the trash. Manager, Reader, Service Configuration Reader
container-registry.image.vulnerabilities View a vulnerability assessment report for your container image. Manager, Reader, Service Configuration Reader
container-registry.image.inspect Display details about a specific container image. Manager, Reader
container-registry.quota.get Display your current quotas for traffic and storage, and usage information against those quotas. Manager, Reader, Writer
container-registry.quota.set Modify the specified quota. Manager
container-registry.plan.get Display your pricing plan. Manager
container-registry.plan.set Upgrade to the standard plan. Manager
container-registry.auth.get Get Auth Configuration, such as whether IAM policy enforcement is enabled Manager, Reader, Writer
container-registry.auth.set Enable IAM policy enforcement. Manager
container-registry.retention.analyze Clean up your namespaces by retaining only container images that meet your criteria. Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Reader
container-registry.retention.get Get an image retention policy. Manager, Reader
container-registry.retention.set Set a policy to clean up your namespaces by retaining only container images that meet your criteria. Manager, Writer
container-registry.retention.list List the image retention policies for your account. Manager, Reader
container-registry.exemption.list List your exemptions for security issues. List the types of security issues that you can exempt. Manager, Reader
container-registry.settings.get Get Account Settings, such as whether platform metrics are enabled Manager, Reader, Writer
container-registry.settings.set Set Account Settings, such as whether platform metrics are enabled Manager
container-registry.config.read Configuration Information Point API access Service Configuration Reader

Kubernetes Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use containers-kubernetes for the service name.

Platform roles - Kubernetes Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Kubernetes Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Compliance Management Allows Security and Compliance Center to access your cluster to setup, run, and fetch compliance results.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Kubernetes Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
containers-kubernetes.cluster.create Users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. Administrator, Compliance Management
containers-kubernetes.cluster.read Users such as auditors or billing can see cluster details but not modify the infrastructure. Administrator, Editor, Operator, Viewer
containers-kubernetes.cluster.operate Users such as reliability or DevOps engineers can add worker nodes and troubleshoot infrastructure such as reloading a worker node. They cannot create, delete, change credentials, or set up cluster-wide features. Administrator, Operator
containers-kubernetes.cluster.update Users such as developers can bind service, work with Ingress resources, and set up log forwarding for their apps but cannot modify the infrastructure. Administrator, Editor
containers-kubernetes.kube.read Users get read access to most Kubernetes resources in the namespace, but not to certain resources like roles, role bindings, or secrets. Corresponds to the RBAC view cluster role, which can be scoped to a namespace. Reader
containers-kubernetes.kube.write Users get read and write access to most Kubernetes resources in the namespace, but not to certain resources like roles or role bindings. Corresponds to the RBAC edit cluster role, which can be scoped to a namespace. Writer
containers-kubernetes.kube.manage When scoped to one namespace: Users can read and write to all Kubernetes resources in the namespace, but not to objects that apply across namespaces, the namespace resource quota, or the namespace itself. Corresponds to the RBAC admin cluster role to that namespace. When scoped to all namespaces in the cluster (by leaving the previous namespace field empty): Users can read and write to all Kubernetes resources in all namespaces in the cluster and work with objects that apply across namespaces, like top pods, top nodes, or creating an Ingress resource to make apps publicly available. Corresponds to the RBAC cluster-admin cluster role. Manager

Context-Based Restrictions

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use context-based-restrictions for the service name.

Platform roles - Context-Based Restrictions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Context-Based Restrictions
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
context-based-restrictions.account-settings.read View context-based restriction account settings Administrator, Editor, Viewer
context-based-restrictions.account-settings.update Update context-based restriction account settings Administrator

Network Zone Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use context-based-restrictions.zone for the service name.

Platform roles - Network Zone Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Network Zone Management
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
context-based-restrictions.zone.create Network Zone Create Administrator, Editor
context-based-restrictions.zone.read Network Zone Read Administrator, Editor, Viewer
context-based-restrictions.zone.update Network Zone Update Administrator, Editor
context-based-restrictions.zone.delete Network Zone Delete Administrator, Editor

Continuous Delivery

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use continuous-delivery for the service name.

Platform roles - Continuous Delivery
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can modify the Authorized Users list.
Editor As an editor, you can create, view, update, change the plan for, and delete instances of the Continuous Delivery service.
Operator As an operator, you can view instances of the Continuous Delivery service.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Continuous Delivery
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Continuous Delivery
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
continuous-delivery.dashboard.view View instances of the Continuous Delivery service. Administrator, Editor, Operator
continuous-delivery.instance.add-auth-users Add entries to the Authorized Users list on the Manage tab of a Continuous Delivery service instance. Administrator, Manager, Writer
continuous-delivery.instance.remove-auth-users Remove entries from the Authorized Users list on the Manage tab of a Continuous Delivery service instance. Administrator, Manager, Writer
continuous-delivery.instance.config-auth-users Configure authorized users. Administrator, Manager
continuous-delivery.settings.read View additional settings for the Continuous Delivery service. Administrator, Editor, Manager, Operator, Viewer
continuous-delivery.settings.update Update additional settings for the Continuous Delivery service. Administrator, Manager
continuous-delivery.consolidated-auth-users.list View the consolidated user list managed by this Continuously Delivery instance. Administrator, Editor, Manager, Operator, Viewer

Converlistics

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use converlistics for the service name.

Platform roles - Converlistics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Converlistics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Converlistics
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
converlistics.dashboard.view Administrator, Editor, Operator

Watson Assistant

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use conversation for the service name.

Platform roles - Watson Assistant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Watson Assistant
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Logs Reader As a logs reader, you can view user conversations and analytics.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Version Maker As a Version Maker, you will be able to create or delete versions of your assistant.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Watson Assistant
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /conversation Can use API endpoints to extract data from skills and assistants Manager, Reader, Writer
POST /conversation Can use API endpoints to create data & to use the message endpoint Manager, Reader, Writer
DELETE /conversation Can use API endpoints to delete data from skills and assistant Manager, Reader, Writer
PATCH /conversation Can use API endpoint to modify data from skills and assistant Manager, Reader, Writer
PUT /conversation Can use API endpoint to modify data from skills and assistant Manager, Reader, Writer
conversation.assistant.legacy Can perform authoring methods for a workspace through v1 APIs. Manager
conversation.skill.write Can rename, edit, or delete a skill. Manager, Writer
conversation.skill.read Can open and view a skill. Manager, Reader, Writer
conversation.assistant.write Can rename, edit, or delete an assistant. Manager, Writer
conversation.assistant.read Can open and view an assistant. Manager, Reader, Writer
conversation.logs.read Can view skill analytics and access user conversation logs. Logs Reader, Manager
conversation.assistant.list Can list assistant or skill Manager, Reader, Viewer, Writer
conversation.assistant.default Default access for Assistant Manager, Reader, Viewer, Writer
conversation.environment.write Can rename, edit, or delete an environment Manager, Writer
conversation.environment.read Can open and view an environment Manager, Reader, Writer
conversation.release.write Can create or delete a Release for an Assistant Manager, Version Maker, Writer

IBM Cloud Pak for Data

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use cp4d for the service name.

Platform roles - IBM Cloud Pak for Data
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Service roles - IBM Cloud Pak for Data
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
CloudPak Data Engineer Create or view governance artifacts.
CloudPak Data Quality Analyst CloudPak Data Quality Analyst
CloudPak Data Scientist Find data in catalogs and use data in projects.
CloudPak Data Source Administrator Create data source definitions and see a list of all connections across the account
CloudPak Data Source Creator Create data source definitions
CloudPak Data Steward Create or view governance artifacts and curate data into catalogs.
Governance Artifacts Administrator Manage governance artifacts
Lineage Administrator Perform actions related to managing data lineage, like importing lineage metadata, publishing new assets, managing external agents or updating mappings.
Manager Manage catalogs, governance artifacts, categories, and workflow.
Policy Decision Operator Evaluate data access requests on behalf of other users
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Reporting Administrator Manage reports on Watson Knowledge Catalog data.
Service actions - IBM Cloud Pak for Data
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
cp4d.catalog.manage Manage catalogs
Administrator, Editor, Manager
cp4d.governance-categories.manage Manage governance categories
Manager
cp4d.governance-workflows.manage Manage governance workflows
Manager
cp4d.wkc.reporting.manage Manage reporting Reporting Administrator
cp4d.governance-artifacts.access Access governance artifacts CloudPak Data Engineer, CloudPak Data Scientist, CloudPak Data Steward
cp4d.catalog.access Access catalogs CloudPak Data Scientist, CloudPak Data Steward, Manager, Policy Decision Operator
cp4d.data-protection-rules.manage Manage data protection rules CloudPak Data Engineer, CloudPak Data Steward, Manager
cp4d.glossary.manage Perform business glossary administrative tasks Manager
cp4d.project.manage Manage projects Manager
cp4d.deployment-space.manage Manage deployment space Manager
cp4d.glossary.admin Manage governance artifacts Governance Artifacts Administrator
cp4d.data-quality-asset-types.access Manage data quality assets CloudPak Data Quality Analyst, Manager
cp4d.data-quality-sla-rules.manage Manage data quality SLA rules CloudPak Data Quality Analyst, Manager
cp4d.data-quality.measure Execute data quality rules CloudPak Data Quality Analyst, Manager
cp4d.data-quality.drill-down Drill down to issue details CloudPak Data Quality Analyst, Manager
cp4d.catalog-assets-to-projects.add Users with this permission can add assets from a catalog to a project. Users must also have the Admin or Editor role in the catalog and the project, and must be asset owners or asset members. Administrator, CloudPak Data Scientist, CloudPak Data Steward, Editor, Manager
cp4d.data-source-definitions.manage Create data source definitions and see a list of all connections across the account CloudPak Data Source Administrator, Manager
cp4d.data-source-definitions.create Create data source definitions CloudPak Data Source Creator, Lineage Administrator, Manager
cp4d.data-lineage.manage Manage data lineage Lineage Administrator, Manager
cp4d.data-lineage.access Access data lineage Lineage Administrator, Manager, Reader
cp4d.governance-policy-decision.evaluate Permission required for an integration user to be allowed to evaluate data access requests on behalf of registered platform users Policy Decision Operator

Db2 Warehouse

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dashdb for the service name.

Platform roles - Db2 Warehouse
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Db2 Warehouse
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Db2 Warehouse
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
dashdb.console.access dashdb.console.access Manager, Writer
dashdb.console.manage-users Allows management of users for database access such as creating new users or assign and IAM user or service id to a database user. Administrator, Manager
dashdb.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Manager, Operator, Viewer, Writer
dashdb.console.scale scale operation Administrator, Editor, Operator
dashdb.console.backup backup operation Administrator, Editor, Operator
dashdb.console.restore restore operation Administrator, Editor, Operator
dashdb.console.settings set configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
dashdb.console.view-settings view database settings Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/backups/:backup_id Delete a backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v5/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v5/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/backups/:backup_id Delete a backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/privatelink/allowlist Read Privatelink allowlist of principals Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/privatelink/allowlist Patch Privatelink allowlist principals Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Read scheduled scaling configuration Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Update scheduled scaling Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/groups/:group_id/schedule_scaling Delete scheduled scaling Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/switch_license switch license type or term Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/db2audit/install_v3 Install Db2 audit v3 Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/db2audit/process_report Process db2 archived audit logs into a human-readable csv format Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/version Retrieve Db2 audit version Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/alias Retrieve Db2 audit storage alias Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/replication Retrieve replication status Administrator, Editor, Operator, Viewer
PUT /v5/:platform/deployments/:deployment_id/replication/:id Activate/deactivate replication Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/encryption Retrieve wired encryption status Administrator, Editor, Operator, Viewer
PUT /v5/:platform/deployments/:deployment_id/encryption/:id Enable/disable wired encryption Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/user_policy Create user policy Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/user_policy Update existing user policy Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/user_policy Delete existing user policy Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/backup_records Read all backup history records Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/hibernate Pause the instance through a disablement Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/hibernate Resume the instance by removing a disablement Administrator, Editor, Operator
dashdb.console.pause Pause the instance Administrator, Editor, Operator
dashdb.console.resume Resume the instance Administrator, Editor, Operator

Db2 on Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dashdb-for-transactions for the service name.

Platform roles - Db2 on Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Db2 on Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Service actions - Db2 on Cloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
dashdb-for-transactions.console.access Allows users to view the Db2 Console. Manager
dashdb-for-transactions.console.manage-users Allows management of users for database access such as creating new users or assign and IAM user or service id to a database user. Administrator, Manager
dashdb-for-transactions.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Editor, Operator, Viewer
dashdb-for-transactions.console.clone clone operation Administrator, Editor
dashdb-for-transactions.console.scale scale operation Administrator, Editor, Operator
dashdb-for-transactions.console.backup backup operation Administrator, Editor, Operator
dashdb-for-transactions.console.restore restore operation Administrator, Editor, Operator
dashdb-for-transactions.console.settings set configuration Administrator, Editor, Operator
dashdb-for-transactions.console.view-settings view database settings Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
GET /2017-12/:platform/tasks/:task_id Read a task Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a deployment Administrator, Editor, Operator, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a deployment Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/resyncs resyncs Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v5/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v5/:platform/task_infos/:task_id Read a Task metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Viewer
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users Create a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id Read a Db2 database user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id Update a Db2 database user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_id Remove a Db2 database user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/inplace_restores Perform in place database restore Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/adminpassword Update admin password Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/users/:user_id/password Update password Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/billable Set billable annotation to true Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/migrated Set migration flag to false Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/dr_take_over dr_take_over Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/get_dr get_dr Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/resyncs resyncs Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/configure_sets Configures db2set parameters Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/configure_sets Configures db2set parameters Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/configure_sets Retrieves configured parameters Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/configure_sets Retrieves configured parameters Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/task_infos Read all deployment tasks metadata Administrator, Editor, Operator, Viewer
GET /v4/:platform/task_infos/:task_id Read a Task metadata
Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/rebalance rebalance tablespaces Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/reducemax reclaim disk space Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/configure_iks_worker Configure bare metal and dedicated virtual machine Administrator, Editor, Operator, Viewer
POST /hyperwarp_messages hyperwarp subscriber endpoint Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/hibernate Hibernate the target instance Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/hibernate Reactivate the target hibernating instance. Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/db2audit/version Retrieve Db2 audit version Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/db2audit/alias Retrieve Db2 audit storage alias Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db2audit/install_v3 Installs Db2 audit v3 Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db2audit/process_report db2audit process report Administrator, Editor, Operator, Viewer
PATCH /v6/:platform/deployments/:deployment_id/availability Update deployment availability Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/iops_range retrieve the disk range and the corresponding iops range Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/instance_types Retrieve the list of available instance types Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/availability Update deployment availability Administrator, Editor, Operator, Viewer

IBM Data Product Hub

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-product-hub for the service name.

Platform roles - IBM Data Product Hub
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Data Product Hub
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you can view service instances and additionally can create the data product catalog and manage users on the catalog.
Service actions - IBM Data Product Hub
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
data-product-hub.dashboard.view The ability to view the IBM Data Product Exchange dashboard Administrator, Editor, Manager, Operator, Viewer
data-product-hub.catalog.manage The ability to create a data product catalog Manager

IBM Data Replication on Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-replication for the service name.

Platform roles - IBM Data Replication on Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Data Replication on Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Data Replication on Cloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
data-replication.replications.retrieve data-replication.replications.retrieve Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-replication.replications.create Create replication Manager, Writer
data-replication.replications.operate Operate Replication Manager, Writer
data-replication.replications.delete Delete Replication Manager, Writer
data-replication.replications.update Update Replication Manager, Writer

Watson Studio

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-science-experience for the service name.

No supported roles.

Data Store for Memcache

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-store-for-memcache for the service name.

Platform roles - Data Store for Memcache
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator null
Service roles - Data Store for Memcache
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager null
Reader null
Writer null
Service actions - Data Store for Memcache
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
data-store-for-memcache.keys.create Administrator, Manager
data-store-for-memcache.keys.read Manager, Reader, Writer
data-store-for-memcache.keys.update Manager, Writer
data-store-for-memcache.keys.delete Manager
data-store-for-memcache.keys.encode Manager, Writer
data-store-for-memcache.keys.decode Manager, Writer

Data Virtualization

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-virtualization for the service name.

Platform roles - Data Virtualization
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Data Virtualization
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
DataAccess (For Service to Service Authorization Only) Used for Service to Service authorization. Do not choose this role for service credential generation.
Manager (For generated service credentials only) This role is only enabled for generated service credentials. Using this role will grant the generated Service ID Manager access.
Service actions - Data Virtualization
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
data-virtualization.console.manage-users Allows management of users for database access such as creating new users or assign and IAM user or service id to a database user. Administrator
data-virtualization.console.monitor Allows viewing of metrics and information that allow you to understand the resources your database is using or workload it is running. Administrator, Editor, Manager (For generated service credentials only), Operator, Viewer
data-virtualization.data.access Allows data access for other services. DataAccess (For Service to Service Authorization Only)
data-virtualization.console.scale scale operation Administrator, Editor, Manager (For generated service credentials only), Operator
data-virtualization.console.backup backup operation Administrator, Editor, Operator
data-virtualization.console.restore restore operation Administrator, Editor, Operator
data-virtualization.console.settings set configuration Administrator, Editor, Manager (For generated service credentials only), Operator
GET /v4/:platform/deployments/:deployment_id/configuration Get deployment configuration Administrator, Editor, Operator, Viewer
data-virtualization.console.view-settings view database settings Administrator, Editor, Manager (For generated service credentials only), Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v4/:platform/regions Read discover available regions Administrator, Editor, Operator, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Viewer
GET /v4/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a Data Virtualization database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a Data Virtualization database user Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a Data Virtualization database user Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a Data Virtualization database user Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connection Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connection Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read whitelisted IP addresses Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create whitelisted IP addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a whitelisted IP address Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk add whitelist IP addresses Administrator, Editor, Operator
GET /2017-12/:platform/tasks/:task_id Read a task Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/backups/:backup_id Read a backup Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a deployment Administrator, Editor, Operator, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a deployment Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/groups/member Update scaling member configuration Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id/locked Update user locked state Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/describe_updates Get db updates Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/db_updates Create db update Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/check_updates Check deployment for available updates Administrator, Editor, Operator, Viewer

Netezza Performance Server

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use data-warehouse for the service name.

Platform roles - Netezza Performance Server
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Netezza Performance Server
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Netezza Performance Server
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
data-warehouse.dashboard.view The capability to view the service instance details page Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-warehouse.database.connect The action describes who can connect to the database Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
data-warehouse.database.admin The role defines people with admin privileges on the database Administrator, Manager

Databases for Elasticsearch

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-elasticsearch for the service name.

Platform roles - Databases for Elasticsearch
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for Elasticsearch
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for Elasticsearch
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/elasticsearch/file_syncs Create elasticsearch file sync Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/elasticsearch/file_syncs Create elasticsearch file sync Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
deployment-elasticsearch-file-syncs.create Create elasticsearch file sync Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for EDB

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-enterprisedb for the service name.

Platform roles - Databases for EDB
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for EDB
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for EDB
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
databases-for-enterprisedb.emp.allow Allow access to EnterpriseDB Migration Portal Administrator, Editor, Operator, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for etcd

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-etcd for the service name.

Platform roles - Databases for etcd
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for etcd
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for etcd
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for MongoDB

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-mongodb for the service name.

Platform roles - Databases for MongoDB
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for MongoDB
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for MongoDB
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for MySQL

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-mysql for the service name.

Platform roles - Databases for MySQL
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for MySQL
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for MySQL
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for PostgreSQL

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-postgresql for the service name.

Platform roles - Databases for PostgreSQL
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for PostgreSQL
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for PostgreSQL
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/postgresql/logical_replication_slots Create postgresql logical replication slot Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/postgresql/logical_replication_slots/:name Delete postgresql logical replication slot Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/postgresql/logical_replication_slots Create postgresql logical replication slot Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/postgresql/logical_replication_slots/:name Delete postgresql logical replication slot Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
deployment-postgresql-logical-replication-slot.create Create postgresql logical replication slot Administrator, Editor, Operator
deployment-postgresql-logical-replication-slot.delete Delete postgresql logical replication slot Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Databases for Redis

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use databases-for-redis for the service name.

Platform roles - Databases for Redis
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Databases for Redis
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Databases for Redis
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

IBM Knowledge Catalog for Watson Data and AI

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use datacatalog for the service name.

Platform roles - IBM Knowledge Catalog for Watson Data and AI
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - IBM Knowledge Catalog for Watson Data and AI
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Watsonx.data Service Access (For Service to Service Authorization Only) for IKC Watsonx.data Service Access (For Service to Service Authorization Only) for IKC
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Knowledge Catalog for Watson Data and AI
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
datacatalog Do not use - Please select from the IBM Cloud Pak for Data service Administrator
datacatalog.catalog.create Do not use - Please select from the IBM Cloud Pak for Data service Administrator, Manager, Writer
datacatalog.data.access Watsonx.data Service Access to IKC Watsonx.data Service Access (For Service to Service Authorization Only) for IKC

DataStage

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use datastage for the service name.

Platform roles - DataStage
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - DataStage
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service actions - DataStage
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
datastage.dashboard.view DataStage dashboard view Administrator, Editor, Operator, Reader

Direct Link Connect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use directlink.connect for the service name.

Platform roles - Direct Link Connect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Direct Link Connect
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
directlink.connect.view View Administrator, Editor, Operator, Viewer
directlink.connect.edit Edit Administrator, Editor

Direct Link Dedicated

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use directlink.dedicated for the service name.

Platform roles - Direct Link Dedicated
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Direct Link Dedicated
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
directlink.dedicated.view View Administrator, Editor, Operator, Viewer
directlink.dedicated.edit Edit Administrator, Editor

Discovery

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use discovery for the service name.

Service roles - Discovery
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Discovery
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
PUT /discovery Update existing resources Manager, Writer
POST /discovery Create new resources Manager, Writer
DELETE /discovery Delete resources Manager, Writer
PATCH /discovery Make partial update to resources Manager, Writer
GET /discovery Retrieve resources Manager, Reader, Writer

DNS Services

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dns-svcs for the service name.

Platform roles - DNS Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - DNS Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - DNS Services
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
dns-svcs.dashboard.view Administrator, Editor, Operator
dns-svcs.zones.read Manager, Reader, Writer
dns-svcs.zones.update Manager, Writer
dns-svcs.zones.manage Manager
dns-svcs.resource-records.manage Manager
dns-svcs.resource-records.update Manager, Writer
dns-svcs.resource-records.read Manager, Reader, Writer
dns-svcs.acls.manage Manager
dns-svcs.acls.update Manager, Writer
dns-svcs.acls.read Manager, Reader, Writer
dns-svcs.permitted-networks.manage Manager
dns-svcs.permitted-networks.update Manager, Writer
dns-svcs.permitted-networks.read Manager, Reader, Writer

Dynamic Dashboard Embedded

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use dynamic-dashboard-embedded for the service name.

Service roles - Dynamic Dashboard Embedded
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
null null
null null
null null
Service actions - Dynamic Dashboard Embedded
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
dynamic-dashboard-embedded.instances.write null, null, null

ibm-cloud-for-education

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use education for the service name.

No supported roles.

IBM Cloud Platform Enterprise Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use enterprise for the service name.

Platform roles - IBM Cloud Platform Enterprise Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator Administrators can update the enterprise, create accounts and account groups, move accounts between account groups, import existing accounts, and view usage reports.
Editor Editors can update the enterprise, create accounts and account groups, view usage reports, and import accounts.
Operator Operators can view the enterprise, account groups, and accounts.
Viewer Viewers can view the enterprise, account groups, and accounts.
Service roles - IBM Cloud Platform Enterprise Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Usage Report Viewer Usage report viewers can view the usage reports for the entire enterprise, an account group and its accounts, or a specific account.
Service actions - IBM Cloud Platform Enterprise Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
enterprise.enterprise.create Administrator
enterprise.enterprise.update Administrator, Editor
enterprise.enterprise.retrieve Administrator, Editor, Operator, Usage Report Viewer, Viewer
enterprise.enterprise.import Administrator, Editor
enterprise.enterprise.retrieve-usage-report Administrator, Editor, Usage Report Viewer
enterprise.enterprise.attach-config-rules Administrator
enterprise.enterprise.detach-config-rules Administrator
enterprise.enterprise.update-config-rules Administrator
enterprise.enterprise.attach-templates Administrator
enterprise.enterprise.detach-templates Administrator
enterprise.enterprise.update-templates Administrator
enterprise.account-group.create Administrator, Editor
enterprise.account-group.update Administrator, Editor
enterprise.account-group.delete Administrator, Editor
enterprise.account-group.retrieve Administrator, Editor, Operator, Usage Report Viewer, Viewer
enterprise.account-group.retrieve-usage-report Administrator, Editor, Usage Report Viewer
enterprise.account-group.attach-config-rules Administrator
enterprise.account-group.detach-config-rules Administrator
enterprise.account-group.update-config-rules Administrator
enterprise.account-group.attach-templates Administrator
enterprise.account-group.detach-templates Administrator
enterprise.account-group.update-templates Administrator
enterprise.account.create Administrator, Editor
enterprise.account.update Administrator, Editor
enterprise.account.move Administrator
enterprise.account.delete Administrator, Editor
enterprise.account.retrieve Administrator, Editor, Operator, Usage Report Viewer, Viewer
enterprise.account.retrieve-usage-report Administrator, Editor, Usage Report Viewer
enterprise.account.attach-config-rules Administrator
enterprise.account.detach-config-rules Administrator
enterprise.account.update-config-rules Administrator
enterprise.account.attach-templates Administrator
enterprise.account.detach-templates Administrator
enterprise.account.update-templates Administrator

License and Entitlement

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use entitlement for the service name.

