IBM Cloud Docs
Managing access for App ID

With IBM Cloud® App ID and IBM Cloud Identity and Access Management (IAM), account owners can manage user access in their account.

As an account owner, you can set policies within your account to create different levels of access for different users. For example, certain users can have read-only access to one instance but write access to another. You can decide who is allowed to create, update, and delete instances of App ID.

For more information about IAM, see IAM Access.

User roles

The scope of an access policy is based on a user's assigned role.

Policies enable access to be granted at different levels. Some options include:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account
  • Access to a specific resource within an instance
  • Access to all IAM-enabled services in your account

Platform roles

Platform management roles enable users to perform tasks on service resources at the platform level. For example, roles can be assigned to determine who can create or delete IDs, create instances, and bind instances to apps. The following table details the actions as they correlate to platform management roles.

Table 1. Platform roles, permissions, and the example actions that each role can take
Platform role | Permissions | Example actions
Viewer | View App ID instances. | You can see that instances of the service exist, but not the information that is contained within them.
Editor | View and bind App ID instances. | You can bind applications to an instance of App ID.
Operator | Create, delete, edit, suspend, resume, view, or bind App ID instances. | You can create or delete an App ID instance.
Administrator | All management actions for all services in the account. | You can perform all Operator actions and assign policies to other users.

Service access roles

The following table details actions that are mapped to service access roles. Service access roles enable users to access App ID and to call the App ID API.

Table 2. Service roles and the actions that the role can take
Service role | Example actions
Reader
  • View the post-authentication redirect URLs that are configured in your instance.
  • View the identity provider configuration or view the configuration for a single identity provider.
  • View the overview page of your app.
  • View the current configuration of the Login Widget including the logo, color, and language.
  • View the current configuration of your tokens.
  • View the action URLs that are configured for Cloud Directory.
  • View a single action URL that is configured for Cloud Directory.
  • View advanced password policy configurations.
  • View a Cloud Directory password policy in regex form.
  • View the current email template configuration.
  • View Cloud Directory email sender details.
  • View user information from your app configuration.
  • View your Cloud Directory users and their data.
  • View a user profile.
  • Search all your user profiles and get a count of any anonymous users.
  • View all the apps that are registered with your instance of App ID.
  • View a specific app that is registered with App ID.
  • View the email provider configuration.
  • View a JSON object that contains the auditing status of the tenant.
  • View all the MFA channels.
  • View an MFA channel.
  • View the current MFA configuration.
  • View the Cloud Directory SSO configuration.
  • View a Cloud Directory user and their information.
  • View your rate limit configuration.
  • View the roles that are associated with a scope.
  • View the roles that are assigned to a specific user.
  • View a registered extension's configuration.
Writer
  • All Reader actions.
  • Add or update post-authentication redirection URLs.
  • Configure your identity provider options.
  • Configure your Login Widget appearance which includes the logo, color, and language.
  • Configure your tokens.
  • Delete an action URL that is configured for Cloud Directory.
  • Configure advanced password policies.
  • Update a Cloud Directory password policy in regex form.
  • Get the metadata that is used to link your SAML provider.
  • Start the sign-up process for a new Cloud Directory user.
  • View the result of a new user sign-up.
  • Start the forgot password email flow for a Cloud Directory user.
  • Check whether the forgot password email was successfully sent.
  • Resend an email to a Cloud Directory user.
  • Start the change password email flow for a Cloud Directory user.
  • Update your email template configuration.
  • Delete an email template configuration.
  • Set Cloud Directory email sender details configuration.
  • Update a user profile with the information from your application.
  • Create a new Cloud Directory user.
  • Update a Cloud Directory user's information.
  • Delete a user from Cloud Directory.
  • Update a user profile.
  • Create a future user.
  • Revoke a user's refresh token.
  • Register a new app with App ID.
  • Update an app that is registered with App ID.
  • Delete an app that is registered with App ID.
  • Configure or update your own email provider.
  • Test your email provider configuration.
  • Update your auditing status.
  • Update an MFA channel.
  • Update your MFA configuration.
  • Update your Cloud Directory SSO configuration.
  • Initiate SSO logout for Cloud Directory.
  • Test your MFA configuration for SMS.
  • Remove Cloud Directory users and their profiles.
  • Update your rate limit configuration.
  • Add a scope to an application.
  • Get the scopes that are associated with an application.
  • Delete a scope that is associated with an application.
  • Add a role.
  • Update the roles in your instance of App ID.
  • Delete a role.
  • Update the roles that are assigned to a specific user.
  • Update the status of a registered extension for an instance of App ID to enabled or disabled.
  • Update a registered extension's configuration.
  • Test a registered extension's configuration.
Manager
  • All Writer actions.
  • Export your Cloud Directory users and their data from your App ID instance.
  • Import your Cloud Directory users into a new instance of App ID.
  • Export all the user profiles in an instance of App ID.
  • Import all the user profiles that you exported into a new instance of App ID.
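The following is an added illustration, not IBM's code, of how the four policy scopes listed under User roles narrow a service access role from Table 2 when a policy is evaluated against a target resource. The resource attribute names (accountId, serviceName, serviceInstance, resource), the service name "appid", and the account and instance ids are assumptions or constructed sample values.

```python
"""Added illustration (not IBM's code): App ID service roles from Table 2
combined with the four policy scopes from the User roles section.
Attribute names follow the IAM policy document format as I understand it;
treat them, and the service name "appid", as assumptions."""
from dataclasses import dataclass

ACCOUNT = "a1b2c3-example-account"       # constructed sample account id
APPID_INSTANCE_A = "instance-guid-aaaa"  # constructed sample instance GUID
APPID_INSTANCE_B = "instance-guid-bbbb"  # constructed sample instance GUID

# Service access roles from Table 2: each role includes the one before it.
SERVICE_ROLE_RANK = {"Reader": 1, "Writer": 2, "Manager": 3}
# A few Table 2 actions and the lowest role that may perform each of them.
MIN_ROLE_FOR = {
    "view_users": "Reader",     # "View your Cloud Directory users and their data"
    "create_user": "Writer",    # "Create a new Cloud Directory user"
    "delete_user": "Writer",    # "Delete a user from Cloud Directory"
    "export_users": "Manager",  # "Export your Cloud Directory users and their data"
}

@dataclass(frozen=True)
class Policy:
    role: str
    scope: dict  # resource attributes; fewer attributes means a wider scope

# The four scope options from the User roles section, widest to narrowest.
def scope_all_services() -> dict:            # all IAM-enabled services
    return {"accountId": ACCOUNT}
def scope_all_appid() -> dict:               # every App ID instance
    return {"accountId": ACCOUNT, "serviceName": "appid"}
def scope_instance(guid: str) -> dict:       # one App ID instance
    return {**scope_all_appid(), "serviceInstance": guid}
def scope_resource(guid: str, res: str) -> dict:  # one resource in an instance
    return {**scope_instance(guid), "resource": res}

def policy_covers(p: Policy, target: dict) -> bool:
    """A policy applies only if every attribute it names matches the target."""
    return all(target.get(k) == v for k, v in p.scope.items())

def allowed(policies, action: str, target: dict) -> bool:
    """True if some applicable policy carries a role high enough for action."""
    need = SERVICE_ROLE_RANK[MIN_ROLE_FOR[action]]
    return any(policy_covers(p, target) and SERVICE_ROLE_RANK[p.role] >= need
               for p in policies)

if __name__ == "__main__":
    grants = [Policy("Reader", scope_instance(APPID_INSTANCE_A)),
              Policy("Writer", scope_instance(APPID_INSTANCE_B))]
    users_a = scope_resource(APPID_INSTANCE_A, "users")
    print("create_user on A:", allowed(grants, "create_user", users_a))  # False
```

Because a policy is matched on every attribute it names, a Reader policy scoped to one instance never reaches a second instance, which is the least-privilege split the page describes.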

For more information about assigning user roles in the UI, see Managing access to resources.