IBM Cloud Docs

Setting an alternative account owner

As the owner of an account with classic infrastructure, you can set a trusted profile as the alternative account owner. The alternative account owner has the highest level of classic infrastructure permissions and more capabilities. An alternative account owner ensures that you always have a secure way to manage account ownership if the primary account owner leaves your organization or isn't available.

Only accounts with classic infrastructure can set an alternative account owner.

Granting alternative account owner access

Alternative account owner access grants the following assignments:

  • Administrator and manager roles on All Identity and Access enabled services
  • Administrator role on All Account Management services
  • A classic infrastructure flag that indicates the trusted profile is the alternative account owner

You can set only one trusted profile as the alternative account owner. A trusted profile with alternative account owner access can't be modified after creation. If you create an additional alternative account owner, an error occurs. For more information, see troubleshooting.

To set a trusted profile as the alternative account owner, complete the following steps.

  1. Go to Manage > Access (IAM) in the IBM Cloud console.
  2. Select Trusted profiles.
  3. Click Create.
  4. Set the Alternative account owner access toggle to Yes.
  5. Click Continue.
  6. Define which federated users can apply the trusted profile. For more information, see Establishing trust with federated users.
  7. Click Continue.
  8. Review the policies and permissions that the trusted profile is assigned.
  9. Click Create.

The trusted profile with alternative account owner access is indicated by alt owner in the trusted profiles table.

Users with the administrator, operator, or editor role on the IAM Identity service can grant or revoke access to the trusted profile at any time by updating the trust relationship.

Differentiating between the account owner and the alternative account owner

The alternative account owner doesn't replace the account owner, but they share some of the same privileges.

Every IBM Cloud account must have a valid account owner. Accounts without a valid account owner are subject to suspension and possible termination. For more information, see Transferring ownership of your account.

The following table shows the difference between the account owner and the alternative account owner:

Account owner and alternative account owner comparison.
Privileges Account owner Alternative account owner
Full access to all resources Checkmark icon Checkmark icon
Assign access to others Checkmark icon Checkmark icon
Update the account owner Checkmark icon
View all users Checkmark icon Checkmark icon
Set user visibility Checkmark icon Checkmark icon
Billing responsibility Checkmark icon
Owner notifications Checkmark icon
Default email Checkmark icon