IBM Cloud Docs
Managing users in an account

Managing users in an account

Use IBM Cloud® Identity and Access Management (IAM) to manage users in your account. You can invite users, cancel invitations, remove a user from an account, or update a user's IBMid.

All users must accept an invitation to become an active user within a new account. Learn more.

Before you begin

Inviting users to an account

To invite users and manage outstanding invitations, you must have at least one of the following types of access. Only users can invite others. If you use a service ID to authenticate, you can't invite new users to the account.

  • Account owner
  • An IAM access policy with the Editor role or higher on the user management account management service
  • The Manage Users classic infrastructure permission to add users

Depending on your access level, you can invite new users and assign all or just some types of access.

Before you can invite users by using Terraform, make sure that you have completed the following:

  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Removing users from an account

Only account owners and users with the correct access can remove others. If you use a service ID to authenticate, you can't remove users from the account. The following access is required for removing users from an account:

  • An Identity and access management (IAM) policy for the User management account management service with the Administrator role assigned.
  • If you have classic infrastructure in your account, a user must have an IAM policy for the User management account management service with the Administrator role assigned and be an ancestor of the user in the classic infrastructure user hierarchy with the Manage user classic infrastructure permission assigned.

Changing a user's IBMid

To change an IBMid, the replacement ID must already exist. If you're not sure if the new IBMid exists, users can go to My IBM and click Create an IBMid. If you enter an email address that corresponds to a federated identity provider (IdP) domain, IBMid redirects you to that IdP's login page. First-time logins to IBM® using a federated IdP triggers the creation of a new IBMid. Otherwise, follow the steps to create the ID. The email address that is used becomes the user's new replacement IBMid.

Inviting users in the console

To invite users, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Users.

  2. Click Invite users.

  3. Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access. You can restrict membership to your account based on the domain of the users that are invited. This way, only users from a specific domain can be invited to the account.

    For more information, see Restrict user domains for account invitations.

  4. Add one or more of the access options that you manage. You must assign at least one access option. For any access options that you don't add and configure, the default value of No access is assigned. Depending on the options that you are authorized to manage, you can assign the following types of access:

    • Add users to access groups. Click Add for each access group that you want the users to belong to.
    • Manually assign users access. Expand the section to assign individual IAM access policies or classic infrastructure permissions.
      • Select Classic infrastructure, and then choose from the three permission sets.
      • Select a group of services like All Identity and Access enabled services, All Account management services, and All IAM Account Management services, or a specific service. Next, you can scope the access to the entire account or just one resource group. Then, select all roles that apply. To view what actions are mapped to each role, click the numbers listed next to each role. Some services support the use of advanced operators to grant access to resources that satisfy specific naming conventions. See Assigning access by using wildcard policies for more information.
      • Select Account management, and then choose from the all account management services option or select a specific service. Then, select all roles that apply.
  5. Select Add to save the access assignment to the invitation.

  6. After you add all the necessary access assignments, click Invite.

You can cancel an invitation for any users that are shown in a Processing or Pending state in the Status column of the Users page. If an invited user did not receive an invitation, you can resend the invitation to any user in a Pending state. You can add more policies and permissions only after a user accepts the invitation.

Adding VPN-only users

Any user with the following permissions can add a VPN-only user:

  • For classic infrastructure, you must have the Manage Users permission on the account.
  • For IAM access, you must have the Administrator or Editor role on the user management account management service.

To add a VPN-only user, use the following steps:

  1. On the Users page, click Add VPN-only user.
  2. Enter the personal information details for the user.
  3. Click Save.

Inviting users by using the CLI

To invite users by using the CLI, run the following command:

ibmcloud account user-invite USER_EMAIL [-o ORG [--org-role ORG_ROLE] [-s SPACE, --space-role SPACE_ROLE]]

By using the CLI, you can choose not to assign access and work on assigning access later. For more information about the command parameters, see ibmcloud account user-invite.

Inviting users by using the API

You can use the API to invite users in bulk. All users that are included in a single invitation are assigned the same access. When you invite users by using the API, you enter emails in a comma-separated list with each entry that is surrounded by quotations. This example assigns access by adding the user to an access group.

