113 lines
9.1 KiB
Plaintext
113 lines
9.1 KiB
Plaintext
---
|
|
title: Considerations for setting up IBM Quantum Platform for an organization
|
|
description: Considerations for setting up IBM Quantum Platform in an organization
|
|
platform: cloud
|
|
---
|
|
{/* cspell:ignore chemlab */}
|
|
|
|
# Considerations for setting up IBM Quantum Platform for an organization
|
|
<Admonition type="note">
|
|
This documentation is relevant to the new IBM Quantum® Platform. If you need the previous version, return to the [IBM Quantum Platform Classic documentation.](https://docs.quantum.ibm.com/admin/)
|
|
</Admonition>
|
|
|
|
In an organization where individuals might work on several projects, IBM Quantum Platform governance can seem complex. However, access management can be used to easily enable user collaboration and to restrict visibility of users and projects when necessary. Managing access becomes more relevant with IBM Quantum Platform resources that are not free - that is, service instances that use paid plans (which organizations are charged for).
|
|
|
|
<span id="overview-org"></span>
|
|
## Overview
|
|
|
|
<Admonition type="note">
|
|
IBM Cloud® provides various ways to implement these mechanisms described in this guide. There are several ways to achieve these objectives. Additionally, most of the steps in this guide are generic to IBM Cloud and not specific to IBM Quantum Platform, except the custom role details.
|
|
</Admonition>
|
|
|
|
### Involved personas
|
|
|
|
The are several main personas that are mentioned in this guide:
|
|
|
|
* **User**: Someone who gets access to IBM Quantum Platform resources (_service instances_) and can potentially collaborate with other users on these resources. Users' access is controlled by an administrator and they cannot create or delete service instances.
|
|
* **Cloud administrator**: An IBM Cloud account owner who owns IBM Quantum Platform resources and manages which users can access these resources. As the resource owner, the administrator is charged for any paid resource use.
|
|
* **IDP administrator**: An administrator who defines identities and their attributes in an identity provider (IDP).
|
|
|
|
### Terminology
|
|
|
|
This guide uses the following terms:
|
|
|
|
* _Resource_: A generic IBM Cloud term that refers to an object that can be managed through the Cloud user interface, CLI, or API. For this guide, a _resource_ is an IBM Quantum Platform service instance.
|
|
* _Service instance_: A service instance is used to access Cloud functions. Specifically, quantum computing on real devices or simulators. It is defined through the catalog. You can define several service instances based on the same or different plans, which offer access to different quantum computing backends. See [Available IBM Cloud plan](/docs/guides/plans-overview) for details.
|
|
* _Project_: A grouping unit that enables users to work on the same resources. This guide uses two projects: `ml` and `finance`. See [Hierarchical project structures](#nest-org) for more information.
|
|
|
|
<Admonition type="note">
|
|
This project is not related to the "project" concept in the classic IBM Quantum® Platform.
|
|
</Admonition>
|
|
|
|
<span id="xplanning-orgx"></span>
|
|
## Plan your setup
|
|
|
|
Before you set up IBM Quantum Platform for your organization, you need to make these decisions:
|
|
|
|
* How are user identities defined? You can set up IBM Cloud users, users from another IDP, or both.
|
|
* If you are using a different IDP, does the Cloud administrator or the IDP administrator assign users to project resources?
|
|
* If the IDP administrator assigns users to projects, you need a string to be used as a key, such as `project` (which this guide uses) for project comparisons.
|
|
* What are the projects and which service instances will belong to each? You must plan your project names carefully.
|
|
* Do not make project names substrings of another. For example, if you use `ml` and `chemlab` for project names, then later you set up a project match for `ml`, it triggers on both values, accidentally granting more access than expected. Instead, use unique names such as `ml` and `chem-lab`. Alternatively, use prefix or suffix values to avoid such unintended substring matches.
|
|
* Using naming conventions along with prefix or suffix values can help you easily allow access to several projects.
|
|
* Quantum experiments (jobs) belong to service instances, and users that have access to an instance can see its jobs.
|
|
* Service instances can be based on different plans, allowing access to different backends like real devices or simulators.
|
|
* Which users need to access which projects?