Platform roles - License and Entitlement
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Service actions - License and Entitlement
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
entitlement.entitlement.write Administrator, Editor
entitlement.entitlement.write-admin Administrator

Event Notifications

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use event-notifications for the service name.

Platform roles - Event Notifications
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Event Notifications
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Channel Editor Custom role to handle subscription activities
Custom Email Status Reporter Custom role to handle vpc api callbacks
Device Manager Custom role to handle push device registration with the event-noitifications service
Email Sender Custom role to send email events from classic to VPC
Event Notification Publisher Custom role to send notifications
Event Source Manager Custom role to handle source integration with the event-notifications service
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Pool ID Manager Custom role is to manage apis related to pool id for sms
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
SMTP Manager Custom role is to manage SMTP Configurations
Status Reporter Custom role to handle messaging api callbacks
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Event Notifications
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
event-notifications.dashboard.view This action is to view the dashboard Administrator, Channel Editor, Event Source Manager, Manager, Operator, Reader, Viewer, Writer
event-notifications.sources.create This action is to integrate a new source Administrator, Event Source Manager, Manager
event-notifications.sources.read This action is to get an already integrated source Administrator, Channel Editor, Event Source Manager, Manager, Reader
event-notifications.sources.update This action is to update an already integrated source Administrator, Event Source Manager, Manager
event-notifications.sources.delete This action is to delete an already integrated source Administrator, Event Source Manager, Manager
event-notifications.sources.list This action is to list all integrated sources in an instance Administrator, Channel Editor, Event Source Manager, Manager, Reader
event-notifications.topics.create This action is to create a new topic Administrator, Manager, Writer
event-notifications.topics.read This action is to get an already created topic Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.topics.update This action is to update an already created topic Administrator, Manager, Writer
event-notifications.topics.delete This action is to delete an already created topic Administrator, Manager
event-notifications.topics.list This action is to list all topics in an instance Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.rules.create This action is to create a rule under a source Administrator, Manager, Writer
event-notifications.rules.read This action is to get a rule in an instance Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.rules.update This action is to update an existing rule Administrator, Manager, Writer
event-notifications.rules.delete This action is to delete a rule in an instance Administrator, Manager
event-notifications.rules.list This action is to list all rules in an instance based on the sourceID and/or topicID Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.destinations.create This action is to create a new destination Administrator, Manager, Writer
event-notifications.destinations.read This action is to get a destination within an instance Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.destinations.update This action is to update existing destination information Administrator, Manager, Writer
event-notifications.destinations.delete This action is to delete a destination Administrator, Manager
event-notifications.destinations.list This action is to list all destinations within an instance Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.subscriptions.create This action is to create associate a destination to a topic Administrator, Channel Editor, Manager, Writer
event-notifications.subscriptions.read This action is to get a destination-topic mapping Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.subscriptions.update This action is to update a destination-topic mapping Administrator, Channel Editor, Manager, Writer
event-notifications.subscriptions.delete This action is to delete a subscription Administrator, Channel Editor, Manager
event-notifications.subscriptions.list This action is to list subscriptions based on the topicID and/or destinationID Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.notifications.post This action is to publish an event to EN Administrator, Event Notification Publisher, Event Source Manager, Manager, Writer
event-notifications.counts.get This action is to get counts of all entities in an instance Channel Editor, Event Notification Publisher, Event Source Manager, Manager, Reader
event-notifications.events.create This API is used to create a new Event Administrator, Event Source Manager, Manager
event-notifications.events.read This API is used to get information about an event Event Source Manager
event-notifications.events.list This API is used to list all events in an instance under a source Administrator, Event Source Manager, Manager, Reader
event-notifications.events.delete This API is used to delete an event in an instance under a source Event Source Manager
event-notifications.publickey.read To get public keys related to webhook encryption Administrator, Channel Editor, Manager, Reader, Writer
event-notifications.severities.create This API is used to create a new Event Event Source Manager
event-notifications.severities.read This API is used to get information about an event Event Source Manager
event-notifications.severities.list This API is used to list all events in an instance under a source Administrator, Event Source Manager, Manager, Reader
event-notifications.severities.delete This API is used to delete an event in an instance under a source Event Source Manager
event-notifications.email-status.create The API is used for callback from messaging service Status Reporter
event-notifications.sms-status.create The API is used for callback from messaging service Status Reporter
event-notifications.webhook-status.create The API is used for callback from messaging service Status Reporter
event-notifications.devices.create This API is used to register new device for push destination Administrator, Device Manager, Manager
event-notifications.devices.read This API is used to get registered push destination device by device_id Administrator, Device Manager, Manager
event-notifications.devices.update This API is used to update the push registered device for push destination Administrator, Device Manager, Manager
event-notifications.devices.delete This API is used to delete registered push device for push destination Administrator, Device Manager, Manager
event-notifications.devices.list This API is used to get all registered devices for push destination Administrator, Manager
event-notifications.tag-subscriptions.list The API is get subscriptions for push destination Administrator, Manager
event-notifications.tag-subscriptions.devices.list This Api is used to get subscriptions by device for push destination Administrator, Device Manager, Manager
event-notifications.tag-subscriptions.create The API is create subscription for push destination Administrator, Device Manager, Manager
event-notifications.tag-subscriptions.delete The API is delete subscription for push destination Administrator, Device Manager, Manager
event-notifications.channel-groups.create This action is to integrate a new channel group Administrator, Device Manager, Manager
event-notifications.channel-groups.read This action is to read a channel group Administrator, Device Manager, Manager, Reader
event-notifications.channel-groups.list This action is to get all channel groups Administrator, Device Manager, Manager, Reader
event-notifications.channel-groups.update This action is to update a channel group Administrator, Device Manager, Manager
event-notifications.channel-groups.delete This action is to delete a channel group Administrator, Manager
event-notifications.channels.create This action is to create fcm channel Administrator, Device Manager, Manager
event-notifications.channels.read This action is to read a channel Administrator, Device Manager, Manager, Reader
event-notifications.channels.list This action is to read all fcm channels Administrator, Device Manager, Manager, Reader
event-notifications.channels.update This action is to update fcm channel Administrator, Device Manager, Manager
event-notifications.channels.delete This action is to delete a fcm channel Administrator, Manager
event-notifications.integrations.create This action is to create an integration. For example BYOK integration with EN. Administrator, Event Source Manager, Manager
event-notifications.integrations.update This action is to update an already created integration with EN Administrator, Event Source Manager, Manager
event-notifications.integrations.read This action is to get an already-created integration Administrator, Event Source Manager, Manager
event-notifications.integrations.list This action is to list all integrations with EN Administrator, Event Source Manager, Manager
event-notifications.integrations.delete This action is to delete integration Event Source Manager, Manager
event-notifications.custom-email.create This action is to send an email event to the VPC endpoint Email Sender
event-notifications.custom-email-status.create Action to handle the callback from the VPC cluster Custom Email Status Reporter
event-notifications.templates.create This action is to create a templates Administrator, Manager, Writer
event-notifications.templates.read This action is to get a single template Administrator, Manager, Reader, Writer
event-notifications.templates.list This action is to list all templates Administrator, Manager, Reader, Writer
event-notifications.templates.update This action is to update a template Administrator, Manager, Writer
event-notifications.templates.delete This action is to delete a single template Administrator, Manager, Writer
event-notifications.pool-id-mapping.create This action is to create a new pool id mapping for a destination Pool ID Manager
event-notifications.pool-id-mapping.delete This action is to delete a new pool id mapping for a destination Pool ID Manager
event-notifications.pool-id-mapping.update This action is to update a new pool id mapping for a destination Pool ID Manager
event-notifications.delivery.create This API is used to send the status of push devices Administrator, Device Manager, Manager
event-notifications.smtp-config.create This API is used to create new smtp configuration Administrator, Manager, SMTP Manager, Writer
event-notifications.smtp-config.read This action is to get the smtp config Administrator, Manager, Reader, SMTP Manager, Writer
event-notifications.smtp-config.list This action is to get all smtp configs within an instance Administrator, Manager, Reader, SMTP Manager, Writer
event-notifications.smtp-config.update This api is to update a smtp config in an instance Administrator, Manager, SMTP Manager, Writer
event-notifications.smtp-config.delete This action is to delete a SMTP configuration within an instance Administrator, Manager, SMTP Manager, Writer
event-notifications.smtp-user.create This action is to create a user within a SMTP configuration Administrator, Manager, SMTP Manager, Writer
event-notifications.smtp-user.read This action is to read user details under an SMTP configuration Administrator, Manager, Reader, SMTP Manager, Writer
event-notifications.smtp-user.list This action is to get all users within an SMTP configuration Administrator, Manager, Reader, SMTP Manager, Writer
event-notifications.smtp-user.update This action is to update a user within an SMTP configuration Administrator, Manager, SMTP Manager, Writer
event-notifications.smtp-user.delete This action is to delete a user within an SMTP configuration Manager, SMTP Manager, Writer
event-notifications.smtp-config.enable This internal API is to manage EN Authorization Pool ID Manager
event-notifications.metrics.read This API is to get metrics for resources in Event Notifications Administrator, Manager, Reader, Writer

IBM Cloud Functions

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use functions for the service name.

Service roles - IBM Cloud Functions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Functions
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
functions.namespaces.read Manager, Reader, Writer
functions.namespaces.delete Manager
functions.namespaces.update Manager
functions.entities.create Manager, Writer
functions.entities.update Manager, Writer
functions.entities.delete Manager, Writer
functions.entities.read Manager, Reader, Writer
functions.entities.activate Manager, Reader, Writer

Globalization Pipeline

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use g11n-pipeline for the service name.

Platform roles - Globalization Pipeline
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Globalization Pipeline
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Globalization Pipeline
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
g11n-pipeline.dashboard.view Administrator, Editor, Operator
g11n-pipeline.user.create-user Manager
g11n-pipeline.document.delete-document Manager
g11n-pipeline.document-translation-request.create-translation-request Manager
g11n-pipeline.bundle.update-resource-entry-info Manager, Writer
g11n-pipeline.translation-request.get-translation-requests Manager, Writer
g11n-pipeline.document.create-document Manager
g11n-pipeline.bundle.get-resource-strings Manager, Reader, Writer
g11n-pipeline.xliff-document.update-documents-with-xliff Manager, Writer
g11n-pipeline.user.update-user Manager
g11n-pipeline.bundle.update-resource-entries Manager, Writer
g11n-pipeline.translation-request.get-tr-resource-entry-info Manager, Writer
g11n-pipeline.xliff.update-bundles-with-xliff Manager, Writer
g11n-pipeline.bundle.upload-resource-entries Manager
g11n-pipeline.document.get-document-list Manager, Writer
g11n-pipeline.document-translation-request.get-tr-document-segment-info Manager, Writer
g11n-pipeline.xliff.get-xliff-from-tr Manager, Writer
g11n-pipeline.document-translation-request.update-translation-request Manager
g11n-pipeline.document-translation-request.get-document-translation-request Manager, Writer
g11n-pipeline.config.put-translation-config Manager
g11n-pipeline.xliff-document.get-xliff-from-document-tr Manager, Writer
g11n-pipeline.user.get-users Manager
g11n-pipeline.config.put-mt-service-binding Manager
g11n-pipeline.translation-request.update-translation-request Manager
g11n-pipeline.document-translation-request.get-document-translation-requests Manager, Writer
g11n-pipeline.user.get-user Manager, Writer
g11n-pipeline.document-translation-request.get-tr-document-segments Manager, Writer
g11n-pipeline.translation-request.get-tr-resource-entries Manager, Writer
g11n-pipeline.document-translation-request.delete-document-translation-request Manager
g11n-pipeline.bundle.delete-bundle Manager
g11n-pipeline.bundle.get-resource-entry-info Manager, Writer
g11n-pipeline.bundle.get-bundle-list Manager, Writer
g11n-pipeline.bundle.create-bundle Manager
g11n-pipeline.bundle.get-bundle-info Manager, Reader, Writer
g11n-pipeline.bundle.update-bundle Manager
g11n-pipeline.translation-request.get-tr-bundle-info Manager, Writer
g11n-pipeline.config.get-all-mt-service-bindings Manager
g11n-pipeline.service-instance.get-service-instance-info Manager, Writer
g11n-pipeline.xliff.get-xliff-from-bundles Manager, Writer
g11n-pipeline.config.delete-mt-service-binding Manager
g11n-pipeline.config.get-translation-config Manager
g11n-pipeline.user.delete-user Manager
g11n-pipeline.document-translation-request.get-tr-document-info Manager, Writer
g11n-pipeline.config.get-mt-service-binding Manager
g11n-pipeline.config.delete-translation-config Manager
g11n-pipeline.xliff-document.get-xliff-from-documents Manager, Writer
g11n-pipeline.config.get-all-translation-configs Manager, Writer
g11n-pipeline.translation-request.delete-translation-request Manager
g11n-pipeline.translation-request.get-translation-request Manager, Writer
g11n-pipeline.translation-request.create-translation-request Manager
g11n-pipeline.bundle.get-bundle-info-full Manager, Writer
g11n-pipeline.bundle.get-bundle-list-all Manager
g11n-pipeline.bundle.get-resource-strings-all Manager, Writer
g11n-pipeline.user.get-user-all Manager
g11n-pipeline.bundle.update-resource-strings-src Manager
g11n-pipeline.bundle.update-resource-entry-info-src Manager
g11n-pipeline.document.get-document-content Manager, Reader, Writer
g11n-pipeline.document.get-document-meta-data Manager, Reader, Writer
g11n-pipeline.document.get-document-meta-data-full Manager, Writer
g11n-pipeline.document.get-document-segments Manager, Writer
g11n-pipeline.document.update-document-meta-data Manager
g11n-pipeline.document.get-segment-info Manager, Writer
g11n-pipeline.document.upload-document-content Manager
g11n-pipeline.document.update-segment-translation Manager, Writer

gatekeeper

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use gatekeeper for the service name.

Service roles - gatekeeper
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - gatekeeper
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
gatekeeper.frauddashboard.read ability to view gatekeeper fraud landing page dashboard as a reader Manager, Reader, Writer
gatekeeper.fraudcase.read searching or viewing a case Manager, Reader, Writer
gatekeeper.fraudcasenotes.create Ability to create and edit fraud case Manager, Writer
gatekeeper.fraudagents.create Ability to view, create, edit and delete agents Manager
gatekeeper.fraudhyperwarp.read Ability to view hyperwarp Manager, Reader, Writer
gatekeeper.fraudhyperwarp.create Ability to view, create, edit and delete hyperwarp Manager
gatekeeper.fraudmetrics.read Ability to view Metrics Manager, Reader, Writer
gatekeeper.fraudrules.read Ability to view assignment rules Manager, Reader, Writer
gatekeeper.fraudrules.create The ability to create, edit and Delete assignment Rules Manager
gatekeeper.abusedashboard.read ability to view gatekeeper abuse landing page dashboard as a reader Manager, Reader, Writer
gatekeeper.abusereport.read This role is for searching or viewing a ticket Manager, Reader, Writer
gatekeeper.abusereport.update This role is for updating a ticket
Manager, Writer
gatekeeper.abuseadmin.read This role is for viewing abuse rules, playbook, queue, types and boilerplate Manager
gatekeeper.abuseadmin.create This role is for creating or deleting abuse rules, playbook, queue, types and boilerplate Manager
gatekeeper.fraudagents.read Ability to view agents only Manager, Reader, Writer

GhoST API

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use ghost-api for the service name.

Platform roles - GhoST API
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Viewer As a viewer, you can view service instances, but you can't modify them.

GhoST Tagging Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use ghost-tags for the service name.

Platform roles - GhoST Tagging Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service actions - GhoST Tagging Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
ghost-tags.create-access-tag The ability to create access management tags in an account Administrator
ghost-tags.delete-access-tag The ability to delete access management tags in an account Administrator

Global Catalog

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use globalcatalog for the service name.

Platform roles - Global Catalog
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator Administrators can change object metadata or visibility for private services added to the account and can restrict the visibility of a public service.
Editor Editors can change object metadata, but can’t change visibility for private services added to the account.
Operator Operators can view private services added to the account.
Viewer Viewers can view private services added to the account.
Service actions - Global Catalog
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
globalcatalog.is.admin Is Admin Administrator
globalcatalog.is.editor Is Editor Editor
globalcatalog.is.viewer Is Viewer Operator, Viewer

Personal Catalog

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use globalcatalog-collection for the service name.

Platform roles - Personal Catalog
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - Personal Catalog
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
IBMOperation (Internal) - IBM Use only
IBMTransactionManager (IBM Only) Internal IBM Transaction Manager
Publisher You can publish offerings that are approved by IBM and that are in a private catalog to which you're assigned the viewer role.
Service Configuration Reader The ability to read services configuration for Governance management.
Share Request Manager You can view and manage share requests that are sent and received from accounts, enterprises, or account groups.
Service actions - Personal Catalog
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
globalcatalog-collection.instance.promote Publish item to public, assuming also has viewer access. Administrator, Publisher
globalcatalog-collection.operation.approve This action approves the publishing of items to public. Only IBM can use this action. Publisher
globalcatalog-collection.account.manage This action manages account level settings, e.g. Hiding the public catalog from the account members. Administrator
globalcatalog-collection.support.janitor (Internal) Janitor support IBMOperation
globalcatalog-collection.support.approveibm (Internal) - Approve publishing to IBM only IBMOperation
globalcatalog-collection.support.approvepublic (Internal) Approve publishing to public IBMOperation
globalcatalog-collection.support.approveshare (Internal) Approve publishing to Shared IBMOperation
globalcatalog-collection.config.read Fortress compliance - read configuration IBMOperation, Service Configuration Reader
globalcatalog-collection.restrictedtags.update Permission to set restricted tags in a product. IBMOperation
globalcatalog-collection.support.switch-boundary (Internal) Switch regulated boundaries for an account. IBMTransactionManager
globalcatalog-collection.accountshare.view-sent-request View share requests that are sent from your own account. Administrator, Share Request Manager
globalcatalog-collection.accountshare.manage-sent-request This action manages share requests that are sent from your own account. You can delete or make a request to share a catalog type to another account, enterprise, or account group. Administrator, Share Request Manager
globalcatalog-collection.accountshare.view-incoming-request View share requests that are received by this account. Administrator, Share Request Manager
globalcatalog-collection.accountshare.manage-incoming-request This action manages share requests that are received by this account. You can approve or deny these received share requests with this action. Administrator, Share Request Manager

Instance Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use globalcatalog-instance for the service name.

Platform roles - Instance Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Instance Management
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
globalcatalog-instance.dashboard.view View Dashboard Administrator, Editor, Operator, Viewer

HPCaaS from Rescale

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use hpcaas-from-rescale-prod for the service name.

Platform roles - HPCaaS from Rescale
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator null
Editor null
Operator null
Service actions - HPCaaS from Rescale
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
hpcaas-from-rescale-prod.dashboard.view Administrator, Editor, Operator

Hyper Protect Crypto Services

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use hs-crypto for the service name.

