Setting up watsonx.governance on IBM Cloud

Last updated: May 08, 2025

You can set up watsonx.governance to monitor model assets in your IBM watsonx projects or deployment spaces. To set up watsonx.governance, you can manage users and roles for your organization to control access to your projects or deployment spaces.

To set up watsonx.governance, complete the following tasks:

Setting up AI use cases
Creating access policies
Managing users and roles

Setting up AI use cases

You must configure AI use cases before users can create and use AI use cases for governance. The following roles are required to complete the setup of AI use cases and create inventories.

Required access roles

These are the minimum access roles required to set up AI uses cases.

Service: watsonx.governance Platform access role: Administrator
Service: All IAM account management services Platform access role: Viewer, Operator, Editor, or Administrator

Click AI use cases on the main navigation menu. If you do not see a button to Complete setup, you might have insufficient access. Check your access settings and try again.
Click Complete setup. A service ID named watsonx.governance_DO_NOT_DELETE is created for the IAM account.
If there is no default inventory available for your account, you are prompted to create one. A default inventory is a platform catalog that provides a repository for inventory assets. It is required for governing external models or managing attachments and reports. For details, see Setting up the default inventory.

Caution:

Do not delete this service ID. Deleting this service ID will cause certain watsonx.governance features to stop working. If the service ID is deleted, contact IBM Support for assistance with recovery.

Rotate the API key

You can rotate the API key of the service ID watsonx.governance_DO_NOT_DELETE by using the following cURL command.

curl -X 'POST' \
  'https://api.dataplatform.test.cloud.ibm.com/v1/aigov/factsheet/rotate_api_key' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer $TOKEN' \
  -d ''

Creating access policies

You can complete the following steps to invite users to an IBM Cloud account that has a watsonx.governance instance installed and assign service access.

Required roles: Users must have the Reader, Writer, or higher IBM Cloud IAM Platform roles for service access. Users that are assigned the Writer role or higher can access information across projects and deployment spaces in watsonx.governance.

From the IBM Cloud homepage, click Manage > Access (IAM).
From the IAM dashboard, click Users and select Invite user.
Complete the following fields:
- How do you want to assign access? : Access policy.
- Which service do you want to assign access to? : watsonx.governance then click Next.
- Select the scope of access for users in the How do you want to scope the access? list and click Next.
  - If you select Specific resources, select an attribute type and specify a value for each condition that you add.
  - If you select Service instance in the Attribute type list, specify your instance in the Value field.
If you have multiple instances, you must find the data mart ID to specify the instance that you want to assign users access to. You can use one of the following methods to find the data mart ID:
- On the Insights dashboard, click a model deployment tile and go to Actions > View model information to find the data mart ID.
- On the Insights dashboard, click the navigation menu on a model deployment tile and select Configure monitors. Then, go to the Endpoints tab and find the data mart ID in the Integration details section of the Model information tab.
Select the Reader role in the Service access list.
Assign access to users.
- If you are assigning access to new users, click Add, and then click Invite in the Access summary pane.
- If you are assigning access to existing users, click Add, and then click Assign in the Access summary pane.

Note:

You can create an access group with the required permissions for watsonx.governance and assign users to the group. For details on creating an access group, see Managing users and access.

IBM watsonx.governance users and roles

You can assign roles to watsonx.governance users to collaborate on model evaluations in projects and deployment spaces.

The following table lists permissions for roles that you can assign for access to evaluations. The Operator and Viewer roles are equivalent.

Table 1. Operations by role
The first row of the table describes separate roles that you can choose from when creating a user. Each column provides a checkmark in the role category for the capability associated with that role.
Operations	Admin role	Editor role	Viewer/Operator role
Evaluation	✔	✔
View evaluation result	✔	✔	✔
Configure monitoring condition	✔	✔
View monitoring condition	✔	✔	✔
Upload training data CSV file in model risk management	✔	✔
Create inventory	✔	✔	✔

Parent topic: Setting up the platform for administrators

Was the topic helpful?

0/1000