Restricting users from creating service IDs

By default, all members of an account can create service IDs. However, access can be restricted so that only members with the correct access can create service IDs by using the Service ID creation setting. For more information about Service IDs, see Creating and working with service IDs.

Enabling the restriction to create service IDs in the console

To enable the setting to restrict users from creating service IDs, you must have the following assigned access:

An IAM policy with the Administrator, Operator, or Editor role on the IAM Identity Service.

If you enable the Service ID creation setting, users in your account require specific access to create service IDs, including the account owner. To restrict who can create service IDs, use the following steps:

In the IBM Cloud console, go to Manage > Access (IAM), and select Settings.
In the Account section, enable the Service ID creation setting.
Click Yes to confirm.

Now that the setting is enabled to restrict users from creating service IDs, you can assign the required access to enable specific users to continue creating service IDs. Remember, the account owner is also required to be assigned this explicit access.

Enabling the restriction to create service IDs by using Terraform

If you enable the Service ID creation setting, users in your account require specific access to create service IDs, including the account owner.

To enable the setting to restrict users from creating service IDs, you must have the following assigned access:

An IAM policy with the Administrator, Operator, or Editor role on the IAM Identity Service.

Before you can set limits for login sessions by using Terraform, make sure that you have completed the following:

Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

To restrict who can create service IDs, use the following steps:

Create an argument in your main.tf file. The following example enables the restriction to create service IDs by using the ibm_iam_account_settings and iam_account_settings_instance resources.
Define whether or not creating a service ID restricted. Supported valid values are
- RESTRICTED - to apply access control
- NOT_RESTRICTED - to remove access control
- NOT_SET - to unset a previous set value.
```
resource "ibm_iam_account_settings" "iam_account_settings_instance" {
restrict_create_service_id  = "RESTRICTED"
}
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

For more information, see the Terraform documentation.

Assigning access to create service IDs with restrictions enabled in the console

If the Service ID creation setting is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs.

The quickest way to assign a group of users the required access for creating service IDs is to create an access group and assign the group the required role. For more information about assigning access policies, see Setting up access groups.