Platform roles - Hyper Protect Crypto Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Hyper Protect Crypto Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Certificate Manager Managing client certificates to configure mutual TLS for EP11 workloads
KMS Key Purge Role As a KMS Key Purge, the user is allowed to purge encryption keys.
Key Custodian - Creator Manages Keys. For a complete key lifecycle both Creator and Deployer roles are needed. To implement separaton of duties assign Creator and Deployer role to different people. Can create keys
Key Custodian - Deployer Manages Keys. For a complete key lifecycle both Creator and Deployer roles are needed. To implement separaton of duties assign Creator and Deployer role to different people. Can deploy keys
Kmip Adapter Manager The rights necessary to manage access to resources governed via the KMIP protocol
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Reader Plus As a reader plus, you can perform read-only actions within the service such as viewing service-specific resources. You can also access key material of standard keys.
Service Configuration Reader The ability to read services configuration for Governance management.
VMWare KMIP Manager Allow the VMWare Solutions service to configure KMIP (activate/deactivate KMIP endpoint, manage client certificates)
Vault Administrator Can manage vaults, keystores (incl. cost implications), templates, and can perform destructive lifecycle actions on managed keys. Different vaults can be used to e.g. separate teams, lines of business, or customers.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Hyper Protect Crypto Services
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
hs-crypto.crypto.decrypt hs-crypto.crypto.decrypt Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.derivekey hs-crypto.crypto.derivekey Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.digest hs-crypto.crypto.digest Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.digestkey hs-crypto.crypto.digestkey Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.encrypt hs-crypto.crypto.encrypt Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.generatekey hs-crypto.crypto.generatekey Manager, Writer
hs-crypto.crypto.generatekeypair hs-crypto.crypto.generatekeypair Manager, Writer
hs-crypto.crypto.generaterandom hs-crypto.crypto.generaterandom Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.getattributevalue hs-crypto.crypto.getattributevalue Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.getmechanisminfo hs-crypto.crypto.getmechanisminfo Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.getmechanismlist hs-crypto.crypto.getmechanismlist Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.rewrapkeyblob hs-crypto.crypto.rewrapkeyblob Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.setattributevalue hs-crypto.crypto.setattributevalue Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.sign hs-crypto.crypto.sign Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.unwrapkey hs-crypto.crypto.unwrapkey Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.verify hs-crypto.crypto.verify Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.wrapkey hs-crypto.crypto.wrapkey Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.login hs-crypto.crypto.login Manager, Reader, Reader Plus, Writer
hs-crypto.crypto.logout hs-crypto.crypto.logout Manager, Reader, Reader Plus, Writer
hs-crypto.discovery.listservers hs-crypto.discovery.listservers Manager, Reader, Reader Plus, Writer
hs-crypto.voting.registertopic hs-crypto.voting.registertopic Manager, Reader, Reader Plus, Writer
hs-crypto.voting.listtopicsbyids hs-crypto.voting.listtopicsbyids Manager, Reader, Reader Plus, Writer
hs-crypto.voting.listtopicsbyattributes hs-crypto.voting.listtopicsbyattributes Manager, Reader, Reader Plus, Writer
hs-crypto.voting.deletetopic hs-crypto.voting.deletetopic Manager, Reader, Reader Plus, Writer
hs-crypto.voting.newpoll hs-crypto.voting.newpoll Manager, Reader, Reader Plus, Writer
hs-crypto.voting.finishpoll hs-crypto.voting.finishpoll Manager, Reader, Reader Plus, Writer
hs-crypto.voting.registerpermanentvoter hs-crypto.voting.registerpermanentvoter Manager, Reader, Reader Plus, Writer
hs-crypto.voting.listvotersbyids hs-crypto.voting.listvotersbyids Manager, Reader, Reader Plus, Writer
hs-crypto.voting.listvotersbyattributes hs-crypto.voting.listvotersbyattributes Manager, Reader, Reader Plus, Writer
hs-crypto.voting.deletevoter hs-crypto.voting.deletevoter Manager, Reader, Reader Plus, Writer
hs-crypto.voting.newvote hs-crypto.voting.newvote Manager, Reader, Reader Plus, Writer
hs-crypto.voting.getpollresults hs-crypto.voting.getpollresults Manager, Reader, Reader Plus, Writer
hs-crypto.voting.registerlivevoter hs-crypto.voting.registerlivevoter Manager, Reader, Reader Plus, Writer
hs-crypto.keystore.createkeystore hs-crypto.keystore.createkeystore Manager
hs-crypto.keystore.deletekey hs-crypto.keystore.deletekey Manager, Writer
hs-crypto.keystore.deletekeystore hs-crypto.keystore.deletekeystore Manager
hs-crypto.keystore.listkeysbyattributes hs-crypto.keystore.listkeysbyattributes Manager, Reader, Reader Plus, Writer
hs-crypto.keystore.listkeysbyids hs-crypto.keystore.listkeysbyids Manager, Reader, Reader Plus, Writer
hs-crypto.keystore.listkeystoresbyattributes hs-crypto.keystore.listkeystoresbyattributes Manager
hs-crypto.keystore.listkeystoresbyids hs-crypto.keystore.listkeystoresbyids Manager
hs-crypto.keystore.storenewkey hs-crypto.keystore.storenewkey Manager, Writer
hs-crypto.keystore.updatekey hs-crypto.keystore.updatekey Manager, Writer
hs-crypto.dashboard.view View the dashboard Administrator, Editor, Operator
hs-crypto.instances.read Get Instance API endpoint info Administrator, Editor, Key Custodian - Creator, Key Custodian - Deployer, Manager, Reader, VMWare KMIP Manager, Vault Administrator, Viewer, Writer
hs-crypto.secrets.list Retrieve a list of encryption keys. Manager, Reader, Reader Plus, Service Configuration Reader, VMWare KMIP Manager, Writer
hs-crypto.secrets.wrap Wrap an encryption key. Manager, Reader, Reader Plus, Writer
hs-crypto.secrets.unwrap Unwrap an encryption key. Manager, Reader, Reader Plus, Writer
hs-crypto.secrets.create Create an encryption key. Manager, Writer
hs-crypto.secrets.read Retrieve an encryption key. Manager, Reader Plus, Writer
hs-crypto.secrets.delete Delete an encryption key. Manager
hs-crypto.secrets.rotate Rotate an encryption key. Manager, Writer
hs-crypto.instances.manage Manage instance via TKE. Manager
hs-crypto.ep11.use Use the GREP11 Interface for Hyper Protect Crypto Services Administrator, Editor, Manager, Reader, Reader Plus, Viewer, Writer
hs-crypto.importtoken.create Allow creation of secure import tokens Manager, Writer
hs-crypto.importtoken.read Allow retrieval of secure import tokens Manager, Writer
hs-crypto.policies.read Retrieve policies for an encryption key Manager, Service Configuration Reader
hs-crypto.policies.write Set policies for an encryption key Manager
hs-crypto.instancepolicies.read Retrieve instance level policies Manager, Service Configuration Reader
hs-crypto.instancepolicies.write Add or update instance level policies Manager
hs-crypto.secrets.setkeyfordeletion Set or prepare an encryption key for deletion Manager, Writer
hs-crypto.secrets.unsetkeyfordeletion Unset an encryption key for deletion Manager, Writer
hs-crypto.secrets.readmetadata Retrieve the details of an encryption key Manager, Reader, Reader Plus, Writer
hs-crypto.secrets.rewrap Rewrap an encryption key Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.list Retrieve a list of registrations Manager, Reader, Reader Plus, Service Configuration Reader, Writer
hs-crypto.secrets.listkeyversions Retrieve a list of versions that are associated with an encryption key Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.listforkey Retrieve a list of registrations for a given encryption key Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.deactivate Move a suspended registration to the deactivated state Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.create Create a registration between an encryption key and a cloud resource Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.write Replace an existing registration Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.merge Update the details of an existing registration Manager, Reader, Reader Plus, Writer
hs-crypto.registrations.delete Delete a registration Manager, Reader, Reader Plus, Writer
hs-crypto.secrets.disable Disable operations for an encryption key Manager
hs-crypto.secrets.enable Enable operations for an encryption key Manager
hs-crypto.secrets.restore Restore a previously deleted encryption key Manager
hs-crypto.secrets.eventack Acknowledge a key lifecycle event Manager, Reader, Reader Plus, Writer
hs-crypto.kmip.activate Activate KMIP endpoint VMWare KMIP Manager
hs-crypto.kmip.deactivate Deactivate KMIP endpoint VMWare KMIP Manager
hs-crypto.kmip.status Get Status of KMIP endpoint VMWare KMIP Manager
hs-crypto.kmip.certadd Add Client Certificates to KMIP endpoint for usage of mutual TLS VMWare KMIP Manager
hs-crypto.kmip.certdel Delete Client Certificates from KMIP endpoint for usage of mutual TLS VMWare KMIP Manager
hs-crypto.keyrings.create Create key rings Manager, Writer
hs-crypto.keyrings.delete Delete key rings Manager
hs-crypto.keyrings.list List key rings Manager, Reader, Reader Plus, Writer
hs-crypto.secrets.createalias Create key alias Manager, Writer
hs-crypto.secrets.deletealias Delete key alias Manager, Writer
hs-crypto.config.read Configuration Information Point API access Service Configuration Reader
hs-crypto.secrets.sync Initiate a manual synchronization request to the associated resources of a key. Manager, Writer
hs-crypto.secrets.purge Purge a destroyed encryption key. KMS Key Purge Role
hs-crypto.secrets.patch Update an encryption key Manager
hs-crypto.mtlscert-admin-key.create Create the administrator signature key for the certificate administrator Certificate Manager
hs-crypto.mtlscert-admin-key.update Update the administrator signature key for the certificate administrator Certificate Manager
hs-crypto.mtlscert-admin-key.delete Delete the administrator signature key of the certificate administrator Certificate Manager
hs-crypto.mtlscert-admin-key.read Get the administrator signature key of the certificate administrator Certificate Manager
hs-crypto.mtlscert-cert.set Create or update certificates by the certificate administrator Certificate Manager
hs-crypto.mtlscert-cert.list List all certificates that are managed by the certificate administrator Certificate Manager
hs-crypto.mtlscert-cert.read Get certificates by the certificate administrator Certificate Manager
hs-crypto.mtlscert-cert.delete Delete certificates by the certificate administrator Certificate Manager
hs-crypto.vault-keys.active-deactivate Deactivate an ACTIVE key Key Custodian - Deployer
hs-crypto.vault-keys.active-install Install an ACTIVE key Key Custodian - Deployer, Vault Administrator
hs-crypto.vault-keys.active-uninstall Uninstall an ACTIVE key Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.deactivated-destroy Destroy a DEACTIVATED key Vault Administrator
hs-crypto.vault-keys.deactivated-install Install a DEACTIVATED key Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.deactivated-reactivate Reactivate a DEACTIVATED key Key Custodian - Deployer
hs-crypto.vault-keys.deactivated-uninstall Uninstall a DEACTIVATED key Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.destroyed-remove Remove a DESTROYED key from Vault Vault Administrator
hs-crypto.vault-keys.distribute Distribute key into assigned keystores Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.generate Generate new key material Key Custodian - Creator
hs-crypto.vault-keys.preactivation-activate Activate a PREACTIVE key Key Custodian - Deployer
hs-crypto.vault-keys.preactivation-destroy Destroy a PREACTIVE key Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.read Read managed key details Key Custodian - Creator, Key Custodian - Deployer, Reader, Vault Administrator
hs-crypto.vault-keys.list List managed keys Administrator, Editor, Key Custodian - Creator, Key Custodian - Deployer, Manager, Reader, Vault Administrator, Viewer, Writer
hs-crypto.vault-keys.write Write/edit managed key details Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.delete Delete a managed key Vault Administrator
hs-crypto.vault-keys.write-dates Write key activation/expiration dates Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keys.write-tags Write key tags Key Custodian - Creator, Key Custodian - Deployer
hs-crypto.vault-keystores.read Read target keystore details Key Custodian - Creator, Key Custodian - Deployer, Reader, Vault Administrator
hs-crypto.vault-keystores.list List target keystores Administrator, Editor, Key Custodian - Creator, Key Custodian - Deployer, Manager, Reader, Vault Administrator, Viewer, Writer
hs-crypto.vault-keystores.write Write/edit target keystore details Vault Administrator
hs-crypto.vault-keystores.delete Delete a keystore (internal) / Disconnect a keystore (external) Vault Administrator
hs-crypto.vault-key-templates.read Read key template details Key Custodian - Creator, Key Custodian - Deployer, Reader, Vault Administrator
hs-crypto.vault-key-templates.list List key templates Administrator, Editor, Key Custodian - Creator, Key Custodian - Deployer, Manager, Reader, Vault Administrator, Viewer, Writer
hs-crypto.vault-key-templates.write Write/Edit key templates Key Custodian - Creator, Vault Administrator
hs-crypto.vault-key-templates.delete Delete key templates Vault Administrator
hs-crypto.vaults.read Read Vault details Key Custodian - Creator, Key Custodian - Deployer, Reader, Vault Administrator
hs-crypto.vaults.list List Vaults Administrator, Editor, Key Custodian - Creator, Key Custodian - Deployer, Manager, Reader, Vault Administrator, Viewer, Writer
hs-crypto.vaults.write Write/Edit Vault details Vault Administrator
hs-crypto.vaults.delete Delete a Vault Vault Administrator
hs-crypto.uko.initiate-paid-upgrade Start billing of UKO base price (by using external keystores) Vault Administrator
hs-crypto.uko.add-paid-keystore Create a paid keystore (beyond free amount) Vault Administrator
hs-crypto.secrets-with-policy-overrides.create hs-crypto.secrets-with-policy-overrides.create Manager
hs-crypto.kmip-management.create hs-crypto.kmip-management.create Kmip Adapter Manager, Manager
hs-crypto.kmip-management.list hs-crypto.kmip-management.list Kmip Adapter Manager, Manager
hs-crypto.kmip-management.read hs-crypto.kmip-management.read Kmip Adapter Manager, Manager
hs-crypto.kmip-management.delete hs-crypto.kmip-management.delete Kmip Adapter Manager, Manager

IAM Access Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-access-management for the service name.

Platform roles - IAM Access Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - IAM Access Management
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-access-management.settings.read Read Access Management account settings Administrator, Editor, Viewer
iam-access-management.user-access-list.read Read User Access list Administrator, Editor
iam-access-management.settings.update Update Access Management account settings Administrator

Role Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-access-management.customRole for the service name.

Platform roles - Role Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Role Management
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-access-management.customRole.create The ability to create custom roles. Administrator
iam-access-management.customRole.update The ability to edit and update custom roles. Administrator, Editor
iam-access-management.customRole.delete The ability to delete a custom role. Administrator
iam-access-management.customRole.read Retrieve custom roles Administrator, Editor, Operator, Viewer

AM Insights

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-access-management.insight for the service name.

Platform roles - AM Insights
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Service actions - AM Insights
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-access-management.insight.get Read Access Management insights Administrator, Editor

IAM Access Groups

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-groups for the service name.

Platform roles - IAM Access Groups
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can view, create, edit, and delete access groups including adding or removing users from the groups. You can also assign access to the group and manage access for others to work with access groups.
Editor As an editor, you can view, create, edit, and delete access groups including adding or removing users from the groups.
Viewer As a viewer, you can view access groups and its members.
Service roles - IAM Access Groups
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Assignment Administrator Template Assignment Administrator
Groups Service Member Manage This role is used by cloud services to manage members of a group.
Service Configuration Reader The ability to read services configuration for Governance management.
Template Administrator Template Administrator
Service actions - IAM Access Groups
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-groups.groups.create Create an access group Administrator, Editor
iam-groups.groups.read Get an access group Administrator, Editor, Viewer
iam-groups.groups.update Update an access group Administrator, Editor
iam-groups.groups.delete Delete an access group Administrator, Editor
iam-groups.groups.list List access groups Administrator, Editor, Groups Service Member Manage, Viewer
iam-groups.members.add Add members to an access group Administrator, Editor, Groups Service Member Manage
iam-groups.members.read Check membership in an access group Administrator, Editor, Viewer
iam-groups.members.delete Delete member from an access group Administrator, Editor
iam-groups.members.list List access group members Administrator, Editor, Viewer
iam-groups.rules.create Create rule for an access group Administrator, Editor
iam-groups.rules.read Get an access group rule Administrator, Editor, Viewer
iam-groups.rules.update Update an access group rule Administrator, Editor
iam-groups.rules.delete Delete an access group rule Administrator, Editor
iam-groups.rules.list List access group rules Administrator, Editor, Viewer
iam-groups.groups.audit View access groups audit data Administrator, Editor, Viewer
iam-groups.account-settings.read View access groups account settings Administrator, Editor, Viewer
iam-groups.account-settings.update Update access groups account settings Administrator
iam-groups.group-template.create Create an Access Groups Template Template Administrator
iam-groups.group-template.read Get an Access Groups Template Assignment Administrator, Template Administrator
iam-groups.group-template.update Update an Access Groups Template Template Administrator
iam-groups.group-template.delete Delete an Access Groups Template Template Administrator
iam-groups.group-assignment.create Create an Access Groups Template Assignment Assignment Administrator
iam-groups.group-assignment.update Update an Access Groups Template assignment Assignment Administrator
iam-groups.group-assignment.read Get an Access Groups Template assignment Assignment Administrator, Template Administrator
iam-groups.group-assignment.delete Delete an Access Groups Template Assignment Assignment Administrator

IAM Identity Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-identity for the service name.

Platform roles - IAM Identity Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator An Administrator can view, update and delete service IDs and API keys.
Editor An Editor can view and update service IDs and API keys.
Operator An Operator can view, update and delete service IDs and API keys.
Viewer A Viewer can view service IDs and API keys.
Service roles - IAM Identity Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
API key reviewer A Reviewer can list metadata of API keys.
Assignment Administrator A Template Deployment Administrator can manage the deployment of Enterprise Templates
Service Configuration Reader A Config reader can view the settings of the account.
Service ID creator Can create service IDs when the account setting to restrict service ID creation is enabled.
Template Administrator A Template Administrator can manage Enterprise Templates
User API key creator Can create API keys when the account setting to restrict API key creation is enabled.
Service actions - IAM Identity Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-identity.serviceid.get Get the details of an existing service ID. Administrator, Editor, Operator, Viewer
iam-identity.serviceid.create Create a new service ID. Service ID creator
iam-identity.serviceid.update Update the details of an existing service ID. Administrator, Editor, Operator
iam-identity.serviceid.delete Delete a service ID. Administrator, Operator
iam-identity.apikey.manage Manage the API keys of an account. Administrator
iam-identity.apikey.get Get the details of an existing API key. Administrator, Editor, Operator
iam-identity.apikey.list List API keys based on properties. Administrator, Editor, Operator
iam-identity.apikey.review List metadata of API keys based on properties. API key reviewer, Administrator, Editor, Operator, Service Configuration Reader
iam-identity.apikey.create Create a new API key. Administrator, Operator
iam-identity.apikey.update Update the details of an existing API key. Administrator, Editor, Operator
iam-identity.apikey.delete Delete an API key. Administrator, Operator
iam-identity.user-apikey.create Ability to create IBM Cloud API keys associated with a user identity. User API key creator
iam-identity.profile.create Create a new Trusted Profile. Administrator
iam-identity.profile.update Update the details of an existing Trusted Profile. Administrator, Editor, Operator
iam-identity.profile.delete Delete a Trusted Profile. Administrator, Operator
iam-identity.profile.get Get the details of an existing Trusted Profile. Administrator, Editor, Operator, Viewer
iam-identity.profile.get_session Get sessions associated to a Trusted Profile. Administrator, Operator
iam-identity.profile.revoke_session Revoke sessions associated to Trusted Profile Administrator, Operator
iam-identity.profile.linkToResource Link a trusted profile to a resource Administrator, Editor, Operator
iam-identity.idp.get Get the details of an existing Identity Provider configuration. Administrator, Editor, Operator
iam-identity.idp.list List Identity Provider configurations. Administrator, Editor, Operator
iam-identity.idp.create Create a new Identity Provider configuration. Administrator, Operator
iam-identity.idp.update Update an existing Identity Provider configuration. Administrator, Editor, Operator
iam-identity.idp.delete Delete an Identity Provider configuration. Administrator, Operator
iam-identity.idp.test Test an Identity Provider configuration. Administrator, Editor, Operator
iam-identity.account.get Get the account configuration. Administrator, Editor, Operator, Service Configuration Reader, Viewer
iam-identity.account.create Create a new account configuration. Administrator, Operator
iam-identity.account.update Update an existing account configuration. Administrator, Editor, Operator
iam-identity.account.create Create a new account configuration. Administrator, Operator
iam-identity.account.update Update an existing account configuration. Administrator, Editor, Operator
iam-identity.account.enable_idp Enable an Identity Provider configuration for the account. Administrator, Editor, Operator
iam-identity.account.disable_idp Disable an Identity Provider configuration for the account. Administrator, Editor, Operator
iam-identity.account.delete Delete an account configuration. Administrator, Operator
iam-identity.session.manage Manage the user sessions of an account. Administrator
iam-identity.crnmapping.create Create a CRN mapping for an account Administrator
iam-identity.crnmapping.read Read CRN mappings of an account Administrator
iam-identity.crnmapping.delete Delete a CRN mapping for an account Administrator
iam-identity.activity.get Get authentication activity information Administrator, Editor, Operator, Viewer
iam-identity.report.create Trigger report creation for an account Administrator
iam-identity.report.get Get a report for an account Administrator
iam-identity.profile-template.create Create a new Trusted Profile template Template Administrator
iam-identity.profile-template.read Get the details of an existing Trusted Profile template Assignment Administrator, Template Administrator
iam-identity.profile-template.update Update the details of a Trusted Profile template Template Administrator
iam-identity.profile-template.delete Delete a Trusted Profile template Template Administrator
iam-identity.account-settings-template.create Create a new Account Settings template Template Administrator
iam-identity.account-settings-template.read Get the details of an Account Settings template Assignment Administrator, Template Administrator
iam-identity.account-settings-template.update Update an existing Account Settings template Template Administrator
iam-identity.account-settings-template.delete Delete an Account Settings template Template Administrator
iam-identity.mfa-status.get Get MFA Enrollment Status Administrator
iam-identity.profile-assignment.create Assign a Trusted Profile Template to a target Account or AccountGroup Assignment Administrator
iam-identity.profile-assignment.delete Delete an assignment of a trusted profile Assignment Administrator
iam-identity.profile-assignment.read Get the details of a Trusted Profile Assignment Assignment Administrator, Template Administrator
iam-identity.profile-assignment.update Update an assignment of a trusted profile Assignment Administrator
iam-identity.account-settings-assignment.create Assign an Account Settings Template to a target Account or AccountGroup Assignment Administrator
iam-identity.account-settings-assignment.delete Delete an assignment of Account Settings Assignment Administrator
iam-identity.account-settings-assignment.read Get the details of an Account Settings Assignment Assignment Administrator, Template Administrator
iam-identity.account-settings-assignment.update Update an assignment of Account Settings Assignment Administrator
iam-identity.preferences.read Get an identity's preferences Administrator
iam-identity.preferences.update Update an identity's preferences Administrator
iam-identity.serviceid-group.get Get the details of an existing service ID group. Administrator, Editor, Operator, Viewer
iam-identity.serviceid-group.create Create a new service ID group. Administrator, Operator
iam-identity.serviceid-group.update Update the details of an existing service ID group. Administrator, Editor, Operator
iam-identity.serviceid-group.delete Delete a service ID group. Administrator, Operator

Identity and Access Management

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use iam-svcs for the service name.

Platform roles - Identity and Access Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Identity and Access Management
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Identity and Access Management
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
iam-svcs.dashboard.view Administrator, Editor, Operator

Analytics Engine

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use ibmanalyticsengine for the service name.

Platform roles - Analytics Engine
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Analytics Engine
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Analytics Engine
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
ibmae.applications.create Manager, Writer
ibmae.applications.delete Manager, Writer
ibmae.applications.read Manager, Reader, Writer
ibmae.cluster.createlogconfig Administrator, Editor, Manager, Writer
ibmae.cluster.customize Administrator, Editor, Manager, Writer
ibmae.cluster.deletelogconfig Administrator, Editor, Manager, Writer
ibmae.cluster.read Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
ibmae.cluster.resize Administrator, Editor, Manager, Writer
ibmae.cluster.resetpassword Administrator, Manager
ibmae.cluster.updatePrivateEndpointAllowlist Administrator, Editor, Manager, Writer
ibmae.cluster.updatePrivateEndpointWhitelist Administrator, Editor, Manager, Writer
ibmae.cluster.viewpassword Administrator, Editor, Manager, Writer
ibmae.instance-logging.create Manager, Writer
ibmae.instance-logging.delete Manager, Writer
ibmae.instance-logging.patch Manager, Writer
ibmae.instance-logging.read Manager, Reader, Writer
ibmae.instance-logging.update Manager, Writer
ibmae.instances.patch Manager, Writer
ibmae.instances.read Manager, Reader, Writer
ibmae.instances.update Manager, Writer
ibmae.kernels.create Manager, Writer
ibmae.kernels.delete Manager, Writer
ibmae.kernels.read Manager, Reader, Writer
ibmae.livybatch.create Manager, Writer
ibmae.livybatch.delete Manager, Writer
ibmae.livybatch.read Manager, Reader, Writer
ibmae.sparkhistoryserver.create Manager, Writer
ibmae.sparkhistoryserver.delete Manager, Writer
ibmae.sparkhistoryserver.read Manager, Reader, Writer
ibmae.sparkhistoryui.read Manager, Reader, Writer

IBM Cloud Platform

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use ibmcloud-platform for the service name.

Platform roles - IBM Cloud Platform
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator null
Editor null
Operator null
Viewer null
Service actions - IBM Cloud Platform
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
ibmcloud-platform.osbbroker.create Administrator, Editor
ibmcloud-platform.osbbroker.update Administrator, Editor, Operator
ibmcloud-platform.osbbroker.retrieve Administrator, Editor, Operator, Viewer
ibmcloud-platform.osbbroker.delete Administrator, Editor

Human Intelligence

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use insight-specialist-ltd--msp-human-intelligence for the service name.

Platform roles - Human Intelligence
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Human Intelligence
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Human Intelligence
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
insight-specialist-ltd--msp-human-intelligence.dashboard.view Administrator, Editor, Operator

Cloud Internet Services

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use internet-svcs for the service name.

Service roles - Cloud Internet Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Cloud Internet Services
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
internet-svcs.zones.read View all zone settings but can't modify them. Manager, Reader, Service Configuration Reader, Writer
internet-svcs.zones.update Modify all zone settings but can't create or delete them. Manager, Writer
internet-svcs.zones.manage View, Modify, Create, and Delete all zone settings. Manager
internet-svcs.reliability.read View all Reliability settings but can't modify them. Manager, Reader, Service Configuration Reader, Writer
internet-svcs.reliability.update Modify all Reliability settings except for pools and monitors. Manager, Writer
internet-svcs.reliability.manage View, Modify, Create, and Delete all Reliability settings except for pools and monitors. Manager
internet-svcs.security.read View all Security settings except for instance level firewall rules. Manager, Reader, Service Configuration Reader, Writer
internet-svcs.security.update Modify all Security settings except for instance level firewall rules. Manager, Writer
internet-svcs.security.manage View, Modify, Create, and Delete all Security settings except for instance level firewall rules. Manager
internet-svcs.performance.read View all Performance settings but can't modify them. Manager, Reader, Service Configuration Reader, Writer
internet-svcs.performance.update Modify all Performance settings but cannot create or delete. Manager, Writer
internet-svcs.performance.manage View, Modify, Create, and Delete all Performance settings. Manager

Infrastructure Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is for the service name.

No supported roles.

Regional Backup as a Service for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.backup-policy for the service name.

Platform roles - Regional Backup as a Service for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can create, manage, retrieve and delete backup polices and plans, including assigning access policies to other users.
Editor As an editor, you can create, manage, retrieve and delete backup polices and plans except for managing the account and assigning access policies.
Operator As an operator, you can manage and operate backup polices and plans.
Viewer As a viewer, you can retrieve backup polices and plans but you can't modify them.
Service actions - Regional Backup as a Service for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.backup-policy.dashboard.view Administrator, Editor, Operator
is.backup-policy.backup-policy.create IAM action to create backup policy Administrator, Editor
is.backup-policy.backup-policy.read IAM action for reading a policy Administrator, Editor, Operator, Viewer
is.backup-policy.backup-policy.list IAM action for listing all backup policy in an account Administrator, Editor, Operator, Viewer
is.backup-policy.backup-policy.update IAM action for Updating Backup Policy Administrator, Editor
is.backup-policy.backup-policy.delete IAM action for deleting a backup policy Administrator, Editor

Bare Metal Server for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.bare-metal-server for the service name.

Platform roles - Bare Metal Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all functions of an editor and can also assign access policies to other users.
Editor As an editor, you can view, create, edit, delete, update, and perform operator actions on a bare metal server.
Operator As an operator, you can view and perform actions (such as restart) on a bare metal server.
Viewer As a viewer, you can view bare metal servers, but not modify them.
Service roles - Bare Metal Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Bare Metal Advanced Network Operator As an advanced network operator, you will be permitted access to modify IP Spoofing and Infrastructure NAT on bare metal interfaces
Bare Metal Console Admin As a console admin, you will be able to access the bare metal server console.
Service actions - Bare Metal Server for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.bare-metal-server.dashboard.view View Dashboard Administrator, Editor, Operator
is.bare-metal-server.bare-metal-server.read View a Bare Metal Server Administrator, Editor, Operator, Viewer
is.bare-metal-server.bare-metal-server.list List Bare Metal Servers Administrator, Editor, Operator, Viewer
is.bare-metal-server.bare-metal-server.update Update a Bare Metal Server Administrator, Editor
is.bare-metal-server.bare-metal-server.delete Delete a Bare Metal Server Administrator, Editor
is.bare-metal-server.bare-metal-server.create Create a Bare Metal Server Administrator, Editor
is.bare-metal-server.bare-metal-server.operate Operate on a Bare Metal Server Administrator, Editor, Operator
is.bare-metal-server.bare-metal-server.ip-spoofing IP spoofing control for Bare Metal Server Bare Metal Advanced Network Operator
is.bare-metal-server.bare-metal-server.infrastructure-nat NAT control for Bare Metal Server Bare Metal Advanced Network Operator
is.bare-metal-server.bare-metal-server.console Access Bare Metal Server Console Bare Metal Console Admin
is.bare-metal-server.bare-metal-server-firmware.update Update Firmware on a Bare Metal Server Administrator, Editor, Operator
is.bare-metal-server.initialization.update Server initialization on a bare metal server Administrator, Editor

Cluster Network

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.cluster-network for the service name.

