Setting up authorization for validation in a target account
When onboarding software to a private catalog, you are required to validate the software and provide proof for any security and compliance claims by adding scans. You can choose to complete these steps in an account other than the account that contains your product, which is known as a target account. Before you can use a target account for validation, you must set up a service to service authorization. The authorization must grant the Schematics service in the target account access to the catalog management service in the account that contains your product.
You might want to use a target account to validate software for the following reasons:
- Prevent the account with the product from becoming cluttered with resources that are created and deleted as part of the onboarding process
- Allow users to complete onboarding when they might not have authorization to create resources in the account that contains the product
Before you begin
-
Verify that you're using a Pay-As-You-Go or Subscription account. See Viewing your account type for more details.
-
Verify that you have the administrator role on the catalog management service or have the catalog administrator set up authorization.
Setting up authorization
Set up an authorization in the account that contains your product. The authorization grants the Schematics service in another account access to your product.
In a service to service authorization, the source service is the service that needs access to the target service. The source service is the Schematics service in another account, which needs access to the catalog management service in the account that contains your product. The authorization allows Schematics to fetch the source URL from your product's version.
Getting the source account ID
- Log in to the IBM Cloud account where you want to validate your product.
- Go to Manage > Account > Account settings.
- Copy the 32 character account ID.
Save the account ID for the next steps in creating the authorization.
Creating the authorization
- Use the account switcher to go to the account that contains your product.
- Go to Manage > Access (IAM) > Authorizations > Create.
- Select Another account for the source account.
- Enter the 32 character account ID that you copied in Getting the source account ID.
- Select Schematics for the source service.
- Select Catalog management for the target service.
- Limit access to a specific catalog by selecting Resources based on selected attributes > Catalog. Then, choose your catalog from the Value menu. Move on to the next step if you want to grant access to all of your catalogs.
- Select Viewer for platform access.
- Click Authorize to finalize the authorization.
Now, the Schematics service in the target account has Viewer access to the catalog in the account that contains your product. This allows Schematics to fetch the source URL from your product's version. Next, you are ready to give your catalog permissions to create the Schematics workspace in the target account by Setting up a target account for validation. Then, you can add the target account to your catalog for validation and security and compliance center scans.