Managing access
API Connect V10 Reserved uses IBM Cloud Identity and Access Management (IAM) to securely authenticate users and control access to service instances on the IBM Cloud platform.
Identity and Access Management roles and actions
Access to Reserved instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).
Every user in your account who accesses a Reserved instance must be assigned an access policy with an IAM user role defined. The policy determines what actions a user can perform within the context of the associated Reserved instance. The allowable actions are customized and defined by the IBM Cloud service as operations that can be performed on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels. Options include the following access levels:
- Access across all Reserved instances in your account
- Access to an individual Reserved instance in your account
- Access to a Reserved instance contained in a specific resource group
After you define the scope of the access policy, you assign a role. The role determines the user's level of access. The following tables outline what actions each role allows within the API Connect V10 Reserved instance.
Table 1 details actions that are mapped to platform management roles, and which API Connect role corresponds to each platform role. Platform management roles enable users to perform tasks on service resources at the platform level; for example: assign user access for the service, create or delete instances, and bind instances to applications.
| IAM Platform role | Maps to API Connect role | Summary of allowed actions |
|---|---|---|
| Viewer | Viewer | View (but not edit) APIs, members, settings, and organizations. |
| Operator | Community Manager | View data and settings. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. |
| Editor | API Administrator | View data and settings. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. |
| Administrator | Administrator | View data and settings. Manage members, settings, and Provider organizations. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. Manage the service instance and plan. Manage users in the cloud account. |
Table 2 details actions that are mapped to service access roles, and which API Connect role corresponds to each service role. Service access roles enable users to access API Connect as well as call the API Connect API.
| IAM Service role | Maps to API Connect role | Summary of allowed actions |
|---|---|---|
| Reader | Viewer | View (but not edit) APIs, members, settings, and organizations. |
| Writer | Developer | View data and settings. Edit Products and APIs. Manage apps, subscriptions, and analytics. |
| Manager | API Administrator | View data and settings. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. |
| API Administrator | API Administrator | View data and settings. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. |
| Community Manager | Community Manager | View data and settings. Edit Products and APIs. Manage Consumer organizations, apps, subscriptions, and analytics. |
| API Developer | Developer | Create and edit Products and APIs. Stage and publish Products. |
For more information about assigning user roles in the IAM service, see Giving access to resources in resource groups.
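As an added access-review example (not IBM's code or part of API Connect), the following Python classifies a list of IAM access policies into the three scope levels described above, maps their IAM roles to API Connect roles using Table 1 and Table 2, and flags Administrator or API Administrator grants that are wider than a single Reserved instance. The policy-document shape, the `role_id` CRN forms and the `<service-name>` placeholder are assumptions; the sample policies are constructed.

```python
# Role-to-API-Connect mapping taken from Table 1 and Table 2 above.
PLATFORM_ROLES = {"Viewer": "Viewer", "Operator": "Community Manager",
                  "Editor": "API Administrator", "Administrator": "Administrator"}
SERVICE_ROLES = {"Reader": "Viewer", "Writer": "Developer", "Manager": "API Administrator",
                 "API Administrator": "API Administrator",
                 "Community Manager": "Community Manager", "API Developer": "Developer"}
# API Connect roles that can change members or the instance itself: review these grants.
PRIVILEGED = {"Administrator", "API Administrator"}

def policy_scope(policy):
    """Classify one access policy into the three scope levels described above."""
    attrs = {a["name"]: a["value"] for r in policy["resources"] for a in r["attributes"]}
    if "serviceInstance" in attrs:          # one specific Reserved instance
        return "instance", attrs["serviceInstance"]
    if "resourceGroupId" in attrs:          # every instance in one resource group
        return "resource-group", attrs["resourceGroupId"]
    return "account", attrs.get("serviceName", "*")  # all instances in the account

def apic_roles(policy):
    """Map the IAM role ids in a policy to API Connect roles via the two tables."""
    mapped = []
    for role in policy["roles"]:
        # Assumed CRN forms: ...:role:Editor (platform) / ...:serviceRole:Writer (service)
        prefix, _, name = role["role_id"].rpartition(":")
        table = PLATFORM_ROLES if prefix.endswith(":role") else SERVICE_ROLES
        mapped.append(table.get(name, f"unknown({name})"))
    return mapped

def review(policies):
    """Return (subject, scope, target, roles) for privileged grants wider than one instance."""
    findings = []
    for p in policies:
        subject = p["subjects"][0]["attributes"][0]["value"]
        scope, target = policy_scope(p)
        risky = PRIVILEGED & set(apic_roles(p))
        if risky and scope != "instance":
            findings.append((subject, scope, target, sorted(risky)))
    return findings

# Constructed sample policies in the assumed IAM policy-document shape; not real account data.
SAMPLE_POLICIES = [
    {"type": "access", "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-USER-A"}]}],
     "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
     "resources": [{"attributes": [{"name": "accountId", "value": "acct-1"},
                                   {"name": "serviceName", "value": "<service-name>"}]}]},
    {"type": "access", "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-USER-B"}]}],
     "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
     "resources": [{"attributes": [{"name": "accountId", "value": "acct-1"},
                                   {"name": "serviceName", "value": "<service-name>"},
                                   {"name": "serviceInstance", "value": "inst-42"}]}]},
]
```

Running `review(SAMPLE_POLICIES)` reports only USER-A, whose account-wide Administrator grant reaches every Reserved instance, while USER-B's Manager grant is scoped to one instance and is not flagged.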