This portal is to open public enhancement requests against products and services offered by the IBM Data & AI organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
The current permission model combines multiple actions under single permissions, such as the "Administer platform" permission, which encompasses user management and JDBC driver imports. This consolidation makes it challenging to configure user roles with appropriate separation of duties.
Needed By: Quarter
Hi Michaela! I will set up a call
Hello Ragavie,
Thank you for sharing instructions on how to create custom roles. The documentation points me to the SaaS version while we are using the on-prem one. However, we use custom roles with a specific combination of permissions. Unfortunately, we still cannot configure users properly.
As you can see in my previous comment, the issue I am reporting is not with user ROLES, but with PERMISSIONS available on the platform. For example, the permission 'Administer platform' is too complex, contains a lot of 'actions' which are included in other permissions and/or are not necessarily needed for a person who should manage the platform (as described below, one of the situations is management of users). In addition, it also contains 'actions' which are not included in any other permission, therefore we are forced to assign this permission - which gives users too many privileges - also in situations where it is really causing a conflict of duties.
If there is an option to select which 'actions' should be included in a permission, then we could most probably configure our users properly.
If my description of the problematic configuration of users from my last comment is not clear, feel free to schedule a meeting. I will be more than happy to explain and maybe also show it in our CP4D.
Thank you.
Hi Michaela. Thank you for your response. Have you tried creating custom roles that only contain certain permissions from Admin Platform permissions? This would allow control over permissions without granting unnecessary privileges.
This documentation goes over how to create custom roles:
https://dataplatform.cloud.ibm.com/docs/content/wsj/getting-started/roles-custom.html?context=cpdaas
Hello, let me provide more details (Ivan created the Idea based on my request).
The issue I am reporting is with the 'Administer platform' permissions as this one includes multiple different areas of actions.
We found 2 situations where we cannot successfully configure a user:
We need to have an admin on the platform who is able to monitor the platform health. Therefore we grant the Manage platform health permission to such a user. However, this person doesn't have access to monitor the health of projects as this is not included in the permission (the 'Projects' tab is excluded from the Monitoring > Status and use section). So we need to grant the 'Administer platform' permission to such a user to allow him to also see the Projects section on the Monitoring page. However, such a user then also gets other privileges, for example to manage users. And this is something that he should not have the possibility to perform.
The other situation relates to a user who should be responsible for managing users, roles and groups on the platform. Therefore such a user receives the permissions: Manage users, Manage users groups and Manage platform roles. However, a user with such permissions cannot manage users, groups or roles for users with higher ‘platform level permissions’ (Administer platform, Manage platform health, Manage configurations, Manage platform roles, Manage users groups, Manage users). To be able to manage all users, groups and roles, the permission Administer platform is required. And then we are in the same situation, where we are granting to a user who should be responsible only for user management also some other permissions which are included in the Administer Platform permission (for example restarting pods or changing some configurations on the platform).
Based on the above 2 situations, it would be helpful to have the Manage users, Manage users groups and Manage platform roles actions excluded from the Administer platform permission. If an Admin needs such privileges, then he can be assigned the already existing permissions Manage users, Manage users groups and Manage platform roles.
The other situation is for managing the platform health. Management of the project health should be included in Manage platform health permission. If there is an objection (for some other business cases), then project health can be included in a separate permission.
It would also be good to have the privileges to Manage platform health (Monitoring) clearly separated from Configuration of the platform. In our use case, those are two separate user groups responsible for Monitoring and for Configuration (like branding, home page, announcement...).
If the privileges which are included in the Administer Platform permission can be created as separate user permissions, then the Administer Platform permission will no longer be needed and we can set up our user groups participating in different administration activities on the platform with appropriate separation of duties.
Hi Ivan. Can you clarify your ask a bit more? If you do not want to give users Admin level permissions, you can also create additional roles with assigned separation of duties / permissions.
This documentation goes over our current permission structure:
https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=users-predefined-roles-permissions-in-cloud-pak-data