As an Administrator, you can add the people in your organization who need access to IBM watsonx to the IBM Cloud account and then assign them the appropriate roles for their tasks.
- Add nonadministrative users to the IBM Cloud account and assign access groups or roles so that they can work in IBM watsonx. The new users receive an email invitation to join the account. They must accept the invitation to be added to the account.
- Set up access groups to simplify permissions and role assignment.
- Optional: Add administrative users to the IBM Cloud account.
Add nonadministrative users to your IBM Cloud account
You invite users to your IBM Cloud account by sending an email invitation. The user accepts the invitation to join the account. You must assign them roles (or access groups) to provide the necessary permissions to work in IBM watsonx. For a baseline role assignment, you can provide minimum permissions by assigning the following roles in the Manage > Access(IAM) > Users > Invite users > Access policy screen in IBM Cloud:
Level | Role | Description |
---|---|---|
Service | All Identity and Access enabled services | Can access all services that use IAM for access management; usually assigned only to administrators in a production environment |
Resources | All resources | Scope of resources for which user has access |
Resource group access | Viewer | Can view but not modify resource groups |
Service access | Reader | Can perform read-only actions within a service |
Platform access | Viewer | Can view but not modify service instances |
IBM account membership
To be authorized for IBM watsonx, users must have existing IBMids. If the invited user does not have an IBMid, it is created for them when they join the account.
Assigning roles
To assign minimum permissions to individual users:
-
From IBM watsonx, click Administration > Access (IAM) to open the Manage access and users page for your IBM Cloud account.
-
Click Users > Invite users+.
-
Enter one or more email addresses that are separated by commas, spaces, or line breaks. The limit is 100 email addresses. The settings apply to all the email addresses.
-
Click the Access policy tile.
-
Select All Identity and Access enabled services, then click Next to assign Resource access.
-
For Resources, choose All resources. Click Next.
-
For Resource group access, choose Viewer. Click Next
-
For Roles and action, choose the following minimum permissions:
- In the Service access section, select Reader
- In the Platform access section, select Viewer.
-
Review the settings and edit if necessary.
-
Click Add to save the policy.
-
Click Invite to send an email invitation to each email address. The policies are assigned to the users when they accept the invitation to join the account.
Modifying a user's role
When you change a user's role, their access to services changes. Their ability to complete work in IBM watsonx can be impacted if they do not have the necessary access.
Optional: Add administrative users to your IBM Cloud account
You can add administrative users with the Administrator role for account management. This role also provides the Manager role for all services in the account.
To add a user as an IBM Cloud account administrator:
- Follow the steps to add a non-administrative user, except change these settings for an individual user's roles:
- In the Service access section, select Manager.
- In the Platform access section, select Administrator.
- Alternatively, create an access group containing these roles and assign the user to the access group.
- Click Invite. The new users receive an email invitation to join the account. They must accept the invitation to be added to the account.
- After the user joins the account, add account management permissions. Click the user's name, then Access > Assign access under Access policies.
- For the service to assign access to, choose All Account Management Services.
- Next, in the Platform access section, select Administrator and click Add.
- Click Assign.
Next steps
- Finish setting up the platform.
- Upgrade your service instances to billable plans.
Learn more
- Roles in IBM watsonx
- IBM Cloud docs: Account types
- IBM Cloud docs: IAM access
- IBM Cloud docs: What is IBM Cloud Identity and Access Management
- IBM Cloud docs: Setting up access groups
- IBM Cloud docs: Giving access to resources in resource groups
Parent topic: Managing users and access