Managing IAM access for IBM Cloud Metrics Routing


Access to IBM Cloud® Metrics Routing configuration resources for users and applications in your account is controlled by IBM Cloud® Identity and Access Management (IAM). For example, every user that accesses the IBM Cloud Metrics Routing service in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to IBM Cloud Metrics Routing.

The access policy that you assign to users in your account determines what actions a user can perform within the context of the service or the specific instance that you select. The allowable actions are customized and defined by IBM Cloud Metrics Routing as the operations that can be performed on the service. Each IAM action is mapped to an IAM platform role that you can assign to a user.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted; however, only the highest level of permission that you have for the target service (in this case, viewer) is assigned.

IBM Cloud Metrics Routing is a platform service. Therefore, when you assign a policy to a user to work with IBM Cloud Metrics Routing, you are assigning IAM platform roles.

IAM actions

The IBM Cloud Metrics Routing service provides the following IAM actions:

Targets

The following table lists the IAM actions that are generated when you manage targets:

IAM actions for managing targets

Action                        Description
metrics-router.target.create  Create a new Monitoring target.
metrics-router.target.list    List all targets defined under a region.
metrics-router.target.read    Retrieve a target and its details by specifying the ID of the target.
metrics-router.target.update  Update a target's details by specifying the ID of the target.
metrics-router.target.delete  Delete a target by specifying the ID of the target.

Routes

The following table lists the IAM actions that are generated when you manage routes:

IAM actions for managing routes

Action                       Description
metrics-router.route.create  Create a route with rules that define how to route metrics data to targets.
metrics-router.route.list    List routes.
metrics-router.route.read    Retrieve a route and its details by specifying the ID of the route.
metrics-router.route.update  Replace a route's details by specifying the ID of the route. Validate a target by checking the credentials to the destination target.
metrics-router.route.delete  Delete a route by specifying the ID of the route.

Settings

The following table lists the IAM actions that are generated when you manage settings:

IAM actions for managing settings

Action                         Description
metrics-router.setting.update  Configure the IBM Cloud Metrics Routing settings for an account.
metrics-router.setting.get     Get information about the IBM Cloud Metrics Routing settings for an account.

IAM roles

The IBM Cloud Metrics Routing service provides the following IAM roles to control access to the service.

IAM platform roles

Platform role  Scope          Description of actions
Viewer         All resources  As a viewer, you can view IBM Cloud Metrics Routing configuration resources such as routes, targets, and the account configuration settings.
Operator       All resources  As an operator, you can view IBM Cloud Metrics Routing configuration resources such as routes, targets, and the account configuration settings.
Editor         All resources  As an editor, you can view, create, update, and delete IBM Cloud Metrics Routing resources such as routes and targets. You can also view the account configuration settings.
Administrator  All resources  As an administrator, you can view, create, update, and delete IBM Cloud Metrics Routing resources. You can also assign access policies to manage IBM Cloud Metrics Routing resources to other users in the account.

When you define a policy, the Resources scope must be set to All resources. If this is not set, you will not be able to manage your IBM Cloud Metrics Routing instance and you will get a return code of 403.

If a specific role and its actions don't fit the use case that you're looking to address, you can create a custom role and pick the actions to include.

Targets

The following table lists the IAM actions, their scope, and the roles required to manage targets.

IAM action scopes and roles for managing targets

Action                        IAM policy scope  IAM roles
metrics-router.target.create  Region            Administrator, Editor
metrics-router.target.list    Account           Administrator, Editor, Operator, Viewer
metrics-router.target.read    Region            Administrator, Editor, Operator, Viewer
metrics-router.target.update  Region            Administrator, Editor
metrics-router.target.delete  Region            Administrator, Editor

When you use the CLI, note that you also need the metrics-router.target.list action to create, read, update, or delete a target.

Routes

The following table lists the IAM actions, their scope, and the roles required to manage routes.

IAM action scopes and roles for managing routes

Action                       IAM policy scope  IAM roles
metrics-router.route.read    Account           Administrator, Editor, Viewer, Operator
metrics-router.route.create  Account           Administrator, Editor
metrics-router.route.update  Account           Administrator, Editor
metrics-router.route.delete  Account           Administrator, Editor
metrics-router.route.list    Account           Administrator, Editor, Viewer, Operator

Settings

The following table lists the IAM actions, their scope, and the roles required to manage settings.

IAM action scopes and roles for managing settings

Action                         IAM policy scope  IAM roles
metrics-router.setting.get     Account           Administrator, Editor, Operator, Viewer
metrics-router.setting.update  Account           Administrator
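The tables above, the requirement that the Resources scope be set to All resources (otherwise a 403), the CLI note about metrics-router.target.list, and the rule that you can grant at most the role you hold yourself are easy to get wrong when writing policies by hand. The following Python is an added example and is not code from the IBM Cloud docs or from the Metrics Routing service; it encodes the page's action and role tables so that a candidate policy can be checked offline before it is created. The Policy class and the authorize, minimal_role and grantable_role functions are names chosen for this example, and the model assumes, following the roles table, that the Operator role carries exactly the same actions as Viewer.

```python
"""Offline model of the IAM action/role tables for IBM Cloud Metrics Routing.

Added example, not IBM's code. It encodes what the docs page states:
  * the actions each platform role carries (scope/role tables),
  * the 'All resources' scope requirement (any other scope yields 403),
  * the CLI needing metrics-router.target.list for target CRUD,
  * the grantor cap: you can assign at most the role you hold yourself.
"""
from dataclasses import dataclass, field

# Platform roles from least to most privileged (Viewer and Operator carry the
# same actions on this page, so either may be reported as the minimal role).
ROLE_ORDER = ("Viewer", "Operator", "Editor", "Administrator")

# Read-only actions: every platform role in the tables carries these.
_READ = {
    "metrics-router.target.list",
    "metrics-router.target.read",
    "metrics-router.route.list",
    "metrics-router.route.read",
    "metrics-router.setting.get",
}
# Write actions on targets and routes: Editor and Administrator only.
_WRITE = {
    "metrics-router.target.create",
    "metrics-router.target.update",
    "metrics-router.target.delete",
    "metrics-router.route.create",
    "metrics-router.route.update",
    "metrics-router.route.delete",
}
# Account settings update: Administrator only.
_ADMIN = {"metrics-router.setting.update"}

ROLE_ACTIONS = {
    "Viewer": frozenset(_READ),
    "Operator": frozenset(_READ),  # assumption: same actions as Viewer, per the roles table
    "Editor": frozenset(_READ | _WRITE),
    "Administrator": frozenset(_READ | _WRITE | _ADMIN),
}
ALL_ACTIONS = frozenset(ROLE_ACTIONS["Administrator"])


@dataclass
class Policy:
    """A policy on the metrics-router service as the page describes it (hypothetical model)."""
    roles: set = field(default_factory=set)           # platform roles, e.g. {"Editor"}
    custom_actions: set = field(default_factory=set)  # actions picked for a custom role
    all_resources: bool = True                        # Resources scope == All resources


def effective_actions(policy):
    """Union of the actions granted by the policy's platform roles and custom actions."""
    acts = set(policy.custom_actions)
    for role in policy.roles:
        acts |= ROLE_ACTIONS[role]
    return acts


def authorize(policy, action, via_cli=False):
    """Decide whether `action` is permitted under `policy`; returns (ok, reason)."""
    if action not in ALL_ACTIONS:
        return False, f"unknown action {action}"
    if not policy.all_resources:
        # Page: with any other Resources scope you cannot manage the instance and get a 403.
        return False, "403: Resources scope must be 'All resources'"
    acts = effective_actions(policy)
    if action not in acts:
        return False, f"policy does not grant {action}"
    if via_cli and action.startswith("metrics-router.target.") \
            and "metrics-router.target.list" not in acts:
        # Page: the CLI needs target.list to create, read, update, or delete a target.
        return False, "CLI also needs metrics-router.target.list"
    return True, "allowed"


def minimal_role(actions):
    """Least-privileged platform role that covers every requested action, or None."""
    needed = set(actions)
    for role in ROLE_ORDER:
        if needed <= ROLE_ACTIONS[role]:
            return role
    return None  # no single platform role fits (or an action is unknown): use a custom role


def grantable_role(grantor_role, requested_role):
    """Cap the role a grantor can assign at the grantor's own level (page rule)."""
    if ROLE_ACTIONS[requested_role] <= ROLE_ACTIONS[grantor_role]:
        return requested_role
    return grantor_role  # the higher request silently collapses to the grantor's role


if __name__ == "__main__":
    editor = Policy(roles={"Editor"})
    print(authorize(editor, "metrics-router.route.create"))
    print(authorize(editor, "metrics-router.setting.update"))
    print(authorize(Policy(custom_actions={"metrics-router.target.create"}),
                    "metrics-router.target.create", via_cli=True))
    print(minimal_role({"metrics-router.target.read", "metrics-router.route.list"}))
    print(grantable_role("Viewer", "Administrator"))
```

Use minimal_role when deciding which platform role to put in an access-group policy, and authorize with via_cli=True when the policy will be exercised from the CLI; a custom role that carries metrics-router.target.create without metrics-router.target.list passes the API check but fails the CLI check, which matches the note above the routes table.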

Assigning access to IBM Cloud Metrics Routing

You can assign access to IBM Cloud Metrics Routing by using any of the following methods:

  • Access policies per user

  • Access groups

    Access groups streamline access management: you assign access to the group once, then add or remove users as needed to control their access.

    An access group organizes a set of users, service IDs, and trusted profiles into a single entity so that you can assign a single policy to the group instead of assigning the same access multiple times to each individual user or service ID. For more information, see Setting up access groups.

  • Trusted profiles

    You can use trusted profiles to grant different IBM Cloud® identities access to resources in your account. Automatically grant federated users access to your account with conditions based on SAML attributes from your corporate directory. Or, use trusted profiles to set up fine-grained authorization for applications that are running in compute resources. This way, you aren't required to create service IDs or API keys for the compute resources. You can also establish trust with IBM Cloud services or service IDs in another account to grant cross-account access. For more information, see Creating trusted profiles.

For more information, see Assigning access to IBM Cloud Metrics Routing.