Managing access overview
Access to IBM Cloud Satellite® service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user who accesses the Satellite service in your account must be assigned an access policy with an IAM role defined. The policy determines which actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
The name for the IBM Cloud Satellite service in IAM is
- IBM Cloud Satellite in the UI
- satellite in the API and CLI
Keep in mind that you need permissions to IBM Cloud services if you use the services with Satellite. For example, to create and manage clusters in your Satellite location, you must have the appropriate permissions to Red Hat OpenShift on IBM Cloud in IAM (Kubernetes Service in the UI, containers-kubernetes in the API and CLI).
Locations and hosts
Review details about the Satellite location IAM resource type, which includes actions for locations and hosts.
If you scope an access policy to the location resource type, the users must target the regional endpoint to interact with the location. For more information, see the troubleshooting topic.
- Name of the resource type: Location (UI), location (API or CLI)
- Type of role that you can assign for the resource in IAM:
  - Platform access Viewer, Operator, Editor, and Administrator roles
  - Custom service access role to create clusters, Satellite Cluster Creator
- What you can scope an access policy for the resource to:
  - Account
  - Resource group
  - Instances of the resource
- Description: Locations are places that you use to extend IBM Cloud by attaching your own host compute machines to the location. Access to the location resource lets users work with locations and hosts. However, location access does not grant access to other resources that run within the location, such as endpoints, configurations, or Red Hat OpenShift clusters.
Configuration, subscription, cluster, cluster group, and resource
Review details about the Satellite Config IAM resource type, which includes actions for configurations, subscriptions, clusters, cluster groups, resources, and other components that use Satellite Config such as storage.
- Name of the resource type: Configuration, Subscription, Cluster, Clustergroup, or Resource (console); configuration, subscription, cluster, clustergroup, or resource (API or CLI)
- Type of role that you can assign for the resource in IAM:
  - Platform access Viewer, Operator, Editor, and Administrator roles
  - Service access Reader, Writer, and Manager roles, and a custom Deployer role
- What you can scope an access policy for the resource to:
  - Account
  - Cluster or Clustergroup only: Particular instance of the resource
- Description: Satellite Config is a collection of configurations, versions, and subscriptions that you use to automatically deploy Kubernetes resources to groups of clusters that are registered with the Satellite Config component. However, access to Satellite Config does not give a user access to the clusters that run the Kubernetes resources of the configuration. You can scope access to the following Satellite Config resources.
  - Configurations, where you upload the version of the configuration file for the Kubernetes resources that you want to deploy. You cannot scope a policy to a particular configuration.
  - Subscriptions, which you use to specify the cluster group where you want to deploy the Kubernetes resource definition that you added as a version to your configuration. You cannot scope a policy to a particular configuration.
  - Clusters or cluster groups, which are Red Hat OpenShift on IBM Cloud clusters that are registered with Satellite Config and can be subscribed to configurations.
  - Resources, which are Kubernetes resources such as pods or services that are described in a Satellite Config and run in a subscribed cluster. Certain roles permit access to view and manage Kubernetes resources through Satellite Config, but you cannot scope an access policy to a particular resource.
Link
Review details about the Satellite Link IAM resource type, which includes actions for endpoints and sources.
- Name of the resource type: Link (UI), link (API or CLI)
- Type of role that you can assign for the resource in IAM:
  - Platform access Viewer, Operator, Editor, and Administrator roles
  - Custom Satellite Link Administrator and Satellite Link Source Access Controller service access roles
- What you can scope an access policy for the resource to:
  - Account
  - Resource group
  - Particular instances of the resource
- Description: Link endpoints connect services, servers, or apps that run in your Satellite location with an endpoint that runs in IBM Cloud. Access to a Satellite Link does not give a user access to the resources that the endpoint connects, such as a location or service instance. Instead, the access is to manage the endpoint itself.
Other services
Review details about other Satellite-enabled IBM Cloud service IAM resource types, such as Red Hat OpenShift on IBM Cloud clusters and other Satellite-enabled IBM Cloud services.
- Resource type, IAM role, and scope of access policies: Varies by service. For example, Red Hat OpenShift on IBM Cloud is the Kubernetes Service in IAM and can scope access to cluster or namespace resources. For more information, consult the service documentation.
- Red Hat OpenShift on IBM Cloud clusters: You do not assign access policies for Red Hat OpenShift clusters in Satellite. Instead, access to clusters is assigned in IBM Cloud IAM through Red Hat OpenShift on IBM Cloud (Kubernetes Service in the console or containers-kubernetes in the API or CLI). For more information, see Platform and service roles for Red Hat OpenShift clusters. If you have access to a Satellite location or configuration, you can view the clusters that are attached to the location or configuration. However, you might not be able to access the clusters if you do not have the appropriate roles to those clusters. For example, if you have the appropriate access to a Satellite configuration, you might be able to list all the Kubernetes resources that run in registered clusters through the Satellite Config API. However, without an access policy to the individual clusters, you cannot log in to the individual clusters and use Red Hat OpenShift APIs to list Kubernetes resources. For more information, see the following topics.
  - Reference documentation for user access permissions, including platform and service roles.
  - Set the cluster credentials, such as setting up the API key for underlying infrastructure permissions and granting users access with IBM Cloud IAM.
  - Accessing clusters on the public or private service endpoints, or by using an IBM Cloud IAM API key such as for automation purposes.
- Other managed services: To use Satellite with other managed services, you must set up service to service access through IAM, with Satellite as your target service and the managed service as the source service.
Platform and service roles for Red Hat OpenShift clusters
If you create Red Hat OpenShift on IBM Cloud clusters to use in your Satellite locations, you manage access to these clusters in IAM for the Red Hat OpenShift on IBM Cloud service, not for Satellite. Review the following information to manage IAM access to Red Hat OpenShift clusters.
- Reference documentation for user access permissions, including platform and service roles.
- Set the cluster credentials, such as setting up the API key for underlying infrastructure permissions and granting users access with IBM Cloud IAM.
- Accessing clusters on the public or private service endpoints, or by using an IBM Cloud IAM API key such as for automation purposes.
Common use cases and roles in IBM Cloud
Wondering which access roles to assign to your Satellite access groups and users? Use the examples in the following table to determine which roles and scope to assign.
Use case | Example roles and scope |
---|---|
Creating a location | The user and the API key that is set for the region and resource group require the following permissions. Administrator platform role for all Satellite locations. The custom Satellite Link Administrator service role for Satellite Link. Manager service role to the IBM Cloud Object Storage instance that backs up the location control plane data. To use automated templates such as to add hosts from AWS or Azure, the Administrator platform role for IBM Cloud Schematics and Administrator platform role for Kubernetes Service. For other permissions to set up the location control plane, see Permissions to create a cluster. |
Creating a cluster in a location | See Creating Satellite clusters. |
Location auditor | Viewer platform role for the Satellite location and link endpoints. Reader service role for the configuration resources in the location. Reader service role to the IBM Cloud Object Storage instance that backs up the location control plane data. |
App developers | Viewer platform role for the Satellite location. Writer or Deployer service access role for the configuration resources. Editor platform role and Writer service role to Red Hat OpenShift clusters or particular projects in a cluster. |
Billing | Viewer platform role for all the Satellite locations in the account. |
Location administrator | Administrator platform role for the location and link resources. Administrator platform role to Red Hat OpenShift clusters. Manager service role to the IBM Cloud Object Storage instance that backs up the location control plane data. |
DevOps operator | Editor platform role for the location and link resources. Deployer service role for the configurations. Operator platform role to Red Hat OpenShift clusters. |
Operator or site reliability engineer | Administrator platform role for the location and link resources. Manager service role for the configuration resources. Administrator platform role and Manager service role to Red Hat OpenShift clusters. |
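The following script is an added example, not part of the IBM Cloud Satellite documentation: it grants the read-only "Location auditor" roles from the table above to an IAM access group with the IBM Cloud CLI. It assumes you are logged in and targeted to the account, that the access group name and the Object Storage instance GUID are supplied by you (the defaults below are placeholders), and that scoping the policies by resource type (`location`, `link`, `configuration`) matches how you want to limit the auditor.

```shell
#!/bin/sh
# Added example (not IBM's own code): create the "Location auditor" access
# policies with the IBM Cloud CLI. DRY_RUN=1 (the default) prints each
# command for review instead of running it; set DRY_RUN=0 to apply.

DRY_RUN="${DRY_RUN:-1}"
ACCESS_GROUP="${ACCESS_GROUP:-satellite-location-auditors}"            # assumed group name
COS_INSTANCE_GUID="${COS_INSTANCE_GUID:-COS_INSTANCE_GUID_PLACEHOLDER}" # placeholder

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Viewer platform role scoped to the Satellite location resource type.
# Note: users must target the regional endpoint to use a location-scoped policy.
auditor_location_policy() {
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Viewer --service-name satellite --resource-type location
}

# Viewer platform role scoped to the Satellite Link resource type.
auditor_link_policy() {
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Viewer --service-name satellite --resource-type link
}

# Reader service role for Satellite Config configuration resources.
auditor_config_policy() {
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Reader --service-name satellite --resource-type configuration
}

# Reader service role on the Object Storage instance that backs up the
# location control plane data (IAM service name cloud-object-storage).
auditor_cos_policy() {
  run ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \
    --roles Reader --service-name cloud-object-storage \
    --service-instance "$COS_INSTANCE_GUID"
}

# Apply all four policies; the auditor never receives a write role.
create_auditor_policies() {
  auditor_location_policy && auditor_link_policy \
    && auditor_config_policy && auditor_cos_policy
}

create_auditor_policies
```

Review the printed commands, then rerun with DRY_RUN=0 to create the policies; swapping Viewer and Reader for the Editor, Deployer, or Administrator roles in the table gives the other use cases.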