Add users to the account

As an Administrator of your IBM Cloud account, you can add members of your organization who need access to IBM watsonx to the account. When you're adding users to the account you also assign them the appropriate roles for their tasks. Assign roles based on the tasks that the user performs in IBM watsonx.

You invite users to your IBM Cloud account by sending an email invitation. The invited user must accept the invitation to join the account. Before you send the invitation, you must assign them roles (or access groups) to provide the necessary permissions to work in IBM watsonx.

To be authorized for IBM watsonx, users must have existing IBMids. If the invited user does not have an IBMid, it is created for them when they join the account.

A convenient method for assigning roles is to create access groups and then assign users to one or more access groups.

For more information about access groups, see Setting up IAM access groups. Examples of basic access groups are provided as suggestions for how to get started with access groups. See Example IAM access groups.

You can add two types of users to your IBM Cloud account:

Adding non-administrative users to your IBM Cloud account

Access groups expedite role assignments by grouping permissions for large numbers of users. You create a group and assign policies and rules to the group. When you assign users to an access group, they are awarded access based on the group parameters. All members of an access group have the same access permissions, and all members are updated when the policy is edited.

After creating a set of access groups, follow these steps to add users as members of an access group:

  1. From IBM watsonx, click Administration > Access (IAM) to open the Manage access and users page for your IBM Cloud account.
  2. Click Users > Invite users.
  3. Enter one or more email addresses that are separated by commas, spaces, or line breaks. The limit is 100 email addresses. The role settings apply to all the email addresses that were entered.
  4. Click the Access groups tile and select one or more access groups, then click Add.
  5. Click Invite to send an email invitation to each email address. Users are assigned to access groups when they accept the invitation to join the account.

Alternatively, you can assign minimum permissions to individual users:

  1. From IBM watsonx, click Administration > Access (IAM) to open the Manage access and users page for your IBM Cloud account.
  2. Click Users > Invite users+.
  3. Enter one or more email addresses that are separated by commas, spaces, or line breaks. The limit is 100 email addresses. The role settings apply to all the email addresses that were entered.
  4. Click the Access policy tile.
  5. Select the services that you want to assign access to and then click Next.
  6. Select the resources that you want to assign access to and then click Next.
  7. Optional: for Resource group access, choose Viewer. Click Next.
  8. For Roles and action, choose the following minimum permissions:
    • In the Service access section, select Reader
    • In the Platform access section, select Viewer.
  9. Click Review to review the settings and edit them, if necessary.
  10. Click Add to save the policy.
  11. Click Invite to send an email invitation to each email address. The policies are assigned to the users when they accept the invitation to join the account.

Minimum permissions for non-administrative users

For a baseline role assignment, provide minimum permissions by assigning the following roles to non-administrative users:

Table 1. Minimum access roles for IBM watsonx users
Level Role Description
Resource group access Viewer Can view but not modify resource groups
Service access Reader Can perform read-only actions within a service
Platform access Viewer Can view but not modify service instances

If needed, you can also change a user's role. When you change user's role, their access to services changes. Their ability to complete work in IBM watsonx can be impacted if they do not have the necessary access.

Note: An alternative way to access the **Manage access and users** page is to log in to your IBM Cloud® account and then go to **Manage > Access(IAM) > Users > Invite users > Access policy**.

Adding administrative users to your IBM Cloud account

You can add administrative users with the Administrator role for account management. This role also provides the Manager role for all services in the account.

To add a user as an IBM Cloud account administrator:

  1. Follow the steps to add a non-administrative user, except change these settings for an individual user's roles:
    • In the Service access section, select Manager.
    • In the Platform access section, select Administrator.
  2. Alternatively, create an access group containing these roles and assign the user to the access group.
  3. Click Invite. The new users receive an email invitation to join the account. They must accept the invitation to be added to the account.
  4. After the user joins the account, add account management permissions. Click the user's name, then Access > Assign access under Access policies.
  5. For the service to assign access to, choose All Account Management Services.
  6. Next, in the Platform access section, select Administrator and click Add.
  7. Click Assign.

Next steps

Learn more