Today, when I use the myibm website (https://myibm.ibm.com/dashboard/) or the Developer API https://developer.ibm.com/api/view/id-511:title-IBM_SaaS_User_and_Subscription_Management allow a user to be created both in the graphical user interface as well as programmatically. However, when a user is created the role (e.g. privilege) provided is not the privilege of the SaaS product (e.g. Watson Knowledge Studio or Watson Analytics), but rather a MyIBM role (either Admin or User - 2 roles). This additional abstract user role is confusing to my client's system administrators (Cisco Systems), makes their job more manual, driving cost up when managing the IBM operation and prohibits automation.
Rather they require exposing the underlying SaaS application's privileges directly within the GUI and API above thereby removing the admin/user role of MyIBM today. If a user is an administrator within Watson Analytics then they should be an Administrator of the Watson Analytics service within MyIBM and likewise should be able to call the developer API and perform admin functions (e.g. setting other user's privileges). This means Cisco requires using the developer API and MyIBM GUI to set the Watson Analytics user's roles to Administrator and Creator directly within the GUI and API. Similarly, they require setting the roles for Watson Knowledge Studio (Super User, Master Annotator, SME - lowest role name) directly from the MyIBM GUI and developer API. No abstraction privileges are to be used. Ultimately, Cisco wishes to write scripts that will fetch roles from their AD user directly and call the developer API directly to keep the AD groups sync'd with the IBM SaaS roles. Today, this isn't possible because no API exists to do that for Watson Analytics or Watson Knowledge Studio.
NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please login to the ideas portal using your previously registered information then change your email to "email@example.com" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about all idea submissions