Platform roles - Cluster Network
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Cluster Network
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.cluster-network.cluster-network.create Create Cluster Network Administrator, Editor
is.cluster-network.cluster-network.read Read Cluster Network Administrator, Editor, Operator, Viewer
is.cluster-network.cluster-network.list List Cluster Networks Administrator, Editor, Operator, Viewer
is.cluster-network.cluster-network.update Update Cluster Network Administrator, Editor
is.cluster-network.cluster-network.delete Delete Cluster Network Administrator, Editor
is.cluster-network.profile.read Read Cluster Network Profile Administrator, Editor, Operator, Viewer
is.cluster-network.profile.list List Cluster Network Profiles Administrator, Editor, Operator, Viewer
is.cluster-network.interface.create Create Cluster Network Interface Administrator, Editor
is.cluster-network.interface.read Read Cluster Network Interface Administrator, Editor, Operator, Viewer
is.cluster-network.interface.list List Cluster Network Interface Administrator, Editor, Operator, Viewer
is.cluster-network.interface.update Update Cluster Network Interface Administrator, Editor
is.cluster-network.interface.delete Delete Cluster Network Interface Administrator, Editor
is.cluster-network.subnet.create Create Cluster Network Subnet Administrator, Editor
is.cluster-network.subnet.read Read Cluster Network Subnet Administrator, Editor, Operator, Viewer
is.cluster-network.subnet.list List Cluster Network Subnets Administrator, Editor, Operator, Viewer
is.cluster-network.subnet.update Update Cluster Network Subnet Administrator, Editor
is.cluster-network.subnet.delete Delete Cluster Network Subnet Administrator, Editor
is.cluster-network.subnet-reserved-ip.create Create Cluster Network Subnet Reserved IP Administrator, Editor
is.cluster-network.subnet-reserved-ip.read Read Cluster Network Subnet Reserved IP Administrator, Editor, Operator, Viewer
is.cluster-network.subnet-reserved-ip.list List Cluster Network Subnet Reserved IPs Administrator, Editor, Operator, Viewer
is.cluster-network.subnet-reserved-ip.update Update Cluster Network Subnet Reserved IP Administrator, Editor
is.cluster-network.subnet-reserved-ip.delete Delete Cluster Network Subnet Reserved IP Administrator, Editor
is.cluster-network.subnet.operate Operate the cluster network subnet Administrator, Editor, Operator
is.cluster-network.interface.operate Operate Cluster Network Interface Administrator, Editor, Operator

Dedicated Host for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.dedicated-host for the service name.

Platform roles - Dedicated Host for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Dedicated Host for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.dedicated-host.dashboard.view View Dashboard Administrator, Editor, Operator, Viewer
is.dedicated-host.dedicated-host.list List Dedicated Hosts Administrator, Editor, Operator, Viewer
is.dedicated-host.dedicated-host.create Create a Dedicated Host Administrator, Editor
is.dedicated-host.dedicated-host.update Update a Dedicated Host Administrator, Editor
is.dedicated-host.dedicated-host.delete Delete a Dedicated Host Administrator, Editor
is.dedicated-host.dedicated-host.read View a Dedicated Host Administrator, Editor, Operator, Viewer
is.dedicated-host.dedicated-host.provision Provision an Instance on a Dedicated Host Administrator, Editor, Operator
is.dedicated-host.dedicated-host-group.create Create a Dedicated Host Group Administrator, Editor
is.dedicated-host.dedicated-host-group.read View a Dedicated Host Group Administrator, Editor, Operator, Viewer
is.dedicated-host.dedicated-host-group.update Update a Dedicated Host Group Administrator, Editor
is.dedicated-host.dedicated-host-group.delete Delete a Dedicated Host Group Administrator, Editor
is.dedicated-host.dedicated-host-group.append Add a Dedicated Host to a Dedicated Host Group Administrator, Editor
is.dedicated-host.dedicated-host-group.provision Provision an Instance to a Dedicated Host Group Administrator, Editor, Operator
is.dedicated-host.dedicated-host.operate Operate on a Dedicated Host Administrator, Editor, Operator
is.dedicated-host.dedicated-host-group.operate Operate on a Dedicated Host Group Administrator, Editor, Operator
is.dedicated-host.dedicated-host-group.list List Dedicated Host Groups Administrator, Editor, Operator, Viewer

Virtual Private Endpoint for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.endpoint-gateway for the service name.

Platform roles - Virtual Private Endpoint for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator you can create, delete, update and view endpoint gateway service instances, and assign access policies to other users. Administrators can also bind and unbind an endpoint gateway to a reserved IP address.
Editor As an editor you can create, delete, update and view endpoint gateway service instance. Editors can also bind and unbind an endpoint gateway to a reserved IP address.
Operator As an operator you can bind and unbind an endpoint gateway service instance to a reserved IP address. You can also view the properties of endpoint gateways but you cannot modify them.
Viewer As a viewer you can view the properties of endpoint gateway service instances, but you cannot modify them.
Service actions - Virtual Private Endpoint for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.endpoint-gateway.endpoint-gateway.read View Endpoint Gateway Administrator, Editor, Operator, Viewer
is.endpoint-gateway.endpoint-gateway.create Create Endpoint Gateway Administrator, Editor
is.endpoint-gateway.endpoint-gateway.delete Delete Endpoint Gateway Administrator, Editor
is.endpoint-gateway.endpoint-gateway.update Update Endpoint Gateway Administrator, Editor
is.endpoint-gateway.endpoint-gateway.list List Endpoint Gateways Administrator, Editor, Operator, Viewer
is.endpoint-gateway.endpoint-gateway.operate Operate Endpoint Gateway Administrator, Editor, Operator

Floating IP for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.floating-ip for the service name.

Platform roles - Floating IP for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Floating IP for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.floating-ip.floating-ip.create Administrator, Editor
is.floating-ip.floating-ip.delete Administrator, Editor
is.floating-ip.floating-ip.update Administrator, Editor
is.floating-ip.floating-ip.operate Administrator, Editor, Operator
is.floating-ip.floating-ip.read Administrator, Editor, Operator, Viewer
is.floating-ip.floating-ip.list Administrator, Editor, Operator, Viewer

IBM Cloud Flow Logs for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.flow-log-collector for the service name.

Platform roles - IBM Cloud Flow Logs for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - IBM Cloud Flow Logs for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.flow-log-collector.flow-log-collector.read As an administrator, an editor, an operator or a viewer, you can view the details of a flow log collector Administrator, Editor, Operator, Viewer
is.flow-log-collector.flow-log-collector.update As an administrator or an editor, you can update a flow log collector Administrator, Editor
is.flow-log-collector.flow-log-collector.operate As an administrator, an editor or an operator, you can operate on a flow log collector Administrator, Editor, Operator
is.flow-log-collector.flow-log-collector.create As an administrator or an editor, you can create a flow log collector Administrator, Editor
is.flow-log-collector.flow-log-collector.delete As an administrator or an editor, you can delete a flow log collector Administrator, Editor
is.flow-log-collector.flow-log-collector.list List Flow Log Collectors Administrator, Editor, Operator, Viewer

Image Service for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.image for the service name.

Platform roles - Image Service for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Image Service for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Image Service for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.image.image.list List Images Administrator, Editor, Operator, Viewer
is.image.image.read Read Images Administrator, Editor, Operator, Viewer
is.image.image.create Create Images Administrator, Editor
is.image.image.update Update Images Administrator, Editor
is.image.image.delete Delete Images Administrator, Editor
is.image.image.provision Provision Images Administrator, Editor, Operator
is.image.image.operate Operate on Custom Images Administrator, Editor, Operator
is.image.image.config.read IBM Cloud Compliance Configuration Read Service Configuration Reader
is.image.image.export Export on Custom Images Administrator, Editor
is.image.image.obsolete Set an image status to obsolete Administrator, Editor, Manager, Writer
is.image.image.deprecate Set an image status to deprecated Administrator, Editor, Manager, Writer

Virtual Server for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.instance for the service name.

Platform roles - Virtual Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Virtual Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Console Administrator As a console administrator, you can access the virtual server instance console., This role only provides console access and must be combined with another role that has operator access to the virtual server such as Operator, Editor or Administrator.
IP Spoofing Operator As the IP spoofing operator, you can enable or disable the IP spoofing check on virtual server instances. This role should only be granted if necessary.
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Virtual Server for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.instance.instance.list List Virtual Server Instance Administrator, Editor, Operator, Viewer
is.instance.instance.create Create Virtual Server Instance Administrator, Editor
is.instance.instance.read View Virtual Server Instance Administrator, Editor, Operator, Viewer
is.instance.instance.update Update Virtual Server Instance Administrator, Editor
is.instance.instance.delete Delete Virtual Server Instance Administrator, Editor
is.instance.instance.operate As an administrator, an editor or an operator, you can operate on a virtual server instance Administrator, Editor, Operator
is.instance.instance-template.read View Virtual Server Instance Template Administrator, Editor, Operator, Viewer
is.instance.instance-template.create Create Virtual Server Instance Template Administrator, Editor
is.instance.instance-template.update Update Virtual Server Instance Template Administrator, Editor
is.instance.instance-template.delete Delete Virtual Server Instance Template Administrator, Editor
is.instance.instance.ip-spoofing IP spoofing control for Virtual Server Instance IP Spoofing Operator
is.instance.instance.console Access Virtual Server Instance Console Console Administrator
is.instance.instance.config.read IBM Cloud Compliance Configuration Read Service Configuration Reader

Auto Scale for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.instance-group for the service name.

Platform roles - Auto Scale for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Auto Scale for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Auto Scale for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.instance-group.instance-group.read Read an Instance Group Administrator, Editor, Operator, Service Configuration Reader, Viewer
is.instance-group.instance-group.create Create an Instance Group Administrator, Editor
is.instance-group.instance-group.update Update an Instance Group Administrator, Editor
is.instance-group.instance-group.delete Delete an Instance Group Administrator, Editor
is.instance-group.instance-group.list List Instance Groups Administrator, Editor, Operator, Viewer
is.instance-group.instance-group.config.read Configuration Information Point API access Service Configuration Reader

SSH Key for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.key for the service name.

Platform roles - SSH Key for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - SSH Key for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.key.key.list List SSH Keys Administrator, Editor, Operator, Viewer
is.key.key.create Create SSH Key Administrator, Editor
is.key.key.delete Delete SSH Key Administrator, Editor
is.key.key.read View SSH Key Administrator, Editor, Operator, Viewer
is.key.key.update Update SSH Key Administrator, Editor
is.key.artifactattachment.create Create Artifact Attachment Administrator, Editor
is.key.artifactattachment.update Update Artifact Attachment Administrator, Editor
is.key.artifactattachment.delete Delete Artifact Attachment Administrator, Editor
is.key.userdata.list List User Data Administrator, Editor, Operator
is.key.userdata.create Create User Data Administrator, Editor
is.key.userdata.delete Delete User Data Administrator, Editor
is.key.userdata.read Read User Data Administrator, Editor, Operator, Viewer
is.key.artifactattachment.read Read Artifact Attachment Administrator, Editor, Operator, Viewer
is.key.key.operate Operate on Key Administrator, Editor, Operator

Load Balancer for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.load-balancer for the service name.

Platform roles - Load Balancer for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Load Balancer for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Load Balancer for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.load-balancer.load-balancer.view View load balancers Administrator, Editor, Operator, Viewer
is.load-balancer.load-balancer.manage Administrator, Editor
is.load-balancer.config.read Configuration Information Point API access Service Configuration Reader
is.load-balancer.load-balancer.operate Operator permissions for load balancers Administrator, Editor, Operator

Network ACL

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.network-acl for the service name.

Platform roles - Network ACL
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Network ACL
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.network-acl.network-acl.read Administrator, Editor, Operator, Viewer
is.network-acl.network-acl.create Administrator, Editor
is.network-acl.network-acl.update Administrator, Editor
is.network-acl.network-acl.delete Administrator, Editor
is.network-acl.network-acl.list Administrator, Editor, Operator, Viewer
is.network-acl.network-acl.operate Administrator, Editor, Operator

Placement Groups for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.placement-group for the service name.

Platform roles - Placement Groups for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Placement Groups for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.placement-group.dashboard.view View Dashboard Administrator, Editor, Operator
is.placement-group.placement-group.create Create a virtual instance placement group Administrator, Editor
is.placement-group.placement-group.update Update the name of a virtual instance placement group Administrator, Editor
is.placement-group.placement-group.delete Delete a virtual instance placement group Administrator, Editor
is.placement-group.placement-group.operate Add or remove an instance to or from a placement group Administrator, Editor, Operator
is.placement-group.placement-group.read View the details of a virtual instance placement group Administrator, Editor, Operator, Viewer
is.placement-group.placement-group.list List all placements groups associated for this account Administrator, Editor, Operator, Viewer

Private Path Service for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.private-path-service-gateway for the service name.

Platform roles - Private Path Service for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator you can create, delete, update and view private path service gateway service instances, and assign access policies to other users.
Editor As an editor you can create, delete, update and view private path service gateway service instance.
Operator As an operator you can view the properties of private path service gateways but you cannot modify them.
Viewer As a viewer you can view the properties of private path service gateway service instances, but you cannot modify them.
Service actions - Private Path Service for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.private-path-service-gateway.private-path-service-gateway.read [BETA] View Private Path services Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.private-path-service-gateway.list [BETA] List Private Path services Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.private-path-service-gateway.create [BETA] Create Private Path service Administrator, Editor
is.private-path-service-gateway.private-path-service-gateway.delete [BETA] Delete Private Path service Administrator, Editor
is.private-path-service-gateway.private-path-service-gateway.update [BETA] Update Private Path service Administrator, Editor
is.private-path-service-gateway.private-path-service-gateway.operate [BETA] Operate Private Path service Administrator, Editor, Operator
is.private-path-service-gateway.account-policy.read Get Private Path Service Gateway Account Policy Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.account-policy.list List Account Policies Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.account-policy.manage Manage Account Policy Administrator, Editor, Operator
is.private-path-service-gateway.endpoint-gateway-binding.list List Endpoint Gateway Bindings Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.endpoint-gateway-binding.read View Endpoint Gateway Binding Administrator, Editor, Operator, Viewer
is.private-path-service-gateway.endpoint-gateway-binding.manage Manage Endpoint Gateway Binding Administrator, Editor, Operator
is.private-path-service-gateway.private-path-service-gateway.publish Publish Private Path service Administrator, Editor
is.private-path-service-gateway.private-path-service-gateway.unpublish Unpublish Private Path service Administrator, Editor

Public Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.public-gateway for the service name.

Platform roles - Public Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Public Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.public-gateway.public-gateway.read Administrator, Editor, Operator, Viewer
is.public-gateway.public-gateway.create Administrator, Editor
is.public-gateway.public-gateway.update Administrator, Editor
is.public-gateway.public-gateway.delete Administrator, Editor
is.public-gateway.public-gateway.list Administrator, Editor, Operator, Viewer
is.public-gateway.public-gateway.operate Administrator, Editor, Operator

Reservations for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.reservation for the service name.

Platform roles - Reservations for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions for the reservation resource this role is assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions for a reservation resource except managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate reservation resources, such as viewing the reservations dashboard.
Viewer As a viewer, you can view reservation resources, but you can't modify them.
Service actions - Reservations for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.reservation.reservation.create Create Reservation Administrator, Editor
is.reservation.reservation.read View Reservation Administrator, Editor, Operator, Viewer
is.reservation.reservation.list List Reservations Administrator, Editor, Operator, Viewer
is.reservation.reservation.update Update Reservation Administrator, Editor
is.reservation.reservation.delete Delete Reservation Administrator, Editor
is.reservation.reservation.operate Operate Reservation Administrator, Editor, Operator
is.reservation.reservation.activate Activate Reservation Administrator, Editor
is.reservation.reservation.expire Expire Reservation Administrator, Editor

Security Group for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.security-group for the service name.

Platform roles - Security Group for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Security Group for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.security-group.security-group.create Administrator, Editor
is.security-group.security-group.read Administrator, Editor, Operator, Viewer
is.security-group.security-group.update Administrator, Editor
is.security-group.security-group.delete Administrator, Editor
is.security-group.security-group.operate Administrator, Editor, Operator

File Storage for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.share for the service name.

Platform roles - File Storage for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - File Storage for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Share Broker The role to create and delete the bindings between the real and shadow share.
Share Remote Account Accessor To create cross account accessor from origin share belonging to another account
Service actions - File Storage for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.share.dashboard.view Administrator, Editor, Operator
is.share.share.create Create Share Administrator, Editor
is.share.share.list List Shares Administrator, Editor, Operator, Viewer
is.share.share.read Get Share Administrator, Editor, Operator, Viewer
is.share.share.update Patch Share Administrator, Editor
is.share.share.delete Delete Share Administrator, Editor
is.share.share.config.read Service Configuration Governance Reader Service Configuration Reader
is.share.share.operate Operate Share Administrator, Editor, Operator
is.share.accessor-binding.create Creates an accessor binding for is.share. Administrator, Share Broker
is.share.accessor-binding.delete Deletes the accessor binding of is.share Administrator, Share Broker
is.share.accessor-binding.read Get Share Accessor Binding Administrator, Editor, Operator, Viewer
is.share.accessor-binding.list List Share Accessor Bindings Administrator, Editor, Operator, Viewer
is.share.share.allow-remote-account-access To create accessor share pointing to origin share in another account. Share Remote Account Accessor

Block Storage Snapshots for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.snapshot for the service name.

Platform roles - Block Storage Snapshots for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can create, view, list, modify, delete and restore block storage snapshots, including assigning access policies to other users.
Editor As an editor, you can create, view, list, modify, delete and restore block storage snapshots, except for assigning access policies to other users.
Operator As an operator, you can view, list and restore block storage snapshots, but you can't modify them.
Viewer As a viewer, you can view and list block storage snapshots, but you can't modify them.
Service roles - Block Storage Snapshots for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Snapshot Remote Account Restorer An ability to access snapshot from origin account
Service actions - Block Storage Snapshots for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.snapshot.snapshot.create This action allows the user to create block storage snapshots. Administrator, Editor
is.snapshot.snapshot.read This action allows the user to view block storage snapshots , but not modify them. Administrator, Editor, Operator, Viewer
is.snapshot.snapshot.list This action allows the user to list snapshot resources. Administrator, Editor, Operator, Viewer
is.snapshot.snapshot.update This action allows the user to modify block storage snapshots. Administrator, Editor
is.snapshot.snapshot.delete This action allows the user to delete block storage snapshots. Administrator, Editor
is.snapshot.snapshot.restore This action allows the user to restore block storage snapshots. Administrator, Editor, Operator
is.snapshot.snapshot.operate Operate a snapshot Administrator, Editor, Operator
is.snapshot.snapshot.config.read Configuration Governance endpoint Service Configuration Reader
is.snapshot.snapshot-clone.create Create clones of block storage snapshots for fast restoration Administrator, Editor
is.snapshot.clone.read View the clones of block storage snapshots Administrator, Editor, Operator, Viewer
is.snapshot.snapshot-clone.delete Delete clones of block storage snapshots Administrator, Editor
is.snapshot.snapshot.allow-remote-account-restore Allows remote account snapshot restore Snapshot Remote Account Restorer

Multi Volume Snapshots for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.snapshot-consistency-group for the service name.

Platform roles - Multi Volume Snapshots for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can create, view, list, modify, and delete snapshot consistency group, including assigning access policies to other users.
Editor As an editor, you can create, view, list, modify, and delete snapshot consistency group, except for assigning access policies to other users.
Operator As an operator, you can view and list snapshot consistency group, but you can't modify them.
Viewer As a viewer, you can view and list snapshot consistency group, but you can't modify them.
Service actions - Multi Volume Snapshots for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.snapshot-consistency-group.snapshot-consistency-group.create This action allows the user to create snapshot consistency group Administrator, Editor
is.snapshot-consistency-group.snapshot-consistency-group.read This action allows the user to view snapshot consistency group , but not modify them. Administrator, Editor, Operator, Viewer
is.snapshot-consistency-group.snapshot-consistency-group.list This action allows the user to list snapshot consistency group resources. Administrator, Editor, Operator, Viewer
is.snapshot-consistency-group.snapshot-consistency-group.update This action allows the user to modify snapshot consistency group properties Administrator, Editor
is.snapshot-consistency-group.snapshot-consistency-group.delete This action allows the user to delete Snapshot Consistency Group Administrator, Editor

Subnet

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.subnet for the service name.

Platform roles - Subnet
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Subnet
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.subnet.subnet.create Administrator, Editor
is.subnet.subnet.read Administrator, Editor, Operator, Viewer
is.subnet.subnet.update Administrator, Editor
is.subnet.subnet.delete Administrator, Editor
is.subnet.subnet.list Administrator, Editor, Operator, Viewer
is.subnet.subnet.operate Administrator, Editor, Operator

Virtual Network Interface

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.virtual-network-interface for the service name.

Platform roles - Virtual Network Interface
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As a Virtual Network Interface administrator, you can Read, List, Attach, Detach, Create, Update, and Delete Virtual Network resources on the account and provide policies to other users on the account.
Editor As a Virtual Network Interface editor, you can Read, List, Attach, Detach, Create, Update, and Delete Virtual Network resources.
Operator As a Virtual Network Interface operator, you can Read, List, Attach, and Detach Virtual Network resources.
Viewer As a Virtual Network Interface viewer, you can Read, and List Virtual Network resources.
Service actions - Virtual Network Interface
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.virtual-network-interface.virtual-network-interface.read Read Virtual Network Interface Administrator, Editor, Operator, Viewer
is.virtual-network-interface.virtual-network-interface.list List Virtual Network Interfaces Administrator, Editor, Operator, Viewer
is.virtual-network-interface.virtual-network-interface.update Update Virtual Network Interface Administrator, Editor
is.virtual-network-interface.virtual-network-interface.operate Operate Virtual Network Interfaces Administrator, Editor, Operator
is.virtual-network-interface.virtual-network-interface.create Create Virtual Network Interface Administrator, Editor
is.virtual-network-interface.virtual-network-interface.delete Delete Virtual Network Interface Administrator, Editor
is.virtual-network-interface.virtual-network-interface.manage-infrastructure-nat Infrastructure NAT for Virtual Network Interface Administrator
is.virtual-network-interface.virtual-network-interface.manage-ip-spoofing IP Spoofing for Virtual Network Interface Administrator
is.virtual-network-interface.virtual-network-interface.manage-protocol-state-filtering-mode Configure Protocol State Filtering for Virtual Network Interface Administrator, Editor

Block Storage for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.volume for the service name.

Platform roles - Block Storage for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Block Storage for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Restore Volume From Remote Account Snapshot To create cross account snapshot restore
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Block Storage for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.volume.profile.view Administrator, Editor, Operator, Viewer
is.volume.volume.create Administrator, Editor
is.volume.volume.list Administrator, Editor, Operator, Viewer
is.volume.volume.read Administrator, Editor, Operator, Viewer
is.volume.volume.update Administrator, Editor
is.volume.volume.delete Administrator, Editor
is.volume.volume.config.read Configuration Governance endpoint Service Configuration Reader
is.volume.volume.operate Operate a volume Administrator, Editor, Operator
is.volume.volume.allow-remote-account-snapshot-restore Allow remote account snapshot restore Restore Volume From Remote Account Snapshot

Virtual Private Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.vpc for the service name.

