This is a preview build of IBM Quantum® documentation. Refer to quantum.cloud.ibm.com/docs for the official documentation.

Create access policies and access groups

When you create an instance in IBM Quantum® Platform, an access group is automatically generated for collaborators to use that instance. If you want to customize that access group or create other access groups, use the IBM® Cloud console for Access groups.

An access group contains policies, which define the actions that access group members can take on specific resources, such as services. In this guide, the resource is generally an IBM Quantum service instance.

You can create additional access groups by using the IBM Cloud® console, CLI, API, or Terraform.

Important

To determine the actions allowed by each role, from the IAM Roles page, select Qiskit Runtime in the dropdown menu at the top of the page. For a more detailed list, click the number in the column next to the role name. For example, by visiting that page and clicking the number by the Manager role, you can see that this role includes the ability to delete a job (quantum-computing.job.delete).

The Compare pre-defined service role actions section provides a comparison of the pre-defined Manager, Writer, and Reader roles.


Create an IBM Quantum Administrators access group

After setting up an account for your organization, it's recommended that you create an IBM Quantum Administrators access group. This access group lets other users create and manage instances, and manage user access for the Qiskit Runtime service.

When you create this access group, include the following policies:

  • Qiskit Runtime service - Grant access to manage all IBM Quantum instances in the account and view account usage analytics.
    • Manager service access role
    • Administrator platform management access role
  • All account management services - Grant access to list all the resource groups in the account.
    • Viewer platform management access role
  • All IAM Account Management services - Grant access to invite users, manage access groups, and create access policies.
    • Administrator platform management access role
  • Support Center service - Grant access to enable users to open support cases through IBM Cloud Support Center.
    • Administrator platform management access role

Note

Users with the viewer platform management role on "all account management services" can also view services such as billing. If you want to prevent this extra view access, use the IBM Cloud CLI to give them access to just Resource groups:

ibmcloud iam access-group-policy-create <group name> --roles Viewer --resource-type resource-group

Follow these examples to create an IBM Quantum Administrators access group by using the IBM Cloud CLI or console.

Use the IBM Cloud CLI

To create an access group by using the CLI, use the ibmcloud iam access-group-create command.

ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]

To create an access group policy by using the CLI, use the ibmcloud iam access-group-policy-create command.

ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

You can use the following JSON code to create policies for an Administrators access group:

  • All Account Management services (viewer)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "serviceType",
                    "value": "platform_service"
                }
            ]
        }
    ]
}
  • Qiskit Runtime Service (Manager, Administrator)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"
        },
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "serviceName",
                    "value": "quantum-computing"
                }
            ]
        }
    ]
}
  • All IAM Account Management services (administrator)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "service_group_id",
                    "value": "IAM"
                }
            ]
        }
    ]
}
  • Support Center service (administrator)
{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "[ACCOUNT_ID]"
                },
                {
                    "name": "serviceName",
                    "value": "support"
                }
            ]
        }
    ]
}
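
The CLI flow above as one script, added here as an example (not IBM's code): it renders the four policy documents with the account ID filled in and passes each one to ibmcloud iam access-group-policy-create with --file. The function names, file names, and the alphanumeric account-ID check are assumptions of this example.

```bash
#!/bin/sh
# Added example (not IBM's code): build the four policy files shown above
# and create the IBM Quantum Administrators access group from them.
set -eu

# render_policy ACCOUNT_ID ATTR_NAME ATTR_VALUE ROLE_CRN...
# Prints one policy document in the same shape as the JSON on this page.
render_policy() {
  rp_account=$1 rp_name=$2 rp_value=$3; shift 3
  rp_roles=""
  for rp_crn in "$@"; do
    rp_roles="${rp_roles:+$rp_roles, }{\"role_id\": \"$rp_crn\"}"
  done
  printf '{"type": "access", "roles": [%s], "resources": [{"attributes": [{"name": "accountId", "value": "%s"}, {"name": "%s", "value": "%s"}]}]}\n' \
    "$rp_roles" "$rp_account" "$rp_name" "$rp_value"
}

# write_admin_policies ACCOUNT_ID OUT_DIR
# The alphanumeric check is an assumption about account IDs; it keeps
# quotes and other JSON metacharacters out of the generated files.
write_admin_policies() {
  case $1 in
    ''|*[!A-Za-z0-9]*) echo "account ID must be alphanumeric" >&2; return 1 ;;
  esac
  crn=crn:v1:bluemix:public:iam::::
  render_policy "$1" serviceType platform_service "${crn}role:Viewer" > "$2/account-mgmt-viewer.json"
  render_policy "$1" serviceName quantum-computing "${crn}serviceRole:Manager" "${crn}role:Administrator" > "$2/qiskit-runtime.json"
  render_policy "$1" service_group_id IAM "${crn}role:Administrator" > "$2/iam-admin.json"
  render_policy "$1" serviceName support "${crn}role:Administrator" > "$2/support-admin.json"
}

# apply_admin_group GROUP_NAME ACCOUNT_ID [narrow]
# "narrow" swaps the account-wide Viewer policy for the resource-group-only
# Viewer policy from the Note above, so members cannot view billing.
apply_admin_group() {
  dir=$(mktemp -d)
  write_admin_policies "$2" "$dir"
  ibmcloud iam access-group-create "$1" -d "IBM Quantum administrators"
  if [ "${3:-}" = narrow ]; then
    rm "$dir/account-mgmt-viewer.json"
    ibmcloud iam access-group-policy-create "$1" --roles Viewer --resource-type resource-group
  fi
  for f in "$dir"/*.json; do
    ibmcloud iam access-group-policy-create "$1" --file "@$f"
  done
}

# Runs only when invoked as: script.sh --apply GROUP_NAME ACCOUNT_ID [narrow]
if [ "${1:-}" = "--apply" ]; then shift; apply_admin_group "$@"; fi
```

Review the generated files before applying them: three of the four policies grant the Administrator platform role, so membership of this group should be limited to the people who manage access for the account.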

Use the IBM Cloud IAM console

As an account owner or administrator, follow these steps to create an IBM Quantum Administrator access group.

  1. Go to Manage > Access (IAM) in the IBM Cloud console.
  2. On the left panel in the Manage access section, click Access groups, then click Create.
  3. In the Create access group window that opens, add a name and description that represent the group of users that you will invite. For example, IBM Quantum Administrators. Click Create.

Next, create policies for the Qiskit Runtime service, for All IAM Account Management services, and for All Account Management services.

  1. In the access group just created, click the Access tab, then click Assign access.

  2. In the Create policy page that opens, define these elements:

    • Service - Search for Qiskit Runtime and select it. Click Next.
    • Resources - Select All resources. Click Next. Note: If you were creating a policy that you want to apply only to a certain instance, you would instead choose Specific resources, Service instance, string equals, then select the instance.
    • Roles and actions - Select the following values:
      • For Service access, select Manager.
      • For Platform access, select Administrator.

    At the bottom, click Add. You should see the policy on the right-hand panel. Click Assign at the bottom of that panel.

You have successfully created an access group with one policy. Next, create a second policy for the same instance.

  1. In the same access group, click the Access tab, then click Assign access.
  2. In the Create policy page that opens, define these elements:
    • Service - Select All IAM Account Management services. Click Next.
    • Roles and actions - For Platform access, select Administrator. Click Next. At the bottom, click Add, then click Assign.

Create a third policy for the same instance.

  1. In the same access group, click the Access tab, then click Assign access.
  2. In the Create policy page that opens, define these elements:
    • Service - Select All Account Management services. Click Next.
    • Roles and actions - For Platform access, select Viewer. Click Next. At the bottom, click Add, then click Assign.

Create a fourth policy for the same instance.

  1. In the same access group, click the Access tab, then click Assign access.
  2. In the Create policy page that opens, define these elements:
    • Service - Select Support Center. Click Next.
    • Roles and actions - For Platform access, select Administrator. Click Next. At the bottom, click Add, then click Assign.

Finally, add users to the access group. You can do this from the access group's Users page, or by using the IBM Quantum Platform Access management page.

Note

You can only invite users who are already members of the account. If you don't see a user on the Add users page, follow the steps in Invite and manage users to add them to the account first. After they accept the invitation, you can add them to the access group.


Compare permissions

The following table displays which permissions are granted to three entities: account owners, IBM Quantum Administrators (see the Create an IBM Quantum Administrators access group section), and instance collaborators (a "Collaborators" access group is automatically generated whenever you create an instance using IBM Quantum Platform).

Key:

✅ Has permission

✴️ Involves a dependency

❌ Does not have permission

PermissionsAccount ownerIBM Quantum Administrators (access group)Instance collaborators (access group)
Full access to all IBM Cloud resources✅ (Only to Qiskit Runtime instances)❌ (Only to a particular Qiskit Runtime instance)
Assign access to others✅ (Only to Qiskit Runtime service)
Create service instances✅ (All IBM Cloud catalog)✅ (Only Qiskit Runtime service instances)
View all users✴️ (Depends on user visibility settings)
Set user visibility
Invite users to the account
Billing responsibility
View billing information
Owner notifications
Submit quantum workloads✅ (On all Qiskit Runtime instances)✅ (On all Qiskit Runtime instances)✅ (Only on a particular Qiskit Runtime instance)
View quantum workloads✅ (On all Qiskit Runtime instances)✅ (On all Qiskit Runtime instances)✅ (Only on a particular Qiskit Runtime instance)
Cancel quantum workloads✅ (On all Qiskit Runtime instances)✅ (On all Qiskit Runtime instances)✅ (Only on a particular Qiskit Runtime instance)
Delete quantum workloads✅ (On all Qiskit Runtime instances)✅ (On all Qiskit Runtime instances)
Create support cases✅ (If the access policy is included in the access group)✅ (If the access group gives access to a Premium Plan instance)
Configure an identity provider to connect your external user repositories to your IBM Cloud account

Compare pre-defined service role actions

The following table displays examples of actions that can be taken by the pre-defined service roles: Manager, Writer, and Reader. To see a complete mapping of Quantum Service roles to actions, visit this table in the IBM Cloud Product guide.

Action | Description | Roles
quantum-computing.session.create | Create a Session/Batch | Manager, Writer
quantum-computing.job.create | Submit a Job | Manager, Writer
quantum-computing.job.read | Read a result | Manager, Reader, Writer
quantum-computing.job.cancel | Cancel a job | Manager, Writer
quantum-computing.job.delete | Delete a job | Manager
quantum-computing.direct-access-backend-properties.read | Read QPU calibrations | Manager, Reader, Writer
quantum-computing.account-analytics-usage.read | See account analytics | Manager, Writer (Only if role is set up for all resources)
quantum-computing.instance-usage.read | See instance usage and remaining time | Manager, Reader, Writer
