Managing access to resources

To manage access for users or service IDs by using IAM policies, you must be the account owner or have the correct access assigned. To assign user's access to resources you must be an administrator on all services in the account, or the assigned administrator for the particular service or service instance. To assign access to a service ID, you must be administrator on the identity service or the specific service ID.

Assigning access to resources

You can assign access to resources by using two types of policies:

Access to resources in the account, including the option for just one type or all types
Access to resources within a resource group, including the option for just one resource or all

If you delete or edit an existing policy for a service ID currently being used, it might cause service interruption.

If you want to enable a user full administrator access to complete account management tasks, such as inviting and removing users, viewing billing and usage, managing service IDs, managing access groups, managing user access, and access to all IAM-enabled resources, you must assign a user the following access:

A policy for All Identity and Access enabled services with the Administrator and Manager roles.
A policy with Administrator role on All Account Management services.

You can also set access management tags to manage access. For more information, see Controlling access to resources by using tags.

Users with the Administrator role for account management services can change the access of other users for any account management service. They can also invite and remove users from the account, including other users with the administrator role.

Assigning access to resources in the console

To assign access to an individual resource in the account or access to all resources in the account, complete the following steps:

In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access.
Click the Actions icon > Assign access for the user or service ID that you want to assign access.
Select a group of services or a single service. Then, click Next.
Scope the access to the all resources in the account, or select specific resources based on attributes.
Click Next.
Select any combination of roles to assign, and click Review.
Click Add to add your policy configuration to your policy summary.
(Optional) Add users or service IDs to Access groups.
1. Select the access groups that you want the user or service ID to belong to.
2. Click Add
Click Assign.

If a user doesn't have a role on the resource group that contains the resources, they can see the resources, but can't access the resources by going to the Resource list page in the account to start working with them. Assign the Viewer role or higher on the resource group itself to ensure that a user can access the resource.

Assigning access within a resource group in the console

To assign access to all resources in a resource group or to just one service within a resource group, complete the following steps:

In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access.
Click on the user or service ID that you want to assign access, then click Access > Assign access.
Select a group of services or a sinlge service. Then, click Next.
Scope the access to Specific resources, then select the Resource group attribute. By selecting a resource group, you can select roles for access to manage the resource group as well.
Click Next.
Select the access roles to manage the resource group. Then, click Next.
Select any combination of roles to assign, and click Review.
Click Add to add your policy configuration to your policy summary.
Click Assign.

Assigning access to manage a resource group

You can assign access to view or manage a resource group without assigning service access.

As an administrator, you might want to create an access group with the Viewer role on all resource groups. This way, when you assign access to service resources you don’t have to create additional policies for viewing resource groups. The Viewer role on a resource group is required for a user to create a service instance in that resource group.

To assign access to a resource group without assigning service access, complete the following steps:

In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to assign access.
Click on the user or service ID that you want to assign access, then click Access > Assign access.
Select Resource group only.
Select Add a condition.
Select the Resource group attribute type and enter a resource group.
Click Next.
Select the access roles for viewing or managing the resource group. Then, click Review.
Click Add to add your policy configuration to your policy summary.
Click Assign.

You can repeat this type of policy as needed for each available resource group in the account to assign access to manage all resource groups in the account.

Assigning access to resources by using the CLI

Log in to IBM Cloud® CLI. If you have multiple accounts, you are prompted to select which account to use. If you do not specify a region with the -r flag, you must also select a region.
```
ibmcloud login
```
If your credentials are rejected, you might be using a federated ID. To log in with a federated ID, use the --sso flag. See Logging in with a federated ID for more details.