Platform roles - Virtual Private Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Virtual Private Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
DNS Binding Connector DNS Binding Connector role is required to create and remove DNS resolution bindings.
Service actions - Virtual Private Cloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.vpc.vpc.read View a Virtual Private Cloud (VPC) Administrator, DNS Binding Connector, Editor, Operator, Viewer
is.vpc.vpc.create Create a Virtual Private Cloud (VPC) Administrator, Editor
is.vpc.vpc.delete Delete a Virtual Private Cloud (VPC) Administrator, Editor
is.vpc.vpc.update Update a Virtual Private Cloud (VPC) Administrator, Editor
is.vpc.vpc.list List Virtual Private Clouds (VPC) Administrator, Editor, Operator, Viewer
is.vpc.vpc.operate Operate a Virtual Private Clouds (VPC) Administrator, Editor, Operator
is.vpc.routing-table.list List Routing Tables Administrator, Editor, Operator, Viewer
is.vpc.routing-table.read Read Routes/Details of Routing Table Administrator, Editor, Operator, Viewer
is.vpc.routing-table.create Create a Route Table Administrator, Editor
is.vpc.routing-table.update Update Routing Table and Routes Administrator, Editor
is.vpc.routing-table.delete Delete Route Table Administrator, Editor
is.vpc.routing-table.operate Configure Subnet Attachment to Route Table Administrator, Editor, Operator
is.vpc.routing-table.advertise Enable or disable route advertisement of non-VPC address prefixes and routes to Transit Gateway and Direct Link Administrator, Editor
is.vpc.dns-resolution-binding.create Create DNS resolution binding Administrator, Editor
is.vpc.dns-resolution-binding.delete Delete DNS resolution binding Administrator, Editor
is.vpc.dns-resolution-binding.update Update the name of a DNS resolution binding Administrator, Editor
is.vpc.dns-resolution-binding.read Get details of a DNS resolution binding Administrator, Editor, Operator, Viewer
is.vpc.dns-resolution-binding.list List DNS resolution bindings Administrator, Editor, Operator, Viewer
is.vpc.dns-resolution-binding.connect Connect DNS resolution binding between two VPCs DNS Binding Connector
is.vpc.dns-resolution-binding.disconnect Disconnect DNS resolution binding between two VPCs DNS Binding Connector

VPN for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.vpn for the service name.

Platform roles - VPN for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - VPN for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - VPN for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.vpn.vpn.create Administrator, Editor
is.vpn.vpn.update Administrator, Editor
is.vpn.vpn.delete Administrator, Editor
is.vpn.vpn.read Administrator, Editor, Operator, Viewer
is.vpn.vpn.list Administrator, Editor, Operator, Viewer
is.vpn.dashboard.view Administrator, Editor, Operator, Viewer
is.vpn.config.read Configuration Information Point API access Service Configuration Reader

VPN Server for VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use is.vpn-server for the service name.

Platform roles - VPN Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - VPN Server for VPC
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
VPN Client Users of the VPN server need this role to connect to the VPN server
Service actions - VPN Server for VPC
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
is.vpn-server.dashboard.view View Dashboard Administrator, Editor, Operator, Viewer
is.vpn-server.vpn-server.create Create VPN server
Administrator, Editor
is.vpn-server.vpn-server.delete Delete VPN server
Administrator, Editor
is.vpn-server.vpn-server.operate Operate VPN server
Administrator, Editor, Operator
is.vpn-server.vpn-server.read View VPN server
Administrator, Editor, Operator, Viewer
is.vpn-server.vpn-server.update Update VPN server
Administrator, Editor
is.vpn-server.vpn-server.connect Connect to VPN server VPN Client
is.vpn-server.config.read Configuration Information Point API access Service Configuration Reader

IBM Key Protect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use kms for the service name.

Service roles - IBM Key Protect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
KeyPurge Role for purging key.
KmipAdapterManager Key Protect role that controls read and write access to REST resources associated with Key Protect Native KMIP support. It also allows read access to list Keys and Key Rings.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
ReaderPlus As a reader plus, you can perform read-only actions within Key Protect such as viewing service-specific resources. You can also access key material for standard keys.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Key Protect
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
kms.secrets.create Create an encryption key. Manager, Writer
kms.secrets.read Retrieve an encryption key. Manager, ReaderPlus, Writer
kms.secrets.list Retrieve a list of encryption keys. KmipAdapterManager, Manager, Reader, ReaderPlus, Writer
kms.secrets.delete Delete an encryption key. Manager
kms.secrets.wrap Wrap an encryption key. Manager, Reader, ReaderPlus, Writer
kms.secrets.unwrap Unwrap an encryption key. Manager, Reader, ReaderPlus, Writer
kms.secrets.rotate Rotate an encryption key. Manager, Writer
kms.lockers.read Read lockers Manager, Writer
kms.lockers.create Create lockers Manager, Writer
kms.lockers.list List lockers Manager, Writer
kms.policies.read Retrieve policies for an encryption key. Manager
kms.policies.write Set policies for an encryption key. Manager
kms.secrets.rewrap Rewrap an encryption key. Manager, Reader, ReaderPlus, Writer
kms.importtoken.read Retrieve an import token. Manager, Writer
kms.importtoken.create Create an import token. Manager, Writer
kms.registrations.list Retrieve a list of registrations. Manager, Reader, ReaderPlus, Writer
kms.registrations.listforkey Retrieve a list of registrations for a given encryption key. Manager, Reader, ReaderPlus, Writer
kms.registrations.delete Delete a registration. Manager, Reader, ReaderPlus, Writer
kms.registrations.merge Update the details of an existing registration. Manager, Reader, ReaderPlus, Writer
kms.registrations.write Replace an existing registration. Manager, Reader, ReaderPlus, Writer
kms.registrations.create Create a registration between an encryption key and a cloud resource. Manager, Reader, ReaderPlus, Writer
kms.registrations.deactivate Move a suspended registration to the deactivated state Manager, Reader, ReaderPlus, Writer
kms.instancepolicies.read Retrieve instance level policies. Manager
kms.instancepolicies.write Add or update instance level policies. Manager
kms.secrets.setkeyfordeletion Set or prepare an encryption key for deletion. Manager, Writer
kms.secrets.unsetkeyfordeletion Unset an encryption key for deletion. Manager, Writer
kms.secrets.readmetadata Retrieve the details of an encryption key. Manager, Reader, ReaderPlus, Writer
kms.secrets.listkeyversions Retrieve a list of versions that are associated with an encryption key. Manager, Reader, ReaderPlus, Writer
kms.keyversions.list Retrieve a list of versions that are associated with an encryption key. Manager, Reader, ReaderPlus, Writer
kms.secrets.restore Restore a previously deleted encryption key. Manager
kms.secrets.disable Disable operations for an encryption key. Manager
kms.secrets.enable Enable operations for an encryption key. Manager
kms.secrets.eventack Acknowledge a key lifecycle event Manager, Reader, ReaderPlus, Writer
kms.instance.readipwhitelistport Retrieve port associated with instance level ip whitelist policy. Manager
kms.instance.readallowedipport Retrieve port associated with instance level allowed IP policy. Manager
kms.secrets.sync Initiate a manual data synchronization request to the associated resources of a key. Manager, Writer
kms.secrets.createalias Create an alias for an encryption key. Manager, Writer
kms.secrets.deletealias Delete an alias for an encryption key. Manager, Writer
kms.governance.configread Retrieve current configuration of the queried resources. Service Configuration Reader
kms.keyrings.list Retrieve a list of key rings in the instance. KmipAdapterManager, Manager, Reader, ReaderPlus, Writer
kms.keyrings.create Create a key ring in the instance. Manager, Writer
kms.keyrings.delete Delete a key ring in the instance. Manager
kms.secrets.purge Purge an encryption key. KeyPurge
kms.secrets.patch Patch attributes of an encryption key. Manager
kms.secrets-with-policy-overrides.create Create an encryption key with policy overrides. Manager
kms.secrets-migration-intent.read Retrieves a migration intent for an encryption key. Manager, Reader, ReaderPlus, Writer
kms.secrets-migration-intent.create Create a migration intent for an encryption key. Manager
kms.secrets-migration-intent.delete Delete a migration intent for an encryption key. Manager
kms.kmip-management.create Creates a KMIP management resource KmipAdapterManager, Manager
kms.kmip-management.list Lists a KMIP management resource KmipAdapterManager, Manager
kms.kmip-management.read Reads a KMIP management resource KmipAdapterManager, Manager
kms.kmip-management.delete Deletes a KMIP management resource KmipAdapterManager, Manager

Knowledge Studio

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use knowledge-studio for the service name.

Platform roles - Knowledge Studio
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Knowledge Studio
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Knowledge Studio
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
knowledge-studio.dashboard.view Administrator, Editor, Manager, Reader, Viewer, Writer

IBM Lakehouse

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use lakehouse for the service name.

Platform roles - IBM Lakehouse
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Lakehouse
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
DataAccess DataAccess
MetastoreAdmin Grant metastore access
MetastoreViewer MetastoreViewer
Service actions - IBM Lakehouse
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
lakehouse.dashboard.view Description Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Viewer
lakehouse.metastore.admin Allowing metastore access Administrator, MetastoreAdmin
lakehouse.uservpc.manage Provides ability to create and manage a deployment in a user owned VPC Administrator, Editor, Operator
lakehouse.data.access Allows data access for other services. DataAccess
lakehouse.metastore.view Allow metastore view MetastoreViewer

Language Translator

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use language-translator for the service name.

Service roles - Language Translator
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Language Translator
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /language-translator Manager, Reader, Writer
POST /language-translator Manager, Reader, Writer
DELETE /language-translator Manager, Writer

IBM Log Analysis with LogDNA

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use logdna for the service name.

Platform roles - IBM Log Analysis with LogDNA
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - IBM Log Analysis with LogDNA
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you can manage resources, configure views, dashboards and alerts, export data, search, filter, and view all data.
Reader As a reader, you can perform read-only actions such as monitor data through views and dashboards.
Standard Member As a member, you can configure views, dashboards and alerts, export data, search, filter, and view all data.
Service actions - IBM Log Analysis with LogDNA
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
logdna.dashboard.view View LogDNA Dashboard Administrator, Manager, Reader, Standard Member
logdna.dashboard.read Access LogDNA dashboard without any edit permission Reader
logdna.dashboard.member Access LogDNA dashboard with limited edit capabilities Standard Member
logdna.dashboard.manage Access and manage LogDNA dashboard without any limitation Administrator, Manager

IBM Cloud Activity Tracker with LogDNA

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use logdnaat for the service name.

Platform roles - IBM Cloud Activity Tracker with LogDNA
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - IBM Cloud Activity Tracker with LogDNA
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you can manage resources, configure views, dashboards and alerts, export data, search, filter, and view all data.
Reader As a reader, you can perform read-only actions such as monitor data through views and dashboards.
Standard member As a member, you can configure views, dashboards and alerts, export data, search, filter, and view all data.
Service actions - IBM Cloud Activity Tracker with LogDNA
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
logdnaat.dashboard.view View LogDNA Dashboard Administrator, Manager, Reader, Standard member
logdnaat.dashboard.read Access LogDNA dashboard without any edit permission Reader
logdnaat.dashboard.member Access LogDNA dashboard with limited edit capabilities Standard member
logdnaat.dashboard.manage Access and manage LogDNA dashboard without any limitation Administrator, Manager

Cloud Logs

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use logs for the service name.

Service roles - Cloud Logs
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Data Access Reader With data access reader permissions, you can access log data that is defined by specific rules. These rules are set using the Data Access Rule attribute.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions such as managing data usage metrics, data access rules, TCO policies, enrichments, events to metrics, and version benchmark tags.
Reader As a reader, you can perform read-only actions on the data such as querying logs and viewing dashboards.
Sender As a sender, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs.
Writer As a writer, you have permissions beyond the reader role such as the ability to manage actions, alerts and incidents, dashboards and views, enrichments, parsing rules, and webhooks or the ability to view analytics, data access rules, and TCO policies.
Service actions - Cloud Logs
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
logs.data-usage.read View Instance Data Usage Metrics. Manager, Reader, Writer
logs.data-usage.manage Manage Instance Data Usage Metrics. Manager
logs.data-usage.export Export data usage. Manager, Writer
logs.team-members.read Read the list of users. Manager
logs.data-access-rule.read Read data access rules. Manager, Writer
logs.data-access-rule.manage Manage data access rules. Manager
logs.data-access.read Access restricted data defined by associated rules. Use attribute dataAccessRule to specify the rule. Data Access Reader
logs.shared-action.read Read shared actions. Manager, Reader, Writer
logs.shared-action.manage Manage shared actions. Manager, Writer
logs.shared-action.execute Run shared actions. Manager, Reader, Writer
logs.private-action.read Read private actions. Manager, Writer
logs.private-action.manage Manage private actions. Manager, Writer
logs.private-action.execute Run private actions. Manager, Writer
logs.alert-config.read Read alert definitions. Manager, Reader, Writer
logs.alert-config.manage Manage alert definitions. Manager, Writer
logs.alert.snooze Snooze or Unsnooze an Alert. Manager, Writer
logs.logs-alert.read Read logs alerts definitions. Manager, Reader, Writer
logs.logs-alert.manage Manage logs alerts definitions. Manager, Writer
logs.metrics-alert.read Read metrics alerts definitions. Manager, Reader, Writer
logs.metrics-alert.manage Define and modify metrics alerts settings. Manager, Writer
logs.alerts-map.read View visualized alerts in alerts Map. Manager, Reader, Writer
logs.shared-view.read Read shared views. Manager, Reader, Writer
logs.shared-view.manage Manage shared views. Manager, Writer
logs.private-view.read Read private views. Manager, Writer
logs.private-view.manage Manage private views. Manager, Writer
logs.shared-dashboard.read View custom shared Dashboard widgets. Manager, Reader, Writer
logs.shared-dashboard.manage Manage custom shared Dashboard widgets. Manager, Writer
logs.data-map.read Read DataMap configurations. Manager, Reader, Writer
logs.data-map.manage Manage DataMap configurations. Manager, Writer
logs.logs-tco-policy.read View existing logs TCO policies. Manager, Writer
logs.logs-tco-policy.manage View and modify existing logs TCO policies, and create new ones. Manager
logs.geo-enrichment.read Read Geo-Enrichment configuration. Manager, Writer
logs.geo-enrichment.manage Manage Geo-Enrichment configuration. Manager
logs.security-enrichment.read Read security enrichment configuration. Manager, Writer
logs.security-enrichment.manage Manage security enrichment configuration. Manager
logs.custom-enrichment.read Read custom enrichment configuration. Manager, Writer
logs.custom-enrichment.manage Manage custom enrichment configuration. Manager, Writer
logs.custom-enrichment-data.read Read data for custom enrichment configuration. Manager, Reader, Writer
logs.custom-enrichment-data.manage Manage data for custom enrichment configuration. Manager, Writer
logs.incident.read View events in Triggered Alerts. Manager, Reader, Writer
logs.incident.acknowledge Acknowledge events in Triggered Alerts. Manager, Writer
logs.incident.snooze Snooze events in Triggered Alerts. Manager, Writer
logs.incident.assign Assign an event in Triggered Alerts. Manager, Writer
logs.incident.close Manually resolve events in Triggered Alerts. Manager, Writer
logs.extension.read View extension packages. Manager, Writer
logs.extension.manage Deploy, undeploy, and update extension packages. Manager, Writer
logs.livetail.read Read Livetail data. Manager, Reader, Writer
logs.logs-data-analytics-high.read Read analytics data for logs in high-tier (frequent search). Manager, Writer
logs.logs-data-analytics-low.read Read analytics data for logs in low-tier (archive). Manager, Writer
logs.metrics-data-analytics-high.read Read analytics of metrics in the form of Mapping Statistics in the high-tier (frequent search). Manager, Writer
logs.metrics-data-analytics-low.read Read analytics of metrics in the form of Mapping Statistics in the low-tier (archive). Manager, Writer
logs.logs-data-api-high.read Query logs in the high-tier (frequent search). Manager, Reader, Writer
logs.logs-data-api-low.read Query logs in the low-tier (archive). Manager, Reader, Writer
logs.metrics-data-api-high.read Query metrics in the high-tier (frequent search). Manager, Reader, Writer
logs.metrics-data-api-low.read Query metrics in the low-tier (archive). Manager, Reader, Writer
logs.data-ingress.send Send logs data. Manager, Sender, Writer
logs.parsing-rule.read Read parsing rules. Manager, Writer
logs.parsing-rule.manage Create, modify, and remove parsing rules. Manager, Writer
logs.events2metrics.read View Events2Metrics configuration when the source input is logs. Manager, Writer
logs.events2metrics.manage Configure or modify the configuration for Events2Metrics, when the source input is logs. Manager
logs.version-benchmark-tags.manage Manage version benchmark tags. Manager
logs.version-benchmark-tags.read Read version benchmark tags. Manager, Reader, Writer
logs.version-benchmark-report.read Read version benchmark reports. Manager, Reader, Writer
logs.suppression-rule.read Read Suppression-Rules. Manager, Reader, Writer
logs.suppression-rule.manage Manage Suppression-Rules. Manager, Writer
logs.webhook.read View Generic Outbound Webhooks configuration. Manager, Reader, Writer
logs.webhook.manage Create and modify the configuration for Outbound Webhooks. Manager, Writer
logs.legacy-archive-query.execute Query data from the archive. Manager, Reader, Writer
logs.logs-stream-setup.read View logs stream settings. Manager, Writer
logs.logs-stream-setup.manage Manage logs stream settings. Manager

IBM Cloud Logs Routing

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use logs-router for the service name.

Platform roles - IBM Cloud Logs Routing
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - IBM Cloud Logs Routing
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Logs Routing
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
logs-router.dashboard.view Administrator, Editor, Operator
logs-router.tenant.create This action allows a user to board a new tenant to the Logs Router. Manager
logs-router.tenant.delete Allows a user to offboard (delete) and existing Logs Router tenant. Manager
logs-router.tenant.update Allows a user to update the current configuration of a boarded Logs Router tenant. Manager
logs-router.tenant.read Allows user to view current configuration for a boarded Logs Router tenant Manager, Reader
logs-router.event.send Allows the delivery of events to the Logs Router ingestion API Writer

Managed Solutions

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use managed-solutions for the service name.

Platform roles - Managed Solutions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Managed Solutions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Managed Solutions
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
managed-solutions.overview.view View the Managed Solutions dashboard. Administrator, Editor, Operator, Viewer
managed-solutions.support.view-dashboard View the Support Dashboard. Administrator, Editor, Operator, Viewer
managed-solutions.onboarding.link-services Link Managed Solutions to your IBM Cloud Account. Administrator
managed-solutions.sap-landscapes.view View SAP Landscapes Administrator, Editor, Operator, Reader, Viewer
managed-solutions.support.view View Support Artifacts Administrator, Editor, Operator, Viewer
managed-solutions.support.manage Add/Edit Support Cases Administrator, Editor, Operator
managed-solutions.sap-systems.view View SAP Systems Administrator, Editor, Operator, Viewer
managed-solutions.sap-servers.view View SAP Servers Administrator, Editor, Operator, Viewer
managed-solutions.health-alerts.view View Health Alerts Administrator, Editor, Operator, Viewer
managed-solutions.support.manage-settings Managed Support Settings Administrator
managed-solutions.oracle-applications.view View Oracle Applications Viewer
managed-solutions.support.manage-change-approvers Manages who can approve cases for a solution. Administrator, Manager
managed-solutions.support.manage-subscriptions Manage Support API Subscriptions Administrator, Editor
managed-solutions.platform.view Allows access to view Managed Solutions that are not IAM enabled. Administrator, Editor, Operator, Viewer
managed-solutions.solution.view View Managed Solutions, but not necessarily data associated with the solutions. Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
managed-solutions.support.manage-cases Managed Support Cases for a Solution Manager, Writer
managed-solutions.solution.enable-iam Allows enable Access Control (IAM) for Solutions. Administrator, Editor
managed-solutions.support.view-cases Allows viewing support cases for a solution. Manager, Reader, Writer
managed-solutions.platform.operate Allows access to operate Managed Solutions that are not IAM enabled. Administrator, Editor, Operator
managed-solutions.platform.administrate Perform administrative functions on non-IAM enabled solutions. Administrator
managed-solutions.sap-instances.view View SAP Instances Administrator, Editor, Operator, Viewer
managed-solutions.health.view-alerts View Alerts Manager, Reader, Writer
managed-solutions.core.manage-host-credentials Manage credentials on the host. Administrator, Manager

Master Data Connect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use mdm-oc for the service name.

Platform roles - Master Data Connect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Master Data Connect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Configurator Manager As a Configurator Manager, you can perform manage actions in the Configurator microservice.
Configurator Reader As a Configurator Reader, you can perform read actions in the Configurator microservice.
Data Engineer As a Data Engineer you have full access to all microservices.
Data Manager As a Data Manager, you can perform read, write and manage actions in the Data microservice.
Data Reader As a Data Reader, you can perform read only actions in the Data microservice.
Data Steward As a Data Steward, you can add or delete rules from the matching microservice.
Data Writer As a Data Writer, you can perform read and write actions in the Data microservice.
Entity Viewer As a Entity Viewer you can perform read actions in both the model and data microservice.
Job Reader As a Job Reader, you can perform read actions in the Job microservice.
Job Writer As a Job Writer, you can perform read and write actions in the Job microservice.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Matching Manager As a Matching Manager, you can perform read, write and manage actions in the Matching microservice.
Matching Reader As a Matching Reader, you can perform read actions in the Matching microservice.
Matching Writer As a Matching Writer, you can perform read and write actions in the Matching microservice.
Model Manager As a Model Manager, you can perform manage actions in the Model microservice.
Model Reader As a Model Reader, you can perform read actions in the Model microservice.
Model Writer As a Model Writer you can perform write actions in the Model microservice.
Pair Analysis Reader As a Pair Analysis Reader, you can perform read actions in the Pair Analysis microservice.
Pair Analysis Writer As a Pair Analysis Writer, you can perform read and write actions in the Pair Analysis microservice.
Publisher User As a Publisher User you can perform manage actions in the data and model service.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Master Data Connect
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
mdm-oc.dashboard.view View Dashboard Administrator, Configurator Manager, Configurator Reader, Data Engineer, Data Manager, Data Reader, Data Steward, Data Writer, Editor, Entity Viewer, Job Reader, Job Writer, Manager, Matching Manager, Matching Reader, Matching Writer, Model Manager, Model Reader, Model Writer, Operator, Pair Analysis Reader, Pair Analysis Writer, Publisher User, Reader, Viewer, Writer
mdm-oc.data.read Read access to the Master Data Management Data microservice. Administrator, Data Engineer, Data Manager, Data Reader, Data Steward, Data Writer, Editor, Entity Viewer, Manager, Operator, Publisher User, Reader, Viewer, Writer
mdm-oc.data.write Write access to the Master Data Management Data microservice. Administrator, Data Engineer, Data Manager, Data Steward, Data Writer, Manager, Publisher User, Writer
mdm-oc.data.manage Manage access to the Master Data Management Data microservice. Administrator, Data Engineer, Data Manager, Manager, Publisher User
mdm-oc.matching.read Read access to the Master Data Management Matching microservice. Administrator, Data Engineer, Data Steward, Editor, Entity Viewer, Manager, Matching Manager, Matching Reader, Matching Writer, Operator, Reader, Viewer, Writer
mdm-oc.matching.write Write access to the Master Data Management Matching microservice. Administrator, Data Engineer, Data Steward, Manager, Matching Manager, Matching Writer, Writer
mdm-oc.matching.manage Manage access to the Master Data Management Matching microservice. Administrator, Data Engineer, Manager, Matching Manager
mdm-oc.model.read Read access to the Master Data Management Model microservice. Administrator, Data Engineer, Data Steward, Editor, Entity Viewer, Manager, Model Manager, Model Reader, Model Writer, Operator, Publisher User, Reader, Viewer, Writer
mdm-oc.model.write Write access to the Master Data Management Model microservice. Administrator, Data Engineer, Manager, Model Manager, Model Writer, Publisher User, Writer
mdm-oc.configurator.read Read access to the Master Data Management Configurator microservice. Administrator, Configurator Manager, Configurator Reader, Data Engineer, Editor, Manager, Operator, Viewer, Writer
mdm-oc.configurator.manage Manage access to the Master Data Management Configurator microservice. Administrator, Configurator Manager, Data Engineer, Manager
mdm-oc.pairs-analysis.read Read access to the Master Data Management Pair Analysis microservice. Administrator, Data Engineer, Data Steward, Editor, Manager, Operator, Pair Analysis Reader, Pair Analysis Writer, Reader, Viewer, Writer
mdm-oc.pairs-analysis.write Write access to the Master Data Management Pair Analysis microservice. Administrator, Data Engineer, Data Steward, Manager, Pair Analysis Writer, Writer
mdm-oc.job.write Write access to the Master Data Management Job microservice. Administrator, Data Engineer, Job Writer, Manager, Publisher User, Writer
mdm-oc.job.read Read access to the Master Data Management Job microservice. Administrator, Data Engineer, Data Steward, Editor, Entity Viewer, Job Reader, Job Writer, Manager, Operator, Publisher User, Reader, Viewer, Writer
mdm-oc.model.manage Manage access to the Master Data Management Model microservice. Administrator, Data Engineer, Manager, Model Manager, Publisher User
mdm-oc.matching.datasteward Data Steward access to the Master Data Management. Administrator, Data Engineer, Data Steward, Manager

Event Streams

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use messagehub for the service name.

