Managing IAM access for watsonx.governance as a Service on AWS

Last updated: Jun 26, 2025

Access to watsonx.governance as a Service on AWS service instances for users in your account is controlled by Identity and Access Management (IAM). Further access controls are managed within Governance console.

Every user that accesses the watsonx.governance service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to watsonx.governance.

The access policy that you assign to users in your account determines what actions they can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by watsonx.governance as operations that are allowed to be performed on the service. Each action is mapped to an IAM role that you can assign to a user or group.

IAM access policies enable access to be granted to an individual service instance in your account.

Tasks and roles

Review the following tables, which outline the tasks that each role allows when you work with the watsonx.governance service. Subscription management roles enable users to perform tasks on service subscriptions, for example, assigning user access to the service or creating or deleting instances. Service access roles give users access to Governance console and the ability to call the Governance console API.

Mumbai region

IAM roles - Mumbai region

| Task | Roles required |
|------|----------------|
| Set up watsonx.governance | Account level: Account Admin; Service level: Service User and Model Management Administrator |
| Create inventories | Account level: Account Viewer; Service level: Service User and Model Management Administrator |
| Log in to Governance console as an administrator | Account level: Account Viewer; Service level: Service Owner or Service Admin |
| Log in to Governance console | Account level: Account Viewer; Service level: Service User |

Other regions

IAM roles - other regions

| Task | Roles required |
|------|----------------|
| Log in to Governance console as an administrator | Account level: Account Viewer; Service level: Service Owner or Service Admin |
| Log in to Governance console | Account level: Account Viewer; Service level: Service User |

Service IDs and API access

You can grant services or applications access to your service instance by using service IDs and API keys.

For more information, see Granting access through service IDs and API keys from the IBM SaaS Console.

Assigning access in the IBM SaaS Console

You can assign access in the IBM SaaS Console by using one of these methods:

  • Access policies per user. You can manage access policies per user from the Access Management > Users tab in the console.
  • Access groups. Access groups streamline access management: you assign access to a group once, and then add or remove users from the group as needed to control their access. You can manage access groups and their access from the Access Management > User Groups tab in the console.

For more information, see Getting started with the IBM SaaS Console with accounts.

Users and groups are synchronized to Governance console. Groups are synchronized when they are assigned access.

Assigning access in Governance console

Administrators use Governance console to set up further access controls for users. For more information, see Configuring the Governance console for business users.
