IBM Cloud Docs
IAM platform and service access roles

IAM platform and service access roles

Platform access roles enable users to perform tasks on service resources at the platform level. For example, you can assign user access for the service, create or delete instances, and bind instances to applications. Review the following table for the actions available to platform access roles for Satellite.

You cannot scope access policies to a particular Satellite Config resource. Instead, scope the policy to the IBM Cloud Satellite service so that users can list Satellite Config resources.

Satellite Config uses a custom IAM service access role, Deployer, in addition to the standard Reader, Writer, and Manager roles. You can assign users the Deployer role so that they can deploy existing configurations to your clusters, but cannot add or edit the actual configurations for your apps.

IBM Cloud Satellite

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use satellite for the service name.

Platform roles - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the platform role name and the column headers identify the specific information available about each role.
Role Description
Administrator As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users.
Editor As an editor, you can perform all platform actions except for managing the account and assigning access policies.
Operator As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard.
Viewer As a viewer, you can view service instances, but you can't modify them.
Service roles - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table has row and column headers. The row headers provide the service role name and the column headers identify the specific information available about each role.
Role Description
Deployer This role allow the user to deploy satellite-config managed contents to managed clusters
Manager As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader As a reader, you can perform read-only actions within a service such as viewing service-specific resources.
Satellite Cluster Creator As a Satellite Cluster Creator you have the ability create new Red Hat OpenShift on IBM Cloud OpenShift Clusters in the Satellite Location
Satellite Link Administrator The Satellite Link Administrator is able to create, edit, update, and delete Satellite Link Endpoints and Sources
Satellite Link Source Access Controller Allows the subject to enable access to Link Endpoint from a Link Source
Writer As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
Service actions - IBM Cloud Satellite
Use the tab buttons to change the context of the table. This table provides the available actions for the service, descriptions of each, and the roles that each action are mapped to.
Action Description Roles
satellite.dashboard.view Administrator, Editor, Operator
satellite.config-configuration.create create configuration for the satellite config. You can create one or more configurations for your org. Administrator, Manager
satellite.config-configuration.read list all the configurations for your org, or get details about one configuration Manager, Reader
satellite.config-configuration.update updates fields in configuration Manager, Writer
satellite.config-configuration.delete delete a configuration Administrator, Manager
satellite.config-configuration.manageversion change your configuration version Manager, Writer
satellite.config-subscription.create create a subscription for a configuration Deployer, Manager
satellite.config-subscription.read read subscriptions for your org Deployer, Manager, Reader
satellite.config-subscription.update update subscription name and other relevant fields Deployer, Manager
satellite.config-subscription.delete delete a subscription Deployer, Manager
satellite.config-subscription.setversion set the configuration version on this subscription Deployer, Manager
satellite.config-cluster.attach attach cluster to a cluster group Administrator, Manager, Satellite Cluster Creator
satellite.config-cluster.read read cluster list for for an org or details about a given cluster Administrator, Manager, Reader
satellite.link.create Create Link instance for the Satellite Location. Administrator
satellite.config-organization.read allow to access the organization info Administrator, Deployer, Manager, Reader, Satellite Cluster Creator
satellite.config-organization.manage allow to read the org_key for an organization Manager
satellite.resource.get read resource under a cluster or from a cluster group Administrator, Manager, Reader
satellite.api.globalaccess global access satellite api for special users Administrator, Manager
satellite.config-cluster.register register cluster to the satellite config Administrator, Manager, Satellite Cluster Creator
satellite.config-cluster.detach detach cluster Administrator, Manager
satellite.config-clustergroup.read read cluster group for all its resources Administrator, Manager, Reader
satellite.config-clustergroup.manage create or delete a cluster group Administrator, Manager
satellite.location.create create satellite location to be added to the existing locations Administrator
satellite.location.read read satellite location Administrator, Editor, Operator, Satellite Cluster Creator, Satellite Link Administrator, Viewer
satellite.location.update edit an existing satellite location information Administrator, Editor, Operator
satellite.location.delete delete a satellite location belonged to you Administrator, Operator
satellite.config-clustergroup.setversion set the configuration version on this cluster group Administrator, Deployer, Manager
satellite.resource.servicelevelread Service level read of resources Administrator, Manager
satellite.link.get Get configuration and status of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link.delete Delete a Link instance of a Satellite Location. Administrator, Operator
satellite.link-endpoints.list List all Link Endpoints of a Satellite Location. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoints.create Create a Link Endpoint with specified configuration. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.get Get configuration and status of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoints.update Modify configuration of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.delete Delete a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.get Get certificate/key of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.upload Upload certificate/key for a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-certs.delete Delete certificate/key of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-sources.list List all ACL Sources of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-sources.create Create a ACL Source for a Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-sources.delete Delete a ACL Source of a Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoint-sources.list List ACL Sources used by a Link Endpoint. Administrator, Editor, Operator, Satellite Link Administrator, Viewer
satellite.link-endpoint-sources.update Update ACL Sources enable/disable state of a Link Endpoint. Administrator, Editor, Operator, Satellite Link Source Access Controller
satellite.link-sources.update Modify IP address/subnets list of a ACL Source configured for the specified Link instance. Administrator, Editor, Operator, Satellite Link Administrator
satellite.config-cluster.update Update cluster registration Manager
satellite.location.cluster-create Enables the user to create Red Hat OpenShift on IBM Cloud clusters in the Satellite Location Administrator, Satellite Cluster Creator
satellite.link-endpoints.import Import Endpoint from previous export. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-endpoints.export Export Endpoint configuration to an archive file. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-source-endpoints.list List Source status for all Endpoints. Administrator, Editor, Operator, Satellite Link Administrator
satellite.link-source-endpoints.update Update Source status for listed Endpoints. Administrator, Editor, Operator, Satellite Link Source Access Controller