Managing accounts and users (ibmcloud account)
Use the following commands from the IBM Cloud® Command Line Interface to manage accounts and users in an account.
ibmcloud account orgs
List all organizations:
ibmcloud account orgs [-r REGION_NAME] [--guid] [-c ACCOUNT_ID] [-u ACCOUNT_OWNER]
Command options
- -r REGION_NAME
- Region name. List the organizations in the region specified. Default to current region if not specified. If set to 'all', list the organizations in all regions.
- --guid
- Display the guid of the organizations. This option is exclusive with --output.
- -c ACCOUNT_ID
- Account ID. List the organizations under the account. Default to current account if not specified. If set to 'all', list organizations under all accounts. This option is exclusive with -u.
- -u ACCOUNT_OWNER
- Account owner name. List the organizations under the accounts that are owned by the user. Default to current account if not specified. If set to 'all', list organizations under all accounts. This option is exclusive with -c.
Examples
List all the organizations in region us-south with the GUID displayed:
ibmcloud account orgs -r us-south --guid
List all the organizations in JSON format:
ibmcloud account orgs --output JSON
ibmcloud account org
Show the information of the specified organization:
ibmcloud account org ORG_NAME [-r REGION] [--guid]
Command options
- ORG_NAME (required)
- The name of the organization.
- -r REGION
- Region name. If not specified, the default is current region. If set to 'all', orgs with the given name in all regions are listed.
- --guid
- Retrieve and display the org's guid. All other output for the org is suppressed. This option is exclusive with --output.
Examples
Show the information of organization IBM with the GUID displayed:
ibmcloud account org IBM --guid
ibmcloud account org-create
Create an organization. This operation can be run only by the account owner.
ibmcloud account org-create ORG_NAME [-r, --region REGION]
Command options
- ORG_NAME (required)
- The name of the organization to be created.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Create an organization named IBM:
ibmcloud account org-create IBM
ibmcloud account org-replicate
Replicate an org from the current region to another region:
ibmcloud account org-replicate ORG_NAME REGION_NAME [-r, --region SOURCE_REGION]
Command options
- ORG_NAME (required)
- The name of the existing org that is to be replicated.
- REGION_NAME (required)
- The name of the region that hosts the replicated org.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Replicate the org myorg to the region eu-gb:
ibmcloud account org-replicate myorg eu-gb
ibmcloud account org-rename
Rename an organization. This operation can be done only by an org manager.
ibmcloud account org-rename OLD_ORG_NAME NEW_ORG_NAME [-r, --region REGION]
Command options
- OLD_ORG_NAME (required)
- The old name of the org that is to be renamed.
- NEW_ORG_NAME (required)
- The new name of the org that is to be renamed.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
ibmcloud account spaces
List all account spaces:
ibmcloud account spaces [-o ORG_NAME] [-r REGION-NAME]
Command options
- -o ORG_NAME (optional)
- Organization name. List the spaces under the organization specified. Default to current organization if not specified.
- -r REGION-NAME (optional)
- Region name. List the spaces under the region specified. Default to current region if not specified.
Examples
List all spaces:
ibmcloud account spaces
List all spaces of org org_example in JSON format:
ibmcloud account spaces -o org_example --output JSON
ibmcloud account space
Show the information of a specific space:
ibmcloud account space SPACE_NAME [-o ORG_NAME] [--guid] [--security-group-rules]
Command options
- SPACE_NAME (required)
- Name of space to be shown.
- -o ORG_NAME
- Organization name. Default to current organization if not specified.
- --guid
- Retrieve and display the space's guid. All other output for the space is suppressed. This option is exclusive with --output.
- --security-group-rules
- Retrieve the rules for all the security groups associated with the space.
Examples
Show the information of space space_example:
ibmcloud account space space_example
Show the GUID of space space_example:
ibmcloud account space space_example --guid
Show the information of space space_example in JSON format:
ibmcloud account space space_example --output JSON
Show the security group rules of space space_example:
ibmcloud account space space_example --security-group-rules
ibmcloud account org-users
Display users in the specified organization by role:
ibmcloud account org-users ORG_NAME [-r, --region REGION] [-a, --all]
Command options
- ORG_NAME (required)
- The name of the organization.
- -a, --all (optional)
- List all the users in the specified organization, not grouped by role.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
ibmcloud account org-user-add
Add a user into org (org manager required):
ibmcloud account org-user-add USER_NAME ORG [-r, --region REGION]
Command options
- USER_NAME (required)
- The name of the user.
- ORG (required)
- The name of the organization.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
ibmcloud account org-user-remove
Remove a user from org (org manager or user only):
ibmcloud account org-user-remove USER_NAME ORG [-f, --force]
Command options
- --force, -f
- Force deletion without confirmation.
ibmcloud account org-roles
Get all organization roles of the current user:
ibmcloud account org-roles [-r, --region REGION] [-u USER_ID]
Command options
- -u
- User ID. If not specified, default to current user.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
ibmcloud account org-role-set
Assign an organization role to a user. This operation must be run by an organization manager.
ibmcloud account org-role-set USER_NAME ORG_NAME ORG_ROLE [-r, --region REGION]
Command options
- USER_NAME (required)
- The name of the user to be assigned.
- ORG_NAME (required)
- The name of the organization this user is assigned to.
- ORG_ROLE (required)
- The name of the organization role this user is assigned to. For example:
OrgManager: This role can invite and manage users, select and change plans, and set spending limits.
BillingManager: This role can create and manage the billing account and payment information.
