Skip to main contentIBM Quantum Documentation Preview
This is a preview build of IBM Quantum™ documentation. Refer to docs.quantum.ibm.com for the official documentation.

Create access policies and access groups

Note

This documentation is relevant to the new IBM Quantum® Platform. If you need the previous version, return to the IBM Quantum Platform Classic documentation.

When you create an instance in IBM Quantum Platform, an access group is automatically generated for collaborators to use that instance. If you want to customize that access group or create other access groups, use the IBM® Cloud console for Access groups.

An access group contains policies, which define the actions that access group members can take on specific resources, such as services. In this guide, the resource is generally an IBM Quantum service instance.

You can create additional access groups by using the IBM Cloud console, CLI, API, or Terraform.

Create an IBM Quantum Administrators access group

After setting up an account for your organization, it's recommended that you create an IBM Quantum Administrators access group. This access group lets other users create and manage instances, and manage user access for the Qiskit Runtime service.

When you create this access group, include the following policies:

  • Qiskit Runtime service - Grant access to manage all IBM Quantum instances in the account and view account usage analytics.
    • Manager service access role
    • Administrator platform management access role
  • All account management services - Grant access to list all the resource groups in the account.
    • Viewer platform management access role
  • All IAM Account Management services - Grant access to invite users, manage access groups, and create access policies.
    • Administrator platform management access role
Note

Users with the viewer platform management role on "all account management services" can also view services such as billing. If you want to prevent this extra view access, use the IBM Cloud CLI to give them access to just Resource groups:

ibmcloud iam access-group-policy-create <group name> --roles Viewer --resource-type resource-group

Follow these examples to create an IBM Quantum Administrators access group by using the IBM Cloud CLI or console.

Use the IBM Cloud CLI

To create an access group by using the CLI, use the ibmcloud iam access-group-create command.

ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]

To create an access group policy by using the CLI, use the ibmcloud iam access-group-policy-create command.

ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

You can use the following JSON code to create policies for an Administrators access group:

  • All Account Management services (viewer)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "serviceType",
                    "value": "platform_service"
                }
            ]
        }
    ]
}
  • Qiskit Runtime Service (Manager, Administrator)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"
        },
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "serviceName",
                    "value": "quantum-computing"
                }
            ]
        }
    ]
}
  • All IAM Account Management services (administrator)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "service_group_id",
                    "value": "IAM"
                }
            ]
        }
    ]
}

Use the IBM Cloud IAM console

As an account owner or administrator, follow these steps to create an IBM Quantum Administrator access group.

  1. Go to Manage > Access (IAM) in the IBM Cloud console.
  2. On the left panel in the Manage access section, click Access groups, then click Create.
  3. In the Create access group window that opens, add a name and description that represent the group of users that you will invite. For example, IBM Quantum Administrators. Click Create.

Next, create policies for the Qiskit Runtime service, for All IAM Account Management services, and for All Account Management services.

  1. In the access group just created, click the Access tab, then click Assign access.

  2. In the Create policy page that opens, define these elements:

    • Service - Search for Qiskit Runtime and select it. Click Next.
    • Resources - Select All resources. Click Next. Note: If you were creating a policy that you want to apply only to a certain instance, you would instead choose Specific resources, Service instance, string equals, then select the instance.
    • Roles and actions - Select the following values:
      • For Service access, select Manager.
      • For Platform access, select Administrator.

    At the bottom, click Add. You should see the policy on the right-hand panel. Click Assign at the bottom of that panel.

You have successfully created an access group with one policy. Next, create a second policy for the same instance.

  1. In the same access group, click the Access tab, then click Assign access.
  2. In the Create policy page that opens, define these elements:
    • Service - Select All IAM Account Management services. Click Next.
    • Roles and actions - For Platform access, select Administrator, Click Next. At the bottom, click Add, then click Assign.

Create a third policy for the same instance.

  1. In the same access group, click the Access tab, then click Assign access.
  2. In the Create policy page that opens, define these elements:
    • Service - Select All Account Management services. Click Next.
    • Roles and actions - For Platform access, select Viewer, Click Next. At the bottom, click Add, then click Assign.

Finally, add users to the access group. You can do this from the access group's Users page, or by using the IBM Quantum Platform Access management page.

Note

You can only invite users who are already members of the account. If you don't see a user on the Add users page, follow the steps in Invite and manage users to add them to the account first. After they accept the invitation, you can add them to the access group.

Next steps

Recommendations