Levels of user access roles in IBM watsonx

Every user of IBM watsonx has multiple levels of roles with the corresponding permissions, or actions. The permissions determine what actions a user can perform on the platform or within a service. Some roles are set in IBM Cloud, and others are set in IBM watsonx.

The IBM Cloud account owner or administrator sets the Identity and Access (IAM) Platform and Service access roles in the IBM Cloud account. Workspace administrators in watsonx set the collaborator roles for workspaces, for example, projects and deployment spaces.

Familiarity with the IBM Cloud IAM feature, Access groups, Platform roles, and Service roles is required to configure user access for IBM watsonx. See IBM Cloud docs: IAM access for a description of IBM Cloud IAM Platform and Service roles.

This illustration shows the different levels of roles assigned to each user so that they can work in IBM watsonx.

The levels of roles are:

IAM Platform access roles determine your permissions for the IBM Cloud account. At least the Viewer role is required to work with services.
IAM Service access roles determine your permissions within services.
Workspace collaborator roles determine what actions you have permission to perform within workspaces in IBM watsonx.

IAM Platform access roles

The IAM Platform access roles are assigned and managed in the IBM Cloud account.

IAM Platform access roles provide permissions to manage the IBM Cloud account and to access services within IBM watsonx. The Platform access roles are Viewer, Operator, Editor, and Administrator. The Platform roles are available to all services on IBM Cloud.

The Viewer role has minimal, view-only permissions. Users need at least Viewer role to see the services in IBM watsonx. A Viewer can:

View, but not modify, available service instances and assets
Associate services with projects.
Become collaborator in projects or deployment spaces.
Create projects and deployment spaces if assigned appropriate permissions for Cloud Object Storage.

The Operator role has permissions to configure existing service instances.

The Editor role provides access to these actions:

All Viewer role permissions.
Provision instances of services.
Update plans for service instances.

The Administrator role provides the same permissions as the Owner role for the account. With Administrator role, you can:

All Viewer, Operator, and Editor permissions.
Perform all management actions for services.
Add users to the IBM Cloud account and assign roles
Perform administrative tasks in IBM watsonx
Manage services for IBM watsonx

To understand IAM Platform access roles, see IBM Cloud docs: What is IBM Cloud Identity and Access Management?.

IAM Service access roles

Service roles apply to individual services and define actions permitted within the service. IBM Cloud Object Storage has its own set of Service access roles. See Setting up IBM Cloud Object Storage for use with IBM watsonx.

Workspace collaborator roles

Your role in a specific workspace determines what actions you can perform in that workspace. Your IAM roles do not affect your role within a workspace. For example, you can be the Administrator of the Cloud account, but this does not automatically make you an administrator for a project or catalog. The Admin collaborator role for a project (or other workspace) must be explicitly assigned. Similarly, roles are specific to each project. You may have Admin role in a project, which gives you full control of the contents of that project, including managing collaborators and assets. But you can have the Viewer role in another project, which allows you to only view the contents of that project.

Projects and deployment spaces have these roles:

Admin: Control assets, collaborators, and settings in the workspace.
Editor: Control assets in the workspace.
Viewer: View the workspace and its contents.

The permissions that are associated with each role are specific to the type of workspace:

Learn more

Parent topic: Adding users to the account