Assigning access to resources by using access groups
Get up and running quickly with IBM Cloud Identity and Access Management (IAM) by setting up access groups for quick access assignments, inviting users to your account, and managing their access.
This tutorial is for IAM-enabled resources. For classic infrastructure that doesn't support creating IAM policies for managing access, you can review the classic infrastructure permissions documentation.
Before you begin
If you are new to using IAM, check out the following documentation to learn more about the features, concepts, and components of the access management system:
- What is IBM Cloud Identity and Access Management? provides a quick overview of what IAM is in IBM Cloud, the available features, and links to available CLI and API docs.
- IAM access gives a more in-depth review of how access management works by using access policies.
Create access groups
To streamline the process of assigning access to users in your account, you can create an access group. Access groups are a way to organize users and service IDs so that you can easily assign access by adding one or more policies for the entire group. Then, you can add or remove users and service IDs as needed instead of assigning individual access to each user.
A unique name is required to differentiate access groups in the account.
Set up your groups
To create an access group, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Access Groups.
- Click Create.
- Enter a unique name to identify your access group and an optional description.
- Click Create.
Next, continue to set up your group by adding users or service IDs:
- Select the name of the group that you want to update.
- Click Add users.
- Select the users that you want to add from the list, and click Add to group.
- To add service IDs to the group, click Service IDs.
- Select the IDs that you want to add from the list, and click Add to group.
Assign access to your groups
After you create your access groups, you can assign access to all members of the group with one or more policies. By assigning a group of users access to a group of resources with a single policy, you reduce the overall number of policies that you need to manage.
- From the Access tab, click Assign access.
- Select a single service or group of services. Then, click Next.
- Scope the access to all resources or specific resources based on attributes. Then, click Next.
- Select the level of access that you want to assign.
  If you're assigning access to IAM-enabled services, some services support the use of advanced operators to grant access to resources that satisfy specific naming conventions. See Assigning access by using wildcard policies for more information.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign to assign all added access to your access group.
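To see where an existing account would benefit from the policy reduction described in this section, you can look for identical grants that several users hold individually. The following is an added example, not part of the IBM Cloud documentation: it assumes the policies were exported as JSON in the subjects/roles/resources shape used by the IAM policy API, and every ID in the sample data is constructed.

```python
from collections import defaultdict

def pol(subject_attr, subject, role, service, rg):
    """Build one constructed policy record (assumed export shape, not real account data)."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": subject_attr, "value": subject}]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{role}"}],
        "resources": [{"attributes": [
            {"name": "serviceName", "value": service},
            {"name": "resourceGroupId", "value": rg},
        ]}],
    }

SAMPLE_POLICIES = [  # constructed sample input
    pol("iam_id", "IBMid-EXAMPLE-ALICE", "Viewer", "cloud-object-storage", "rg-example-dev"),
    pol("iam_id", "IBMid-EXAMPLE-BOB", "Viewer", "cloud-object-storage", "rg-example-dev"),
    pol("iam_id", "IBMid-EXAMPLE-CAROL", "Viewer", "cloud-object-storage", "rg-example-dev"),
    pol("iam_id", "IBMid-EXAMPLE-BOB", "Editor", "kms", "rg-example-dev"),
    pol("access_group_id", "AccessGroupId-EXAMPLE-1", "Viewer", "kms", "rg-example-dev"),
]

def signature(policy):
    """Hashable key for what a policy grants (roles + resources), ignoring who holds it."""
    roles = tuple(sorted(r["role_id"] for r in policy["roles"]))
    res = tuple(sorted(
        tuple(sorted((a["name"], a["value"]) for a in r["attributes"]))
        for r in policy["resources"]))
    return roles, res

def consolidation_candidates(policies, min_members=2):
    """Map each grant held individually by >= min_members users to those users."""
    holders = defaultdict(set)
    for p in policies:
        for s in p["subjects"]:
            for a in s["attributes"]:
                if a["name"] == "iam_id":  # skip policies already attached to a group
                    holders[signature(p)].add(a["value"])
    return {sig: sorted(ids) for sig, ids in holders.items() if len(ids) >= min_members}

def policies_saved(candidates):
    """Each candidate collapses N individual policies into one group policy."""
    return sum(len(ids) - 1 for ids in candidates.values())

if __name__ == "__main__":
    found = consolidation_candidates(SAMPLE_POLICIES)
    for (roles, _), ids in found.items():
        print(roles, "->", ids)
    print("policies saved:", policies_saved(found))
```

Each reported grant is a candidate for one access group with a single policy; the individual policies can then be removed once the users are members of the group.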
Invite users
You can invite one or multiple users in a single invite. If you invite multiple users in one invitation, the same access is assigned to each user. However, you can invite users to your account with no access, and assign them access later.
- In the IBM Cloud console, go to Manage > Access (IAM), and select Users.
- Click Invite users. Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Add one or more of the access options that you manage. You must assign at least one access option. For any access options that you don't add and configure, the default value of No access is assigned. Depending on the options that you are authorized to manage, you can assign the following types of access:
  - Access groups: Click Add for each access group that you want the users to belong to.
  - Access policy: Assign individual IAM access policies or classic infrastructure permissions.
    - Select Classic infrastructure, and then select from the three permission sets.
    - Select a group of services like All Identity and Access enabled services, All Account Management services, and All IAM Access Management services, or select a specific service. Next, you can scope the access to the entire account or just one resource group. Then, select all roles that apply. To view what actions are mapped to each role, click the numbers listed next to each role.
      Some services support the use of advanced operators to grant access to resources that satisfy specific naming conventions. See Assigning access by using wildcard policies for more information.
    - Then, select all roles that apply.
- Select Add to save the access assignment to the invitation.
- After you add all the necessary access assignments, click Invite.
For more information, see Inviting users to an account.
Manage access for existing users
After you invite users, you might want to assign more access or edit the existing access to ensure that all members of your account have the correct level of access.
Assigning new access
To assign a new access policy, complete the following steps:
- In the IBM Cloud console, click Manage > Access (IAM), and select Users.
- From the row for the user that you want to assign access to, click the Actions icon > Assign access.
- Select a service or group of services. Then, click Next.
- Scope the access to all resources or specific resources based on selected attributes. Then, click Next.
- Select any combination of roles or permissions to define the scope of access, and click Review. For more information, see IAM roles.
- Click Add to add your policy configuration to your policy summary.
- Click Assign to assign all added access to the selected user.
Assign the viewer role or higher to the resource group that contains the resource to ensure that the user can access the resource from their list of resources.
Editing existing access
You can update existing access by editing the assigned roles for a user.
- In the IBM Cloud console, click Manage > Access (IAM), and select Users.
- Select the name of the user that you want to edit access for.
- Click Access.
- Click the Actions icon > Edit on the row for the policy that you want to edit.
- Edit the policy by updating the assigned roles.
- Click Save.
Next steps
Continue securing your cloud resources by creating context-based restrictions, which work with traditional IAM policies, to provide another layer of protection. Or, learn what else you can do with IBM Cloud IAM by checking out the features list.