IBM Cloud Docs
Planning for the Watsonx.ai SaaS with Assistant and Governance deployable architecture

Planning for the Watsonx.ai SaaS with Assistant and Governance deployable architecture

By using this deployable architecture, you can create and configure a set of IBM Cloud services in an IBM Cloud target account. You can configure access to the IBM watsonx platform for an existing user that's invited in the target account, also known as the IBM watsonx admin. Then, use IBM Cloud projects as the deployment tool. Complete the following steps before you deploy the Watsonx.ai SaaS with Assistant and Governance deployable architecture.

Confirm your IBM Cloud target account settings

  1. Confirm or set up the IBM Cloud target account:

Make sure that you have an IBM Cloud Pay-As-You-Go or Subscription account: - If you don't have an IBM Cloud account, create one. - If you have a Trial or Lite account, upgrade your account.

  1. Configure your IBM Cloud target account:
    1. Log in to IBM Cloud with the IBMid you used to set up the account. This IBMid user is the account owner and has full IAM access.
    2. Complete the company profile and contact information for the account. This profile is required to stay in compliance with IBM Cloud Financial Services profile.
    3. Enable the Financial Services Validated option for your account.

Set the IAM permissions

  1. Set up target account access with (Cloud Identity and Access Management (IAM)):
    1. For compliance with IBM Cloud Framework for Financial Services: Require users in your account to use multifactor authentication (MFA).
    2. Set up access groups.

User access to IBM Cloud resources is controlled by using the access policies that are assigned to access groups. For IBM Cloud Financial Services validation, do not assign direct IAM access to any IBM Cloud resources. You can set up one access group for the users that can deploy the solution, and one for the IBM watsonx administrators.

Verify access roles

IAM access roles are required to install this deployable architecture and create all the required elements in the IBM Cloud target account:

  • Administrator role on All Account Management services
  • Editor platform role on Watson Machine Learning
  • Editor platform role on Watson Studio
  • Editor platform role Cloud Object Storage
  • Editor platform role on watsonx.data
  • Editor platform role on watsonx.governance
  • Editor platform role on watsonx Assistant
  • Editor platform role on Watson Discovery
  • Editor platform role on watsonx Orchestrate
  • Manager service role on the IBM Key Protect instance if you want to enable storage delegation for the Cloud Object Storage instance provisioned with the Watsonx.ai SaaS with Assistant and Governance deployable architecture.

Additional IAM access roles are required to configure the IBM watsonx administrator in the IBM Cloud target account:

  • Administrator role on All Account Management services
  • Administrator role on All Identity and Access enabled services
  • Manager service role on Cloud Object Storage to create service credentials. This is not needed if you enable storage delegation for the Cloud Object Storage instance provisioned with the Watsonx.ai SaaS with Assistant and Governance deployable architecture.

To set up access groups for specific users and use cases, use the Terraform access group module.

For information about configuring permissions, contact your IBM Cloud account administrator.

Access for IBM Cloud projects

You should use IBM Cloud projects as a deployment option. Projects are designed with infrastructure as code and compliance in mind to help ensure that your projects are managed, secure, and always compliant. For more information, see Learn about IaC deployments with projects.

The IBM Cloud account where your project is located might be different than the IBM Cloud target account where you are going to install the Watsonx.ai SaaS with Assistant and Governance deployable architecture. The following information refers to the permissions you must have in the project account to create a project and create project tools resources within the account. Make sure that you have the following access:

  • The Editor role on the Projects service
  • The Editor and Manager role on the Schematics service
  • The Viewer role on the resource group for the project

For more information, see Assigning users access to projects.

Setup the IBM Cloud projects for deploying in the IBM Cloud target account

Before creating a project to manage the Watsonx.ai SaaS with Assistant and Governance deployable architecture, you must authorize the deployment.

You can authorize the deployments by using an API key with Secrets Manager to authorize a project to deploy an architecture or configuring a trusted profile with the IBM Cloud target account.