Managing users on IBM Cloud

Access to watsonx Orchestrate service instances for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the watsonx Orchestrate service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to watsonx Orchestrate.

The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by the watsonx Orchestrate as operations that are allowed to be performed on the service. Each action is mapped to an IAM platform or service role that you can assign to a user.

For more information about IAM access groups and access policies, see IAM access concepts.

Important: IBM watsonx Orchestrate currently does not support custom roles.

IAM access policies enable access to be granted at different levels. Some of the options include the following:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account
  • Access to a specific resource within an instance

Review the following tables that outline what types of tasks each role allows for when you're working with the watsonx Orchestrate service. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access to the service, create or delete instances, and bind instances to applications. Service access roles enable users access to watsonx Orchestrate and the ability to call the watsonx Orchestrate's API. For information about the exact actions that are mapped to each role, see Actions mapped to roles.

Platform role Description of actions
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service role Description of actions
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Service Configuration Reader The ability to read services configuration for Governance management.
WXO User As a user, you have permission to interact with assistants.
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Important: A user must have at least one platform role alongside a service role.

Actions mapped to roles

Actions Description Roles
watsonx-orchestrate.skill.run Can run skill Manager, WXO User, Writer
watsonx-orchestrate.assistant.legacy Can perform authoring methods for a workspace through v1 APIs. Manager
watsonx-orchestrate.skill.write Can create, rename, edit or delete a skill. Manager, Writer
watsonx-orchestrate.skill.read Can open and view a skill. Manager, Writer
watsonx-orchestrate.assistant.write Can rename, edit or delete an assistant. Manager, Writer
watsonx-orchestrate.assistant.read Can open and view an assistant. Manager, Writer
watsonx-orchestrate.assistant.list Can list assistant or skill Manager, Writer
watsonx-orchestrate.assistant.default Default access for Assistant Manager, Writer
watsonx-orchestrate.logs.read Can view skill analytics and access user conversation logs. Manager
watsonx-orchestrate.environment.write Can rename, edit or delete an environment Manager, Writer
watsonx-orchestrate.environment.read Can open and view an environment Manager, Writer
watsonx-orchestrate.release.write Can create or delete a Release for an Assistant Manager
watsonx-orchestrate.dashboard.view Can view dashboard Administrator, Editor, Manager, Operator, Service Configuration Reader, Viewer, WXO User, Writer
watsonx-orchestrate.credentials.write Can assign and set credentials Manager

Assigning access to watsonx Orchestrate in the console

There are two common ways to assign access in the console:

  • Access policies per user. You can manage access policies per user from the Manage > Access (IAM) > Users page in the console. For information about the steps to assign IAM access, see Managing access to resources in the console.
  • Access groups. Access groups are used to streamline access management by assigning access to a group once, then you can add or remove users as needed from the group to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the console. For more information, see Assigning access to a group in the console.

Assigning access to watsonx Orchestrate in the CLI

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the CLI. The following example shows a command for assigning the Writer role for watsonx Orchestrate:

Tip: Use watsonx-orchestrate for the service name. Also, use quotations around role names that are more than one word like the example here.

ibmcloud iam user-policy-create USER@EXAMPLE.COM --service-name watsonx-orchestrate --roles "Writer"

Assigning access to watsonx Orchestrate by using the API

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the API or the Create a policy API docs. Role cloud resource names (CRN) in the following table are used to assign access with the API.

Table 2. Role ID values for API use
Role name Role CRN
Viewer crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Viewer
Operator crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Operator
Editor crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Editor
Administrator crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Administrator
Service Configuration Reader crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:ServiceConfigurationReader
Writer crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Writer
Manager crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:Manager
WXO User crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser

The following example is for assigning the WXO User role for watsonx-orchestrate:

Tip: Use watsonx-orchestrate for the service name, and refer to the Role ID values table to ensure that you're using the correct value for the CRN.

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "WXO User role for watsonx Orchestrate",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "watsonx-orchestrate"
        }
      ]
    }
  ]
}'

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
      .name("iam_id")
      .value("IBMid-123453user")
      .build();

PolicySubject policySubjects = new PolicySubject.Builder()
      .addAttributes(subjectAttribute)
      .build();

PolicyRole policyRoles = new PolicyRole.Builder()
      .roleId("crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser")
      .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
      .name("accountId")
      .value("ACCOUNT_ID")
      .operator("stringEquals")
      .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
      .name("serviceName")
      .value("watsonx-orchestrate")
      .operator("stringEquals")
      .build();

PolicyResource policyResources = new PolicyResource.Builder()
      .addAttributes(accountIdResourceAttribute)
      .addAttributes(serviceNameResourceAttribute)
      .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
      .type("access")
      .subjects(Arrays.asList(policySubjects))
      .roles(Arrays.asList(policyRoles))
      .resources(Arrays.asList(policyResources))
      .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: 'IBMid-123453user',
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: 'ACCOUNT_ID',
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'watsonx-orchestrate',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='IBMid-123453user')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value='ACCOUNT_ID')
service_name_resource_attribute = ResourceAttribute(
  name='serviceName', value='watsonx-orchestrate')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_name_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("IBMid-123453user"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:watsonx-orchestrate::::serviceRole:WXOUser"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr("ACCOUNT_ID"),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceName"),
  Value:    core.StringPtr("watsonx-orchestrate"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute}
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

Parent topic:

Managing users