curl -X POST https://user-management.cloud.ibm.com/v2/accounts/987d4cfd77b04e9b9e1a6asdcc861234/users -H 'Authorization: Bearer <IAM_TOKEN>'
  -H 'Content-Type: application/json' -d '{
      "users": [
      {
        "email": "cloud_api_example_member@ibm.com",
        "account_role": "Member"
      }],
      "iam_policy": [{
        "type": "access",
        "roles": [{
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }],
        "resources": [{
          "attributes": [{
              "name": "accountId",
              "value": "987d4cfd77b04e9b9e1a6asdcc861234"
            },
            {
              "name": "resourceType",
              "value": "resource-group"
            },
            {
              "name": "resource",
              "value": "2c7449dd871049c29ec3a53853ce123e"
            }
          ]
        }]
      }],
      "access_groups":[
        "AccessGroupId-******-0f54-4d4f-89c2-e5fdc0b9a28c",
        "AccessGroupId-******-3087-4395-a382-a8e8ff9ccc23"
      ]
    }'
InviteUser inviteUserModel = new InviteUser.Builder()
        .email(memberEmail)
        .accountRole("Member")
        .build();
Role roleModel = new Role.Builder()
        .roleId(viewerRoleId)
        .build();
Attribute attributeModel = new Attribute.Builder()
        .name("accountId")
        .value(accountId)
        .build();
Attribute attributeModel2 = new Attribute.Builder()
        .name("resourceGroupId")
        .value("*")
        .build();
Resource resourceModel = new Resource.Builder()
        .addAttributes(attributeModel)
        .addAttributes(attributeModel2)
        .build();
InviteUserIamPolicy inviteUserIamPolicyModel = new InviteUserIamPolicy.Builder()
        .type("access")
        .addRoles(roleModel)
        .addResources(resourceModel)
        .build();
InviteUsersOptions inviteUsersOptions = new InviteUsersOptions.Builder()
        .accountId(accountId)
        .addUsers(inviteUserModel)
        .addIamPolicy(inviteUserIamPolicyModel)
        .addAccessGroups(accessGroupId)
        .build();
Response<InvitedUserList> response = adminService.inviteUsers(inviteUsersOptions).execute();
InvitedUserList invitedUserList = response.getResult();
System.out.println(invitedUserList);
const inviteUserModel = {
  email: memberEmail,
  account_role: 'Member',
};
const roleModel = {
  role_id: viewerRoleId,
};
const attributeModel = {
  name: 'accountId',
  value: accountId,
};
const attributeModel2 = {
  name: 'resourceGroupId',
  value: '*',
};
const resourceModel = {
  attributes: [attributeModel, attributeModel2],
};
const inviteUserIamPolicyModel = {
  type: 'access',
  roles: [roleModel],
  resources: [resourceModel],
};
const params = {
  accountId: accountId,
  users: [inviteUserModel],
  iamPolicy: [inviteUserIamPolicyModel],
  accessGroups: [accessGroupId],
};
userManagementAdminService.inviteUsers(params)
  .then(res => {
    deleteUserId = res.result.resources[0].id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });
invite_user_model = {
  'email': member_email,
  'account_role': 'Member'
}
role_model = {'role_id': viewer_role_id}
attribute_model = {'name': 'accountId', 'value': account_id}
attribute_model2 = {'name': 'resourceGroupId', 'value': '*'}
resource_model = {'attributes': [attribute_model, attribute_model2]}
invite_user_iam_policy_model = {
  'type': 'access',
  'roles': [role_model],
  'resources': [resource_model]
}
invite_user_response = user_management_admin_service.invite_users(
  account_id=account_id,
  users=[invite_user_model],
  iam_policy=[invite_user_iam_policy_model],
  access_groups=[access_group_id]
).get_result()
print(json.dumps(invite_user_response, indent=2))
inviteUserModel := &usermanagementv1.InviteUser{
  Email:       &memberEmail,
  AccountRole: core.StringPtr("Member"),
}
roleModel := &usermanagementv1.Role{
  RoleID: &viewerRoleID,
}
attributeModel := &usermanagementv1.Attribute{
  Name:  core.StringPtr("accountId"),
  Value: &accountID,
}
attributeModel2 := &usermanagementv1.Attribute{
  Name:  core.StringPtr("resourceGroupId"),
  Value: core.StringPtr("*"),
}
resourceModel := &usermanagementv1.Resource{
  Attributes: []usermanagementv1.Attribute{*attributeModel, *attributeModel2},
}
inviteUserIamPolicyModel := &usermanagementv1.InviteUserIamPolicy{
  Type:      core.StringPtr("access"),
  Roles:     []usermanagementv1.Role{*roleModel},
  Resources: []usermanagementv1.Resource{*resourceModel},
}
inviteUsersOptions := &usermanagementv1.InviteUsersOptions{
  AccountID:    &accountID,
  Users:        []usermanagementv1.InviteUser{*inviteUserModel},
  IamPolicy:    []usermanagementv1.InviteUserIamPolicy{*inviteUserIamPolicyModel},
  AccessGroups: []string{accessGroupID},
}
invitedUserList, response, err := userManagementAdminService.InviteUsers(inviteUsersOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(invitedUserList, "", "  ")
fmt.Println(string(b))

You can assign access to a group of services. To assign access to All Identity and Access enabled services, specify serviceType for the name attribute, and use the value service. To assign access to All Account Management services, specify serviceType for the name attribute, and use the value platform_service. To assign access to the subset of account management services All IAM Account Management services, specify service_group_id for the name attribute, and use the value IAM.

Inviting users by using Terraform

You can invite users to your IBM Cloud account by using Terraform.

  1. Create an argument in your main.tf file. The following example invites users by using the ibm_iam_user_invite resource, where users are the list of user email IDs to invite.
    resource "ibm_iam_user_invite" "invite_user" {
     users = ["test@in.ibm.com"]
    }
    
    For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
  2. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.
      terraform apply
      

Canceling or resending pending invitations

After inviting new users to join your account, IBM Cloud requires all except VPN-only users to accept the invitation to become an active user in your account.

