Example IAM access groups

The example access groups provide a basic configuration for a data fabric implementation that includes watsonx.ai Studio, watsonx.ai Runtime, IBM watsonx.data intelligence, Data Virtualization, DataStage, and IBM Master Data Management services. You can modify the examples to grant the necessary permissions for your provisioned services.

When you create an IAM access group, a corresponding user group is also created. User groups make it easier to manage a large number of users with similar access requirements.

  • You can assign Viewer, Editor, or Admin roles to user groups when you add collaborators to projects and spaces.
  • If a member of the group leaves, the IBM Cloud account administrator can remove the user from the group rather than looking at all of the assets the user has access to.

Access groups overview

The example IAM access groups, their purpose, and typical tasks are:

IBM Cloud IAM access groups for IBM watsonx

Account-Administrator
  Purpose: Created by the account Owner to delegate full account administration to one or more people. Members of the Account-Administrator group have full control over the account and services except for account ownership.
  Typical tasks:
  • Provision service instances in IBM watsonx
  • Provision secondary services, for example, Cloud Object Storage
  • Create IAM access groups and invite users to groups
  • Assign individual permissions to users
  • Manage model gateway configurations and deployments

COS-Cat-Proj
  Purpose: Provides appropriate access to Cloud Object Storage for users to create projects and catalogs when Storage Delegation is disabled.
  Typical tasks: Create projects, deployment spaces, and catalogs.

COS-Admin
  Purpose: Provides appropriate access to Cloud Object Storage for users who create projects and catalogs. Not needed if Storage Delegation is enabled.
  Typical tasks: Create projects and catalogs.

AI-Runtime
  Purpose: Provides access to watsonx.ai Runtime.
  Typical tasks:
  • Create deployment spaces
  • Create and view watsonx.ai Runtime instances

Role assignments for the example access groups

The suggested Service and Platform role assignments for the example access groups are:

Service roles and Platform roles for example IBM Cloud IAM access groups

Account-Administrator
  Service names: All Identity and Access enabled services; All Account Management services
  Service roles: Manager; Not applicable
  Platform roles: Administrator; Editor

COS-Cat-Proj
  Service name: Cloud Object Storage
  Service role: Manager
  Platform role: Administrator

COS-Admin
  Service name: Cloud Object Storage
  Service role: Manager
  Platform role: Administrator

AI-Runtime
  Service names: watsonx.ai Runtime; Cloud Object Storage
  Service roles: Writer; Manager
  Platform roles: Administrator; Administrator
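Once the groups exist, the practical risk is drift: someone adds a Manager role to AI-Runtime, or a Cloud Object Storage policy quietly goes missing. The script below is an added example, not IBM's code or documentation: it transcribes the role table above into an expected set of (service, role) grants and diffs it against the policy records for a group. The record shape mimics the IAM Policy Management API v1 JSON (`roles[].display_name`, `resources[].attributes[]`), and the service names `pm-20` (watsonx.ai Runtime) and `cloud-object-storage` are assumptions to verify in your own account.

```python
"""Detect role drift between an IAM access group and the role table above."""
import json

# Expected (serviceName, role) grants, transcribed from the role table.
# Service name strings are assumptions; confirm them with `ibmcloud catalog`.
EXPECTED = {
    "COS-Cat-Proj": {("cloud-object-storage", "Manager"),
                     ("cloud-object-storage", "Administrator")},
    "COS-Admin":    {("cloud-object-storage", "Manager"),
                     ("cloud-object-storage", "Administrator")},
    "AI-Runtime":   {("pm-20", "Writer"), ("pm-20", "Administrator"),
                     ("cloud-object-storage", "Manager"),
                     ("cloud-object-storage", "Administrator")},
}

def policy_grants(policies):
    """Flatten IAM policy records into a set of (serviceName, role) pairs.
    A policy with no serviceName attribute is account-wide and recorded as '*'."""
    grants = set()
    for policy in policies:
        services = [attr["value"]
                    for res in policy.get("resources", [])
                    for attr in res.get("attributes", [])
                    if attr.get("name") == "serviceName"]
        roles = [r["display_name"] for r in policy.get("roles", [])]
        for service in services or ["*"]:
            for role in roles:
                grants.add((service, role))
    return grants

def check_group(group_name, policies):
    """Return grants beyond the table (extra) and grants the table expects (missing)."""
    actual = policy_grants(policies)
    expected = EXPECTED[group_name]
    return {"extra": sorted(actual - expected), "missing": sorted(expected - actual)}

# Constructed sample: what `ibmcloud iam access-group-policies AI-Runtime --output json`
# might return after someone granted Manager on the runtime and removed the COS
# platform role. Shape follows IAM Policy Management API v1 (assumption).
SAMPLE_POLICIES = [
    {"roles": [{"display_name": "Writer"}, {"display_name": "Administrator"},
               {"display_name": "Manager"}],
     "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT_ID_PLACEHOLDER"},
                                   {"name": "serviceName", "value": "pm-20"}]}]},
    {"roles": [{"display_name": "Manager"}],
     "resources": [{"attributes": [{"name": "serviceName", "value": "cloud-object-storage"}]}]},
]

if __name__ == "__main__":
    print(json.dumps(check_group("AI-Runtime", SAMPLE_POLICIES), indent=2))
```

Run it against real output by piping the CLI JSON into `check_group`; an empty `extra` and `missing` means the group matches the table.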

Roles for collaborating in IBM watsonx workspaces

Access control extends beyond the IAM access groups to the workspaces within IBM watsonx. Workspaces include Projects, Catalogs, Categories, and Deployment spaces. To work in IBM watsonx, users must create workspaces or be assigned collaborator roles in the workspaces. Collaborator roles provide levels of access such as Viewer, Editor, or Administrator. See the following topics for information about collaborator roles for each type of workspace:

Learn more