Managing IAM access for watsonx.governance as a Service on AWS
Last updated: Oct 15, 2024
Access to watsonx.governance as a Service on AWS service instances for users in your account is controlled by Identity and Access Management (IAM). Further access controls are managed within Governance console.
Every user that accesses the watsonx.governance service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to watsonx.governance.
The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by watsonx.governance as operations that are allowed to be performed on the service. Each action is mapped to an IAM role that you can assign to a user or group.
IAM access policies enable access to be granted to an individual service instance in your account.
Review the following tables that outline what types of tasks each role allows when you're working with the watsonx.governance service. Subscription management roles enable users to perform tasks on service subscriptions, for example, assigning user access to the service and creating or deleting instances. Service access roles give users access to Governance console and the ability to call the Governance console API.
Subscription access roles
| Subscription role | Description of actions |
| --- | --- |
| Subscription Viewer | As a Viewer, you can view instances of a subscription and check instance statuses. |
| Subscription Owner | As an Owner, you can view and manage a watsonx.governance subscription. You can also provision instances. |
| Subscription Admin | As an Admin, you can manage instances. Admin actions include inviting users and assigning roles to them. Admins can also create, update, and delete instances of a subscription. |
Service instance access roles
| Service instance role | Description of actions |
| --- | --- |
| Service User | As a Service User, you can log in to Governance console. Further access is defined in Governance console. |
| Service Owner | As a Service Owner, you have administrator access in Governance console. |
| Service Admin | As a Service Admin, you have administrator access in Governance console. |
Service IDs and API access
You can grant services or applications access to your service instance by using service IDs and API keys.
Assign the Service User role to give users access to Governance console.
Assign the Service Owner or Service Admin role to give users administrator access in Governance console.
You can assign access in the IBM SaaS Console by using one of these methods:
Access policies per user. You can manage access policies per user from the Access Management > Users tab in the console.
Access groups. Access groups streamline access management: you assign access to a group once, then add or remove users from the group as needed to control their access. You can manage access groups and their access from the Access Management > User Groups tab in the console.