Setting up IAM access groups
Last updated: Nov 27, 2024

IAM access groups are created and managed entirely on IBM Cloud. Access groups expedite the assignment of IAM roles to IBM watsonx users. Familiarity with the IBM Cloud IAM component, access groups, Platform roles, and Service roles is required to assign IAM roles with appropriate access rights to work with IBM watsonx services.

Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
  • Account owner
  • Administrator or Editor for All Identity and Access enabled services
  • Administrator or Editor on the IAM Access Groups account management service in the account
  • Administrator or Editor for the All Account Management services

To use IAM Access groups as user groups, you must enable account scoping. By setting the resource scope to the current account, users cannot access resources outside of their account, regardless of membership. The scope applies to projects, catalogs, and spaces.

To enable account scoping:

  1. From the navigation menu, select Administration > Account and billing > Account to open the account settings window.
  2. Set Resource scope to On.

To create an access group:

The following instructions describe how to create the Account-Administrator access group, one of the example groups described in the Using the example access groups topic.

  1. From IBM watsonx, click Administration > Access (IAM) to open the Manage access and users page in your IBM Cloud account.
  2. Select Access groups to see a list of available groups. All accounts have the default Public Access group, which contains all users and Service IDs in the account.
  3. Click Create to create a new access group. Enter Account-Administrator for the name (or the name you choose for the group) and a description. Access group names must be unique. A description helps you remember the purpose of the access group.
  4. Create the group.
  5. Click Access > Assign access to add access policies to the group.
  6. For Service, select All Identity and Access enabled services (or the service the group will access) and click Next. Access to All Identity and Access enabled services is usually assigned only to Administrators.
  7. For Resources, select All resources for the scope and click Next.
  8. For Resource group access, select Administrator and click Next.
  9. For Roles and actions, select the following to assign access for the example Account-Administrator group:
    • Manager for Service access
    • Administrator for Platform access
  10. Review the parameters, then click Add and Assign.

To add users to an access group:

  1. From IBM watsonx, click Administration > Access (IAM). The Manage access and users page in your IBM Cloud account opens in a separate window.
  2. Select Access groups to see a list of available groups.
  3. Select the access group that you want to populate with users.
  4. Select the checkbox for one or more users to add as members of the access group and click Add users.

You have successfully created the Account-Administrator access group and populated it with members. Repeat these steps for each example access group to create a baseline set of access groups. See Using the example access groups for the suggested roles to assign to each example access group.

After you create an IAM access group, a user group is also created. User groups make it easier to manage a large number of users with similar access requirements.

  • You can assign Viewer, Editor, or Admin roles to user groups when you add collaborators to projects and spaces.
  • If a member of the group leaves, the IBM Cloud account administrator can remove the user from the group rather than looking at all of the assets the user has access to.

Modifying access groups

You can modify an access group after you create it. You can add and delete members, add and delete access policies, and make other modifications as needed. When you modify the access policies, the new policies are immediately applied to all members of the group.
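
Because policy changes reach every member immediately, and access to All Identity and Access enabled services is usually reserved for Administrators, it helps to review group policies periodically. The following is an added example, not IBM code: it checks a simplified, constructed inventory of access groups. The record layout, the Hypothetical-Analysts group, and the example-service name are assumptions for illustration and are not the IBM Cloud IAM API format.

```python
# Added example: review a constructed inventory of access groups and policies.
# The record layout is an assumption for illustration, not an IBM Cloud format.
ALL_IAM_SERVICES = "All Identity and Access enabled services"
PUBLIC_GROUP = "Public Access"  # default group: all users and Service IDs

# Constructed sample data.
GROUPS = [
    {"name": "Account-Administrator",
     "members": ["admin1@example.com"],
     "policies": [{"service": ALL_IAM_SERVICES, "resources": "All resources",
                   "platform_role": "Administrator", "service_role": "Manager"}]},
    {"name": "Hypothetical-Analysts",  # hypothetical group name
     "members": ["a@example.com", "b@example.com", "c@example.com"],
     "policies": [{"service": ALL_IAM_SERVICES, "resources": "All resources",
                   "platform_role": "Administrator", "service_role": "Manager"}]},
    {"name": PUBLIC_GROUP,
     "members": [],
     "policies": [{"service": "example-service", "resources": "All resources",
                   "platform_role": "Viewer", "service_role": "Reader"}]},
]


def review_groups(groups, admin_groups=("Account-Administrator",)):
    """Return (group, issue, affected_member_count) tuples for risky policies."""
    findings = []
    for group in groups:
        for policy in group["policies"]:
            account_wide_admin = (
                policy["service"] == ALL_IAM_SERVICES
                and policy["resources"] == "All resources"
                and policy["platform_role"] == "Administrator"
            )
            # Account-wide Administrator belongs only in designated admin groups.
            if account_wide_admin and group["name"] not in admin_groups:
                findings.append(
                    (group["name"], "account-wide-admin", len(group["members"])))
            # Any policy on the default group applies to everyone in the account,
            # so the member count is not meaningful here.
            if group["name"] == PUBLIC_GROUP:
                findings.append((group["name"], "policy-on-public-group", None))
    return findings


if __name__ == "__main__":
    for name, issue, count in review_groups(GROUPS):
        scope = "entire account" if count is None else f"{count} member(s)"
        print(f"{name}: {issue} ({scope})")
```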
