Get Started with IAM

Access to IBM Cloud® Backup and Recovery service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).

Identity and Access Management roles

Every user that accesses the IBM Cloud Backup and Recovery service in your account must be assigned an access policy with an IAM user role defined. That policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels. Some of the options include the following:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account
  • Access to all IAM-enabled services in your account

After you define the scope of the access policy, you assign a role. Review the following tables, which outline the actions each role allows within the IBM Cloud Backup and Recovery service.

The following table details actions that are mapped to platform management roles. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assigning user access for the service, creating or deleting service IDs, creating instances, and binding instances to applications.

IAM user roles and actions

| Platform management role | Description of actions | Example actions |
|---|---|---|
| Viewer | View service instances but not modify them | List available BRS service instances; View BRS service plan details; View usage details |
| Editor | Perform all platform actions except for managing the accounts and assigning access policies | Create and delete BRS service instances |
| Operator | Not used by Backup and Recovery | None |
| Administrator | Perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users, as well as setting PublicAccess policy on buckets. | Update user policies; Update pricing plans |

The following table details actions that are mapped to service access roles. Service access roles give users access to IBM Cloud Backup and Recovery as well as the ability to call the IBM Cloud Backup and Recovery API.

IAM service access roles and actions

| Service access role | Description of actions | Example actions |
|---|---|---|
| Reader | Readers can view the sources, protection groups, and recoveries. | View Protection Groups, View Protection Policies, View Protection Sources |
| Writer | In addition to Reader actions, Writers can modify protection groups and policies, add sources, and perform restores. | Modify Protection Groups, Modify Protection Policies, Modify Protection Sources |
| Manager | In addition to Writer actions, Managers can complete privileged actions, including modifying data lock, deleting snapshots, etc. | Delete Resources, Modify Data Lock |

For information about assigning user roles in the UI, see Managing IAM access.
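
The scope levels and roles above lend themselves to a least-privilege review. The following added example (not IBM's code) flags policies that grant Manager or Administrator on Backup and Recovery at wider than single-instance scope. Assumptions: the policy documents follow the subjects/roles/resources attribute shape of the IAM Policy Management API, the service name `backup-recovery` is taken from the action ID prefix on this page, and every ID in the sample is a constructed placeholder.

```python
SERVICE = "backup-recovery"  # assumption: service name inferred from the action-ID prefix
PRIVILEGED = {"Manager", "Administrator"}  # data lock, deletion, assigning access

def attrs(items):
    """Flatten [{'attributes': [{'name': .., 'value': ..}]}] into one dict."""
    return {a["name"]: a["value"] for i in items for a in i.get("attributes", [])}

def scope_of(resource_attrs):
    """Classify a policy into the three scope levels listed on the page."""
    if "serviceName" not in resource_attrs:
        return "all-iam-services"
    if "serviceInstance" in resource_attrs:
        return "single-instance"
    return "all-instances"

def audit(policies):
    """Return (iam_id, scope, roles) for privileged roles that reach
    Backup and Recovery at broader than single-instance scope."""
    findings = []
    for p in policies:
        res = attrs(p["resources"])
        if res.get("serviceName", SERVICE) != SERVICE:
            continue  # policy targets a different service
        roles = {r["role_id"].rsplit(":", 1)[-1] for r in p["roles"]}
        scope = scope_of(res)
        risky = sorted(roles & PRIVILEGED)
        if risky and scope != "single-instance":
            findings.append((attrs(p["subjects"]).get("iam_id"), scope, risky))
    return findings

def policy(iam_id, role_crn, **resource):
    """Build one constructed policy document for the sample below."""
    return {"type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
            "roles": [{"role_id": role_crn}],
            "resources": [{"attributes": [{"name": k, "value": v} for k, v in resource.items()]}]}

ROLE = "crn:v1:bluemix:public:iam::::{}:{}".format
SAMPLE = [  # constructed input; account, instance and user IDs are placeholders
    policy("IBMid-EXAMPLE1", ROLE("serviceRole", "Reader"), accountId="ACCT", serviceName=SERVICE),
    policy("IBMid-EXAMPLE2", ROLE("serviceRole", "Manager"), accountId="ACCT",
           serviceName=SERVICE, serviceInstance="INSTANCE-GUID"),
    policy("IBMid-EXAMPLE3", ROLE("serviceRole", "Manager"), accountId="ACCT", serviceName=SERVICE),
    policy("IBMid-EXAMPLE4", ROLE("role", "Administrator"), accountId="ACCT"),
    policy("IBMid-EXAMPLE5", ROLE("serviceRole", "Manager"), accountId="ACCT", serviceName="other-service"),
]

if __name__ == "__main__":
    for who, scope, roles in audit(SAMPLE):
        print(f"{who}: {', '.join(roles)} at scope {scope}")
```

Manager scoped to one instance (EXAMPLE2) passes; the same role across all instances, or Administrator across all IAM-enabled services, is reported for review.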

Identity and Access Management actions

Granular IAM action descriptions

| Action id | Description |
|---|---|
| backup-recovery.dashboard.view | View Protection, Sources. |
| backup-recovery.dashboard.edit | Edit Protection, Sources, Recoveries |
| backup-recovery.dashboard.manage | Manage Datalock, Deletion |