Working with IAM access groups
Every IBM watsonx user requires a set of roles that includes IAM roles on IBM Cloud and collaborator roles for workspaces on IBM watsonx. You can expedite the assignment of IAM roles to users by creating IAM access groups on IBM Cloud, assigning roles to the groups, and then adding users to the groups.
By assigning users to one or more access groups, you are granting them the permissions they need to work with the services in IBM watsonx. You can assign users to more than one access group to provide the appropriate access.
Access groups provide permissions for Service access and Platform access on IBM Cloud. Since IBM watsonx runs on IBM Cloud, users must be assigned both Service and Platform permissions. Service permissions apply to individual services and define operations permitted within the service. Platform permissions define operations on the cloud platform such as provisioning or deletion of services.
You can also assign roles to individual users, but remember that individually assigned roles are not updated when access groups are updated. When you assign roles to individual users, you must update each user individually to make changes.
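The following audit sketch is an added example, not IBM's code. It flags individually assigned roles that a group update will never touch, and users who lack either Platform or Service access. The inventory schema, group names, and user addresses are constructed assumptions, not the output of any IBM Cloud API or CLI.

```python
# Constructed sample inventory. This simplified schema is an assumption,
# not the output format of any IBM Cloud API or CLI.
GROUPS = {
    "wx-admins": {
        "roles": {("platform", "Administrator"), ("service", "Manager")},
        "members": {"alice@example.com"},
    },
    "wx-developers": {
        "roles": {("platform", "Editor"), ("service", "Writer")},
        "members": {"bob@example.com", "carol@example.com"},
    },
}
# Roles assigned directly to users, outside any access group.
DIRECT = {
    "bob@example.com": {("service", "Writer")},            # duplicates a group role
    "carol@example.com": {("platform", "Administrator")},  # exceeds her group's roles
    "dave@example.com": {("service", "Reader")},           # user is in no group
}


def group_roles(user, groups):
    """Union of the roles the user inherits from every group they belong to."""
    roles = set()
    for group in groups.values():
        if user in group["members"]:
            roles |= group["roles"]
    return roles


def audit(groups, direct):
    """Per user: direct roles already covered by a group, direct roles that
    only exist on the user, and access types (platform/service) they lack."""
    users = set(direct) | {m for g in groups.values() for m in g["members"]}
    findings = {}
    for user in sorted(users):
        inherited = group_roles(user, groups)
        own = direct.get(user, set())
        held_types = {access_type for access_type, _ in inherited | own}
        findings[user] = {
            "redundant": sorted(own & inherited),
            "direct_only": sorted(own - inherited),
            "missing_access_type": sorted({"platform", "service"} - held_types),
        }
    return findings


if __name__ == "__main__":
    for user, result in audit(GROUPS, DIRECT).items():
        print(user, result)
```

Entries under `direct_only` are the assignments that must be maintained per user; entries under `redundant` can be dropped in favor of the group.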
Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
- Account Owner
- Administrator or Editor for All Identity and Access enabled services
- Administrator or Editor on the IAM Access Groups account management service in the account
- Administrator or Editor for the All Account Management services
IBM Cloud IAM limits
IBM Cloud IAM places limits on the number of access groups per account and per user, as well as other limits. If a limit is exceeded, you receive an exception and cannot create any new access groups beyond that limit. For a list of all IAM limits, see IBM Cloud docs: IBM Cloud IAM limits.
Example access groups
The example IAM access groups provide a starting point for providing basic access to IBM watsonx services. You can edit the example access groups as needed for your implementation. For a description of the example access groups and suggested roles, see Using the example access groups.
Learn more
- Setting up access groups
- Using the example access groups
- IBM Cloud docs: Assigning access to resources by using access groups