Watson OpenScale Identity and Access Management

Access to IBM Watson OpenScale service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that accesses the Watson OpenScale service in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

Identity and Access Management roles and actions

Policies enable access to be granted at different levels. Some of the options include the following:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account
  • Access to a specific resource within an instance

After you define the scope of the access policy, you assign a role which determines the user’s level of access. Review the following tables which outline what actions each role allows within the Watson OpenScale service.

With platform management roles, users can be assigned varying levels of permission for performing platform actions within the account and on a service. For example, platform management roles that are assigned for catalog resources enable users to complete actions such as creating, deleting, editing, and viewing service instances. And, the platform management roles that are assigned for account management services enable users to complete actions such as inviting and removing users, working with resource groups, and viewing billing information. For more information about the account management services, see Assigning access to account management services.

Select all roles that apply when creating a policy. Each role allows separate actions to be completed and doesn’t inherit the actions of the lesser roles.

The following table provides examples for some of the platform management actions that users can take within the context of catalog resources and resource groups. See the documentation for each catalog offering to understand how the roles apply to users within the context of the service that is being used.

  One or all IAM-enabled services Selected service in a resource group Selected resource group
Viewer/Operator role View instances, aliases, bindings, and credentials View only specified instances in the resource group View resource group
Operator role View instances and manage aliases, bindings, and credentials Not applicable Not applicable
Editor role Create, delete, edit, and view instances. Manage aliases, bindings, and credentials Create, delete, edit, suspend, resume, view, and bind only specified instances in the resource group View and edit name of resource group
Administrator role All management actions for services All management actions for the specified instances in the resource group View, edit, and manage access for the resource group
Cluster administrator role (specific to IBM Watson OpenScale for IBM Cloud Pak for Data only) Has complete access to platform Has complete access to the specified instances in the resource group The following actions can be completed by the cluster administrator only: Connect to an LDAP directory, add users and assign them the IAM roles, manage workloads, infrastructure, and applications across all namespaces, create namespaces, assign quotas, add pod security policies, add an internal Helm repository, delete an internal Helm repository, add Helm charts to the internal Helm repository, remove Helm charts from the internal Helm repository, and synchronize internal and external Helm repositories

Users and roles for Watson OpenScale

For Watson OpenScale, the Operator and Viewer roles are equivalent.

Operations Admin role Editor role Viewer/Operator role
Add machine learning engine configuration    
Remove machine learning engine configuration    
Update machine learning configuration    
View machine learning configuration    
Add database configuration    
Remove database configuration    
Update database configuration    
View database configuration    
IBM OpenPages configuration    
Model approval  
Evaluation  
View users and roles    
Add subscription to dashboard  
Remove subscription from dashboard  
View subscription
Configure monitoring condition  
View monitoring condition
Upload payload logging record  
Upload feedback data  
Upload training data CSV file in model risk management  
Run auto setup    
API calls to update the system  
API calls to query the subscriptions and monitoring

Steps

  1. To add the access policy to existing users, from the IBM Cloud dashboard click Manage > Access (IAM) > Users > Manage user > Access policies.
  2. To invite new users, from the IBM Cloud dashboard click Manage > Access (IAM) > Users > Invite user.

To find your Watson OpenScale datamart ID, from the Configuration tab, go to the Endpoints tab for a deployment.

Next steps

For service access roles, which enable user access to Watson OpenScale as well as the ability to call the REST API, Watson OpenScale defers to the platform management roles that are listed in the preceding table. For information about assigning user roles in the UI, see Managing access to resources.