If it's your first time using the IBM Cloud CLI, check out the getting started tutorial.
Create an access policy and assign it to a user or a service ID by using the command ibmcloud iam user-policy-create.
- This example assigns access to an individual resource in the account with the Administrator role for all instances of sample-service service:
```
ibmcloud iam user-policy-create name@example.com --roles Administrator --service-name sample-service
```
- This example assigns access to All Account Management services with the Administrator role:
```
ibmcloud iam service-policy-create name@example.com --roles Administrator --account-management
```
- This example assigns access to All Identity and Access enabled services with the Administrator role:
```
ibmcloud iam service-policy-create name@example.com --roles Administrator --attributes serviceType=service
```
- This example assigns access to All IAM Account Management services with the Administrator role:
```
ibmcloud iam service-policy-create name@example.com --roles Administrator --attributes service_group_id=IAM
```

Assigning access within a resource group by using the CLI

Enter the ibmcloud user-policy-create command to assign access to all resources in a resource group or to just one service within a resource group. This example gives name@example.com Operator role for resource group with ID dda27e49d2a1efca58083a01dfde18f6:

ibmcloud iam user-policy-create name@example.com --roles Operator --resource-type resource-group --resource dda27e49d2a1efca58083a01dfde18f6

Enter the ibmcloud iam service-policy-create command to assign access to all resources in a resource group or to just one service within a resource group. This example gives service test Administrator role for resource group called sample-resource-group:

ibmcloud iam service-policy-create test --roles Administrator --resource-group-name sample-resource-group

Assigning access to manage a resource group by using the CLI

You can assign access to view or manage a resource group without assigning service access.

The following example creates a policy for Viewer of a specific resource group:

iam user-policy-create name@example.com --roles Viewer --resource-type resource-group --resource fec6c95e6a0a44c5bcca138bfe5a1f9e

The following example creates a policy for Viewer of all resource groups in the account.

iam user-policy-create name@example.com --roles Viewer --resource-type resource-group

The following example creates a policy for Viewer of all resources in a resource group

iam user-policy-create name@example.com --roles Viewer --resource-group-name satellite-test

Assigning access to resources by using the API

You can assign access to an individual resource in the account or access to a list of resources in the account by calling the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request. The sample request gives Administrator role access for an instance of a service:

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Administrator role for SERVICE_NAME's RESOURCE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
      .name("iam_id")
      .value("EXAMPLE_USER_ID")
      .build();

PolicySubject policySubjects = new PolicySubject.Builder()
      .addAttributes(subjectAttribute)
      .build();

PolicyRole policyRoles = new PolicyRole.Builder()
      .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
      .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
      .name("accountId")
      .value(exampleAccountId)
      .operator("stringEquals")
      .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
      .name("serviceName")
      .value("service")
      .operator("stringEquals")
      .build();

PolicyResource policyResources = new PolicyResource.Builder()
      .addAttributes(accountIdResourceAttribute)
      .addAttributes(serviceNameResourceAttribute)
      .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
      .type("access")
      .subjects(Arrays.asList(policySubjects))
      .roles(Arrays.asList(policyRoles))
      .resources(Arrays.asList(policyResources))
      .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: 'exampleUserId',
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'service',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
  name='serviceName', value='service')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_name_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceName"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute}
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

You can assign access to a group of services. To assign access to All Identity and Access enabled services, specify serviceType for the name attribute, and use the value service. To assign access to All Account Management services, specify serviceType for the name attribute, and use the value platform_service. To assign access to the subset of account management services All IAM Account Management services, specify service_group_id for the name attribute, and use the value IAM.

Assigning access within a resource group by using the API

This action can be done only through the UI or CLI. To see the steps, switch to the UI or CLI instructions.

Before you begin

Before you can assign access to resources by using Terraform, ensure that you've completed the following:

Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Assigning access to resources by using Terraform

To assign access to resources by using Terraform, use the following steps:

Assign access to resources by using the ibm_iam_user_policy resource argument in your main.tf file.

The following example gives test@in.ibm.com Viewer role for all instances of kms service by using ibm_iam_user_policy.
```
resource "ibm_iam_user_policy" "policy" {
 ibm_id = "test@in.ibm.com"
 roles  = ["Viewer"]

resources {
 service = "kms"
}
}
```
You can specify the name of the service for which you want to assign access to on the service option. For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
```
terraform init
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

Assigning access within a resource group by using Terraform

To assign access within a resource group by using Terraform, use the following steps.

Assign access within a resource group by using the ibm_iam_user_policy resource in your main.tf file.

The following example gives test@in.ibm.com Viewer role for resource group with ID data.ibm_resource_group.group.id by using ibm_iam_user_policy.
```
data "ibm_resource_group" "group" {
 name = "default"
}

resource "ibm_iam_user_policy" "policy" {
 ibm_id = "test@in.ibm.com"
 roles  = ["Viewer"]

resources {
 service           = "containers-kubernetes"
 resource_group_id = data.ibm_resource_group.group.id
}
}
```
You can specify the ID of the resource group that you want to assign access to on the resource_group_id option. For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
```
terraform init
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

Removing access in the console

Removing access for a user or service ID can take up to 10 minutes to take effect.