The invitation expires after 30 days. New users to IBM Cloud can accept an invitation only by using the invitation link that they received through email.

You can cancel an invitation for any users that are shown in a Processing or Pending state in the Status column of the Users page. If an invited user did not receive an invitation, you can resend the invitation to any user in a Pending state.

  1. Go to the Users page.
  2. Locate the row for the user in Processing or Pending state.
  3. Click the Actions icon More Actions icon, then choose to Resend invite or Cancel invite.

Accepting invitations in the console

If the invited user is already a member of IBM Cloud, they receive an invitation link in their notifications and by email. On the Notifications page, users can use the search field to locate an invitation or filter by the notification type called account. For more information, see Managing invitation notifications and Viewing notifications.

Accepting invitations by using the CLI

If the invited user is already a member of IBM Cloud, they can accept invitations by using the CLI. In the following ibmcloud login command, the ACCOUNT_ID is the ID of the targeted account that the user is invited to join.

ibmcloud login -c ACCOUNT_ID --accept

Accepting invitations by using the API

If the invited user is already a member of IBM Cloud, they can accept invitations by using the API. In the following example, the ACCOUNT_ID is the ID of the targeted account that the user is invited to join and the IAM_TOKEN belongs to the invitee.

curl -X POST \
  'https://iam.cloud.ibm.com/v2/users/accept' \
  --header 'Authorization: Bearer <IAM_TOKEN>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "account_id": "<ACCOUNT ID>"
  }

Removing a user from an account by using the console

When you remove a user from an account, the user can no longer log in to the console, switch to your account, or access account resources. Removing a user from an account doesn't delete the IBMid for the user.

To remove a user from an account, complete the following steps:

  1. In the IBM Cloud® console, click Manage > Access (IAM), and select Users.
  2. From the row of the user that you want to remove, click the Actions icon Actions icon > Remove user.

Any resources that are created by the user remain in the account, but any IBM Cloud API keys that the user created are removed. The user no longer has access to work with the resources they created. The account owner or an administrator for the service or service instance can assign other users to work with the resources, or delete them from the account.

If you get an error message that states a classic infrastructure user can't be removed, make sure that any descendants in the user hierarchy for that user are assigned a new parent, disabled in the account, or deleted. Then, you can try again.

As an alternative to removing a user from your account, you can assign them an access policy with a temporary time-based condition. This way, the user can log in to the console and view the account in their account list, but can't access resources in the account before the policy begins or after the policy expires. For more information, see Creating a temporary time-based condition.

Removing a user from an account by using the CLI

To remove a user from an account, run the following command:

ibmcloud account user-remove USER_ID [-c ACCOUNT_ID] [-f, --force]

For command options, see Managing accounts and users CLI commands.

Removing a user from an account by using the API

To remove a user from an account, call the User Management API as shown in the following sample request.

Replace variables with the user's IAM ID. You must use a user token for authorization. Service IDs can't remove users from an account.

curl -X DELETE https://user-management.cloud.ibm.com/v2/accounts/987d4cfd77b04e9b9e1a6asdcc861234/users/IBMid-1000000000 -H 'Authorization: Bearer <IAM_TOKEN>' -H 'Content-Type: application/json'
RemoveUserOptions removeUserOptions = new RemoveUserOptions.Builder()
  .accountId(accountId)
  .iamId(deleteUserId)
  .build();
service.removeUser(removeUserOptions).execute();
const params = {
  accountId: accountId,
  iamId: deleteUserId,
};
userManagementAdminService.removeUser(params)
  .then(res => {
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });
response = user_management_admin_service.remove_user(
  account_id=account_id,
  iam_id=delete_user_id,
).get_result()
print(json.dumps(response, indent=2))
removeUserOptions := userManagementService.NewRemoveUserOptions(
  accountID,
  deleteUserID,
)
response, err := userManagementAdminService.RemoveUser(removeUserOptions)
if err != nil {
  panic(err)
}

You can also remove a user by their user ID or by their email address and realm. Either the user ID or email and realm is required. For more information, see Remove user from account by user ID or email.

curl -X DELETE https://user-management.cloud.ibm.com/v2/accounts/987d4cfd77b04e9b9e1a6asdcc861234/users?user_id=user%40ibm.com&email=user.email%40ibm.com&realm=ibmid -H 'Authorization: Bearer <IAM_TOKEN>' -H 'Content-Type: application/json'

Changing a user's IBMid by using the console

As an account owner, you can update a user's IBMid. The new IBMid that you use to replace the current IBMid must already exist. The IBMid you're replacing is removed from the account. If you need the existing IBMid to continue to be a member of the account, you must invite the user again and reestablish their access.

Account owners can't change their own IBMid.

After the user ensures that the new IBMid exists, complete the following steps to change the user's IBMid:

  1. Go to Manage > Access (IAM) > Users in the IBM Cloud® console, and select the user whose IBMid you want to update.
  2. In the Details section, click Update IBMid.
  3. Enter the new IBMid, and click Update.

The user can now log in to ibm.com with their new IMBid and continue working in the IBM Cloud account with the access assigned to their previously used IBMid.