|
|
* Should users be able to delete jobs? Keeping jobs in service instances gives more traceability for billing costs.
|
|
* Will you use access groups that directly reference IBM Quantum Platform service instances or organize services into resource groups?
|
|
* **Access groups** are a convenient and common way of controlling user access for IBM Cloud resources. They are a simple but powerful means to consistently assign user access. We create an access group for each project and map users to access groups. Each access group uses a custom role that allows users to access specific service instances or resource groups.
|
|
* **Resource groups** are used only when you need to maintain a clear separation of service instances. If more service instances are created in a resource group, all users that have access to the resource group see them automatically without updating access groups. If you choose to use resource groups, you will create access groups and then assign them to resource groups.
|
|
|
|
<Admonition type="note">
|
|
A service instance can belong to only one resource group, and after instances are assigned into resource groups, they cannot be changed. This also means that the resource group assignment can happen only at service instance creation. Therefore, resource groups might not provide enough flexibility if assignments of service instances to resource groups might need to change.
|
|
</Admonition>
|
|
|
|
## Considerations
|
|
|
|
You should understand the following considerations when setting up your environment.
|
|
|
|
### Define more fine-grained roles
|
|
|
|
The actions in the custom roles can be used for more fine-grained access control. For example, some users might need full access to work on service instances, while others might only need Read access to service instances, programs, and jobs.
|
|
|
|
To achieve that, define two different custom roles, such as `MLreader` and `MLwriter`. Remove all cancel, delete, and update roles from the `MLreader` custom role, and include all actions in the `MLwriter` custom role. Next, add the roles to two different access groups accordingly.
|
|
|
|
<Admonition type="note">
|
|
When using dynamic rules, that is, when the identity provider (IDP) administrator manages access through custom IDP user attributes, do not use IDP custom user attributes that are substrings of each other. For instance, don't use `ml` and `mlReader`, as the string comparison of `ml` would also accept `mlReader`. You could use `MLreader` and `MLwriter` to avoid this conflict.
|
|
</Admonition>
|
|
|
|
For an example of setting up custom roles, see [Create access groups for projects](/docs/guides/custom-roles).
|
|
|
|
<span id="shared-access"></span>
|
|
### Shared workload access
|
|
|
|
It is important to note that access applies to service instances. Thus, users with 'write' access to an instance can cancel their own workloads, but can also view and cancel other users' workloads. This is a function of how IAM works and cannot be changed.
|
|
|
|
<span id="other-cloud-rsc-org"></span>
|
|
### Other Cloud resources
|
|
|
|
The steps in this guide can be used to manage access to other Cloud resources as well. Include the appropriate permissions to the access groups of the relevant projects.
|
|
|
|
<span id="nest-org"></span>
|
|
### Hierarchical project structures
|
|
|
|
In this guide, the mapping of users to projects and service instances was kept simple. However, by associating several users with access groups and referencing service instances from several access groups, more complex mappings can be implemented.
|
|
|
|
This method can accommodate a hierarchical structure. That is, it can align to how users might be assigned to the Hub/Group/Project access structure in the classic version of IBM Quantum® Platform. For example, a _group_ could be an access group that is assigned to all service instances of the group's projects. Users who should get access to all of the group's projects would then only have to be added to the group's access group.
|
|
|
|
<span id="repeat-org"></span>
|
|
### Consistent and repeatable deployment of the configuration
|
|
|
|
The steps of this guide can be automated for consistent and repeatable management of users, projects, and the mapping between those. Refer to the [Terraform IBM Cloud® Provider documentation](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs) for templates.
|
|
|
|
## Next steps
|
|
|
|
<Admonition type="tip" title="Recommendations">
|
|
* See [Configure IBM Quantum Platform for an organization](./quickstart-steps-org) for the steps to set up IBM Quantum Platform.
|
|
* [Understand available plans.](/docs/guides/plans-overview)
|
|
* [Create instances.](/docs/guides/instances)
|
|
* [Understand the IBM Cloud structure.](/docs/guides/cloud-account-structure)
|
|
* [Create policies and access groups.](/docs/guides/access-groups)
|
|
* [Manage users.](/docs/guides/invite-and-manage-users)
|
|
</Admonition>
|