How to set up access privileges in a development team.

One of my favorite IBM Cloud solution tutorials is about building a database-driven Slackbot. It’s a great example of integrating enterprise resources with an AI-backed user interface and utilizing serverless technology for the glue. 

Once you have created the chatbot, the next step is to share this project with coworkers—but how do you proceed? In this blog post, I am going to discuss how to set up privileges for team members so that they can access the project resources in different roles. You’ll learn about IBM Cloud IAM, access groups, and policies, and get some hands-on experience with IBM Cloud security:

Architecture diagram for database-driven Slackbot.

Overview: Database-driven Slackbot

The solution tutorial introduces a chatbot that is integrated with Slack as user interface. IBM Watson Assistant serves as an AI-powered dialog service and calls out to webhooks implemented as IBM Cloud Functions. The serverless actions perform SQL queries against Db2 to store and fetch enterprise data. You can use the same approach to integrate the chatbot with other data source—as simple as with Wikipedia (as shown in this tutorial) or full ERP systems.

In an abstraction, the chatbot consists of the dialog service, the integration layer, and a database system. In the following, we are going to learn how to assign access privileges to all three of these components.

Resource Access Management

On IBM Cloud, Identity and Access Management (IAM) enables the authentication of users and service IDs and the access control to cloud resources. Usually, there is a distinction between platform management and service access privileges (and, hence, roles). The former allow to operate the service instance (e.g., to see or change properties, bind the service, or generate credentials). The service access privileges control how a user can work with resources of that service instance (e.g., a user may only execute a function, but not modify it or create new).

For granting access, you can assign predefined access roles to either a user, a service ID, or to an access group. An access group can be created to organize a set of users and service IDs into a single entity. It makes it easy for you to assign access. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID.

In order to grant access to chatbot resources, you could create access groups for different development and administration roles. Not all users might need to modify (develop) the dialog—some might be in charge of developing the serverless actions and others of administrating the Db2 database. 

Access to chatbot components

To organize access to the chatbot components, we need to take a look at specific IAM capabilities on the service level.

Watson Assistant

Watson Assistant offers predefined Reader, Writer, and Manager roles. They allow the user to only see and to try out a skill with its chatbot dialog, or to create new skills and assistants, or to even see logging and other data. This means that you could share a chatbot skill for testing, but not allow modifications to it. When assigning access, it is possible to select only a specific skill and grant read-only access to it. This is shown in the following screenshot:

Assign read-only access to a specific Watson Assistant skill.

IBM Cloud Functions

IBM Cloud Functions uses IAM-controlled namespaces to manage actions, sequences, packages, and more. Therefore, service access roles for Functions deal with either being able to see objects and execute actions available in that namespace, create and modify objects, or even to modify and delete that namespace.

Db2 on Cloud

As a database system, IBM Db2 on Cloud is different from the previous services in terms of authorization. Most of the privileges are managed within the database itself. IAM only controls who has access to Db2 and whether it is as Administrator or User. In a recent blog, I discussed how to increase information security for Db2 on IBM Cloud be leveraging IAM features.

Define access groups

With knowledge of the service-specific privileges in place, you could define access groups related to how your team and development work is organized, following the best practices for assigning access. The following screenshot shows an access group defining Viewer privilege to all three chatbot components and the Reader role to the Watson Assistant skill and the Functions namespace. It could be used for, e.g., quality testers who need to access the chatbot dialog and to execute all the code, but have no need to change anything:

Access group with read access to Watson Assistant, Functions, and Db2 on IBM Cloud.


By making use of IBM Cloud Identity and Access Management features, it is fairly easy and straight-forward to manage access to cloud resources. When you followed one of the solution tutorials, you can later share the created resources and experience with other users, as discussed in this blog. We did not discuss further enhancements, such as making use of custom roles or dynamic rules

To get started with with organizing your account and access to its resources, I recommend reading the following best practices guides:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

More from Cloud

Modernizing child support enforcement with IBM and AWS

7 min read - With 68% of child support enforcement (CSE) systems aging, most state agencies are currently modernizing them or preparing to modernize. More than 20% of families and children are supported by these systems, and with the current constituents of these systems becoming more consumer technology-centric, the use of antiquated technology systems is archaic and unsustainable. At this point, families expect state agencies to have a modern, efficient child support system. The following are some factors driving these states to pursue modernization:…

7 min read

IBM Cloud Databases for Elasticsearch End of Life and pricing changes

2 min read - As part of our partnership with Elastic, IBM is announcing the release of a new version of IBM Cloud Databases for Elasticsearch. We are excited to bring you an enhanced offering of our enterprise-ready, fully managed Elasticsearch. Our partnership with Elastic means that we will be able to offer more, richer functionality and world-class levels of support. The release of version 7.17 of our managed database service will include support for additional functionality, including things like Role Based Access Control…

2 min read

Connected products at the edge

6 min read - There are many overlapping business usage scenarios involving both the disciplines of the Internet of Things (IoT) and edge computing. But there is one very practical and promising use case that has been commonly deployed without many people thinking about it: connected products. This use case involves devices and equipment embedded with sensors, software and connectivity that exchange data with other products, operators or environments in real-time. In this blog post, we will look at the frequently overlooked phenomenon of…

6 min read

SRG Technology drives global software services with IBM Cloud VPC under the hood

4 min read - Headquartered in Ft. Lauderdale, Florida, SRG Technology LLC. (SRGT) is a software development company supporting the education, healthcare and travel industries. Their team creates data systems that deliver the right data in real time to customers around the globe. Whether those customers are medical offices and hospitals, schools or school districts, government agencies, or individual small businesses, SRGT addresses a wide spectrum of software services and technology needs with round-the-clock innovative thinking and fresh approaches to modern data problems. The…

4 min read