Service roles - Event Streams
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Event Streams
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
messagehub.topic.read Allow an app to read messages from all topics, or if applied to a named topic, then just that single topic. Manager, Reader, Writer
messagehub.topic.write Allow an app to write messages to all topics, or if applied to a named topic, then just that single topic. Manager, Writer
messagehub.topic.manage Allow an app or user to create or delete topic. If applied to a named topic, then only topics of that name can be created or deleted. Manager
messagehub.cluster.read Allow an app to connect to a service instance and read its state, including listing consumer groups, topics and offsets and describing consumer groups, topics and broker configurations. Manager, Reader, Writer
messagehub.group.read Allow an app to join and commit offsets in a consumer group. Manager, Reader, Writer
messagehub.group.manage Allow an app or user to delete a Consumer Group. If applied to a group ID, then only the consumer group with that ID can be deleted. Manager
messagehub.txnid.write Allow an app to produce messages transactionally. Manager, Writer
messagehub.schema.read Read a schema/schema version Manager, Reader, Writer
messagehub.schema.write Create a schema/schema version Manager, Writer
messagehub.schema.manage Delete a schema/schema version Manager
messagehub.cluster.manage Manage the configuration of an Event Streams instance Manager
messagehub.config.read Configuration Information Point API access Manager, Reader, Service Configuration Reader, Writer

Messages for RabbitMQ

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use messages-for-rabbitmq for the service name.

Platform roles - Messages for RabbitMQ
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions including assigning access policies to other users.
Editor As an editor, you can perform all platform actions (including making configuration changes and managing credentials) except for managing the account and assigning access policies.
Operator As an operator, you can view database instances and make configuration changes including managing database credentials.
Viewer As a viewer, you can view database instances but you can't make configuration changes.
Service roles - Messages for RabbitMQ
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Messages for RabbitMQ
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
GET /2017-12/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
DELETE /2017-12/:platform/deployments/:deployment_id Remove a Deployment Administrator, Editor, Operator
GET /2017-12/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /2017-12/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /2017-12/:platform/clusters/:cluster_id/deployments Create a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v4/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v4/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v4/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
POST /v4/:platform/deployments/:deployment_id/users Create a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id Read a DeploymentUser Administrator, Editor, Operator, Viewer
PATCH /v4/:platform/deployments/:deployment_id/users/:user_id Update a DeploymentUser Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/users/:user_id Remove a DeploymentUser Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v4/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v4/:platform/deployments/:deployment_id/users/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v4/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployables Read Deployables Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/regions Read Discover available regions Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/tasks/:task_id Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id Update a Deployment Administrator, Editor, Operator
GET /v5/:platform/deployables/:deployable_id/groups Read deployable group Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/point_in_time_recovery_data Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/tasks Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/backups Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/backups Create an on-demand backup Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/remotes Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/remotes Update a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/promotion Promote a remote replica Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/remotes/resync Resync remote replica Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/management/database_connections Kill all database connections Administrator, Editor, Operator
PATCH /v5/:platform/deployments/:deployment_id/configuration Update deployment configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/configuration/schema Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/network Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/deployments/:deployment_id/groups Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id Update a Group Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
PATCH /v5/:platform/deployments/:deployment_id/groups/:group_id/autoscaling Update autoscaling configuration Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Read Whitelisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Create a Whitelisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses/:ip_address_id Remove a Whitelisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/whitelists/ip_addresses Bulk whitelist IP addresses Administrator, Editor, Operator
POST /v5/:platform/capability/:capability_id Discover a supported capability Administrator, Editor, Operator
POST /v5/:platform/deployments/:deployment_id/users/:user_type Create a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Read a type of user Administrator, Editor, Operator, Viewer
PATCH /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Update a type of user Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id Delete a type of user Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Read deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Read deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections Create deployment user connections Administrator, Editor, Operator, Viewer
POST /v5/:platform/deployments/:deployment_id/users/:user_type/:user_id/connections/:endpoint_type Create deployment user connections Administrator, Editor, Operator, Viewer
GET /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
POST /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Create a Allowlisted IP Addresses Administrator, Editor, Operator
DELETE /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses/:ip_address_id Remove a Allowlisted IP Addresses Administrator, Editor, Operator
PUT /v5/:platform/deployments/:deployment_id/allowlists/ip_addresses Bulk allowlist IP addresses Administrator, Editor, Operator
GET /v5/:platform/deployments/:deployment_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
GET /v5/:platform/backups/:backup_id/capability/:capability_id Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
task.read Read a Task Administrator, Editor, Operator, Service Configuration Reader, Viewer
backup.read Read a Backup Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.read Read a Deployment Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment.update Update a Deployment Administrator, Editor, Operator
deployment-point-in-time-recovery-data.list Read all deployment point-in-time-recovery data Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-task.list Read all deployment tasks Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.list Read all deployment backups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-backup.create Create an on-demand backup Administrator, Editor, Operator
deployment-remote.list Read all deployment remotes Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-remote.update Update a remote replica Administrator, Editor, Operator
deployment-remote.create Promote a remote replica Administrator, Editor, Operator
deployment-remote-resync.create Resync remote replica Administrator, Editor, Operator
deployment-database-connection.bulkdelete Kill all database connections Administrator, Editor, Operator
deployment-configuration.update Update deployment configuration Administrator, Editor, Operator
deployment-configuration-schema.read Read deployment configuration schema Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-network.read Read deployment network Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.list Read Groups Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group.update Update a Group Administrator, Editor, Operator
deployment-group-autoscaling.read Read autoscaling configuration Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-group-autoscaling.update Update autoscaling configuration Administrator, Editor, Operator
capability.create Discover a supported capability Administrator, Editor, Operator
deployment-user.create Create a type of user Administrator, Editor, Operator
deployment-user.read Read a type of user Administrator, Editor, Operator, Viewer
deployment-user.update Update a type of user Administrator, Editor, Operator
deployment-user.delete Delete a type of user Administrator, Editor, Operator
deployment-user-connection.list Read deployment user connections Administrator, Editor, Operator, Viewer
deployment-user-connection.create Create deployment user connections Administrator, Editor, Operator, Viewer
deployment-ip-address.list Read Allowlisted IP Addresses Administrator, Editor, Operator, Service Configuration Reader, Viewer
deployment-ip-address.create Create a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-ip-address.delete Remove a Allowlisted IP Addresses Administrator, Editor, Operator
deployment-allowlist-ip-addresses.update Bulk allowlist IP addresses Administrator, Editor, Operator
deployment-capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer
capability.read Read a capability Administrator, Editor, Operator, Service Configuration Reader, Viewer

Metrics Router

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use metrics-router for the service name.

Platform roles - Metrics Router
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Metrics Router
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
metrics-router.target.read Read target Administrator, Editor, Operator, Viewer
metrics-router.target.create Create target Administrator, Editor
metrics-router.target.update Update target Administrator, Editor
metrics-router.target.delete Delete target Administrator, Editor
metrics-router.target.list List the targets Administrator, Editor, Operator, Viewer
metrics-router.route.read Read route Administrator, Editor, Operator, Viewer
metrics-router.route.create Create route Administrator, Editor
metrics-router.route.update Update route Administrator, Editor
metrics-router.route.delete Delete route Administrator, Editor
metrics-router.route.list List routes Administrator, Editor, Operator, Viewer
metrics-router.onboarding.modify Modify onboarding for services only. Administrator
metrics-router.onboarding.get Get onboarding for services only. Administrator, Editor, Operator, Viewer
metrics-router.onboarding.delete Delete onboarding for services only. Administrator
metrics-router.setting.update Update settings Administrator
metrics-router.setting.get Get settings Administrator, Editor, Operator, Viewer
metrics-router.onboarding.create Create onboarding config for services only. Administrator
metrics-router.onboarding.list List onboarding config for services only. Viewer
metrics-router.onboarding.update Update onboarding config for services only. Administrator
metrics-router.destination.search Search for target destinations. Administrator, Editor, Operator, Viewer

Migration Services for IBM Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use migrationtool-from-wanclds for the service name.

Platform roles - Migration Services for IBM Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Migration Services for IBM Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Migration Services for IBM Cloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
migrationtool-from-wanclds.dashboard.view Administrator, Editor, Operator

Minio

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use minio for the service name.

Platform roles - Minio
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Minio
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Minio
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
minio.dashboard.view Administrator, Editor, Operator

IBM Cloud Monitoring Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use monitoring for the service name.

Platform roles - IBM Cloud Monitoring Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - IBM Cloud Monitoring Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
monitoring.domain.write Administrator, Editor, Operator
monitoring.domain.render Administrator, Editor, Operator, Viewer
monitoring.domain.find Administrator, Editor, Operator, Viewer
monitoring.domain.alarm_write Administrator, Editor
monitoring.domain.alarm_read Administrator, Editor, Viewer
monitoring.domain.notify_write Administrator, Editor
monitoring.domain.notify_read Administrator, Editor, Viewer
monitoring.domain.dashboard_write Administrator, Editor, Operator
monitoring.domain.dashboard_read Administrator, Editor, Viewer
monitoring.domain.uptime_write Administrator, Editor
monitoring.domain.uptime_read Administrator, Editor, Viewer

IBM MQ

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use mqcloud for the service name.

Platform roles - IBM MQ
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM MQ
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM MQ
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
mqcloud.instance.use Users can get access to service instances and their queue managers. Administrator, Editor, Manager, Viewer, Writer

Natural Language Understanding

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use natural-language-understanding for the service name.

Platform roles - Natural Language Understanding
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Natural Language Understanding
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Natural Language Understanding
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
natural-language-understanding.dashboard.view Administrator, Editor, Operator
GET /natural-language-understanding Manager, Reader, Writer
POST /natural-language-understanding Manager, Reader, Writer
DELETE /natural-language-understanding Manager, Reader, Writer
PUT /natural-language-understanding PUT /natural-language-understanding Manager, Reader, Writer

NeuralSeek

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use neuralseek for the service name.

Platform roles - NeuralSeek
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - NeuralSeek
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - NeuralSeek
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
neuralseek.dashboard.view Administrator, Editor, Operator

OpenPages with Watson

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use openpages for the service name.

Platform roles - OpenPages with Watson
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can complete all platform actions for IBM OpenPages, including the ability to assign access policies to other users. As an application administrator, you have complete access to all objects, folders, application permissions and security groups and users in IBM OpenPages. You can log in to the IBM OpenPages application as an administrator.
Editor As an Editor, you can create, modify, and delete IBM OpenPages service instances, but you can't assign access policies to other users. You can also log in to the IBM OpenPages application and further access is defined in the application.
Operator As an operator, you can complete platform actions that are required to configure and operate IBM OpenPages service instances. You can also log in to the IBM OpenPages application and further access is defined in the application.
Viewer As a Viewer, you can view IBM OpenPages service instances, but you can't modify them. You can also log in to the IBM OpenPages application and further access is defined in the application.
Service roles - OpenPages with Watson
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
OpenPages User As an OpenPages user, you can log in to the IBM OpenPages application but you do not have access to the service instance on IBM Cloud console. Further access is defined in IBM OpenPages.
Service actions - OpenPages with Watson
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
openpages.service.administer The ability to administer OpenPages Service. Administrator
openpages.service.login The ability to login to OpenPages service. Administrator, Editor, OpenPages User, Operator, Viewer

Personality Insights

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use personality-insights for the service name.

Platform roles - Personality Insights
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator null
Editor null
Operator null
Service roles - Personality Insights
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager null
Reader null
Writer null
Service actions - Personality Insights
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
personality-insights.dashboard.view Administrator, Editor, Operator
GET /personality-insights Manager, Reader, Writer
POST /personality-insights Manager, Reader, Writer

Planning Analytics

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use planning-analytics for the service name.

Platform roles - Planning Analytics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Planning Analytics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Planning Analytics User Planning Analytics User
Service actions - Planning Analytics
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
planning-analytics.dashboard.view View Dashboard Administrator, Editor, Operator, Viewer
planning-analytics.access Planning Analytics Access Administrator, Planning Analytics User

Watson Machine Learning

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use pm-20 for the service name.

Platform roles - Watson Machine Learning
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Service roles - Watson Machine Learning
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Writer As a writer, you can perform all actions on the WML instance this role is being assigned.
Service actions - Watson Machine Learning
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
pm-20.instances.admin Administrator
pm-20.instances.write Editor, Manager, Writer

Portworx Enterprise

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use portworx for the service name.

Platform roles - Portworx Enterprise
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Portworx Enterprise
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
portworx.dashboard.view Administrator, Editor, Operator

Portworx Test

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use portworx-test for the service name.

Platform roles - Portworx Test
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Portworx Test
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
portworx-test.dashboard.view Administrator, Editor, Operator

PowerAI

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-ai for the service name.

Platform roles - PowerAI
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator null
Editor null
Operator null
Service actions - PowerAI
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
power-ai.dashboard.view Administrator, Editor, Operator

Power Systems Virtual Server

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas for the service name.

Service roles - Power Systems Virtual Server
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service actions - Power Systems Virtual Server
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
power-iaas.dashboard.view The ability to view the dashboard Manager, Reader
power-iaas.cloud-instance.modify The ability to modify a cloud instance Manager
power-iaas.cloud-instance.read The ability to get a cloud instance Manager, Reader
power-iaas.pod-capacity.view The ability to view infrastructure capacity details Manager
power-iaas.cloud-connection-vpc.list The ability to list VPC cloud connections for a cloud instance Manager, Reader
power-iaas.cloud-connection.read The ability to get a cloud connection for a cloud instance Manager, Reader
power-iaas.cloud-connection.list The ability to list cloud connections for a cloud instance Manager, Reader
power-iaas.cloud-connection.create The ability to create a cloud connection for a cloud instance Manager
power-iaas.cloud-connection.update The ability to update a cloud connection for a cloud instance Manager
power-iaas.cloud-connection.delete The ability to delete a cloud connection for a cloud instance Manager
power-iaas.cloud-connection-network.update The ability to attach a network to a cloud connection Manager
power-iaas.cloud-connection-network.delete The ability to delete a network from a cloud connection Manager
power-iaas.cloud-instance.list The ability to read status of a cloud instance Manager, Reader
power-iaas.cos-image.read The ability to get a cos-image import job of a cloud instance Manager, Reader
power-iaas.cos-image.create The ability to create a cos-image import job for a cloud instance Manager
power-iaas.event.read The ability to get a corresponding event Manager, Reader
power-iaas.event.list The ability to list corresponding events Manager, Reader
power-iaas.image-export.create The ability to create an image export job Manager
power-iaas.image-export.read The ability to read an image export job Manager, Reader
power-iaas.stock-image.read The ability to read information for a stock image Manager, Reader
power-iaas.stock-image.list The ability to list stock images in a cloud instance Manager, Reader
power-iaas.cloud-instance-image.read The ability to read information for an image in a cloud instance Manager, Reader
power-iaas.cloud-instance-image.list The ability to list images in a cloud instance Manager, Reader
power-iaas.cloud-instance-image.create The ability to create (copies) an image into a cloud instance Manager
power-iaas.cloud-instance-image.delete The ability to delete an image from a cloud instance Manager
power-iaas.job.read The ability to get the details of a job Manager, Reader
power-iaas.job.list The ability to list recent jobs initiated by the cloud instance Manager, Reader
power-iaas.job.delete The ability to delete the requested job Manager
power-iaas.network-port.delete The ability to delete a port on a network Manager
power-iaas.network-port.read The ability to get the details of a network port Manager, Reader
power-iaas.network-port.list The ability to list the information of all ports of a network Manager, Reader
power-iaas.network-port.create The ability to create a network port Manager
power-iaas.network-port.update The ability to update a network port Manager
power-iaas.network.delete The ability to delete a network Manager
power-iaas.network.read The ability to get a network Manager, Reader
power-iaas.network.list The ability to list all networks in a cloud instance Manager, Reader
power-iaas.network.create The ability to create a network Manager
power-iaas.network.update The ability to update a network Manager
power-iaas.pvm-instance-console.create The ability to get the console url for an instance Manager
power-iaas.pvm-instance-console.read The ability to get console languages for an instance Manager, Reader
power-iaas.pvm-instance-console.update The ability to update an instance console required codepage Manager
power-iaas.pvm-instance-network.delete The ability to delete a network from a pvm instance Manager
power-iaas.pvm-instance-network.read The ability to get network information of a pvm instance Manager, Reader
power-iaas.pvm-instance-network.list The ability to list all networks on a pvm instance Manager, Reader
power-iaas.pvm-instance-network.create The ability to add a network to a pvm instance Manager
power-iaas.pvm-instance.read The ability to get a pvm instance Manager, Reader
power-iaas.pvm-instance.delete The ability to delete a pvm instance Manager
power-iaas.pvm-instance.list The ability to list all pvm instances Manager, Reader
power-iaas.pvm-instance.create The ability to create a pvm instance Manager
power-iaas.pvm-instance.update The ability to update a pvm instance Manager
power-iaas.pvm-instance.action The ability to perform an action on an pvm instance Manager
power-iaas.pvm-instance.operation The ability to perform an operation on a pvm instance Manager
power-iaas.pvm-instance-capture.create The ability to create a pvm instance capture job Manager
power-iaas.pvm-instance-capture.read The ability to get the latest pvm instance capture job Manager, Reader
power-iaas.pvm-instance-clone.create The ability to clone a pvm instance Manager
power-iaas.pvm-instance-snapshot.create The ability to create a snapshot of a pvm instance Manager
power-iaas.pvm-instance-snapshot.list The ability to list all snapshots for a pvm instance Manager, Reader
power-iaas.pvm-instance-snapshot.restore The ability to restores a snapshot for a pvm instance Manager
power-iaas.placement-group.read The ability to get a placement group Manager, Reader
power-iaas.placement-group.list The ability to list all placement groups from a cloud instance Manager, Reader
power-iaas.placement-group.delete The ability to delete a placement group Manager
power-iaas.placement-group.create The ability to create a placement group Manager
power-iaas.placement-group-member.create The ability to add a server to a placement group Manager
power-iaas.placement-group-member.delete The ability to delete a server from a placement group Manager
power-iaas.shared-processor-pool.create The ability to create a shared processor pool Manager
power-iaas.shared-processor-pool.delete The ability to delete a shared processor pool Manager
power-iaas.shared-processor-pool.list The ability to list all shared processor pools for a cloud instance Manager, Reader
power-iaas.shared-processor-pool.read The ability to get a shared processor pool Manager, Reader
power-iaas.shared-processor-pool.update The ability to update a shared processor pool Manager
power-iaas.spp-placement-group.create The ability to create a spp placement group Manager
power-iaas.spp-placement-group.read The ability to get a spp placement group Manager, Reader
power-iaas.spp-placement-group.list The ability to list all spp placement groups for a cloud instance Manager, Reader
power-iaas.spp-placement-group-member.create The ability to add spp placement group members Manager
power-iaas.spp-placement-group-member.delete The ability to delete spp placement group members Manager
power-iaas.spp-placement-group.delete The ability to delete a spp placement group Manager
power-iaas.sap.read The ability to get a sap profile Manager, Reader
power-iaas.sap.list The ability to list all sap profiles Manager, Reader
power-iaas.sap.create The ability to create a sap pvm instance Manager
power-iaas.dhcp-service.read The ability to get a DHCP server Manager, Reader
power-iaas.dhcp-service.list The ability to list all DHCP servers in a cloud instance Manager, Reader
power-iaas.dhcp-service.delete The ability to delete a DHCP server Manager
power-iaas.dhcp-service.create The ability to create a DHCP server Manager
power-iaas.cloud-instance-snapshot.read The ability to get the details of a snapshot in a cloud instance Manager, Reader
power-iaas.cloud-instance-snapshot.list The ability to list all snapshots in a cloud instance Manager, Reader
power-iaas.cloud-instance-snapshot.update The ability to update a cloud instance snapshot Manager
power-iaas.cloud-instance-snapshot.delete The ability to delete a cloud instance snapshot Manager
power-iaas.storage-capacity-type.list The ability to get the storage capacity for all supported storage types for a region Manager, Reader
power-iaas.storage-capacity-type.read The ability to get the storage capacity for a region supported storage type Manager, Reader
power-iaas.storage-capacity-pool.list The ability to list the storage capacity for all storage pools for a region Manager, Reader
power-iaas.storage-capacity-pool.read The ability to get the storage capacity for a storage pools for a region Manager, Reader
power-iaas.storage-tier.read The ability to get the supported storage tiers for a datacenter Manager, Reader
power-iaas.system-pool.list The ability to list available system pools within a datacenter Manager, Reader
power-iaas.task.read The ability to get the details of a task Manager, Reader
power-iaas.task.delete The ability to delete a task Manager
power-iaas.volume-clone.create The ability to create a volume clone Manager
power-iaas.volume-clone.read The ability to get the details of a volume clone request Manager, Reader
power-iaas.volume-clone.list The ability to list all volume clone requests Manager, Reader
power-iaas.volume-clone.start The ability to perform start action for a volume clone request Manager
power-iaas.volume-clone.execute The ability to perform execute action for a volume clone request Manager
power-iaas.volume-clone.cancel The ability to perform cancel action for a volume clone request Manager
power-iaas.volume-clone.delete The ability to delete a volume clone request Manager
power-iaas.cloud-instance-volume.create The ability to create a data volume into a cloud instance Manager
power-iaas.pvm-instance-volume.delete The ability to detach volumes from a pvm instance Manager
power-iaas.volume-group.list The ability to list all volume groups in cloud instance Manager, Reader
power-iaas.volume-group.read The ability to get a volume group in a cloud instance Manager, Reader
power-iaas.volume-group.delete The ability to delete a volume group Manager
power-iaas.volume-group.create The ability to create a volume group Manager
power-iaas.volume-group.update The ability to update a volume group Manager
power-iaas.volume-group.action The ability to perfoms action on a volume group Manager
power-iaas.volume-group-remote-copy.read The ability to get list of remote copy volume relationships Manager, Reader
power-iaas.volume-group-storage.read The ability to get storage details of volume group Manager, Reader
power-iaas.volume-onboarding.list The ability to list all volume onboardings in a cloud instance Manager, Reader
power-iaas.volume-onboarding.read The ability to get a volume onboarding operation information Manager, Reader
power-iaas.volume-onboarding.create The ability to create a volume onboarding operation Manager
power-iaas.cloud-instance-volume.read The ability to get information of a volume in a cloud instance Manager, Reader
power-iaas.cloud-instance-volume.list The ability to list all volumes in a cloud instance Manager, Reader
power-iaas.cloud-instance-volume.update The ability to update a volume in a cloud instance Manager
power-iaas.cloud-instance-volume.delete The ability to delete a volume from a cloud instance Manager
power-iaas.pvm-instance-volume.list The ability to list all the volumes attached to a pvm instance Manager, Reader
power-iaas.pvm-instance-volume.read The ability to get the details of a volume attached to a pvm instance Manager, Reader
power-iaas.pvm-instance-volume.create The ability to attach volumes to a pvm instance Manager
power-iaas.pvm-instance-volume.update The ability to update a volume attached to a pvm instance Manager
power-iaas.pvm-instance-boot-volume.update The ability to set a pvm instance volume as the boot volume Manager
power-iaas.volume-remote-copy.read The ability to get the details of remote copy volume Manager, Reader
power-iaas.volume-flash-copy.read The ability to get the flash copy mappings of a volume Manager, Reader
power-iaas.vpn-connection-network.delete The ability to detach a local subnet from a vpn connection Manager
power-iaas.vpn-connection-network.read The ability to list all local subnets attached to a vpn connection Manager, Reader
power-iaas.vpn-connection-network.update The ability to attach a local subnet to a vpn connection Manager
power-iaas.vpn-connection-peer-subnet.delete The ability to detach a peer subnet from a vpn connection Manager
power-iaas.vpn-connection-peer-subnet.read The ability to list all peer subnets attached to a vpn connection Manager, Reader
power-iaas.vpn-connection-peer-subnet.update The ability to attach a peer subnet to a vpn connection Manager
power-iaas.vpn-connection-ike-policy.delete The ability to delete an IKE policy in a cloud instance Manager
power-iaas.vpn-connection-ike-policy.read The ability to get an IKE policy in a cloud instance Manager, Reader
power-iaas.vpn-connection-ike-policy.list The ability to list all IKE policies in a cloud instance Manager, Reader
power-iaas.vpn-connection-ike-policy.create The ability to create an IKE policy in a cloud instance Manager
power-iaas.vpn-connection-ike-policy.update The ability to update an IKE policy in a cloud instance Manager
power-iaas.vpn-connection-ipsec-policy.delete The ability to delete an IPSec policy in a cloud instance Manager
power-iaas.vpn-connection-ipsec-policy.read The ability to get an IPSec policy in a cloud instance Manager, Reader
power-iaas.vpn-connection-ipsec-policy.list The ability to list all IPSec policies in a cloud instance Manager, Reader
power-iaas.vpn-connection-ipsec-policy.create The ability to create an IPSec policy in a cloud instance Manager
power-iaas.vpn-connection-ipsec-policy.update The ability to update an IPSec policy in a cloud instance Manager
power-iaas.vpn-connection.delete The ability to delete a VPN connection in a cloud instance Manager
power-iaas.vpn-connection.read The ability to get a VPN connection in a cloud instance Manager, Reader
power-iaas.vpn-connection.list The ability to list all VPN connections in a cloud instance Manager, Reader
power-iaas.vpn-connection.create The ability to create a VPN connection for a cloud instance Manager
power-iaas.vpn-connection.update The ability to update a VPN connection for a cloud instance Manager
power-iaas.disaster-recovery.read The ability to get the disaster recovery location details of a cloud instance Manager, Reader
power-iaas.available-hosts.list The ability to get a list of available hosts Manager, Reader
power-iaas.host-group.create The ability to create a new hostgroup Manager
power-iaas.host-group.list The ability to list all the hostgroups accessible from the workspace Manager, Reader
power-iaas.host-group.read The ability to get the details about a specific hostgroup Manager, Reader
power-iaas.cloud-instance-volume.action The ability to perform an action on a volume Manager
power-iaas.tenant-sshkey.list The ability to list all of a tenants ssh keys Manager, Reader
power-iaas.tenant-sshkey.create The ability to add a new ssh key to the tenant Manager
power-iaas.tenant-sshkey.read The ability to get a tenant ssh key Manager, Reader
power-iaas.tenant-sshkey.update The ability to update a tenant ssh key Manager
power-iaas.tenant-sshkey.delete The ability to delete a tenant ssh key Manager
power-iaas.tenant.read The ability to get the status of a tenant Manager, Reader
power-iaas.tenant.update The ability to updates a tenant Manager
power-iaas.host-group.update The ability to update the sharing status of a hostgroup Manager
power-iaas.host.create The ability to add a host to an existing hostgroup Manager
power-iaas.host.delete The ability to delete the host from its hostgroup Manager
power-iaas.host.list The ability to list all the hosts the workspace has access to Manager, Reader
power-iaas.host.read The ability to get the details about a host Manager, Reader
power-iaas.host.update The ability to update the display name of a host Manager
power-iaas.per-connection.migrate The ability to perform power edge router actions on a workspace Manager
power-iaas.snapshot.list The ability to get a list of all snapshots on a workspace Manager, Reader
power-iaas.snapshot.read The ability to get the details of a snapshot Manager, Reader
power-iaas.network-address-group.create The ability to create a network address group Manager
power-iaas.network-address-group.list The ability to list network address groups for a workspace Manager, Reader
power-iaas.network-address-group.read The ability to get the details of a network address group Manager, Reader
power-iaas.network-address-group.update The ability to update a network address group Manager
power-iaas.network-address-group.delete The ability to delete a network address group Manager
power-iaas.network-security-group.list The ability to list network security groups for a workspace Manager, Reader
power-iaas.network-security-group.create The ability to create network security group Manager
power-iaas.network-security-group.enable The ability to perform a network security groups action Manager
power-iaas.network-security-group.delete The ability to delete a network security group from a workspace Manager
power-iaas.network-security-group.read The ability to get the details of a network security group Manager, Reader
power-iaas.network-security-group.update The ability to update a network security group Manager
power-iaas.network-interfaces.list The ability to list network interfaces for a network Manager, Reader
power-iaas.network-interfaces.create The ability to create a network interface Manager
power-iaas.network-interfaces.delete The ability to delete a network interface Manager
power-iaas.network-interfaces.read The ability to get information of a network interface Manager, Reader
power-iaas.network-interfaces.update The ability to update information of a network interface Manager

Power Virtual Server Dedicated Host

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.dedicated-host for the service name.

