Managing IAM access
Access to IBM® Storage Ceph® as a Service instances for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the IBM CephaaS service must be assigned an access policy with an IAM role. Review the following roles, actions, and more to help determine the best way to assign access to IBM CephaaS.
The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by the IBM CephaaS as operations that are allowed to be performed on the service. Each action is mapped to an IAM platform or service role that you can assign to a user.
IAM access policies enable access to be granted at different levels. Some of the options include the following:
- Access across all deployment of the service in your account
- Access to an individual service instance in your account
After defining the scope of the access policy, assign a role.
Review the following tables that outline what types of tasks each role allows when you're working with the IBM CephaaS service. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access to the service and create deployments. Service access roles enable users access to IBM CephaaS and the ability to call the IBM CephaaS API. For information about the exact actions that are mapped to each role, see table Identity and access management actions mapped to roles.
| Platform role | Description of actions |
|---|---|
| Viewer | As a viewer, you can view deployments, but you can't modify them. In addition, you can also inspect, the s3 certificate and view quota. |
| Operator | As an operator, you can perform platform actions that are required to configure and operate deployments. In addition, you can also inspect, upload, update and delete the s3 certificate, and update quota. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. In addition, you can also inspect, upload, update and delete the s3 certificate, and update quota. |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. In addition, you can also inspect, upload, update and delete the s3 certificate, and update quota. |
| Service role | Description of actions |
|---|---|
| Manager | As a manager, you have permissions beyond the editor role to complete privileged actions as defined by the service. You can create, update, delete and view service level resources such as volumes, hosts, and S3 credentials. |
Identity and access management actions mapped to roles
| Action ID | Roles | Descriptions |
|---|---|---|
resource-controller.instance.retrieve |
Administrator, Editor, Operator, Viewer | View and list deployments but cannot modify the instance properties. |
resource-controller.instance.create |
Administrator, Editor | Create a deployment from IBM CephaaS Deployments page. |
resource-controller.instance.update |
Administrator, Editor, Operator | Update an IBM CephaaS deployment. Allowed to modify IBM CephaaS deployment parameters such as name, quota settings, and S3 Certificate for object. |
software-defined-storage.certificate.update |
Administrator, Editor, Operator | Update certificate |
software-defined-storage.certificate.inspect |
Administrator, Editor, Operator, Viewer | Inspect certificate |
software-defined-storage.certificate.delete |
Administrator, Editor, operator | Delete certificates |
software-defined-storage.certificate.create |
Administrator, Editor, operator | Create certificate |
software-defined-storage.s3-credential.create |
Manager | Create S3 credentials |
software-defined-storage.s3-credential.get |
Manager | Get S3 credentials |
software-defined-storage.s3-credential.delete |
Manager | Delete S3 credentials |
software-defined-storage.volume.create |
Manager | Create a volume |
software-defined-storage.volume.read |
Manager | Read volumes |
software-defined-storage.volume.update |
Manager | Update volumes |
software-defined-storage.volume.delete |
Manager | Delete volumes |
software-defined-storage.host.create |
Manager | Create hosts |
software-defined-storage.host.read |
Manager | Read hosts |
software-defined-storage.host.update |
Manager | Update hosts |
software-defined-storage.host.delete |
Manager | Delete hosts |
software-defined-storage.host.unmap |
Manager | Unmap hosts |
software-defined-storage.host.map |
Manager | Map hosts |
Assigning access to IBM CephaaS in the console
There are two common ways to assign access in the console:
- Access policies per user. You can manage access policies per user from the Manage > Access (IAM) > Users page in the console. For information about the steps to assign IAM access, see Managing access to resources in the console.
- Access groups. Access groups are used to streamline access management by assigning access to a group once, then you can add or remove users as needed from the group to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the console. For more information, see Assigning access to a group in the console.
Assigning access to IBM CephaaS in the CLI
For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the CLI.
The following example shows a command for assigning the <Manager> role for <IBM CephaaS Storage>:
Use <programmatic_service_name> for the service name. Also, use quotations around role names that are more than one word like the example here.
ibmcloud iam user-policy-create USER@EXAMPLE.COM --service-name software-defined-storage --roles "Manager"
Assigning access to IBM CephaaS by using the API
For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the API or the Create a policy API doc. Role cloud resource names (CRN) in the following table are used to assign access with the API.
| Role name | Role CRN |
|---|---|
| Viewer | crn:v1:bluemix:public:software-defined-storage::::serviceRole:Viewer |
| Operator | crn:v1:bluemix:public:software-defined-storage::::serviceRole:Operator |
| Editor | crn:v1:bluemix:public:software-defined-storage::::serviceRole:Editor |
| Administrator | crn:v1:bluemix:public:software-defined-storage::::serviceRole:Administrator |
| Manager | crn:v1:bluemix:public:software-defined-storage::::serviceRole:Manager |
The following example is for assigning the <Manager> role for <IBM CephaaS Storage>:
Use <programmatic_service_name> for the service name, and refer to the Role ID values table to ensure that you're using the correct value for the CRN.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H "Authorization: Bearer $IAM_TOKEN" -H 'IBM-API-Version: 2025-02-01' -H 'accept: application/json' -d '{
"type": "access",
"description": "Manager role for IBM Storage Ceph as a Service",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:software-defined-storage::::serviceRole:Manager"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "software-defined-storage"
}
]
}
]
}
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: core.StringPtr("IBMid-123453user"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:software-defined-storage::::serviceRole:Manager"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr("ACCOUNT_ID"),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceName"),
Value: core.StringPtr("software-defined-storage"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute}
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))
Assigning access to IBM CephaaS by using Terraform
The following example is for assigning the <Manager> role for <software-defined-storage>:
Use software-defined-storage for the service name.
resource "ibm_iam_user_policy" "policy" {
ibm_id = "test@example.com"
roles = ["Manager"]
resources {
service = "software-defined-storage"
}
}
For more information, see ibm_iam_user_policy.