Managing user access for Continuous Delivery in resource groups
Access to IBM Cloud® Continuous Delivery service instances in resource groups for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).
User access for toolchains is managed separately. For more information about managing user access to toolchains in resource groups, see Managing user access to toolchains in resource groups.
Every user that accesses Continuous Delivery services in your account must be assigned an IAM access policy. The policy determines which Continuous Delivery instances the user can access and what actions the user is allowed to take.
Policies enable access to be granted at different levels or scopes, including, but not limited to:
- Access across all Continuous Delivery instances in your account
- Access across all Continuous Delivery instances in a resource group within your account
- Access to a specific Continuous Delivery instance in your account
After you define the scope of the access policy, you assign a role. Review the following tables, which outline what actions each role allows within the Continuous Delivery service.
The following table details actions that are mapped to platform management roles. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assigning user access for the service, creating or deleting service IDs, creating instances, and binding instances to applications.
Platform Management Role | Description of Actions | Example Actions |
---|---|---|
Viewer, Operator | View instances of the Continuous Delivery service. | Click a Continuous Delivery service instance to open its dashboard. |
Editor, Administrator | Create, view, update, modify the plan for, and delete instances of the Continuous Delivery service. | Provision an instance of Continuous Delivery in a resource group.<br>Delete an instance of Continuous Delivery from a resource group.<br>Change a Continuous Delivery instance plan from Lite to Professional. |
Administrator | Update the Authorized Users list. | Add a user to the Authorized Users list.<br>Remove a user from the Authorized Users list.<br>Enable and disable Consolidated billing. |
The following table details actions that are mapped to service access roles. Service access roles give users access to Continuous Delivery and the ability to call the Continuous Delivery API.
Service Access Role | Description of Actions | Example Actions |
---|---|---|
Writer, Manager | Manage authorized users and usage reporting on the Manage tab of a Continuous Delivery service instance. | Add a user to the Authorized Users list.<br>Remove a user from the Authorized Users list.<br>Enable and disable Consolidated billing. |
For information about assigning user roles in the UI, see Managing IAM access.
For Continuous Delivery, the following actions exist:
Action | Operation on Service | Role |
---|---|---|
resource-controller.instance.create | Provision a Continuous Delivery service instance in a resource group. | Administrator, Editor |
resource-controller.instance.update | Update a Continuous Delivery service instance in a resource group. For example, rename the service instance. | Administrator, Editor |
resource-controller.instance.update_plan | Change the plan for the Continuous Delivery service instance in a resource group. | Administrator, Editor |
resource-controller.instance.delete | Delete a Continuous Delivery service instance from a resource group. | Administrator, Editor |
resource-controller.instance.retrieve | View a Continuous Delivery service instance in a resource group. | Administrator, Editor, Operator, Viewer |
continuous-delivery.consolidated-auth-users.list | View the consolidated authorized users list on the Manage tab within the Continuous Delivery service instance. | Administrator, Manager, Editor, Operator, Viewer |
continuous-delivery.instance.add-auth-users | Add entries to the Authorized Users list on the Manage tab within the Continuous Delivery service instance. | Administrator, Writer, Manager |
continuous-delivery.instance.remove-auth-users | Remove entries from the Authorized Users list on the Manage tab within the Continuous Delivery service instance. | Administrator, Writer, Manager |
continuous-delivery.instance.config-auth-users | Reserved for future use. | Administrator, Manager |
continuous-delivery.settings.read | View configuration settings, such as Consolidated billing, of a Continuous Delivery service instance. | Administrator, Manager, Editor, Operator, Viewer |
continuous-delivery.settings.update | Update configuration settings, such as Consolidated billing, of a Continuous Delivery service instance. | Administrator, Manager |
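The action table above can be used to check role assignments for least privilege. The following Python sketch is an added example, not IBM code: it transcribes the table, then ranks the role combinations that cover a set of required actions by how many extra actions they allow. The function names (`role_grants`, `granted_by`, `least_privilege`, `over_privileged`) are hypothetical, and the script works only on the table, without calling any IBM Cloud API.

```python
from itertools import combinations

RC, CD = "resource-controller.instance.", "continuous-delivery."
# Action -> roles, transcribed from the action table on this page.
ACTION_ROLES = {
    RC + "create": {"Administrator", "Editor"},
    RC + "update": {"Administrator", "Editor"},
    RC + "update_plan": {"Administrator", "Editor"},
    RC + "delete": {"Administrator", "Editor"},
    RC + "retrieve": {"Administrator", "Editor", "Operator", "Viewer"},
    CD + "consolidated-auth-users.list": {"Administrator", "Manager", "Editor", "Operator", "Viewer"},
    CD + "instance.add-auth-users": {"Administrator", "Writer", "Manager"},
    CD + "instance.remove-auth-users": {"Administrator", "Writer", "Manager"},
    CD + "instance.config-auth-users": {"Administrator", "Manager"},
    CD + "settings.read": {"Administrator", "Manager", "Editor", "Operator", "Viewer"},
    CD + "settings.update": {"Administrator", "Manager"},
}

def role_grants():
    """Invert the table: role -> set of actions that role allows."""
    grants = {}
    for action, roles in ACTION_ROLES.items():
        for role in roles:
            grants.setdefault(role, set()).add(action)
    return grants

def granted_by(roles):
    """Union of the actions allowed by a collection of roles."""
    grants = role_grants()
    return set().union(*(grants[r] for r in roles))

def least_privilege(required, max_roles=2):
    """List (roles, excess_actions) that cover `required`, smallest excess first."""
    required = set(required)
    unknown = required - set(ACTION_ROLES)
    if unknown:
        raise ValueError(f"actions not in the table: {sorted(unknown)}")
    candidates = []
    for n in range(1, max_roles + 1):
        for combo in combinations(sorted(role_grants()), n):
            granted = granted_by(combo)
            if required <= granted:
                candidates.append((combo, sorted(granted - required)))
    return sorted(candidates, key=lambda c: (len(c[1]), len(c[0]), c[0]))

def over_privileged(assigned_roles, required):
    """Actions an existing assignment allows beyond what the user needs."""
    return sorted(granted_by(assigned_roles) - set(required))

if __name__ == "__main__":
    need = {CD + "consolidated-auth-users.list", CD + "instance.add-auth-users"}
    for roles, excess in least_privilege(need)[:3]:
        print(roles, "excess actions:", len(excess))
```

According to the table, Writer can add and remove authorized users but is not listed for `continuous-delivery.consolidated-auth-users.list`, so a user who must also view the list needs a second role or Manager.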