Managing users on IBM Cloud
Access to watsonx Orchestrate service instances for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the watsonx Orchestrate service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to watsonx Orchestrate.
The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by the watsonx Orchestrate as operations that are allowed to be performed on the service. Each action is mapped to an IAM platform or service role that you can assign to a user.
For more information about IAM access groups and access policies, see IAM access concepts.
IBM watsonx Orchestrate currently does not support custom roles.
IAM access policies enable access to be granted at different levels. Some of the options include the following:
Access across all instances of the service in your account
Access to an individual service instance in your account
Access to a specific resource within an instance
Review the following tables that outline what types of tasks each role allows for when you're working with the watsonx Orchestrate service. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access to the service, create or delete instances, and bind instances to applications. Service access roles enable users access to watsonx Orchestrate and the ability to call the watsonx Orchestrate's API. For information about the exact actions that are mapped to each role, see Actions mapped to roles.
Platform role | Description of actions |
|---|---|
Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
Viewer | As a viewer, you can view service instances, but you can't modify them. |
Service role | Description of actions |
|---|---|
Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
Service Configuration Reader | The ability to read services configuration for Governance management. |
WXO User | As a user, you have permission to interact with assistants. |
Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |
Actions mapped to roles
Actions | Description | Roles |
|---|---|---|
| Can run skill | Manager, WXO User, Writer |
| Can perform authoring methods for a workspace through v1 APIs. | Manager |
| Can create, rename, edit or delete a skill. | Manager, Writer |
| Can open and view a skill. | Manager, Writer |
| Can rename, edit or delete an assistant. | Manager, Writer |
| Can open and view an assistant. | Manager, Writer |
| Can list assistant or skill | Manager, Writer |
| Default access for Assistant | Manager, Writer |
| Can view skill analytics and access user conversation logs. | Manager |
| Can rename, edit or delete an environment | Manager, Writer |
| Can open and view an environment | Manager, Writer |
| Can create or delete a Release for an Assistant | Manager |
| Can view dashboard | Administrator, Editor, Manager, Operator, Service Configuration Reader, Viewer, WXO User, Writer |
| Can assign and set credentials | Manager |
Assigning access to watsonx Orchestrate in the console
There are two common ways to assign access in the console:
Access policies per user. You can manage access policies per user from the Manage > Access (IAM) > Users page in the console. For information about the steps to assign IAM access, see Managing access to resources in the console.
Access groups. Access groups are used to streamline access management by assigning access to a group once, then you can add or remove users as needed from the group to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the console. For more information, see Assigning access to a group in the console.
Assigning access to watsonx Orchestrate in the CLI
For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the CLI. The following example shows a command for assigning the Writer role for watsonx Orchestrate:
Tip: Use watsonx-orchestrate for the service name. Also, use quotations around role names that are more than one word like the example here.
ibmcloud iam user-policy-create USER@EXAMPLE.COM --service-name watsonx-orchestrate --roles "Writer"Assigning access to watsonx Orchestrate by using the API
For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the API or the Create a policy API docs. Role cloud resource names (CRN) in the following table are used to assign access with the API.
Role name | Role CRN |
|---|---|
Viewer |
|
Operator |
|
Editor |
|
Administrator |
|
Service Configuration Reader |
|
Writer |
|
Manager |
|
WXO User |
|
The following example is for assigning the WXO User role for watsonx-orchestrate:
Tip: Use watsonx-orchestrate for the service name, and refer to the Role ID values table to ensure that you're using the correct value for the CRN.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "WXO User role for watsonx Orchestrate",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "watsonx-orchestrate"
}
]
}
]
}'SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value("IBMid-123453user")
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value("ACCOUNT_ID")
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceName")
.value("watsonx-orchestrate")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: 'IBMid-123453user',
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: 'ACCOUNT_ID',
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceName',
value: 'watsonx-orchestrate',
operator: 'stringEquals',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute]
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value='IBMid-123453user')])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value='ACCOUNT_ID')
service_name_resource_attribute = ResourceAttribute(
name='serviceName', value='watsonx-orchestrate')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: core.StringPtr("IBMid-123453user"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr("ACCOUNT_ID"),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceName"),
Value: core.StringPtr("watsonx-orchestrate"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute}
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))