June 11, 2020 By Henrik Loeser 4 min read

How to set up access privileges in a development team.

One of my favorite IBM Cloud solution tutorials is about building a database-driven Slackbot. It’s a great example of integrating enterprise resources with an AI-backed user interface and utilizing serverless technology for the glue. 

Once you have created the chatbot, the next step is to share this project with coworkers—but how do you proceed? In this blog post, I am going to discuss how to set up privileges for team members so that they can access the project resources in different roles. You’ll learn about IBM Cloud IAM, access groups, and policies, and get some hands-on experience with IBM Cloud security:

Architecture diagram for database-driven Slackbot.

Overview: Database-driven Slackbot

The solution tutorial introduces a chatbot that is integrated with Slack as user interface. IBM watsonx Assistant serves as an AI-powered dialog service and calls out to webhooks implemented as IBM Cloud Functions. The serverless actions perform SQL queries against Db2 to store and fetch enterprise data. You can use the same approach to integrate the chatbot with other data source—as simple as with Wikipedia (as shown in this tutorial) or full ERP systems.

In an abstraction, the chatbot consists of the dialog service, the integration layer, and a database system. In the following, we are going to learn how to assign access privileges to all three of these components.

Resource Access Management

On IBM Cloud, Identity and Access Management (IAM) enables the authentication of users and service IDs and the access control to cloud resources. Usually, there is a distinction between platform management and service access privileges (and, hence, roles). The former allow to operate the service instance (e.g., to see or change properties, bind the service, or generate credentials). The service access privileges control how a user can work with resources of that service instance (e.g., a user may only execute a function, but not modify it or create new).

For granting access, you can assign predefined access roles to either a user, a service ID, or to an access group. An access group can be created to organize a set of users and service IDs into a single entity. It makes it easy for you to assign access. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID.

In order to grant access to chatbot resources, you could create access groups for different development and administration roles. Not all users might need to modify (develop) the dialog—some might be in charge of developing the serverless actions and others of administrating the Db2 database. 

Access to chatbot components

To organize access to the chatbot components, we need to take a look at specific IAM capabilities on the service level.

watsonx Assistant

watsonx Assistant offers predefined Reader, Writer, and Manager roles. They allow the user to only see and to try out a skill with its chatbot dialog, or to create new skills and assistants, or to even see logging and other data. This means that you could share a chatbot skill for testing, but not allow modifications to it. When assigning access, it is possible to select only a specific skill and grant read-only access to it. This is shown in the following screenshot:

Assign read-only access to a specific watsonx Assistant skill.

IBM Cloud Functions

IBM Cloud Functions uses IAM-controlled namespaces to manage actions, sequences, packages, and more. Therefore, service access roles for Functions deal with either being able to see objects and execute actions available in that namespace, create and modify objects, or even to modify and delete that namespace.

Db2 on Cloud

As a database system, IBM Db2 on Cloud is different from the previous services in terms of authorization. Most of the privileges are managed within the database itself. IAM only controls who has access to Db2 and whether it is as Administrator or User. In a recent blog, I discussed how to increase information security for Db2 on IBM Cloud be leveraging IAM features.

Define access groups

With knowledge of the service-specific privileges in place, you could define access groups related to how your team and development work is organized, following the best practices for assigning access. The following screenshot shows an access group defining Viewer privilege to all three chatbot components and the Reader role to the watsonx Assistant skill and the Functions namespace. It could be used for, e.g., quality testers who need to access the chatbot dialog and to execute all the code, but have no need to change anything:

Access group with read access to watsonx Assistant, Functions, and Db2 on IBM Cloud.


By making use of IBM Cloud Identity and Access Management features, it is fairly easy and straight-forward to manage access to cloud resources. When you followed one of the solution tutorials, you can later share the created resources and experience with other users, as discussed in this blog. We did not discuss further enhancements, such as making use of custom roles or dynamic rules

To get started with with organizing your account and access to its resources, I recommend reading the following best practices guides:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

Was this article helpful?

More from Cloud

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters