Watson OpenScale Identity and Access Management

Access to IBM Watson OpenScale service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user who performs model evaluation in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The set of allowable actions is defined by the IBM Cloud service itself, as the operations that may be performed on the service; those actions are then mapped to IAM user roles.

Identity and Access Management roles and actions

Policies allow access to be granted at different scopes, including the following:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account
  • Access to a specific resource within an instance

After you define the scope of the access policy, you assign a role that determines the user's level of access. Review the following tables that outline what actions each role allows.

With platform management roles, users can be assigned varying levels of permission for performing platform actions within the account and on a service. For example, platform management roles that are assigned for catalog resources enable users to complete actions such as creating, deleting, editing, and viewing service instances. And, the platform management roles that are assigned for account management services enable users to complete actions such as inviting and removing users, working with resource groups, and viewing billing information. For more information about the account management services, see Assigning access to account management services.

Select all roles that apply when you create a policy. Each role allows separate actions to be completed and doesn't inherit the actions of the lesser roles.

The following table provides examples for some of the platform management actions that users can take within the context of catalog resources and resource groups. See the documentation for each catalog offering to understand how the roles apply to users within the context of the service that is being used.

Table 1. Example platform management roles and actions for services in an account
Each role is listed with the actions it allows for each of the three policy scopes: one or all IAM-enabled services, a selected service instance in a resource group, and a selected resource group.

Viewer/Operator role
  • One or all IAM-enabled services: View instances, aliases, bindings, and credentials
  • Selected service in a resource group: View only the specified instances in the resource group
  • Selected resource group: View the resource group

Operator role
  • One or all IAM-enabled services: View instances and manage aliases, bindings, and credentials
  • Selected service in a resource group: Not applicable
  • Selected resource group: Not applicable

Editor role
  • One or all IAM-enabled services: Create, delete, edit, and view instances; manage aliases, bindings, and credentials
  • Selected service in a resource group: Create, delete, edit, suspend, resume, view, and bind only the specified instances in the resource group
  • Selected resource group: View and edit the name of the resource group

Administrator role
  • One or all IAM-enabled services: All management actions for services
  • Selected service in a resource group: All management actions for the specified instances in the resource group
  • Selected resource group: View, edit, and manage access for the resource group

Cluster administrator role (specific to IBM Watson OpenScale for IBM Cloud Pak for Data only)
  • One or all IAM-enabled services: Complete access to the platform
  • Selected service in a resource group: Complete access to the specified instances in the resource group
  • Selected resource group: The following actions can be completed by the cluster administrator only: connect to an LDAP directory; add users and assign them IAM roles; manage workloads, infrastructure, and applications across all namespaces; create namespaces; assign quotas; add pod security policies; add or delete an internal Helm repository; add Helm charts to, or remove them from, the internal Helm repository; synchronize internal and external Helm repositories
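The scope-and-role model described above (policy scope first, then the explicit action set of each assigned role, with no inheritance between roles) is easy to get wrong when assigning access. The following Python model, added here as an illustration and not part of the product documentation or IBM's IAM implementation, transcribes the platform actions from Table 1 and evaluates a request against a set of policies. The dotted action names, the service name `aiopenscale`, and the user, resource group and instance names are assumptions made for the example. It shows three things a practitioner should check before granting access: a policy on one instance does not reach a sibling instance, a policy on the resource group container grants only resource-group actions and none on the instances inside it, and each role contributes exactly its own actions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

# Role -> actions on a service instance, transcribed from the first two
# columns of Table 1. The dotted action names are labels chosen for this
# example (an assumption), not IBM IAM action identifiers.
INSTANCE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "Viewer": frozenset({"instance.view", "alias.view", "binding.view", "credential.view"}),
    "Operator": frozenset({"instance.view", "alias.manage", "binding.manage", "credential.manage"}),
    "Editor": frozenset({"instance.create", "instance.delete", "instance.edit", "instance.view",
                         "alias.manage", "binding.manage", "credential.manage"}),
}
# Administrator: all management actions for services, plus managing access.
INSTANCE_ACTIONS["Administrator"] = frozenset(
    set().union(*INSTANCE_ACTIONS.values()) | {"instance.manage_access"})

# Role -> actions on the resource group container itself (third column of
# Table 1). None of these reach the instances that live inside the group.
GROUP_ACTIONS: Dict[str, FrozenSet[str]] = {
    "Viewer": frozenset({"group.view"}),
    "Operator": frozenset(),  # "Not applicable" in Table 1
    "Editor": frozenset({"group.view", "group.edit_name"}),
    "Administrator": frozenset({"group.view", "group.edit_name", "group.manage_access"}),
}


@dataclass(frozen=True)
class Resource:
    kind: str           # "instance" or "group"
    group: str          # resource group containing the instance, or the group's own name
    service: str = ""   # service name (instances only)
    name: str = ""      # instance name (instances only)


@dataclass(frozen=True)
class Policy:
    subject: str
    roles: FrozenSet[str]
    scope: str          # "all_services", "instance" or "group"
    service: str = ""   # for "all_services": limit to one service; "" means every service
    group: str = ""
    name: str = ""


def scope_matches(policy: Policy, resource: Resource) -> bool:
    """Does the policy's scope cover this resource at all?"""
    if policy.scope == "all_services":
        return resource.kind == "instance" and policy.service in ("", resource.service)
    if policy.scope == "instance":
        return (resource.kind == "instance" and resource.service == policy.service
                and resource.group == policy.group and resource.name == policy.name)
    if policy.scope == "group":
        # A policy on the resource group covers the group object only.
        return resource.kind == "group" and resource.group == policy.group
    return False


def allowed_actions(policies: Iterable[Policy], subject: str, resource: Resource) -> Set[str]:
    """Union of the actions granted by every matching policy.

    Roles are explicit: a role contributes only its own action set and never
    implies the actions of a lesser role.
    """
    table = INSTANCE_ACTIONS if resource.kind == "instance" else GROUP_ACTIONS
    actions: Set[str] = set()
    for policy in policies:
        if policy.subject == subject and scope_matches(policy, resource):
            for role in policy.roles:
                actions |= table[role]
    return actions


def is_allowed(policies: Iterable[Policy], subject: str, action: str, resource: Resource) -> bool:
    return action in allowed_actions(policies, subject, resource)


# Constructed sample data: assumed service, group, instance and user names.
SVC = "aiopenscale"
PROD = Resource("instance", "ml-prod", SVC, "openscale-prod")
DEV = Resource("instance", "ml-prod", SVC, "openscale-dev")
PROD_GROUP = Resource("group", "ml-prod")

POLICIES = (
    # alice: Viewer on a single instance (least privilege for a dashboard consumer)
    Policy("alice", frozenset({"Viewer"}), "instance", SVC, "ml-prod", "openscale-prod"),
    # bob: Administrator on the resource group container, not on its instances
    Policy("bob", frozenset({"Administrator"}), "group", group="ml-prod"),
    # carol: Operator across all instances of the service
    Policy("carol", frozenset({"Operator"}), "all_services", service=SVC),
)

if __name__ == "__main__":
    checks = [("alice", "instance.view", PROD), ("alice", "instance.view", DEV),
              ("alice", "instance.edit", PROD), ("bob", "group.manage_access", PROD_GROUP),
              ("bob", "instance.view", PROD), ("carol", "credential.manage", DEV),
              ("carol", "instance.create", DEV)]
    for who, action, res in checks:
        print(f"{who:6} {action:22} {res.name or res.group:15} -> {is_allowed(POLICIES, who, action, res)}")
```

Run the block directly to see the decision for each check. The instructive cases are bob, whose Administrator policy on the resource group does not let him view the OpenScale instance inside it, and alice, whose Viewer policy on openscale-prod says nothing about openscale-dev. When you audit policies in an account, check the scope column before the role column.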

Users and roles for model evaluation

For Watson OpenScale, the Operator and Viewer roles are equivalent. For more information about role-based access in Watson OpenScale, see Configuring Identity and Access Management.

Table 2. Operations by role
The first row of the table describes separate roles that you can choose from when creating a user. Each column provides a checkmark in the role category for the capability associated with that role.
Operations Admin role Editor role Viewer/Operator role
Add machine learning engine configuration
Remove machine learning engine configuration
Update machine learning configuration
View machine learning configuration
Add database configuration
Remove database configuration
Update database configuration
View database configuration
Model approval
Evaluation
View users and roles
Add subscription to dashboard
Remove subscription from dashboard
View subscription
Configure monitoring condition
View monitoring condition
Upload payload logging record
Upload feedback data
Upload training data CSV file in model risk management
Run auto setup
API calls to update the system
API calls to query the subscriptions and monitoring

Quota limits

To help you manage your resources efficiently and avoid performance issues, Watson OpenScale applies the following quota limits by default when users configure assets:

  • DataMart: 100 per instance
  • Service providers: 100 per instance
  • Integrated systems: 100 per instance
  • Subscriptions: 100 per service provider
  • Monitor instances: 100 per subscription

In addition, every asset type in Watson OpenScale has a hard limit of 10,000 instances of that asset per service instance.

Next steps

Configuring Identity and Access Management

Parent topic: Information security
