Managing access with IAM for IBM Cloud DNS Services
IBM Cloud® DNS Services uses IBM Cloud Identity and Access Management (IAM) for authentication and authorization.
Access to DNS Services instances for users in your account is controlled by IBM Cloud IAM. Every user who accesses DNS Services in your account must be assigned an access policy that defines an IAM role. The policy determines which actions a user can perform within the context of the service or instance that you select. The allowable actions are defined by the IBM Cloud service as the operations that may be performed on it, and those actions are then mapped to IAM user roles.
Policies enable you to grant access at different levels. Some of the options include the following:
- Access across all instances of the service in your account.
- Access to an individual service instance in your account.
- Access to a specific resource within an instance.
Roles and permissions
With IBM Cloud IAM, you can manage and define access for users and resources in your account.
To simplify access, DNS Services aligns with IBM Cloud IAM roles so that each user has a different view of the service, according to the role the user is assigned. If you are a security admin for your service, you can assign IBM Cloud IAM roles that correspond to the specific IBM Cloud® DNS Services permissions you want to grant to members of your team.
This section discusses IBM Cloud IAM in the context of DNS Services. For complete IAM documentation, see Managing access in IBM Cloud.
Platform access roles
Use platform access roles to grant permissions at the account level, such as the ability to create or delete DNS Services instances in your IBM Cloud account.
| Action | Role |
|---|---|
| View IBM Cloud® DNS Services instances | Administrator, Operator, Editor, Viewer |
| Create IBM Cloud® DNS Services instances | Administrator, Editor |
| Delete IBM Cloud® DNS Services instances | Administrator, Editor |
Service access roles
Use service access roles to grant permissions at the service level, such as the ability to view, create, or delete DNS zones, resource records, and permitted networks.
The following table shows how service access roles map to DNS Services permissions.
| Role | Description | Actions |
|---|---|---|
| Reader | A reader can browse a high-level view of DNS zones, resource records, and permitted networks. Readers cannot create, delete, or modify any resources under DNS Services instances. | View DNS zones, resource records, and permitted networks. |
| Writer | A writer can modify DNS zones and resource records, in addition to performing all actions that a reader can perform. | All reader actions, plus updating DNS zones and resource records. |
| Manager | A manager can perform all actions that a reader and a writer can perform, and can also create and delete DNS zones, create and delete resource records, and add and remove permitted networks. | All reader and writer actions, plus creating and deleting DNS zones, creating and deleting resource records, and adding or removing permitted networks. |
Working with permitted network (VPC) related IAM access
To add a VPC to the permitted networks of a DNS zone, a user must hold the Operator role on that VPC resource. You can grant this permission to any user by creating an IAM access policy with the following assignments in the IBM Cloud UI:
- For "What type of access do you want to assign?", select VPC Infrastructure.
- For Resource Type, select Virtual Private Cloud.
- Under VPC ID, choose the appropriate VPC.
To learn more about providing Operator level access to the VPC, see VPC: Getting started with IAM.
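The following is an added example, not IBM's code: a small policy evaluator that encodes the service access role table above (Reader, Writer, Manager), the three policy scopes from the top of the page (all instances, one instance, one resource), and the rule that adding a permitted network needs Manager on the zone plus Operator on the VPC. The service names `dns-svcs` and `is`, the action names, and all IDs are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Service access roles mapped to DNS Services actions, cumulative as in the
# table above (constructed action names; IBM's real action IDs differ).
READER = {"zone.view", "record.view", "permitted_network.view"}
WRITER = READER | {"zone.update", "record.update"}
MANAGER = WRITER | {"zone.create", "zone.delete", "record.create", "record.delete",
                    "permitted_network.add", "permitted_network.remove"}
DNS_ROLES = {"Reader": READER, "Writer": WRITER, "Manager": MANAGER}


@dataclass(frozen=True)
class Policy:
    """One IAM access policy. Service names 'dns-svcs' and 'is' are assumed."""
    role: str
    service: str
    instance: Optional[str] = None   # None: every instance of the service
    resource: Optional[str] = None   # None: every resource in that scope


def policy_covers(p: Policy, service: str, instance: Optional[str],
                  resource: Optional[str]) -> bool:
    """A policy applies when its scope equals or contains the target's scope."""
    if p.service != service:
        return False
    if p.instance is not None and p.instance != instance:
        return False
    return p.resource is None or p.resource == resource


def dns_allowed(policies: List[Policy], action: str, instance: str,
                zone: Optional[str] = None) -> bool:
    """True if some policy covering this DNS scope grants `action`."""
    return any(policy_covers(p, "dns-svcs", instance, zone)
               and action in DNS_ROLES.get(p.role, set()) for p in policies)


def can_add_permitted_network(policies: List[Policy], instance: str,
                              zone: str, vpc_id: str) -> bool:
    """Needs Manager on the zone AND Operator on that VPC (only Operator is modelled)."""
    manager_ok = dns_allowed(policies, "permitted_network.add", instance, zone)
    operator_ok = any(p.role == "Operator" and policy_covers(p, "is", None, vpc_id)
                      for p in policies)
    return manager_ok and operator_ok


if __name__ == "__main__":
    team = [Policy("Reader", "dns-svcs"),                      # all DNS instances
            Policy("Manager", "dns-svcs", instance="inst-a"),  # one instance
            Policy("Operator", "is", resource="vpc-1")]        # one VPC
    print(can_add_permitted_network(team, "inst-a", "example.com", "vpc-1"))  # True
    print(can_add_permitted_network(team, "inst-a", "example.com", "vpc-2"))  # False
```

Run it against the policies you actually plan to assign to see whether a user ends up over- or under-privileged before creating them in IAM.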