Controlling access through IAM
IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and consistently control access to all cloud resources in the IBM Cloud. You grant permissions through policies that you define on the IBM Cloud Security and Compliance Center Workload Protection service in the account.
Users in an account must be assigned a platform role to manage instances and to launch the UI from the IBM Cloud. In addition, users must have a service role that defines the permissions to work with IBM Cloud Security and Compliance Center Workload Protection.
The policy determines the actions that the user can perform within the context of the selected service or instance. Each action corresponds to an operation that is allowed on the service; the actions are then mapped to IAM roles.
Policies enable access to be granted at different levels. Some of the options include the following:
- Access to all IAM-enabled services in your account
- Access across all instances of the service in a single region in your account
- Access to an individual service instance in your account
- Access to all instances of the service within the context of a resource group
- Access to all instances of the service in a single region within the context of a resource group
- Access to all IAM-enabled services within the context of a resource group
Roles define the actions that a user or service ID can run. There are different types of roles in the IBM Cloud:
- Platform management roles enable users to perform tasks on service resources at the platform level, for example assigning user access for the service, creating or deleting service IDs, creating instances, assigning policies for your service to other users, and binding instances to applications.
- Service access roles enable users to be assigned varying levels of permission when calling the service's API or running actions in the monitoring UI.
To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times for each individual user or service ID.
Managing access by using access groups
To manage access groups, you must be the account owner, an administrator or editor on all IAM-enabled services in the account, or the assigned administrator or editor for the IAM Access Groups service.
Use the following actions to manage IAM access groups in the IBM Cloud:
Managing access by assigning policies directly to users
To manage access or assign new access to users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.
Use the following actions to manage IAM policies in the IBM Cloud:
- To grant permissions to a user, see Assigning access to resources.
- To revoke permissions, see Removing access.
- To review a user's permissions, see Reviewing assigned access.
IBM Cloud platform roles
Users must be granted a platform role to allow them to view and manage the IBM Cloud Security and Compliance Center Workload Protection service in your account. You can grant permissions to work with all the instances in the IBM Cloud account or you can restrict access to individual instances.
The following table identifies the platform role that you can grant a user in the IBM Cloud to run the specified platform actions:
Platform actions | Administrator | Editor | Operator | Viewer |
---|---|---|---|---|
Grant other account members access to work with the service | | | | |
Provision a service instance | | | | |
Delete a service instance | | | | |
Create a service ID | | | | |
View details of a service instance | | | | |
View service instances in the Observability Monitoring dashboard | | | | |
A user with an administrator role automatically has the service manager role permissions.
IBM Cloud service roles
The following table identifies the service role that you can grant a user in the IBM Cloud to run the specified actions:
Actions | Manager | Writer | Reader |
---|---|---|---|
Manage access keys | | | |
Manage Secure API Tokens | | | |
Create, configure, and delete teams | | | |
Configure and remove notification channels | | | |
Configure and remove agents | | | |
Create, delete, and edit content in the UI | | | |
Manage runtime policies | | | |
Manage image scanning policies | | | |
Manage Activity Audit | | | |
Send container images to the scanning queue | | | |
Create, update, and remove alerts | | | |
View reports and image scanning results | | | |
View platforms, frameworks, rules, and policies | | | |
View events | | | |
IAM actions
The following table identifies the IAM actions that are assigned to the platform and service roles for the IBM Cloud Security and Compliance Center Workload Protection service:
Role type | Role | IAM actions |
---|---|---|
Platform | Administrator | sysdig-secure.launch.admin, sysdig-secure.launch.user, sysdig-secure.launch.viewer |
Service | Manager | sysdig-secure.launch.admin, sysdig-secure.launch.user, sysdig-secure.launch.viewer |
Service | Writer | sysdig-secure.launch.user, sysdig-secure.launch.viewer |
Service | Reader | sysdig-secure.launch.viewer |
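As an added example (not IBM's code and not part of this page), the following Python audit maps the roles in the table above to the launch actions they grant and classifies each policy's scope against the access levels listed earlier in this page, flagging Manager or Administrator grants that reach beyond a single instance. The policy shape (roles and resources as attribute lists, as I assume the IAM Policy Management API v1 returns them) is an assumption, and the sample policies are constructed.

```python
# Role -> IAM actions, copied from the IAM actions table on this page.
LAUNCH = ["sysdig-secure.launch.admin", "sysdig-secure.launch.user",
          "sysdig-secure.launch.viewer"]
ROLE_ACTIONS = {"Administrator": set(LAUNCH), "Manager": set(LAUNCH),
                "Writer": set(LAUNCH[1:]), "Reader": set(LAUNCH[2:])}

def policy(pid, role, **res):
    """Constructed policy in the shape assumed for IAM Policy Management
    API v1 (subjects omitted because the audit does not need them)."""
    kind = "role" if role == "Administrator" else "serviceRole"
    return {"id": pid, "type": "access",
            "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::{kind}:{role}"}],
            "resources": [{"attributes": [{"name": k, "value": v}
                                          for k, v in res.items()]}]}

# Constructed sample: one least-privilege grant and two broad ones.
SAMPLE = [
    policy("p-reader", "Reader", accountId="acct-EXAMPLE",
           serviceName="sysdig-secure", serviceInstance="inst-EXAMPLE"),
    policy("p-manager", "Manager", accountId="acct-EXAMPLE",
           serviceName="sysdig-secure", region="us-south"),
    policy("p-admin", "Administrator", accountId="acct-EXAMPLE"),
]

def scope(res):
    """Label the access level with the levels this page lists."""
    if "serviceInstance" in res:
        return "single instance"
    what = "this service" if "serviceName" in res else "all IAM-enabled services"
    if "resourceGroupId" in res:
        what += " in resource group"
    if "region" in res:
        what += " in region " + res["region"]
    return what

def audit(policies, service="sysdig-secure"):
    """Per access policy that reaches `service`: roles, launch actions, scope,
    and whether a Manager/Administrator grant is wider than one instance."""
    out = []
    for p in policies:
        res = {a["name"]: a["value"] for a in p["resources"][0]["attributes"]}
        if p.get("type") != "access" or res.get("serviceName", service) != service:
            continue  # not an access policy, or scoped to a different service
        roles = [r["role_id"].rsplit(":", 1)[1] for r in p["roles"]]
        actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
        s = scope(res)
        broad = s != "single instance" and bool({"Administrator", "Manager"} & set(roles))
        out.append({"policy": p["id"], "roles": roles, "scope": s,
                    "actions": sorted(actions), "review": broad})
    return out
```

A policy with no serviceName attribute applies to all IAM-enabled services, so the audit counts it as reaching Workload Protection.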
How do I know which access policies are set for me?
You can see which access policies are set for you in the IBM Cloud console.
- Go to Access IAM users.
- Click your name in the user table.
- Click the Access policies tab to see your access policies.
- Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.