Access management in IBM Cloud

Access management enables you to control which users see, create, use, and manage resources in your account. To grant access, you can assign roles that allow users levels of access for completing platform management tasks and accessing account resources.

The way that you manage access in IBM Cloud® depends on the type of resource that you want to assign access to. IBM Cloud Identity and Access Management (IAM) is the access management system that is used for consistently managing resources that are organized in a resource group across the IBM Cloud platform. Classic infrastructure resources are not managed by using Cloud IAM. These resource types have their own access management systems.

If you have a combination of resource types, you manage each type separately:

  • For IAM resources, go to Manage > Access (IAM) in the IBM Cloud console, and then select Users, Access groups, Trusted profiles, or Service IDs to get started.
  • For classic infrastructure resources, you set permissions within Manage > Access (IAM) on the Classic infrastructure tab for the user to whom you want to assign access. You can also assign classic infrastructure access by using Trusted profiles if your account is linked to a SoftLayer account.

While each type of access is managed separately, all access policies are made up of a subject you want to assign access to, a target for the policy to scope what the subject has access to, and then finally an IAM role or classic infrastructure permission to determine the level of access the subject has on the target.

[Figure 1. Access management policies by using IAM or classic infrastructure permissions]

For IAM policies, the subject can be an access group, user, service ID, or trusted profile. The target can be an account management service, a resource group, a service in the account, a specific service instance, or a resource type within a service. Platform and service roles are selected to set the level of access that the subject has on the target. For classic infrastructure, a user is selected, and then the access is scoped to a service or device with specific permissions assigned.
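The subject / target / role structure described above, and the way a policy's target scope widens or narrows what a subject can reach, is easier to see in a small model. The following is an added example, not code from IBM's documentation or from the IAM service: the policy documents mirror the subjects/roles/resources attribute-list shape of the IAM Policy Management API, but the account ID, identities, instance names and the matching logic are constructed assumptions for illustration and are not IBM's policy evaluator.

```python
"""Toy model of IBM Cloud IAM access policies: subject, target (resource), role.

Constructed example. The policy documents copy the attribute-list shape of the
IAM Policy Management API (subjects / roles / resources); all IDs below are
placeholders and the matching rules are a simplified illustration (assumption).
"""

ACCOUNT = "acct-000000000000"  # constructed placeholder account ID

# Role CRN prefixes: platform roles (Viewer/Editor/Administrator) and service roles.
PLATFORM_ROLE = "crn:v1:bluemix:public:iam::::role:"
SERVICE_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:"


def attrs(**kv):
    """Build an IAM-style attribute list: [{"name": ..., "value": ...}, ...]."""
    return [{"name": k, "value": v} for k, v in kv.items()]


def policy(subject, roles, resource):
    """One access policy: who (subject), what level (roles), on what (target)."""
    return {
        "type": "access",
        "subjects": [{"attributes": subject}],
        "roles": [{"role_id": r} for r in roles],
        "resources": [{"attributes": resource}],
    }


# Constructed policies, one per kind of target scope the page lists.
POLICIES = [
    # Access group -> Viewer/Reader on every Cloud Object Storage instance in one resource group.
    policy(attrs(access_group_id="AccessGroupId-devs"),
           [PLATFORM_ROLE + "Viewer", SERVICE_ROLE + "Reader"],
           attrs(accountId=ACCOUNT, serviceName="cloud-object-storage",
                 resourceGroupId="rg-dev")),
    # User -> Editor on one specific service instance only.
    policy(attrs(iam_id="IBMid-alice"),
           [PLATFORM_ROLE + "Editor"],
           attrs(accountId=ACCOUNT, serviceName="cloud-object-storage",
                 serviceInstance="cos-instance-1")),
    # Service ID -> Administrator on an account management service (account-wide).
    policy(attrs(iam_id="iam-ServiceId-ci"),
           [PLATFORM_ROLE + "Administrator"],
           attrs(accountId=ACCOUNT, serviceName="iam-identity")),
]


def _matches(policy_attrs, actual):
    """Every attribute the policy names must be present with the same value.

    Attributes the policy omits are unconstrained: a policy that names only
    accountId and serviceName therefore covers every instance of that service,
    which is exactly how an over-broad target widens access. Multi-valued
    attributes on the caller side (a user's access groups) match by membership.
    """
    for a in policy_attrs:
        have = actual.get(a["name"])
        if isinstance(have, (set, list, tuple)):
            if a["value"] not in have:
                return False
        elif have != a["value"]:
            return False
    return True


def granted_roles(subject, resource, policies=POLICIES):
    """Return the set of role names all matching policies grant on the resource.

    subject:  caller attributes, e.g. {"iam_id": "...", "access_group_id": {...}}
    resource: target attributes, e.g. {"accountId": ..., "serviceName": ..., ...}
    """
    roles = set()
    for p in policies:
        subject_ok = any(_matches(s["attributes"], subject) for s in p["subjects"])
        resource_ok = any(_matches(r["attributes"], resource) for r in p["resources"])
        if subject_ok and resource_ok:
            roles.update(r["role_id"].rsplit(":", 1)[1] for r in p["roles"])
    return roles


def has_role(subject, resource, role, policies=POLICIES):
    """Least-privilege check: does the subject hold this specific role on this target?"""
    return role in granted_roles(subject, resource, policies)


if __name__ == "__main__":
    alice = {"iam_id": "IBMid-alice", "access_group_id": {"AccessGroupId-devs"}}
    cos_dev = {"accountId": ACCOUNT, "serviceName": "cloud-object-storage",
               "resourceGroupId": "rg-dev", "serviceInstance": "cos-instance-1"}
    print(sorted(granted_roles(alice, cos_dev)))  # Editor, Reader, Viewer
```

Running the block shows that alice collects Viewer and Reader through her access group (scoped to the resource group) plus Editor through her own user policy (scoped to the single instance); the same user gets nothing on an instance in another resource group, and the CI service ID holds Administrator only on the account management service it was granted, not on storage.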