You can set up watsonx.governance to monitor model assets in your IBM watsonx projects or deployment spaces. To set up watsonx.governance, you can manage users and roles for your organization to control access to your projects or deployment spaces.
To set up watsonx.governance, complete the following tasks:
Setting up AI use cases
You must configure AI use cases before users can create and use AI use cases for governance. The following roles are required to complete the setup of AI use cases and create inventories.
Required access roles
These are the minimum access roles required to set up AI use cases.
- Service: watsonx.governance; Platform access role: Administrator
- Service: All IAM account management services; Platform access role: Viewer, Operator, Editor, or Administrator
- Click AI use cases on the main navigation menu. If you do not see a button to Complete setup, you might have insufficient access. Check your access settings and try again.
- Click Complete setup. A service ID named watsonx.governance_DO_NOT_DELETE is created for the IAM account.
Do not delete this service ID. Deleting this service ID will cause certain watsonx.governance features to stop working. If the service ID is deleted, contact IBM Support for assistance with recovery.
Rotate the API key
You can rotate the API key of the service ID watsonx.governance_DO_NOT_DELETE by using the following cURL command.
curl -X 'POST' \
'https://api.dataplatform.test.cloud.ibm.com/v1/aigov/factsheet/rotate_api_key' \
-H 'accept: application/json' \
-H "Authorization: Bearer $TOKEN" \
-d ''
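A fuller version of the rotation call, as an added example rather than IBM's own script: it obtains the bearer token from the IBM Cloud IAM token endpoint, keeps both the API key and the token out of the process list, and fails on any non-2xx response. The names IBM_CLOUD_APIKEY and ROTATE_URL are assumptions, as is the premise that this endpoint accepts an IAM access token obtained from an API key.

```shell
#!/bin/sh
# Added example (not IBM's script). Assumed names: IBM_CLOUD_APIKEY, ROTATE_URL.
set -u
IAM_URL="https://iam.cloud.ibm.com/identity/token"
ROTATE_URL="${ROTATE_URL:-https://api.dataplatform.test.cloud.ibm.com/v1/aigov/factsheet/rotate_api_key}"

# Exchange an IBM Cloud API key for an IAM bearer token. printf is a shell
# builtin and the form body reaches curl on stdin (--data @-), so the key
# never shows up in the process list.
get_iam_token() {
  : "${IBM_CLOUD_APIKEY:?set IBM_CLOUD_APIKEY first}"
  iam_body=$(printf 'grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=%s' \
      "$IBM_CLOUD_APIKEY" |
    curl -sS --fail -X POST "$IAM_URL" \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'Accept: application/json' --data @-) || return 1
  # Pull access_token out of the JSON response without depending on jq.
  printf '%s' "$iam_body" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# POST to the rotate endpoint shown on this page. The Authorization header is
# read from stdin (-H @-, curl 7.55.0 or later) rather than passed in argv.
# Prints the HTTP status code; returns 0 only for a 2xx response.
rotate_api_key() {
  token=$(get_iam_token) || return 1
  [ -n "$token" ] || { echo "no access_token in IAM response" >&2; return 1; }
  status=$(printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS -o /dev/null -w '%{http_code}' -X POST "$ROTATE_URL" \
      -H 'accept: application/json' -H @- -d '') || return 1
  unset token
  echo "$status"
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}

# Perform the rotation only when invoked as: sh rotate.sh rotate
if [ "${1:-}" = "rotate" ]; then
  rotate_api_key
fi
```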
Creating access policies
You can complete the following steps to invite users to an IBM Cloud account that has a watsonx.governance instance installed and assign service access.
- Required roles
- Users must have the Reader, Writer, or higher IBM Cloud IAM Platform roles for service access. Users that are assigned the Writer role or higher can access information across projects and deployment spaces in watsonx.governance.
- From the IBM Cloud homepage, click Manage > Access (IAM).
- From the IAM dashboard, click Users and select Invite user.
- Complete the following fields:
  - How do you want to assign access?: Access policy.
  - Which service do you want to assign access to?: watsonx.governance and All IAM account management service, then click Next.
  - How do you want to scope the access?: Assign Viewer access to All IAM account management service and for the watsonx.governance policy, then click Next.
    - If you select Specific resources, select an attribute type and specify a value for each condition that you add.
    - If you select Service instance in the Attribute type list, specify your instance in the Value field.
- If you have multiple instances, you must find the data mart ID to specify the instance that you want to assign users access to. You can use one of the following methods to find the data mart ID:
- On the Insights dashboard, click a model deployment tile and go to Actions > View model information to find the data mart ID.
- On the Insights dashboard, click the navigation menu on a model deployment tile and select Configure monitors. Then, go to the Endpoints tab and find the data mart ID in the Integration details section of the Model information tab.
- Select the Reader role in the Service access list.
- Assign access to users.
- If you are assigning access to new users, click Add, and then click Invite in the Access summary pane.
- If you are assigning access to existing users, click Add, and then click Assign in the Access summary pane.
You can create an access group with the required permissions for watsonx.governance and assign users to the group. For details on creating an access group, see Managing users and access.
IBM watsonx.governance users and roles
You can assign roles to watsonx.governance users to collaborate on model evaluations in projects and deployment spaces.
The following table lists permissions for roles that you can assign for access to evaluations. The Operator and Viewer roles are equivalent.
Operations | Admin role | Editor role | Viewer/Operator role |
---|---|---|---|
Evaluation | ✔ | ✔ | |
View evaluation result | ✔ | ✔ | ✔ |
Configure monitoring condition | ✔ | ✔ | |
View monitoring condition | ✔ | ✔ | ✔ |
Upload training data CSV file in model risk management | ✔ | ✔ | |
Create inventory | ✔ | ✔ | ✔ |