Access to IBM Watson OpenScale service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that performs model evaluation in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
Identity and Access Management roles and actions
Policies enable access to be granted at different levels, including the following options:
- Access across all instances of the service in your account
- Access to an individual service instance in your account
- Access to a specific resource within an instance
After you define the scope of the access policy, you assign a role that determines the user's level of access. Review the following tables that outline what actions each role allows.
With platform management roles, users can be assigned varying levels of permission for performing platform actions within the account and on a service. For example, platform management roles that are assigned for catalog resources enable users to complete actions such as creating, deleting, editing, and viewing service instances. And, the platform management roles that are assigned for account management services enable users to complete actions such as inviting and removing users, working with resource groups, and viewing billing information. For more information about the account management services, see Assigning access to account management services.
Select all roles that apply when you create a policy. Each role allows separate actions to be completed and doesn't inherit the actions of the lesser roles.
The following table provides examples for some of the platform management actions that users can take within the context of catalog resources and resource groups. See the documentation for each catalog offering to understand how the roles apply to users within the context of the service that is being used.
Role | One or all IAM-enabled services | Selected service in a resource group | Selected resource group |
---|---|---|---|
Viewer/Operator role | View instances, aliases, bindings, and credentials | View only specified instances in the resource group | View resource group |
Operator role | View instances and manage aliases, bindings, and credentials | Not applicable | Not applicable |
Editor role | Create, delete, edit, and view instances. Manage aliases, bindings, and credentials | Create, delete, edit, suspend, resume, view, and bind only specified instances in the resource group | View and edit name of resource group |
Administrator role | All management actions for services | All management actions for the specified instances in the resource group | View, edit, and manage access for the resource group |
Cluster administrator role (specific to IBM Watson OpenScale for IBM Cloud Pak for Data only) | Has complete access to platform | Has complete access to the specified instances in the resource group | The following actions can be completed by the cluster administrator only: Connect to an LDAP directory, add users and assign them the IAM roles, manage workloads, infrastructure, and applications across all namespaces, create namespaces, assign quotas, add pod security policies, add an internal Helm repository, delete an internal Helm repository, add Helm charts to the internal Helm repository, remove Helm charts from the internal Helm repository, and synchronize internal and external Helm repositories |
Users and roles for model evaluation
For Watson OpenScale, the Operator and Viewer roles are equivalent. For more information about role-based access in Watson OpenScale, see Configuring Identity and Access Management.
Operations | Admin role | Editor role | Viewer/Operator role |
---|---|---|---|
Add machine learning engine configuration | ✔ | | |
Remove machine learning engine configuration | ✔ | | |
Update machine learning configuration | ✔ | | |
View machine learning configuration | ✔ | | |
Add database configuration | ✔ | | |
Remove database configuration | ✔ | | |
Update database configuration | ✔ | | |
View database configuration | ✔ | | |
Model approval | ✔ | ✔ | |
Evaluation | ✔ | ✔ | |
View users and roles | ✔ | | |
Add subscription to dashboard | ✔ | ✔ | |
Remove subscription from dashboard | ✔ | ✔ | |
View subscription | ✔ | ✔ | ✔ |
Configure monitoring condition | ✔ | ✔ | |
View monitoring condition | ✔ | ✔ | ✔ |
Upload payload logging record | ✔ | ✔ | |
Upload feedback data | ✔ | ✔ | |
Upload training data CSV file in model risk management | ✔ | ✔ | |
Run auto setup | ✔ | | |
API calls to update the system | ✔ | ✔ | |
API calls to query the subscriptions and monitoring | ✔ | ✔ | ✔ |
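The table above is what a reviewer consults when deciding which role to put in a policy. The following added example (illustration only, not Watson OpenScale's own enforcement code) encodes that matrix as data and answers two least-privilege questions: the lowest role that covers a set of operations a user or service account needs, and which operations a granted role allows beyond that need. The operation keys are assumed short names for the table rows.

```python
# Least-privilege role selection for Watson OpenScale model evaluation.
# Added illustration; operation keys are assumed short names for the rows
# of the operations/roles table. Viewer and Operator are equivalent here.

ROLES = ("Viewer", "Editor", "Admin")  # ordered from least to most privilege

# Operation -> lowest role ticked for it. In the table every Viewer tick is
# also an Editor and Admin tick, and every Editor tick is also an Admin tick,
# so a single "minimum role" per operation captures the whole matrix.
MIN_ROLE = {
    "add_ml_engine_config": "Admin",
    "remove_ml_engine_config": "Admin",
    "update_ml_config": "Admin",
    "view_ml_config": "Admin",
    "add_db_config": "Admin",
    "remove_db_config": "Admin",
    "update_db_config": "Admin",
    "view_db_config": "Admin",
    "model_approval": "Editor",
    "evaluation": "Editor",
    "view_users_and_roles": "Admin",
    "add_subscription": "Editor",
    "remove_subscription": "Editor",
    "view_subscription": "Viewer",
    "configure_monitor": "Editor",
    "view_monitor": "Viewer",
    "upload_payload_logging": "Editor",
    "upload_feedback": "Editor",
    "upload_training_csv": "Editor",
    "run_auto_setup": "Admin",
    "api_update_system": "Editor",
    "api_query": "Viewer",
}


def allowed(role, op):
    """True when the role's tick covers the operation."""
    return ROLES.index(role) >= ROLES.index(MIN_ROLE[op])


def minimal_role(required_ops):
    """Lowest role whose ticks cover every required operation."""
    unknown = set(required_ops) - MIN_ROLE.keys()
    if unknown:
        raise KeyError(f"operations not in the matrix: {sorted(unknown)}")
    return max((MIN_ROLE[op] for op in required_ops), key=ROLES.index, default="Viewer")


def denied_operations(granted_role, required_ops):
    """Required operations the granted role cannot perform (policy too weak)."""
    return sorted(op for op in required_ops if not allowed(granted_role, op))


def excess_operations(granted_role, required_ops):
    """Operations the granted role permits but the user does not need (over-privilege)."""
    return sorted(op for op in MIN_ROLE if allowed(granted_role, op) and op not in set(required_ops))
```

For a scoring pipeline that only uploads payload and feedback records, `minimal_role` returns Editor, and `excess_operations("Admin", ...)` lists the engine and database configuration actions an Admin policy would hand it needlessly.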
Quota limits
To help you manage your resources efficiently and avoid performance issues, Watson OpenScale applies the following quota limits by default when users configure assets:
Asset | Limit |
---|---|
DataMart | 100 per instance |
Service providers | 100 per instance |
Integrated systems | 100 per instance |
Subscriptions | 100 per service provider |
Monitor instances | 100 per subscription |
Every asset in Watson OpenScale has a hard limit of 10000 instances of the asset per service instance.
Next steps
Configuring Identity and Access Management
Parent topic: Information security