IBM Data and AI Ideas Portal for Customers
Hide about this portal


This portal is to open public enhancement requests against products and services offered by the IBM Data & AI organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:


Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,


Post your ideas

Post ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas that matter most to you

  3. Get feedback from the IBM team to refine your idea


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

IBM Employees should enter Ideas at https://ideas.ibm.com


Add a new idea Subscribe
Status Future consideration
Workspace Cloud Pak for Data
Components Cloud Pak for Data Platform
Created by Guest
Created on Oct 22, 2024

RELATED IDEAS

Implement a more granular permission structure to better separate duties and manage user roles effectively.

See this idea on ideas.ibm.com

The current permission model combines multiple actions under single permissions, such as the "Administer platform" permission, which encompasses user management and JDBC driver imports. This consolidation makes it challenging to configure user roles with appropriate separation of duties.

Needed By Quarter
  • Admin
    Ragavie Pirabaharan
    Reply
    |     Jan 24, 2025

    Hi Michaela! I will set up a call


  • Guest
    Reply
    |     Jan 23, 2025

    Hello Ragavie,

    thank you for sharing instructions how to create custom roles. The documentation points me to Saas version while we are using on-prem one. However, we use custom roles with specific combination of permissions. Unfortunately, we still cannot configure users properly.

    As you can see in my previous comment, the issue I am reporting is not with user ROLES, but with PERMISSIONS available on the platform. For example, the permission 'Administer platform' is too complex, contains lot of 'actions' which are included in other permissions and/or are not necessarily needed for a person who should manage platform (as described below, one of the situation is management of users). In addition, it contains also 'actions' which are not included in any other permission, therefore we are forced to assign this permission - which gives users too much privileges - also in situations where it is really causing conflict of duties.

    If there is an option to select which 'actions' should be included in a permission, then we could most probably configure our users properly.

    If my description of problematic configuration of users from last comment is not clear, feel free to schedule a meeting, I will be more than happy to explain and maybe also show in our CP4D.

    Thank you.

  • Admin
    Ragavie Pirabaharan
    Reply
    |     Jan 22, 2025

    Hi Michaela. Thank you for your response. Have you tried creating custom roles that only contain certain permissions from Admin Platform permissions? This would allow control over permissions without granting unnecessary privileges.

    This documentation goes over how to create custom roles:
    https://dataplatform.cloud.ibm.com/docs/content/wsj/getting-started/roles-custom.html?context=cpdaas


  • Guest
    Reply
    |     Jan 15, 2025

    Hello, let me provide more details (Ivan created the Idea based on my request).

    The issue I am reporting is with the 'Administer platform' permissions as this one includes multiple different areas of actions.

    We found 2 situations where we cannot successfully configure an user:

    • We need to have an admin on the platform who is able to monitor the platform health. Therefore we grant Manage platform health permission to such user. However, this person doesn't have access to monitor health of projects as this is not included in the permission ('Projects' tab is excluded from Monitoring > Status and use section). So we need to grant 'Administer platform' permission to such user to allow him to see also Projects section on Monitoring page. However, such user is then getting also other privileges, for example to manage users. And this is something what he should not have possibility to perform.

    • Other situation relates to an user who should be responsible for managing of users, roles, groups on the platform. Therefore such user receives permissions: Manage users, Manage users groups and Manage platform roles. However, user with such permissions cannot manage users, groups or roles for users with higher ‘platform level permissions’ (Administer platform, Manage platform health, Manage configurations, Manage platform roles, Manage users groups, Manage users). To be able to manage all users, groups and roles, the permission Administer platform is required. And then we are in the same situation when we are granting to an user who should be responsible only for user management also some other permissions which are included in Administer Platform permission (for example restarting pods or changing some configurations on the platform).

    Based on the above 2 situations, it would be helpful to have Manage users, Manage users groups and Manage platform roles actions excluded from Administer platform permission. If an Admin needs such privileges, then he can have assigned already existing permission Manage users, Manage users groups and Manage platform roles.

    The other situation is for managing the platform health. Management of the project health should be included in Manage platform health permission. If there is an objection (for some other business cases), then project health can be included in a separate permission.

    It would be also good to have clearly separated privileges to Manage platform health (Monitoring) out of Configuration of the platform. In our use case, those are two separate users groups responsible for Monitoring and for Configuration (like branding, home page, announcement...).

    If privileges which are included in Administer Platform permission can be created as separate user permissions, then Administer Platform permission will be no longer needed and we can set our user groups participating in different administration activities on the platform with appropriate separation of duties.

  • Admin
    Ragavie Pirabaharan
    Reply
    |     Jan 14, 2025

    Hi Ivan. Can you clarify your ask a bit more? If you do not want to give users Admin level permissions, you can also create additional roles with assigned separation of duties / permissions.

    This documentation goes over our current permission structure:

    https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=users-predefined-roles-permissions-in-cloud-pak-data

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.