Updating trusted profiles

You can update the permissions or redefine trust relationships for trusted profiles at any time by using either the console or the IAM Identity Services API.

To update trusted profiles, you must be assigned the administrator, operator, or editor role within the account, or on the IAM Identity Service.

You can use Activity Tracker to monitor which federated users and compute resources apply a trusted profile. For more information, see Monitoring login sessions for trusted profiles.

Updating trusted profiles in the console

To update trusted profiles, go to Manage > Access (IAM) in the IBM Cloud console, and select Trusted profiles. Then, select the name of the trusted profile that you want to update.

Updating the description of your profile

Click the name of the trusted profile that you want to update, and select Actions > Edit. Enter the new name and description, and click Apply.

Redefining the trust relationship

After the trusted profile is created, you can build trust with both federated users and compute resources in the same trusted profile.

Click the name of the trusted profile that you want to update.
Click Add to add a condition to the existing trust relationship. To edit an existing condition, click the Actions icon > Edit next to the trust relationship you want to update.
- Click Add a condition and repeat as needed to add more conditions.
- To remove a condition, click the Remove icon next to the existing condition.
Click Save to apply all added or removed conditions to your trusted profile.

Assigning access

You can assign access to a trusted profile by assigning individual access policies, or by adding the trusted profiles to an existing access group.

Assigning access policies

Click the name of the trusted profile that you want to update.
Click Access.
To edit existing access policies, click the Actions icon > Edit next to the access policy you want to update.
To assign new access policies, click Assign.

You can select your resources based on resource attributes and assign any combination of roles.

Assigning access groups

Click the name of the trusted profile that you want to update.
Click Access
To edit existing access group membership, click the Actions icon > Edit next to the access group you want to update.
To add the trusted profile to a new access group, click Assign group.
Select the access groups to which you want to add the trusted profile and click Add. You can assign users to only the access groups that you have access to manage.
Click Assign.

Updating session duration

Click the name of the trusted profile that you want to update.
In the federated users section, click the Actions icon for the identity provider (IdP) that you want to update.
Select Edit
In hours, enter how long federated users can use this profile before their session expires.
Click Save.

Updating trusted profiles by using the CLI

You can update a trusted profile from your account by using the CLI. For more information, see the IBM Cloud CLI.

Log in, and select the account.
```
ibmcloud login
```
Check the list of trusted profiles for the current account and select the one that you want to update. The following command shows the list of trusted profiles for your IBM Cloud account:
```
ibmcloud iam trusted-profiles
```
If you'd like to check the details of a trusted profile, use the ibmcloud iam trusted-profile command. Specify the ID or the name of the trusted profile that you would like to check.
```
ibmcloud iam trusted-profile <IDorName>
```
Run the following command to get an overview about the different options.
```
ibmcloud iam trusted-profile-update
```
Update the trusted profile by running the following command. Specify the ID or the name of the trusted profile that you would like to update and rename.
```
ibmcloud iam trusted-profile-update <IDorName> -n <NewName> ...
```

For example, the following command updates the name Test trusted profile to New test trusted profile.

ibmcloud iam trusted-profile-update <Test trusted profile> -n <New test trusted profile> ...

Assigning access policies

You can assign new access policies to your trusted profile by using the CLI.

Log in, and select the account.
```
ibmcloud login
```
Check the list of trusted profiles for the current account and select the one that you want to assign new access policies to. The following command shows the list of trusted profiles for your IBM Cloud account:
```
ibmcloud iam trusted-profiles
```
Assign new access policies by running the following command:
```
ibmcloud iam trusted-profile-policy-create
```

To check the details of the access policy for a trusted profile, run the following command:

ibmcloud iam trusted-profile-policy

For checking the list of access policies for a trusted profile, you can use the ibmcloud iam trusted-profile-policies command:

ibmcloud iam trusted-profile-policies

You can easily update existing access policies by running the ibmcloud iam trusted-profile-policy-update command:

ibmcloud iam trusted-profile-policy-update

If you'd like to remove an access policy for a trusted profile, you can use the ibmcloud iam trusted-profile-policy-delete command:

ibmcloud iam trusted-profile-policy-delete

Updating trusted profiles by using the API

For more information, see the IAM Identity Services API.

Updating the name or description

To update the name or description of an existing trusted profile, call the following. Enter your updated name and description attributes.

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID' -H 'Authorization: Bearer TOKEN' -H 'If-Match: <value of etag header from GET request>' -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{
  "name": "My Profile updated",
  "description": "My updated desc"
}'

Updating the conditions of the trust relationship

After the trusted profile is created, you can build trust with both federated users and compute resources in the same trusted profile.

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID/rules/CLAIM_RULE_ID'
-H 'Authorization: Bearer TOKEN'
-H 'If-Match: <value of etag header from GET request>'
-H 'Content-Type: application/json'
-H 'Accept: application/json'
-d '{
   "type": "Profile-SAML",
   "realm_name": "https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20",
   "expiration": 10000,
   "conditions": [
  {
"claim": "groups",
"operator": "CONTAINS",
"value": "\"cloud-docs-ops\""
  }
  ]
}'

Assigning access policies

To assign new access policies, call the following:

curl -X PUT 'https://iam.cloud.ibm.com/v1/policies'
-H 'Authorization: Bearer $TOKEN'
-H 'Content-Type: application/json'
-H 'If-Match: $ETAG'
-d '{
"type": "access",
"description": "Viewer role for for all instances of SERVICE_NAME in the account.",
"subjects": [
   {
      "attributes": [
      {
         "name": "iam_id",
         "value": "IBMid-123453user"
      }
      ]
   }'
],
"roles":[
   {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
   }
],
"resources":[
   {
      "attributes": [
      {
         "name": "accountId",
         "value": "$ACCOUNT_ID"
      },
      {
         "name": "serviceName",
         "value": "$SERVICE_NAME"
      }
      ]
   }
]
}'

For more information, see the IAM Policy Management API.

Updating session duration

To update the session duration for federated users, call the following:

curl -X PUT 'https://iam.cloud.ibm.com/v1/profiles/PROFILE_ID/rules/CLAIM_RULE_ID'
-H 'Authorization: Bearer TOKEN'
-H 'If-Match: <value of etag header from GET request>'
-H 'Content-Type: application/json'
-H 'Accept: application/json'
-d '{
   "type": "Profile-SAML",
   "realm_name": "https://w3id.sso.ibm.com/auth/sps/samlidp2/saml20",
   "expiration": 10000,
   "conditions": [
  {
"claim": "groups",
"operator": "CONTAINS",
"value": "\"cloud-docs-ops\""
  }
  ]
}'