Granting users access to tag resources and service IDs
As the account owner, you might want to delegate some of the responsibility of tagging resources and service IDs. For users to attach tags to a resource or service ID, you must grant them the appropriate access. Use IBM Cloud® Identity and Access Management (IAM) access policies to grant users access to resources in a resource group.
Tags are visible account-wide and can be replicated across geographic regions. Since tags are not regulated information, avoid creating tags that use personal information, such as your name, address, phone number, email address, or other identifying or proprietary information.
Tagging permissions
Any user in an account can view tags. When a resource is tagged, all users that have read access to the resource can view the tag. To attach or detach a tag on a resource or service ID, certain access roles or permissions are needed
depending on the resource type and tag type. See the following table to understand what role is needed for each resource type.
| Resource Type | Role |
|---|---|
| IAM-enabled | To attach or detach user tags, editor or administrator on the resource To attach or detach access management tags, administrator on the resource To view the assigned policies on the resource that has an access management tag that is attached, viewer role |
| Bare metal on classic infrastructure | View hardware details and access to a specific set of services or all bare metal servers |
| Dedicated Hosts on classic infrastructure | View virtual dedicated host details and access to a specific set of services or all dedicated hosts |
| Virtual Server on classic infrastructure | View virtual server details and access to a specific set of services or all virtual servers |
| Cloud Object Storage S3 on classic infrastructure | Storage manage permission |
| File Storage on classic infrastructure | Storage manage permission |
| Evault backup on classic infrastructure | Storage manage permission |
| Content Delivery Network on classic infrastructure | Manage CDN account permission |
| Direct Link on classic infrastructure | Account member |
| Hardware Firewall | Manage Firewalls |
| FortiGate Security Appliance | Manage Firewalls |
| IBM Cloud Load Balancer | Manage Load Balancers |
| Gateway Appliance | Manage Network Gateways |
| Service IDs | To attach or detach user tags, editor or administrator on the IAM Identity service To attach or detach access management tags, administrator on the IAM Identity service |
Granting users access to tag IAM-enabled resources
Complete the following steps to assign the editor role for a user to tag IAM-enabled resources:
- From the IBM Cloud console, click Manage > Access (IAM), and select Access groups.
- Click Create.
- Enter a group name and description, and click Create.
- Add users to the access group by clicking Add users, selecting one or more users from the table, and clicking Add to group.
- Click Access > Assign access.
- Select All Identity and Access enabled services or a specific service.
- Select a specific location.
- Select Editor from the list of platform access roles, and click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
Granting users access to tag IAM-enabled resources by using the API
To assign the editor role for a user to tag IAM-enabled resources, call the IAM Policy Management API as shown in the following example request. Replace variables with your target service and resource name.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "Editor role for SERVICE_NAME's RESOURCE_NAME",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}'
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "$SERVICE_NAME"
},
{
"name": "resource",
"value": "$RESOURCE_NAME",
"operator": "stringEquals"
}
]
}
]
}'
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value(EXAMPLE_USER_ID)
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:iam::::role:Editor")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value(exampleAccountId)
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceType")
.value("service")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: exampleUserId,
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: exampleAccountId,
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceType',
value: 'service',
operator: 'stringEquals',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:iam::::role:Editor')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
name='serviceType', value='service')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Editor"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr(exampleAccountID),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceType"),
Value: core.StringPtr("service"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))
Granting users access to tag classic infrastructure resources
The taggable resources for classic infrastructure are Virtual Guest, Virtual Dedicated Host, Network Application Delivery Controller, Gateway Member, Subnet, VLAN, and VLAN Firewall (Dedicated). Complete the following steps to assign the Manager service access role for a user to tag classic infrastructure services:
- Click Manage > Access (IAM), and select Users.
- Click the user's name from the table.
- Click Classic infrastructure.
- From the Permissions tab, expand the Devices category.
- Select View Hardware Details and View Virtual Server Details. If you need to assign access to Cloud Object Storage S3, File Storage, or Evault Backup, assign the Storage manage permission. If you need to assign access to Content Delivery Network, assign the Manage CDN Account permission.
- Click Save.
- Click the Devices tab.
- Select All bare metal servers or All virtual servers, depending on the resource that you want the user to be able to tag.
Granting users access to tag service IDs
Complete the following steps to assign the administrator role on the IAM Identity Service for a user:
- Click Manage > Access (IAM), and select Users.
- Click the user's name from the table.
- Select the IAM Identity service and click Next.
- Select All resources and click Next.
- Select the Administrator role.
- Click Review > Add.
- Click Assign.
Granting users access to tag service IDs by using the API
To assign the administrator role on the IAM Identity Service for a user, call the IAM Policy Management API as shown in the following example request. Replace values with your target user's IAM ID and account ID.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "Administrator role for the IAM Identity Service so that user can tag service IDs",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}'
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "iam-identity"
}
]
}
]
}'
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value(EXAMPLE_USER_ID)
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:iam::::role:Administrator")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value(exampleAccountId)
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceType")
.value("iam-identity")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: exampleUserId,
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: exampleAccountId,
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceType',
value: 'iam-identity',
operator: 'stringEquals',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
name='serviceType', value='iam-identity')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr(exampleAccountID),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceType"),
Value: core.StringPtr("iam-identity"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))