No supported roles.

Power Virtual Server Image

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.image for the service name.

No supported roles.

PowerVS Network

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.network for the service name.

No supported roles.

Power Virtual Server Network Interface

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.network-interface for the service name.

No supported roles.

Power Virtual Server Network Security Group

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.network-security-group for the service name.

No supported roles.

PowerVS VM

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.pvm-instance for the service name.

No supported roles.

Power Virtual Server Shared Processor Pool

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.shared-processor-pool for the service name.

Platform roles - Power Virtual Server Shared Processor Pool
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Power Virtual Server Shared Processor Pool
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
power-iaas.shared-processor-pool.dashboard.view Administrator, Editor, Operator

PowerVS Snapshot

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.snapshot for the service name.

No supported roles.

PowerVS Volume

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.volume for the service name.

No supported roles.

Workspace for Power Systems Virtual Server

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use power-iaas.workspace for the service name.

No supported roles.

HDM Workload Migrator

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use primaryio-hdm-workload-migrator for the service name.

Platform roles - HDM Workload Migrator
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - HDM Workload Migrator
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - HDM Workload Migrator
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
primaryio-hdm-workload-migrator.dashboard.view Administrator, Editor, Operator

Privileged Access Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use privileged-access-gateway for the service name.

Platform roles - Privileged Access Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Privileged Access Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Privileged Access Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
privileged-access-gateway.dashboard.view View the PAG UI dashboard. Administrator, Editor, Operator
privileged-access-gateway.certificate.create this action is going to create a user certificate for the user that is needed to login to the session Manager, Writer
privileged-access-gateway.public-ca-key.get retrieves the public CA key Manager, Reader, Writer
privileged-access-gateway.ssh.login ssh login Manager, Writer
privileged-access-gateway.kube.login kube login action that allows users to get kube config details of a cluster Manager, Writer
privileged-access-gateway.rdp.login privileged-access-gateway.ssh.login Manager, Writer
privileged-access-gateway.session-all.list list all the active sessions Manager
privileged-access-gateway.instance.upgrade Perform a software update of the gateway associated an instance. Administrator, Editor, Operator
privileged-access-gateway.info get PAG Info Manager, Reader, Writer
privileged-access-gateway.certificate-all.list privileged-access-gateway.certificate.list.all Manager
privileged-access-gateway.certificate.revoke privileged-access-gateway.certificate.revoke Manager
privileged-access-gateway.gateway.start Starting customer gateway for restart operation Manager
privileged-access-gateway.gateway.stop Stop Customer gateway for restart operation Manager
privileged-access-gateway.gateway.reset Reset customer gateway disk to recover functionality Manager
privileged-access-gateway.certificate.get privileged-access-gateway.certificate.get Manager
privileged-access-gateway.break-glass-certificate.revoke revoke a breakglass certificate of a user Manager
privileged-access-gateway.break-glass-certificate.create create a breakglass certificate Manager, Writer
privileged-access-gateway.break-glass-certificate-all.list list breakglass certificates of all users Manager
privileged-access-gateway.break-glass-certificate.get get breakglass certificate info of the user Manager, Writer
privileged-access-gateway.pagtoken.create create a pagtoken for given breakglass certificate Manager, Writer
privileged-access-gateway.break-glass-cluster.add add breakglass cluster config Manager, Writer
privileged-access-gateway.break-glass-cluster.remove remove a breakglass cluster config Manager, Writer
privileged-access-gateway.break-glass-cluster-all.list privileged-access-gateway.break-glass-cluster-all.list Manager
privileged-access-gateway.https.login privileged-access-gateway.https.login Manager, Writer
privileged-access-gateway.https.logout privileged-access-gateway.https.logout Manager, Writer
privileged-access-gateway.https.add privileged-access-gateway.https.add Manager, Writer
privileged-access-gateway.https.remove privileged-access-gateway.https.remove Manager, Writer
privileged-access-gateway.https.enable privileged-access-gateway.https.enable Manager, Writer
privileged-access-gateway.https.disable privileged-access-gateway.https.disable Manager, Writer
privileged-access-gateway.https.all.list privileged-access-gateway.https.all.list Manager
privileged-access-gateway.https.get privileged-access-gateway.https.get Manager, Writer
privileged-access-gateway.https.update privileged-access-gateway.https.update Manager, Writer
privileged-access-gateway.pagtoken.revoke privileged-access-gateway.pagtoken.revoke Manager, Writer

Product Lifecycle

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use product-lifecycle for the service name.

Platform roles - Product Lifecycle
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Product Lifecycle
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
product-lifecycle.dashboard.view Administrator, Editor, Operator
product-lifecycle.offering.create Create an onboarding offering in the account Administrator, Editor
product-lifecycle.offering.edit Edit an onboarding offering in the account. Administrator, Editor
product-lifecycle.offering.read Read values of an offering Administrator, Editor
product-lifecycle.registration.read Read onboarding registration Administrator, Editor
product-lifecycle.registration.create Create onboarding registration Administrator, Editor

Project

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use project for the service name.

Platform roles - Project
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Project
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Project
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
project.environment.delete The ability to delete a project environment. Administrator
project.config.delete The ability to delete a project config. Administrator
project.config.create The ability to create a project config. Administrator, Editor
project.config.retrieve The ability to view a project config. Administrator, Editor, Operator, Viewer
project.config.force-approve The ability to force the approval of a project config. Administrator
project.config.approve The ability to approve a project config. Administrator, Editor
project.config.validate The ability to validate a project config. Administrator, Editor, Operator
project.config.deploy The ability to deploy a project config. Administrator, Editor
project.config.manual-tag The ability to add tags to manually created resource. Administrator, Editor
project.config.create-stack-definition The ability to create a project config stack definition. Administrator, Editor
project.config.retrieve-stack-definition The ability to retrieve a project config stack definition. Administrator, Editor, Operator, Viewer
project.config.update-stack-definition The ability to update a project config stack definition. Administrator, Editor, Operator
project.config.export-stack-definition The ability to publish a project config stack definition. Administrator, Editor, Operator
project.environment.retrieve The ability to view a project environment. Administrator, Editor, Operator, Viewer
project.environment.create The ability to create a project environment. Administrator, Editor
project.instance.retrieve-all The ability to view a projects. Administrator, Editor, Operator, Service Configuration Reader, Viewer
project.instance.sync The ability to sync a project. Administrator, Editor, Operator
project.compliance.retrieve The ability to view compliance instances. Administrator, Editor, Operator, Viewer
project.compliance.retrieve-profiles The ability to view a compliance instance profiles. Administrator, Editor, Operator, Viewer
project.compliance.retrieve-attachments The ability to view a compliance profile's attachments. Administrator, Editor, Operator, Viewer
project.compliance-profiles.retrieve The ability to view compliance profiles. Administrator, Editor, Operator, Viewer
project.compliance-profiles.retrieve-attachments The ability to view compliance profile attachments. Administrator, Editor, Operator, Viewer
project.environment.retrieve-all The ability to view project environments. Administrator, Editor, Operator, Viewer
project.environment.retrieve-account The ability to view project environments across account. Administrator, Editor, Operator, Viewer
project.environment.update The ability to update a project environment. Administrator, Editor, Operator
project.config.retrieve-all The ability to view a project's configs. Administrator, Editor, Operator, Viewer
project.config.retrieve-diff The ability to view a project config diff. Administrator, Editor, Operator, Viewer
project.config.retrieve-job The ability to view a project config job. Administrator, Editor, Operator, Viewer
project.config.retrieve-cost The ability to view a project config cost estimate. Administrator, Editor, Operator, Viewer
project.config.retrieve-resources The ability to view project config resources. Administrator, Editor, Operator, Viewer
project.config.retrieve-all-version The ability to view all project config versions. Administrator, Editor, Operator, Viewer
project.config.retrieve-version The ability to view a project config version. Administrator, Editor, Operator, Viewer
project.config.retrieve-version-last-validated The ability to view a project config version that is the last validated. Administrator, Editor, Operator, Viewer
project.config.retrieve-version-last-deployed The ability to view a project config version that is the last deployed. Administrator, Editor, Operator, Viewer
project.config.retrieve-version-last-undeployed The ability to view a project config version that is the last undeployed. Administrator, Editor, Operator, Viewer
project.config.update The ability to update a project config. Administrator, Editor, Operator
project.config.sync The ability to sync a config. Administrator, Editor, Operator
project.config.delete-version The ability to delete a project config version. Administrator
project.config.undeploy The ability to undeploy resources for a project config. Administrator, Editor
project.notifications.create The ability to send project notifications. Administrator
project.event-notifications.create The ability to create a Project and Event Notifications integration. Administrator
project.event-notifications.create-test The ability to test a Project and Event Notifications integration. Administrator
project.notifications.retrieve The ability to view project notifications. Administrator, Editor, Operator, Viewer
project.event-notifications.retrieve The ability to view a Project and Event Notifications integration. Administrator, Editor, Operator, Viewer
project.event-notifications.delete The ability to delete a Project and Event Notifications integration. Administrator
project.spending.retrieve-all The ability to view project spending. Administrator, Editor, Operator, Viewer
project.resources.retrieve-all The ability to view project resources. Administrator, Editor, Operator, Viewer
project.resources.update The ability to update project resources. Administrator, Editor, Operator
project.available-resources.retrieve-all The ability to view project available resources. Administrator, Editor, Operator, Viewer
project.job.create Ability to create a project job Administrator, Editor
project.job.retrieve-all The ability to view a project's jobs. Administrator, Editor, Operator, Viewer
project.job.retrieve The ability to view a project job. Administrator, Editor, Operator, Viewer
project.job.update The ability to update a project job. Administrator, Editor, Operator
project.job.delete The ability to delete a project job. Administrator

PX-Backup By Portworx

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use px-backup for the service name.

Platform roles - PX-Backup By Portworx
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - PX-Backup By Portworx
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - PX-Backup By Portworx
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
px-backup.dashboard.view Administrator, Editor, Operator

Quantum Services

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use quantum-computing for the service name.

Service roles - Quantum Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Quantum Services
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
quantum-computing.program.read Read a program definition Manager, Reader, Writer
quantum-computing.program.delete Delete a program Manager, Writer
quantum-computing.job.create Create a job to run a program Manager, Writer
quantum-computing.job.read User ability to read a job Manager, Reader, Writer
quantum-computing.job.delete Delete a Job Manager, Writer
quantum-computing.job.cancel Cancel a Job Manager, Writer
quantum-computing.device.read Read information about a quantum device Manager, Reader, Writer
quantum-computing.user.logout Clears authorization cache Manager, Reader, Writer
quantum-computing.job.update Update a job. Manager, Writer
quantum-computing.session.read Read session details. Manager, Reader, Writer
quantum-computing.session.update Update a session. Manager, Writer
quantum-computing.instance.configuration.read Instance configuration read Manager
quantum-computing.instance.configuration.update Instance configuration update Manager
quantum-computing.instance.usage.read Instance usage read Manager, Reader, Writer
quantum-computing.instance.read Instance read Manager, Reader, Writer
quantum-computing.session.create Create a Session Manager, Writer
quantum-computing.account-configuration.read Read Account Configuration. Must be granted by a policy that does not specify service instance. Manager
quantum-computing.workload.read Access to read workload which includes sessions and jobs Manager, Reader, Writer
quantum-computing.workload.list Access to list workloads (sessions and jobs) Manager, Reader, Writer
quantum-computing.account-analytics-usage.read Read usage for analytics. Must be granted by a policy that provides access to all resources in the account. Manager, Reader, Writer
quantum-computing.account-analytics-filter.read Read usage filters for analytics. Must be granted by a policy that provides access to all resources in the account. Manager, Reader, Writer

Raxak Protect

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use raxak-protect for the service name.

Platform roles - Raxak Protect
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Raxak Protect
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
raxak-protect.dashboard.view Administrator, Editor, Operator

Robin CNS

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use robin-storage for the service name.

Platform roles - Robin CNS
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Robin CNS
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Robin CNS
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
robin-storage.dashboard.view Administrator, Editor, Operator

IBM Cloud Satellite

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use satellite for the service name.

Platform roles - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Deployer This role allow the user to deploy satellite-config managed contents to managed clusters
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Satellite Cluster Creator As a Satellite Cluster Creator you have the ability create new Red Hat OpenShift on IBM Cloud OpenShift Clusters in the Satellite Location
Satellite Link Administrator The Satellite Link Administrator is able to create, edit, update, and delete Satellite Link Endpoints and Sources
Satellite Link Source Access Controller Allows the subject to enable access to Link Endpoint from a Link Source
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
satellite.dashboard.view Administrator, Editor, Operator
satellite.config-configuration.create create configuration for the satellite config. You can create one or more configurations for your org. Administrator, Manager
satellite.config-configuration.read list all the configurations for your org, or get details about one configuration Manager, Reader
satellite.config-configuration.update updates fields in configuration Manager, Writer
satellite.config-configuration.delete delete a configuration Administrator, Manager
satellite.config-configuration.manageversion change your configuration version Manager, Writer
satellite.config-subscription.create create a subscription for a configuration Deployer, Manager
satellite.config-subscription.read read subscriptions for your org Deployer, Manager, Reader
satellite.config-subscription.update update subscription name and other relevant fields Deployer, Manager
satellite.config-subscription.delete delete a subscription Deployer, Manager
satellite.config-subscription.setversion set the configuration version on this subscription Deployer, Manager
satellite.config-cluster.attach attach cluster to a cluster group Administrator, Manager, Satellite Cluster Creator
satellite.config-cluster.read read cluster list for for an org or details about a given cluster Administrator, Manager, Reader
satellite.link.create Create Link instance for the Satellite Location. Administrator
satellite.config-organization.read allow to access the organization info Administrator, Deployer, Manager, Reader, Satellite Cluster Creator
satellite.config-organization.manage allow to read the org_key for an organization Manager
satellite.resource.get read resource under a cluster or from a cluster group Administrator, Manager, Reader
satellite.api.globalaccess global access satellite api for special users Administrator, Manager
satellite.config-cluster.register register cluster to the satellite config Administrator, Manager, Satellite Cluster Creator
satellite.config-cluster.detach detach cluster Administrator, Manager
satellite.config-clustergroup.read read cluster group for all its resources Administrator, Manager, Reader
satellite.config-clustergroup.manage create or delete a cluster group Administrator, Manager
satellite.location.create create satellite location to be added to the existing locations Administrator
satellite.location.read read satellite location Administrator, Editor, Operator, Satellite Cluster Creator, Satellite Link Administrator, Viewer
satellite.location.update edit an existing satellite location information Administrator, Editor, Operator
satellite.location.delete delete a satellite location belonged to you Administrator, Operator
satellite.config-clustergroup.setversion set the configuration version on this cluster group Administrator, Deployer, Manager
satellite.resource.servicelevelread Service level read of resources Administrator, Manager
satellite.link.get Get configuration and status of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link.delete Delete a Link instance of a Satellite Location. Administrator, Operator
satellite.link-endpoints.list List all Link Endpoints of a Satellite Location. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoints.create Create a Link Endpoint with specified configuration. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.get Get configuration and status of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoints.update Modify configuration of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.delete Delete a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.get Get certificate/key of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.upload Upload certificate/key for a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.delete Delete certificate/key of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-sources.list List all ACL Sources of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-sources.create Create a ACL Source for a Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-sources.delete Delete a ACL Source of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-sources.list List ACL Sources used by a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoint-sources.update Update ACL Sources enable/disable state of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Source Access Controller
satellite.link-sources.update Modify IP address/subnets list of a ACL Source configured for the specified Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.config-cluster.update Update cluster registration Manager
satellite.location.cluster-create Enables the user to create Red Hat OpenShift on IBM Cloud clusters in the Satellite Location Administrator, Satellite Cluster Creator
satellite.link-endpoints.import Import Endpoint from previous export. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.export Export Endpoint configuration to an archive file. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-source-endpoints.list List Source status for all Endpoints. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-source-endpoints.update Update Source status for listed Endpoints. Administrator, Editor, Operator, Satellite Link Source Access Controller

Satellite Infrastructure Services

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use satellite-iaas for the service name.

Platform roles - Satellite Infrastructure Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Satellite Infrastructure Services
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Satellite IS Request Handler Satellite IS Request Handler
Service actions - Satellite Infrastructure Services
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
satellite-iaas.dashboard.view Administrator, Editor, Operator
satellite-iaas.request.create Create a location request Administrator, Manager, Satellite IS Request Handler
satellite-iaas.request.update Update Satellite request Satellite IS Request Handler
satellite-iaas.request.delete Delete Location Request Satellite IS Request Handler

Schematics

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use schematics for the service name.

Platform roles - Schematics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Schematics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Schematics
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
schematics.workspace.create Manager
schematics.workspace.update Manager, Writer
schematics.workspace.delete Manager
schematics.workspace.read Read workspace details Manager, Reader, Writer
schematics.presets.create Create new presets for the Account Manager
schematics.presets.update Update the preset values Manager, Writer
schematics.presets.delete Delete the preset from Account Manager
schematics.presets.read Read the preset variable, value and metadata Manager, Reader, Writer
schematics.action.create Create an Action definition Manager
schematics.action.update Update the Action definition Manager, Writer
schematics.action.read Read the Action definition Manager, Reader, Writer
schematics.action.delete Delete the Action definition Manager
schematics.settings-kms.discover Discover KMS instances for Schematics settings Administrator
schematics.settings-kms.read Read the Schematics KMS settings Administrator, Editor, Manager, Operator, Reader, Service Configuration Reader, Viewer, Writer
schematics.settings-kms.update Update the Schematics KMS settings Administrator
schematics.environment.create Create an Environment Manager
schematics.environment.update Update the Environment Manager, Writer
schematics.environment.delete Delete an Environment Manager
schematics.environment.read Read the Environment details Manager, Reader, Writer
schematics.agents.read Work with agent jobs Operator
schematics.settings-connection.read Read the connection settings for external data or template Manager, Reader, Writer
schematics.settings-connection.create Create connection settings for external data and template Manager
schematics.settings-connection.update Update connection settings for external data and template Manager, Writer
schematics.settings-connection.delete Delete the connection settings for external data and template Manager
schematics.datasets.create Create new datasets for the Account Manager
schematics.datasets.update Update the dataset values Manager, Writer
schematics.datasets.delete Delete the dataset from Account Manager
schematics.datasets.read Read the dataset variable, value and metadata Manager, Reader, Writer
schematics.settings-agent.delete Unregister the Schematics Agent configuration setting Manager
schematics.settings-agent.update Update the Schematics Agent configuration setting Manager, Writer
schematics.settings-agent.read Read Schematics Agent configuration setting Manager, Reader, Writer
schematics.settings-agent.register Register the schematics agent instance Manager
schematics.settings-agent.create Create the schematics agent instance Manager

Secrets Manager

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use secrets-manager for the service name.

Platform roles - Secrets Manager
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Secrets Manager
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions, such as managing secret groups, configuring secret engines, and managing secrets policies.
Reader As a reader, you can perform read-only actions within Secrets Manager, such as viewing service-specific resources. Readers can access only the metadata that is associated with a secret.
SecretsReader As a secrets reader, you can perform read-only actions, and you can also access the secret data that is associated with a secret. A secrets reader can't create secrets or modify the value of an existing secret.
Writer As a writer, you have permissions beyond the secrets reader role, including the ability to create and edit secrets. Writers can't create secret groups, manage the rotation policies of a secret, or configure secrets engines.
Service actions - Secrets Manager
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
secrets-manager.dashboard.view View the Secrets Manager dashboard. Administrator, Editor, Operator
secrets-manager.secret-group.create Create secret groups to organize your secrets for access control. Manager
secrets-manager.secret-group.update Update a secret group. Manager
secrets-manager.secret-group.delete Delete a secret group. Manager
secrets-manager.secret-group.read View the details of a secret group. Manager, Reader, SecretsReader, Writer
secrets-manager.secret-groups.list List the secret groups in your instance. Manager, Reader, SecretsReader, Writer
secrets-manager.secret.create Create a secret. Manager, Writer
secrets-manager.secret.import Import a secret. Manager, Writer
secrets-manager.secret.read View the details of a secret. Manager, SecretsReader, Writer
secrets-manager.secret.delete Delete a secret. Manager
secrets-manager.secrets.list List the secrets in your instance. Manager, Reader, SecretsReader, Writer
secrets-manager.secret.rotate Rotate a secret. Manager, Writer
secrets-manager.secret-metadata.update Update a secret. Manager, Writer
secrets-manager.secret-metadata.read View the metadata of a secret. Manager, Reader, SecretsReader, Writer
secrets-manager.secret-policies.set Set secret policies. Manager
secrets-manager.secret-policies.get Get secret policies. Manager
secrets-manager.secret-engine-config.set Set secrets engine configuration. Manager
secrets-manager.secret-engine-config.get Get secrets engine configuration. Manager
secrets-manager.secret-versions.list List secret versions. Manager, Reader, SecretsReader, Writer
secrets-manager.endpoints.view Get service instance endpoints. Manager, Reader, SecretsReader, Writer
secrets-manager.vault-token.create Create a Vault token. Manager
secrets-manager.notifications-registration.create Register a Secrets Manager instance as a source in Event Notifications. Manager
secrets-manager.notifications-registration.read Get the registration details between a Secrets Manager and Event Notifications instance. Manager, Reader, SecretsReader, Writer
secrets-manager.notifications-registration.delete Unregister or remove a Secrets Manager instance as a source in Event Notifications. Manager
secrets-manager.notifications-registration.test Send a test event to the registered Event Notifications service instance. Manager, Reader, SecretsReader, Writer
secrets-manager.secret.revoke Revoke a secret Manager
secrets-manager.secret-lock.create Create a lock on a secret version to prevent it from being updated or deleted. Manager, Writer
secrets-manager.secret-lock.delete Delete a secret lock. Manager
secrets-manager.secret-locks.list List the locks that exist for secret and its versions. Manager, Reader, SecretsReader, Writer
secrets-manager.locks.list List the locks that are exist in your service instance. Manager, Reader, SecretsReader, Writer
secrets-manager.secret-action.create Create a secret action Manager, Writer
secrets-manager.secret-version.create Create a new secret version. Manager, Writer
secrets-manager.secret-version.read View the details of a secret version. Manager, SecretsReader, Writer
secrets-manager.secret-version-metadata.read View the metadata of a secret version. Manager, Reader, SecretsReader, Writer
secrets-manager.secret-version-action.create Create a secret version action. Manager, Writer
secrets-manager.configuration.create Create a new configuration Manager
secrets-manager.configuration-action.create Create a new configuration action Manager
secrets-manager.configurations.list List configurations Manager, Reader, Writer
secrets-manager.configuration.read View the details of a configuration. Manager
secrets-manager.configuration.update Update a configuration Manager
secrets-manager.configuration.delete Delete a configuration Manager
secrets-manager.secret-locks.create Create secret locks. Manager, Writer
secrets-manager.secret-locks.delete Delete secret locks. Manager
secrets-manager.secret-version-locks.create Create secret version locks. Manager, Writer
secrets-manager.secret-version-locks.list List secret version locks Manager, Reader, SecretsReader, Writer
secrets-manager.secret-version-locks.delete Delete secret version locks. Manager
secrets-manager.secrets-locks.list List secrets locks. Manager, Reader, SecretsReader, Writer

Secure Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use securegateway for the service name.