In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to manage.
Select the user's name or service ID that you want to remove access for.
Go to Access and click the Actions icon > Remove on the row for the policy you want to remove.
Review the policy details that you're about to remove, and confirm by clicking Remove.

You can also remove users and service IDs from access groups by selecting the checkbox for the user or service ID that you want to remove, and click Remove. Then, click Remove again to approve the process.

Removing access by using the CLI

To remove a user policy by using the CLI, you can use the ibmcloud iam user-policy-delete command.

ibmcloud iam user-policy-delete USER_ID POLICY_ID [-f, --force]

To remove a service ID policy by using the CLI, you can use the ibmcloud iam service-policy-delete command.

ibmcloud iam service-policy-delete SERVICE_ID POLICY_ID [-f, --force]

Removing access by using the API

Delete a policy by providing a policy ID and calling the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request:

curl -X DELETE 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json'

DeletePolicyOptions options = new DeletePolicyOptions.Builder()
      .policyId(examplePolicyId)
      .build();

service.deletePolicy(options).execute();

const params = {
  policyId: examplePolicyId,
};

iamPolicyManagementService.deletePolicy(params)
.then(res => {
  console.log(JSON.stringify(res, null, 2));
})
.catch(err => {
  console.warn(err)
});

response = iam_policy_management_service.delete_policy(
  policy_id=example_policy_id
).get_result()

print(json.dumps(response, indent=2))

options := iamPolicyManagementService.NewDeletePolicyOptions(
  examplePolicyID,
)

response, err := iamPolicyManagementService.DeletePolicy(options)
if err != nil {
  panic(err)
}

A policy cannot be deleted if the subject ID contains a locked service ID.

Reviewing assigned access in the console

If you need to review your assigned access in an account that you've been added to, complete the following steps:

In the IBM Cloud console, click Manage > Access (IAM), and select Users or Service IDs, depending on which identity you want to review.
Select your name or the service ID.
Review the assigned access in the Access tab.

If you need more access, you must contact the account owner to update your access or contact the administrator for the service or service instance to update the access policy.

Reviewing assigned access by using the CLI

If you need to review your assigned access in an account that you've been added to, you can use the ibmcloud iam user-policies command. This example lists policies of user name@example.com:

ibmcloud iam user-policies name@example.com

Reviewing assigned access by using the API

By using the API, you can only retrieve all policies in the account and filter by attribute values. You can check your assigned access in an account by going to Manage > Users > your_name > Access in the IBM Cloud console. To retrieve policies, call the IBM Cloud® Identity and Access Management (IAM) Policy Management API as shown in the following sample request:

curl -X GET 'https://iam.cloud.ibm.com/v1/policies?account_id=$ACCOUNT_ID' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json'

ListPoliciesOptions options = new ListPoliciesOptions.Builder()
    .accountId(exampleAccountId)
    .iamId(EXAMPLE_USER_ID)
    .build();

Response<PolicyList> response = service.listPolicies(options).execute();
PolicyList policyList = response.getResult();

System.out.println(policyList);

const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId
};

iamPolicyManagementService.listPolicies(params)
 .then(res => {
   console.log(JSON.stringify(res.result, null, 2));
 })
 .catch(err => {
   console.warn(err)
 });

policy_list = iam_policy_management_service.list_policies(
 account_id=example_account_id, iam_id=example_user_id
).get_result()

print(json.dumps(policy_list, indent=2))

options := iamPolicyManagementService.NewListPoliciesOptions(
 exampleAccountID,
)
options.SetIamID(exampleUserID)

policyList, response, err := iamPolicyManagementService.ListPolicies(options)
if err != nil {
 panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))