Assigning access to catalogs
As the account owner, you assign users specific catalog management access depending on what tasks they are performing. To streamline the process of assigning access, you can use access groups to organize a set of users into a single entity. That way, you can assign a single policy to the group one time, and then add or remove users from the group as needed.
For more details, see Managing access in IBM Cloud.
Setting up your access groups in the console
See the following sections for details about creating your access groups and assigning specific IAM policies to each one.
Administrator access in the console
Administrator access is required for setting account-level filters to the IBM Cloud catalog.
- Log in to your IBM Cloud account.
- Go to Manage > Access (IAM) > Access groups in the IBM Cloud console.
- Click Create.
- Enter
private-catalog-adminsas the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Administrator role.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Assign.
Editor access in the console
Editor access is required for creating private catalogs, setting filters at the private catalog level, adding your software to your private catalog, and updating, deprecating, and restoring your software.
- Go to Access groups, and click Create.
- Enter
private-catalog-editorsas the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Editor role.
- Click Add to add your policy configuration to your policy summary.
- Select Kubernetes Service from the list of services.
- Select your cluster, and then select the Administrator and Manager roles.
- Click Add.
- Select Schematics from the list of services.
- Select the Manager role.
- Click Review.
- Click Add > Assign.
Viewer access in the console
Viewer access is required for viewing private catalogs, the filtered IBM Cloud catalog, and the filter settings.
- Go to Access groups, and click Create.
- Enter
private-catalog-viewersas the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Viewer role.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
You also need to have viewer access on the resource group to which your private catalog is assigned. You can assign your private catalog to a resource group when you complete the steps for creating your private catalog. For more information, see Customizing the IBM Cloud catalog for all account users.
To assign viewer access to your private catalog's resource group, use the following steps:
- Go to Users and select the user.
- Select Access > Assign access.
- Select All Identity and Access enabled services from the list of services.
- Scope the access to Specific resources based on selected attributes, and select your private catalogs resource group.
- For Platform access, select the Viewer role.
- Click Add > Assign.
Add users to your access groups in the console
After you set up your access groups, complete the following steps to add users to the groups:
- Go to Users, and click Invite users.
- Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Select one of the three access groups you previously created, and click Add > Invite.
- Repeat the steps to add users to your other access groups.
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
Setting up your access groups by using the CLI
To assign access, run the ibmcloud iam user-policy-create command.
Administrator access by using the CLI
Run the following command to assign administrator access:
ibmcloud iam user-policy-create USER_NAME --roles Administrator --service-name globalcatalog-collection
Editor access by using the CLI
Run the following command to assign editor access:
ibmcloud iam user-policy-create USER_NAME --roles Editor --service-name globalcatalog-collection
Viewer access by using the CLI
Run the following command to set viewer access:
ibmcloud iam user-policy-create USER_NAME --roles Viewer --service-name globalcatalog-collection
Add users to your access groups by using the CLI
To add users to an access group by using the CLI, run the ibmcloud iam access-group-user-add command.
ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]
For example the following command adds user name@example.com to the example_group access group.
ibmcloud iam access-group-user-add example_group name@example.com
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
Setting up your access groups by using the API
To assign access, call the IAM Policy Management API as shown in the follwing example. Replace the role_id vaiable with the role you want to
assign: Viewer, Editor, or Administrator.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "Editor role for SERVICE_NAME RESOURCE_NAME",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "$SERVICE_NAME"
},
{
"name": "resource",
"value": "$RESOURCE_NAME",
"operator": "stringEquals"
}
]
}
]
}'
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value(EXAMPLE_USER_ID)
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:iam::::role:Viewer")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value(exampleAccountId)
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceType")
.value("service")
.operator("stringEquals")
.build();
ResourceTag policyResourceTag = new ResourceTag.Builder()
.name("project")
.value("prototype")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.addTags(policyResourceTag)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: exampleUserId,
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: exampleAccountId,
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceType',
value: 'service',
operator: 'stringEquals',
};
const policyResourceTag = {
name: 'project',
operator: 'stringEquals',
value: 'prototype',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
tags: [policyResourceTag],
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
name='serviceType', value='service')
policy_resource_tag = ResourceTag(
name='project', value='prototype')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute],
tags=[policy_resource_tag])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr(exampleAccountID),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceType"),
Value: core.StringPtr("service"),
Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
Name: core.StringPtr("project"),
Value: core.StringPtr("prototype"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute},
Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))
Setting up access expected response
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
Add users to your access groups by using the API
To add users to an access group by using the API, call the IAM Access Groups API as shown in the following example.
curl -X PUT -H "Authorization: {iam_token}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"members": [ {"iam_id": "IBMid-user1", "type": "user"}, {"iam_id": "iam-ServiceId-123", "type": "service"} ]}' "{base_url}/groups/{access_group_id}/members"
AddGroupMembersRequestMembersItem member1 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("IBMid-user1")
.type("user")
.build();
AddGroupMembersRequestMembersItem member2 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("iam-ServiceId-123")
.type("service")
.build();
AddMembersToAccessGroupOptions addMembersToAccessGroupOptions = new AddMembersToAccessGroupOptions.Builder()
.accessGroupId(testGroupId)
.addMembers(member1)
.addMembers(member2)
.build();
Response<AddGroupMembersResponse> response = service.addMembersToAccessGroup(addMembersToAccessGroupOptions).execute();
AddGroupMembersResponse addGroupMembersResponse = response.getResult();
System.out.println(addGroupMembersResponse);
const groupMember1 = {
iam_id: 'IBMid-user1',
type: 'user',
};
const groupMember2 = {
iam_id: 'iam-ServiceId-123',
type: 'service',
};
const params = {
accessGroupId: testGroupId,
members: [groupMember1, groupMember2],
};
iamAccessGroupsService.addMembersToAccessGroup(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
member1 = AddGroupMembersRequestMembersItem(
iam_id='IBMid-user1', type='user')
member2 = AddGroupMembersRequestMembersItem(
iam_id='iam-ServiceId-123', type='service')
members = [member1, member2]
add_group_members_response = iam_access_groups_service.add_members_to_access_group(
access_group_id=test_group_id,
members=members
).get_result()
print(json.dumps(add_group_members_response, indent=2))
groupMembers := []iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("IBMid-user1"),
Type: core.StringPtr("user"),
},
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("iam-ServiceId-123"),
Type: core.StringPtr("service"),
},
}
addMembersToAccessGroupOptions := iamAccessGroupsService.NewAddMembersToAccessGroupOptions(testGroupID)
addMembersToAccessGroupOptions.SetMembers(groupMembers)
addGroupMembersResponse, response, err := iamAccessGroupsService.AddMembersToAccessGroup(addMembersToAccessGroupOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(addGroupMembersResponse, "", " ")
fmt.Println(string(b))
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
Adding users expected response
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
Add users to your access groups by using Terraform
Before you can add users to your access groups by using Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named
main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
Use the following steps to add users to your access groups
-
In your Terraform configuration file, find the Terraform code that you used to create the access group and note the
access_group_idassigned to your access group. -
Add a member to the access group.
resource "ibm_iam_access_group_members" "accgroupmem" { access_group_id = ibm_iam_access_group.accgroup.id ibm_ids = ["test@in.ibm.com"] }For more information, see the argument reference details on the Terraform Identity and Access Management (IAM) page.
-
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
terraform init -
Provision the resources from the
main.tffile. For more information, see Provisioning Infrastructure with Terraform.-
Run
terraform planto generate a Terraform execution plan to preview the proposed actions.terraform plan -
Run
terraform applyto create the resources that are defined in the plan.terraform apply
-