Managing access with IAM

IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud. Access to IBM Cloud Activity Tracker Event Routing service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).

The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by Activity Tracker Event Routing as operations that are allowed to be performed on the service. An action is mapped to an IAM platform or service role that you can assign to a user.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted. However, only the highest-level permission that you have for the target service (in this example, viewer) is assigned.

IBM Cloud platform roles

The following tables detail actions that are mapped to platform roles.

Platform roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.

Review the following tables that outline what types of tasks each role allows for when you're configuring Activity Tracker Event Routing in your account.

Use the following table to identify the Account management platform role for Activity Tracker Event Routing that you can grant a user in IBM Cloud to run the listed platform actions:

IAM platform roles for Activity Tracker Event Routing
Descriptions of the actions in the service that are permitted for the listed platform management role.

| Platform role | Description of actions |
|---|---|
| Viewer | As a viewer, you can view Activity Tracker Event Routing configuration resources such as routes and targets. |
| Operator | As an operator, you can view Activity Tracker Event Routing configuration resources such as routes and targets. |
| Editor | As an editor, you can view, create, update, and delete Activity Tracker Event Routing resources such as routes and targets. |
| Administrator | As an administrator, you can view, create, update, and delete Activity Tracker Event Routing resources. You can also assign access policies to manage Activity Tracker Event Routing resources to other users in the account. |

IAM actions by task

Review the available platform roles and the actions that are mapped to each role to help you assign access.

For Activity Tracker Event Routing, the IAM actions and Activity Tracker actions are the same.

IAM platform roles for Activity Tracker Event Routing access actions

| Action | IAM and Activity Tracker action | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|---|
| Grant other account members access to configure Activity Tracker Event Routing | iam-am.policy.create | ✓ | - | - | - |
| Revoke member access to configure Activity Tracker Event Routing | iam-am.policy.delete | ✓ | - | - | - |
| Modify member access to configure Activity Tracker Event Routing | iam-am.policy.update | ✓ | - | - | - |

IAM platform roles for Activity Tracker Event Routing target actions

| Action | IAM and Activity Tracker action | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|---|
| View a target | atracker.target.read | ✓ | ✓ | ✓ | ✓ |
| List all targets | atracker.target.list | ✓ | ✓ | ✓ | ✓ |
| Create a target | atracker.target.create | ✓ | ✓ | - | - |
| Update a target | atracker.target.update | ✓ | ✓ | - | - |
| Delete a target | atracker.target.delete | ✓ | ✓ | - | - |

IAM platform roles for Activity Tracker Event Routing route actions

| Action | IAM and Activity Tracker action | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|---|
| View a route | atracker.route.read | ✓ | ✓ | ✓ | ✓ |
| List all routes | atracker.route.list | ✓ | ✓ | ✓ | ✓ |
| Create a route | atracker.route.create | ✓ | ✓ | - | - |
| Update a route | atracker.route.update | ✓ | ✓ | - | - |
| Delete a route | atracker.route.delete | ✓ | ✓ | - | - |

IAM platform roles for Activity Tracker Event Routing configuration actions

| Action | IAM and Activity Tracker action | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|---|
| View configuration settings | atracker.setting.get | ✓ | ✓ | ✓ | ✓ |
| Update configuration settings | atracker.setting.update | ✓ | - | - | - |
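
The role-to-action tables above, together with the grant cap described at the start of this page, can be turned into a least-privilege review. The following is an added example, not IBM code: the function names are hypothetical, the user names and observed actions are constructed sample data, and `effective_grant` is a simplified model of the cap built only from this page's tables.

```python
# Role/action matrix transcribed from the tables on this page.
READ = {"atracker.target.read", "atracker.target.list",
        "atracker.route.read", "atracker.route.list", "atracker.setting.get"}
WRITE = {f"atracker.{res}.{op}" for res in ("target", "route")
         for op in ("create", "update", "delete")}
ADMIN = {"atracker.setting.update", "iam-am.policy.create",
         "iam-am.policy.update", "iam-am.policy.delete"}

# Listed from least to most privileged, judged by the action sets above.
ROLE_ACTIONS = {
    "Viewer": READ,
    "Operator": READ,
    "Editor": READ | WRITE,
    "Administrator": READ | WRITE | ADMIN,
}

def least_privileged_role(actions):
    """Return the first role in ROLE_ACTIONS whose action set covers `actions`."""
    needed = set(actions)
    unknown = needed - ROLE_ACTIONS["Administrator"]
    if unknown:
        raise ValueError(f"actions not in this page's tables: {sorted(unknown)}")
    for role, allowed in ROLE_ACTIONS.items():
        if needed <= allowed:
            return role

def effective_grant(grantor_role, requested_role):
    """Model of the cap: a grant never carries more actions than the grantor holds."""
    if ROLE_ACTIONS[requested_role] <= ROLE_ACTIONS[grantor_role]:
        return requested_role
    return grantor_role

def over_privileged(assignments, observed):
    """Map user -> (assigned role, sufficient role) where the assignment is excessive."""
    findings = {}
    for user, role in assignments.items():
        minimal = least_privileged_role(observed.get(user, ()))
        if ROLE_ACTIONS[minimal] < ROLE_ACTIONS[role]:  # strict subset of actions
            findings[user] = (role, minimal)
    return findings

# Constructed sample data: assigned roles and actions seen in audit events.
ASSIGNED = {"alice": "Administrator", "bob": "Editor", "carol": "Viewer"}
OBSERVED = {
    "alice": ["atracker.route.create", "atracker.target.list"],
    "bob": ["atracker.target.update", "atracker.route.read"],
    "carol": ["atracker.route.list"],
}

if __name__ == "__main__":
    print(over_privileged(ASSIGNED, OBSERVED))
    print(effective_grant("Viewer", "Administrator"))
```

Viewer and Operator carry identical action sets in these tables, so the check treats them as equivalent and never flags one against the other.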

Assigning access to IBM Cloud Activity Tracker Event Routing

For details on assigning access, see Assigning access to IBM Cloud Activity Tracker Event Routing.

How do I know which access policies are set for me?

You can see which access policies are set for you in the IBM Cloud UI console.

  1. Go to Access (IAM) > Users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.
  4. Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.