Platform roles - Secure Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Secure Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
securegateway.dashboard.view Administrator, Editor, Operator

IBM Verify

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use security-verify for the service name.

Platform roles - IBM Verify
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Verify
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - IBM Verify
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
security-verify.dashboard.view Administrator, Editor, Operator

Simulated Instruments Analytics API

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use sia for the service name.

Platform roles - Simulated Instruments Analytics API
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Simulated Instruments Analytics API
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Service actions - Simulated Instruments Analytics API
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
sia.dashboard.view Administrator, Editor, Operator
sia.instrument.read Reader

Skytap On IBM Cloud

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use skytap for the service name.

Platform roles - Skytap On IBM Cloud
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - Skytap On IBM Cloud
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
skytap.dashboard.view Administrator, Editor, Operator

Software Billing

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use software-billing for the service name.

Platform roles - Software Billing
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Software Billing
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Software Billing
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
software-billing.dashboard.view Administrator, Editor, Operator

Speech to Text

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use speech-to-text for the service name.

Platform roles - Speech to Text
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Speech to Text
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Speech to Text
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
speech-to-text.dashboard.view Administrator, Editor, Operator
GET /speech-to-text Manager, Reader, Writer
POST /speech-to-text Manager, Writer
DELETE /speech-to-text Manager, Writer
HEAD /speech-to-text Manager, Reader, Writer
PUT /speech-to-text Manager, Writer

sql-query

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use sql-query for the service name.

Service roles - sql-query
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - sql-query
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
sql-query.api.submit Submit SQL jobs that read and write data, including catalog metadata , such as table definitions. Manager, Writer
sql-query.api.getalljobs Retrieve a list of recent job submissions and their outcome status. Manager, Reader, Writer
sql-query.api.getjobinfo Retrieve the detailed status of a job based on provided jobid. Manager, Reader, Writer
sql-query.api.managecatalog Manage the catalog and indexes. For example, submit DDL statements to create, alter and drop tables, views and indexes. Manager
sql-query.api.readcatalog Introspect the catalog. For example, list the definitions of tables, views and indexes. Manager, Reader, Writer

streaming-analytics

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use streaming-analytics for the service name.

Service roles - streaming-analytics
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
null null
null null
Service actions - streaming-analytics
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
streaming-analytics.instances.query null
streaming-analytics.instances.read null, null
streaming-analytics.instances.update null
streaming-analytics.instances.start null, null
streaming-analytics.jobs.query null, null
streaming-analytics.jobs.create null, null
streaming-analytics.jobs.read null, null
streaming-analytics.jobs.delete null, null
streaming-analytics.builds.query null, null
streaming-analytics.builds.create null, null
streaming-analytics.builds.read null, null
streaming-analytics.builds.delete null, null
streaming-analytics.artifacts.query null, null
streaming-analytics.artifacts.read null, null
streaming-analytics.artifacts.download null, null

Support Center

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use support for the service name.

Platform roles - Support Center
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator View, search, create, and update support cases
Editor View, search, create, and update support cases
Viewer View and search support cases
Service actions - Support Center
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
support.case.create The ability to create a case. Administrator, Editor
support.case.update The ability to update a case. Administrator, Editor
support.case.read The ability to search cases. Administrator, Editor, Viewer
support.case.list The ability to view cases. Administrator, Editor, Viewer

IBM Cloud Monitoring with Sysdig

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use sysdig-monitor for the service name.

Platform roles - IBM Cloud Monitoring with Sysdig
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions according to the resource for which this role is assigned, including assigning access policies to other users and managing Sysdig team membership.
Service roles - IBM Cloud Monitoring with Sysdig
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role. You are a member of every Sysdig Team with administrative permissions and are able to create, delete and configure all team definitions.
Reader As a reader, you have read access to the environment within the defined Sysdig Team scope, but cannot create, edit or delete dashboards, alerts or other content.
Supertenant Metrics Publisher This role permits IBM services to publish platform metrics to your account
Writer As a writer, you have read and write access to the environment within the defined Sysdig Team scope and can create, edit and delete dashboards, alerts and other content.
Service actions - IBM Cloud Monitoring with Sysdig
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
sysdig-monitor.launch.user As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. Administrator, Manager, Writer
sysdig-monitor.launch.admin As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. Administrator, Manager
sysdig-monitor.launch.viewer As a reader, you can perform read-only actions within a service such as viewing service-specific resources. Administrator, Manager, Reader, Writer
sysdig-monitor.secure.manager Admin for Sysdig Secure Administrator
sysdig-monitor.secure.user User for Sysdig Secure Administrator
sysdig-monitor.secure.viewer Viewer for Sysdig Secure Administrator
sysdig-monitor.agent-installation.read Agent Installation (read) Administrator, Manager, Reader, Writer
sysdig-monitor.agent.cli.agent-network-calls-to-remote-pods Agent CLI (network calls) Administrator, Manager, Reader, Writer
sysdig-monitor.agent.cli.agent-status Agent CLI (agent status) Administrator, Manager, Reader, Writer
sysdig-monitor.agent.cli.view Agent CLI (view) Administrator, Manager, Reader, Writer
sysdig-monitor.agent.cli.view-configuration Agent CLI (view configuration) Administrator, Manager, Reader, Writer
sysdig-monitor.alert-events.edit Alert Events (edit) Administrator, Manager, Writer
sysdig-monitor.alert-events.read Alert Events (read) Administrator, Manager, Reader, Writer
sysdig-monitor.alerts.edit Alerts (edit) Administrator, Manager, Writer
sysdig-monitor.alerts.read Alerts (read) Administrator, Manager, Reader, Writer
sysdig-monitor.api-token.edit API Token (edit) Administrator, Manager, Reader, Writer
sysdig-monitor.api-token.read API Token (read) Administrator, Manager, Reader, Writer
sysdig-monitor.captures.edit Captures (edit) Administrator, Manager, Writer
sysdig-monitor.captures.read Captures (read) Administrator, Manager, Reader, Writer
sysdig-monitor.captures.view Captures (view) Administrator, Manager, Reader, Writer
sysdig-monitor.custom-events.edit Custom Events (edit) Administrator, Manager, Writer
sysdig-monitor.custom-events.read Custom Events (read) Administrator, Manager, Reader, Writer
sysdig-monitor.dashboard-metrics-data.read Dashboard metrics (read) Administrator, Manager, Reader, Writer
sysdig-monitor.dashboards.edit Dashboards (edit) Administrator, Manager, Writer
sysdig-monitor.dashboards.read Dashboards (read) Administrator, Manager, Reader, Writer
sysdig-monitor.datastream.read Datastream (read) Administrator, Manager, Reader, Writer
sysdig-monitor.downtimes.read Downtimes (read) Administrator, Manager, Reader, Writer
sysdig-monitor.events-forwarder.read Events Forwarder (read) Administrator, Manager, Reader, Writer
sysdig-monitor.explore.edit Explore (edit) Administrator, Manager
sysdig-monitor.explore.read Explore (read) Administrator, Manager, Reader, Writer
sysdig-monitor.file-storage-config.read File Storage Config (read) Administrator, Manager, Reader, Writer
sysdig-monitor.global.notification-channels.read Global Notification Channels (read) Administrator, Manager, Reader, Writer
sysdig-monitor.groupings.edit Groupings (edit) Administrator, Manager, Reader, Writer
sysdig-monitor.groupings.read Groupings (read) Administrator, Manager, Reader, Writer
sysdig-monitor.helmsrenderer.read Helms Renderer (read) Administrator, Manager, Reader, Writer
sysdig-monitor.infrastructure.read Infrastructure (read) Administrator, Manager, Reader, Writer
sysdig-monitor.integrations.read Integrations (read) Administrator, Manager, Reader, Writer
sysdig-monitor.manual-integrations.edit Manual Integrations (edit) Administrator, Manager, Writer
sysdig-monitor.manual-integrations.read Manual Integrations (read) Administrator, Manager, Reader, Writer
sysdig-monitor.memberships.edit Memberships (edit) Administrator
sysdig-monitor.memberships.read Memberships (read) Administrator
sysdig-monitor.metrics-data.read Metrics data (read) Administrator, Manager, Reader, Writer
sysdig-monitor.metrics-descriptors.read Metrics descriptors (read) Administrator, Manager, Reader, Writer
sysdig-monitor.notification-channels.edit Notification Channels (edit) Administrator, Manager, Writer
sysdig-monitor.notification-channels.read Notification Channels (read) Administrator, Manager, Reader, Writer
sysdig-monitor.overviews.read Overviews (read) Administrator, Manager, Reader, Writer
sysdig-monitor.promcat.integrations.edit PromCat Integrations (edit) Administrator, Manager, Writer
sysdig-monitor.promcat.integrations.read PromCat Integrations (read) Administrator, Manager, Reader, Writer
sysdig-monitor.promcat.integrations.validate PromCat Integrations (validate) Administrator, Manager, Reader, Writer
sysdig-monitor.promql-metadata.read PromQL Metadata (read) Administrator, Manager, Reader, Writer
sysdig-monitor.providers.read Providers (read) Administrator, Manager, Reader, Writer
sysdig-monitor.spotlight.read Spotlight (read) Administrator, Manager, Reader, Writer
sysdig-monitor.sysdig-storage.read Sysdig Storage (read) Administrator, Manager, Reader, Writer
sysdig-monitor.team.sharing.groupings.toggle Team Sharing Toggle Administrator, Manager
sysdig-monitor.teams.manage Teams (manage) Administrator, Manager
sysdig-monitor.teams.read Teams (read) Administrator
sysdig-monitor.token.view Token (view) Administrator, Manager, Reader, Writer
sysdig-monitor.users.read Users (read) Administrator
sysdig-monitor.system-role.admin System administrator role Administrator, Manager
sysdig-monitor.platform-metrics.publish Permit publishing of platform metrics to Sysdig Supertenant Metrics Publisher

IBM Cloud Security

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use sysdig-secure for the service name.

Platform roles - IBM Cloud Security
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Service roles - IBM Cloud Security
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Security
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
sysdig-secure.launch.admin As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. Administrator, Manager
sysdig-secure.launch.user As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. Administrator, Manager, Writer
sysdig-secure.launch.viewer As a reader, you can perform read-only actions within a service such as viewing service-specific resources. Administrator, Manager, Reader, Writer

Text to Speech

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use text-to-speech for the service name.

Platform roles - Text to Speech
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Text to Speech
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Text to Speech
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
text-to-speech.dashboard.view Administrator, Editor, Operator
GET /text-to-speech Manager, Reader, Writer
POST /text-to-speech Manager, Writer
DELETE /text-to-speech Manager, Writer
HEAD /text-to-speech Manager, Reader, Writer
PUT /text-to-speech Manager, Writer

Toolchain

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use toolchain for the service name.

Platform roles - Toolchain
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - Toolchain
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
EventSender Send custom toolchain events.
PipelineRunner Run Tekton or Classic pipelines.
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Toolchain
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
toolchain.dashboard.view View instances of the Toolchain service. Administrator, Editor, Operator
toolchain.instance.read-properties Read toolchain properties. Administrator, Editor, Viewer
toolchain.instance.update-properties Update toolchain properties. Administrator, Editor
toolchain.instance.create-bindings Add a tool integration to a toolchain within a resource group. Administrator, Editor
toolchain.instance.delete-bindings Remove a tool integration from a toolchain within a resource group. Administrator, Editor
toolchain.instance.list-bindings View the tool integrations that are contained in a toolchain within a resource group. Administrator, Editor, Viewer
toolchain.config.read Configuration Information Point API access for Security and Compliance Center Integration (SCC) Service Configuration Reader
toolchain.pipeline-run.create Run the selected pipeline. Administrator, Editor, Operator, PipelineRunner
toolchain.event.send Send a custom toolchain event Administrator, Editor, EventSender, Operator

Transit Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use transit for the service name.

Service roles - Transit Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
Service actions - Transit Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
transit.transit.manage Transit service manager Manager
transit.config.read Configuration Information Point API Access Service Configuration Reader

Transit Gateway

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use transit.gateway for the service name.

Platform roles - Transit Gateway
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service actions - Transit Gateway
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
transit.gateway.view The ability to view transit gateways and connections. Administrator, Editor, Operator, Viewer
transit.gateway.edit The ability to create, change, view and delete transit gateways and connections. Administrator, Editor

IBM Cloud Platform User Management Service

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use user-management for the service name.

Platform roles - IBM Cloud Platform User Management Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can view, invite, and update users. You can also view and update user profile settings.
Editor As an editor, you can view, invite, and update users. You can also view and update profile settings.
Operator As an operator, you can view users in the account and view profile settings.
Viewer As a viewer, you can view users in the account and view profile settings.
Service roles - IBM Cloud Platform User Management Service
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
VPN Administrator As a VPN administrator, you can configure classic infrastructure VPN settings for users.
Service actions - IBM Cloud Platform User Management Service
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
user-management.user.create Administrator, Editor
user-management.user.update Administrator, Editor
user-management.user.state-change Administrator, Editor
user-management.user.delete Remove user from account Administrator, Editor
user-management.user.retrieve Administrator, Editor, Operator, Viewer
user-management.invitation-email.create Administrator, Editor
user-management.preference.update Administrator, Editor
user-management.preference.retrieve Administrator, Editor, Operator, Viewer
user-management.user-setting.update Administrator, Editor
user-management.user-setting.retrieve Administrator, Editor, Operator, Viewer
user-management.vpn.update Update user VPN settings VPN Administrator

VMware Solutions on VPC

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use vmware for the service name.

No supported roles.

VMware Solutions

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use vmware-solutions for the service name.

Platform roles - VMware Solutions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - VMware Solutions
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Director Backup User As a backup user within the vCloud Director console, you can manage Veeam backup jobs.
Director Catalog Author As a catalog author within the vCloud Director console, you can create and publish catalogs.
Director Console User As a console user within the vCloud Director console, you can view the VM state, properties, and use the Guest OS.
Director Full Viewer As a full viewer within the vCloud Director console, you have All View Access to every component in vCloud Director.
Director Network Admin As a network administrator within the vCloud Director console, you can create, view, edit, delete the subnet, the static route, and troubleshoot routing.
Director Security Admin As a security administrator within the vCloud Director console, you can view and edit the edge firewall or view and edit the distributed firewall.
Director vApp Author As a vApp author within the vCloud Director console, you can use catalogs and create vApps.
Director vApp User As a vApp user within the vCloud Director console, you can use existing vApps.
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - VMware Solutions
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
vmware-solutions.instances.create Create IBM Cloud for VMware Solutions instances Administrator, Manager
vmware-solutions.instances.delete Delete IBM Cloud for VMware Solutions instances Administrator, Manager
vmware-solutions.instances.view List or view IBM Cloud for VMware Solutions instances Administrator, Director Backup User, Director Catalog Author, Director Console User, Director Full Viewer, Director Network Admin, Director Security Admin, Director vApp Author, Director vApp User, Editor, Manager, Operator, Reader, Viewer, Writer
vmware-solutions.instances.update Update IBM Cloud for VMware Solutions instances Administrator, Editor, Manager, Writer
vmware-solutions.account.update Update account settings for IBM Cloud for VMware Solutions Administrator, Manager
vmware-solutions.directorsite.administrator Director Administrator Administrator
vmware-solutions.directorsite.vappauthor Director vApp Author Director vApp Author
vmware-solutions.directorsite.vappuser Director vApp User Director vApp User
vmware-solutions.directorsite.fullviewer Director Full Viewer Director Full Viewer
vmware-solutions.directorsite.catalogauthor Director Catalog Author Director Catalog Author
vmware-solutions.directorsite.writer Director Writer Writer
vmware-solutions.directorsite.manager Director Manager Manager
vmware-solutions.directorsite.reader Director Reader Reader
vmware-solutions.directorsite.networkadmin Director Network Admin Director Network Admin
vmware-solutions.directorsite.consoleuser Director Console User Director Console User
vmware-solutions.directorsite.securityadmin Director Security Admin Director Security Admin
vmware-solutions.directorsite.backupuser Director Backup User Director Backup User
vmware-solutions.directorsite.editor Director Editor Editor
vmware-solutions.directorsite.viewer Viewer in Director Viewer
vmware-solutions.directorsite.operator Director Operator Operator

VMware Cloud Director

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use vmware.directorsite for the service name.

Platform roles - VMware Cloud Director
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - VMware Cloud Director
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
VCFaaS Director Backup User As a backup user within the vCloud Director console, you can manage Veeam backup jobs.
VCFaaS Director Catalog Author As a catalog author within the vCloud Director console, you can create and publish catalogs.
VCFaaS Director Console User As a console user within the vCloud Director console, you can view the VM state, properties, and use the Guest OS.
VCFaaS Director Full Viewer As a full viewer within the vCloud Director console, you have All View Access to every component in vCloud Director.
VCFaaS Director Network Admin As a network administrator within the vCloud Director console, you can create, view, edit, delete the subnet, the static route, and troubleshoot routing.
VCFaaS Director Security Admin As a security administrator within the vCloud Director console, you can view and edit the edge firewall or view and edit the distributed firewall.
VCFaaS Director vApp Author As a vApp author within the vCloud Director console, you can use catalogs and create vApps.
VCFaaS Director vApp User As a vApp user within the vCloud Director console, you can use existing vApps.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - VMware Cloud Director
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
vmware.directorsite.infrastructure.create Create vCloud Director Administrator, Editor
vmware.directorsite.infrastructure.delete Delete a single-tenant VMware Director instance Administrator, Editor
vmware.directorsite.infrastructure.view View a single-tenant VMware Director instance Administrator, Editor, Operator, Viewer
vmware.directorsite.infrastructure.update Update a single-tenant VMware Director instance Administrator, Editor, Operator
vmware.directorsite.director.create Create Director virtual datacenters Administrator, Editor, Manager
vmware.directorsite.director.delete Delete Director virtual datacenters Administrator, Manager
vmware.directorsite.director.update Edit Director virtual datacenters Administrator, Editor, Manager, Operator, Writer
vmware.directorsite.director.view View Director virtual datacenters Administrator, Editor, Manager, Operator, Reader, Viewer, Writer
vmware.directorsite.director.account Reset the Director Admin password Administrator, Manager
vmware.directorsite.administrator Director Administrator Administrator
vmware.directorsite.editor Director Editor Editor
vmware.directorsite.operator Director Operator Operator
vmware.directorsite.viewer Viewer in Director Viewer
vmware.directorsite.manager Director Manager Manager
vmware.directorsite.writer Director Writer Writer
vmware.directorsite.reader Director Reader Reader
vmware.directorsite.fullviewer Director Full Viewer VCFaaS Director Full Viewer
vmware.directorsite.vappauthor Director vApp Author VCFaaS Director vApp Author
vmware.directorsite.vappuser Director vApp User VCFaaS Director vApp User
vmware.directorsite.catalogauthor Director Catalog Author VCFaaS Director Catalog Author
vmware.directorsite.networkadmin Director Network Admin VCFaaS Director Network Admin
vmware.directorsite.consoleuser Director Console User VCFaaS Director Console User
vmware.directorsite.backupuser Director Backup User VCFaaS Director Backup User
vmware.directorsite.securityadmin Director Security Admin VCFaaS Director Security Admin

Organization Virtual Data Center

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use vmware.vdc for the service name.

No supported roles.

Voice Agent with Watson

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use voiceagent for the service name.

Platform roles - Voice Agent with Watson
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Voice Agent with Watson
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Voice Agent with Watson
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
voiceagent.agent.manage Manage all aspects of a Voice Agent with Watson instance. Manager, Reader, Writer
voiceagent.agent.view View configurations for all agents of a Voice Agent with Watson instance. Reader
voiceagent.usage.view View usage for all agents of a Voice Agent with Watson instance. Reader
voiceagent.log.view View all failure logs for all agents of a Voice Agent with Watson instance. Reader
voiceagent.sms.send Use the SMS gateway API to send SMS messages for a Voice Agent with Watson instance. Administrator, Editor, Manager, Operator, Writer
voiceagent.voice.inbound Authenticate inbound calls for a Voice Agent with Watson instance using SIPS. Manager, Writer
voiceagent.voice.outbound Use the outbound calling API to start outbound calls for a Voice Agent with Watson instance. Manager, Writer

watsonx Orchestrate

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use watsonx-orchestrate for the service name.

Platform roles - watsonx Orchestrate
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - watsonx Orchestrate
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
WO User As a user, you have permission to interact with assistants.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - watsonx Orchestrate
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
watsonx-orchestrate.skill.run Can run skill Manager, WO User, Writer
watsonx-orchestrate.assistant.legacy Can perform authoring methods for a workspace through v1 APIs. Manager
watsonx-orchestrate.skill.write Can create, rename, edit or delete a skill. Manager, Writer
watsonx-orchestrate.skill.read Can open and view a skill. Manager, Writer
watsonx-orchestrate.assistant.write Can rename, edit or delete an assistant. Manager, Writer
watsonx-orchestrate.assistant.read Can open and view an assistant. Manager, Writer
watsonx-orchestrate.assistant.list Can list assistant or skill Manager, Writer
watsonx-orchestrate.assistant.default Default access for Assistant Manager, Writer
watsonx-orchestrate.logs.read Can view skill analytics and access user conversation logs. Manager
watsonx-orchestrate.environment.write Can rename, edit or delete an environment Manager, Writer
watsonx-orchestrate.environment.read Can open and view an environment Manager, Writer
watsonx-orchestrate.release.write Can create or delete a Release for an Assistant Manager
watsonx-orchestrate.dashboard.view Can view dashboard Administrator, Editor, Manager, Operator, Service Configuration Reader, Viewer, WO User, Writer
watsonx-orchestrate.credentials.write Can assign and set credentials Manager

WebSphere Application Server

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use websphereappsvr for the service name.

Platform roles - WebSphere Application Server
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service actions - WebSphere Application Server
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
websphereappsvr.dashboard.view Administrator, Editor, Operator

Annotator for Clinical Data

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use wh-acd for the service name.

Platform roles - Annotator for Clinical Data
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Service roles - Annotator for Clinical Data
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - Annotator for Clinical Data
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
wh-acd.dashboard.view View Dashboard Administrator, Editor, Operator
GET /wh-acd ACD Dev Deadbolt API GET Manager, Reader, Writer
PUT /wh-acd ACD Dev Deadbolt API PUT Manager, Writer
POST /wh-acd ACD Dev Deadbolt API POST Manager, Writer
DELETE /wh-acd ACD Dev Deadbolt API DELETE Manager
wh-acd.cartridge.manage Cartridge manage Manager, Writer
wh-acd.flows.manage Manage flows Manager, Writer
wh-acd.profiles.manage Manage profiles Manager, Writer
wh-acd.analyze Analyze Manager, Reader, Writer