IAM platform and service access roles
Platform access roles enable users to perform tasks on service resources at the platform level. For example, you can assign user access for the service, create or delete instances, and bind instances to applications. Review the following table for the actions available to platform access roles for Satellite.
You cannot scope access policies to a particular Satellite Config resource. Instead, scope the policy to the IBM Cloud Satellite service so that users can list Satellite Config resources.
Satellite Config uses a custom IAM service access role, Deployer, in addition to the standard Reader, Writer, and Manager roles. You can assign users the Deployer role so that they can deploy existing configurations to your clusters, but cannot add or edit the actual configurations for your apps.
IBM Cloud Satellite
Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use `satellite` for the service name.
Role | Description |
---|---|
Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
Viewer | As a viewer, you can view service instances, but you can't modify them. |
Role | Description |
---|---|
Deployer | This role allows the user to deploy satellite-config managed contents to managed clusters |
Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
Satellite Cluster Creator | As a Satellite Cluster Creator, you have the ability to create new Red Hat OpenShift on IBM Cloud OpenShift Clusters in the Satellite Location |
Satellite Link Administrator | The Satellite Link Administrator is able to create, edit, update, and delete Satellite Link Endpoints and Sources |
Satellite Link Source Access Controller | Allows the subject to enable access to Link Endpoint from a Link Source |
Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |
Action | Description | Roles |
---|---|---|
satellite.dashboard.view | | Administrator, Editor, Operator |
satellite.config-configuration.create | create configuration for the satellite config. You can create one or more configurations for your org. | Administrator, Manager |
satellite.config-configuration.read | list all the configurations for your org, or get details about one configuration | Manager, Reader |
satellite.config-configuration.update | updates fields in configuration | Manager, Writer |
satellite.config-configuration.delete | delete a configuration | Administrator, Manager |
satellite.config-configuration.manageversion | change your configuration version | Manager, Writer |
satellite.config-subscription.create | create a subscription for a configuration | Deployer, Manager |
satellite.config-subscription.read | read subscriptions for your org | Deployer, Manager, Reader |
satellite.config-subscription.update | update subscription name and other relevant fields | Deployer, Manager |
satellite.config-subscription.delete | delete a subscription | Deployer, Manager |
satellite.config-subscription.setversion | set the configuration version on this subscription | Deployer, Manager |
satellite.config-cluster.attach | attach cluster to a cluster group | Administrator, Manager, Satellite Cluster Creator |
satellite.config-cluster.read | read cluster list for an org or details about a given cluster | Administrator, Manager, Reader |
satellite.link.create | Create Link instance for the Satellite Location. | Administrator |
satellite.config-organization.read | allows access to the organization info | Administrator, Deployer, Manager, Reader, Satellite Cluster Creator |
satellite.config-organization.manage | allows reading the org_key for an organization | Manager |
satellite.resource.get | read resource under a cluster or from a cluster group | Administrator, Manager, Reader |
satellite.api.globalaccess | global access satellite api for special users | Administrator, Manager |
satellite.config-cluster.register | register cluster to the satellite config | Administrator, Manager, Satellite Cluster Creator |
satellite.config-cluster.detach | detach cluster | Administrator, Manager |
satellite.config-clustergroup.read | read cluster group for all its resources | Administrator, Manager, Reader |
satellite.config-clustergroup.manage | create or delete a cluster group | Administrator, Manager |
satellite.location.create | create satellite location to be added to the existing locations | Administrator |
satellite.location.read | read satellite location | Administrator, Editor, Operator, Satellite Cluster Creator, Satellite Link Administrator, Viewer |
satellite.location.update | edit an existing satellite location information | Administrator, Editor, Operator |
satellite.location.delete | delete a satellite location that belongs to you | Administrator, Operator |
satellite.config-clustergroup.setversion | set the configuration version on this cluster group | Administrator, Deployer, Manager |
satellite.resource.servicelevelread | Service level read of resources | Administrator, Manager |
satellite.link.get | Get configuration and status of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
satellite.link.delete | Delete a Link instance of a Satellite Location. | Administrator, Operator |
satellite.link-endpoints.list | List all Link Endpoints of a Satellite Location. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
satellite.link-endpoints.create | Create a Link Endpoint with specified configuration. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoints.get | Get configuration and status of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
satellite.link-endpoints.update | Modify configuration of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoints.delete | Delete a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoint-certs.get | Get certificate/key of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoint-certs.upload | Upload certificate/key for a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoint-certs.delete | Delete certificate/key of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-sources.list | List all ACL Sources of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
satellite.link-sources.create | Create an ACL Source for a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-sources.delete | Delete an ACL Source of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoint-sources.list | List ACL Sources used by a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
satellite.link-endpoint-sources.update | Update ACL Sources enable/disable state of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Source Access Controller |
satellite.link-sources.update | Modify IP address/subnets list of an ACL Source configured for the specified Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.config-cluster.update | Update cluster registration | Manager |
satellite.location.cluster-create | Enables the user to create Red Hat OpenShift on IBM Cloud clusters in the Satellite Location | Administrator, Satellite Cluster Creator |
satellite.link-endpoints.import | Import Endpoint from previous export. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-endpoints.export | Export Endpoint configuration to an archive file. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-source-endpoints.list | List Source status for all Endpoints. | Administrator, Editor, Operator, Satellite Link Administrator |
satellite.link-source-endpoints.update | Update Source status for listed Endpoints. | Administrator, Editor, Operator, Satellite Link Source Access Controller |
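
The Deployer restriction described at the top of this page can be checked against the action table. The following is an added example, not IBM's code: it copies the Satellite Config rows from the table and picks the role set that covers a list of required actions with the fewest extra actions. The helper names `granted` and `least_privilege` are hypothetical.

```python
from itertools import combinations

# Satellite Config rows copied from the action table on this page; the
# "satellite." prefix is added when parsing. Helper names are hypothetical.
TABLE = """\
config-configuration.create|Administrator,Manager
config-configuration.read|Manager,Reader
config-configuration.update|Manager,Writer
config-configuration.delete|Administrator,Manager
config-configuration.manageversion|Manager,Writer
config-subscription.create|Deployer,Manager
config-subscription.read|Deployer,Manager,Reader
config-subscription.update|Deployer,Manager
config-subscription.delete|Deployer,Manager
config-subscription.setversion|Deployer,Manager
config-clustergroup.setversion|Administrator,Deployer,Manager
config-organization.read|Administrator,Deployer,Manager,Reader,Satellite Cluster Creator
config-organization.manage|Manager
"""
ACTION_ROLES = {
    "satellite." + action: set(roles.split(","))
    for action, roles in (line.split("|") for line in TABLE.splitlines())
}
ALL_ROLES = sorted(set().union(*ACTION_ROLES.values()))


def granted(roles):
    """Actions (among the rows above) that any of the given roles allows."""
    return {a for a, allowed in ACTION_ROLES.items() if allowed & set(roles)}


def least_privilege(required):
    """Return (roles, extra actions) for the role set covering `required`
    with the fewest extra actions; ties go to the smaller role set."""
    required = set(required)
    unknown = required - set(ACTION_ROLES)
    if unknown:
        raise ValueError(f"not in table: {sorted(unknown)}")
    best = None
    for size in range(1, len(ALL_ROLES) + 1):
        for combo in combinations(ALL_ROLES, size):
            have = granted(combo)
            key = (len(have - required), size, combo)
            if required <= have and (best is None or key < best[0]):
                best = (key, have)
    return list(best[0][2]), sorted(best[1] - required)
```

For a user who must read configurations and create subscriptions, the result is Reader plus Deployer rather than Manager, which per the table would also allow `satellite.config-organization.manage` (reading the org_key).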