OrgAuditor: This role has read-only access to org information and reports.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Assign user Mary to the organization IBM as OrgManager role:
ibmcloud account org-role-set Mary IBM OrgManager
You can set org and space roles by using the CLI, but if you want to set the other permissions, you must use the UI. For more information, see Managing access to resources.
ibmcloud account org-role-unset
Remove an organization role from a user. This operation can be run by an organization manager.
ibmcloud account org-role-unset USER_NAME ORG_NAME ORG_ROLE [-r, --region REGION]
Command options
- USER_NAME (required)
- The name of the user to be removed.
- ORG_NAME (required)
- The name of the organization this user is removed from.
- ORG_ROLE (required)
- The name of the organization role this user is removed from. For example:
OrgManager: This role can invite and manage users, select and change plans, and set spending limits.
BillingManager: This role can create and manage the billing account and payment information.
OrgAuditor: This role has read-only access to org information and reports.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Remove user Mary from the organization IBM as OrgManager role:
ibmcloud account org-role-unset Mary IBM OrgManager
ibmcloud account space-users
Display users in the specified space by role:
ibmcloud account space-users ORG_NAME SPACE_NAME [-r, --region REGION]
Command options
- ORG_NAME (required)
- The name of the organization.
- SPACE_NAME (required)
- The name of the space.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
ibmcloud account space-roles
Get all space roles of current user under specific org:
ibmcloud account space-roles ORG [-r, --region REGION]
Command options
- ORG (required)
- The name of the organization.
- -r (optional)
- Region name. Default to current region if not specified.
ibmcloud account space-role-set
Assign a space role to a user. This operation can be run only by a space manager.
ibmcloud account space-role-set USER_NAME ORG_NAME SPACE_NAME SPACE_ROLE [-r, --region REGION]
Command options
- USER_NAME (required)
- The name of the user to be assigned.
- ORG_NAME (required)
- The name of the organization this user is assigned to.
- SPACE_NAME (required)
- The name of the space this user is assigned to.
- SPACE_ROLE (required)
- The name of the space role this user is assigned to. For example:
SpaceManager: This role can invite and manage users, and enable features.
SpaceDeveloper: This role can create and manage apps and services, and see logs and reports.
SpaceAuditor: This role can view logs, reports, and settings for the space.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Assign user Mary to the organization IBM and space Cloud as SpaceManager role:
ibmcloud account space-role-set Mary IBM Cloud SpaceManager
ibmcloud account space-role-unset
Remove a space role from a user. This operation can be run only by a space manager.
ibmcloud account space-role-unset USER_NAME ORG_NAME SPACE_NAME SPACE_ROLE [-r, --region REGION]
Command options
- USER_NAME (required)
- The name of the user to be removed.
- ORG_NAME (required)
- The name of the organization this user is removed from.
- SPACE_NAME (required)
- The name of the space this user is removed from.
- SPACE_ROLE (required)
- The name of the space role this user is removed from. For example:
SpaceManager: This role can invite and manage users, and enable features.
SpaceDeveloper: This role can create and manage apps and services, and see logs and reports.
SpaceAuditor: This role can view logs, reports, and settings for the space.
- -r, --region REGION (optional)
- Region name. Default to current region if not specified.
Examples
Remove user Mary from the organization IBM and space Cloud as SpaceManager role:
ibmcloud account space-role-unset Mary IBM Cloud SpaceManager
ibmcloud account list
List all accounts of the current user:
ibmcloud account list
ibmcloud account org-account
Display the account of the specified organization (org user required).
ibmcloud account org-account ORG_NAME [-r, --region REGION] [--guid]
Command options
- -r (optional)
- Region name. Default to current region if not specified.
- --guid (optional)
- Display account ID only
ibmcloud account show
Show account details:
ibmcloud account show
Examples
Show details of currently targeted account:
ibmcloud account show
ibmcloud account update
Update a specific account:
ibmcloud account update (--service-endpoint-enable true | false)
Command options
- --service-endpoint-enable true | false
- Enable or disable service endpoints connectivity for a SoftLayer account.
Examples
Enable service endpoint connectivity for current account:
ibmcloud account update --service-endpoint-enable true
Classic infrastructure account audit-logs
List SoftLayer account audit logs:
account audit-logs [-u, --user-name USER_NAME] [-t, --object-type OBJECT_TYPE] [-o, --object OBJECT] [-a, --action ACTION] [-s, --start-date START_DATE] [-e, --end-date END_DATE]
Command options
- -a, --action ACTION
- Action. List audit logs with the action.
- -e, --end-date END_DATE
- End date. List audit logs before the end date. Supported formats are yyyy-MM-ddTHH:mm:ss.
- -o, --object OBJECT
- Object. List audit logs with the object.
- -t, --object-type OBJECT_TYPE
- Object type. List audit logs with the object type.
- -s, --start-date START_DATE
- Start date. List audit logs after the start date. Supported formats are yyyy-MM-ddTHH:mm:ss.
- -u, --user-name USER_NAME
- User name. List audit logs with the user name.
Examples
List audit logs:
ibmcloud account audit-logs
ibmcloud account audit-logs
List account audit logs:
ibmcloud account audit-logs [--user-name USER_NAME] [--object-type OBJECT_TYPE] [--object OBJECT] [--action ACTION] [--start-date START_DATE] [--end-date END_DATE]
Command options
- --user-name USER_NAME (optional)
- List audit logs with the user name.
- --object-type OBJECT_TYPE (optional)
- List audit logs with the object type.
- --object OBJECT (optional)
- List audit logs with the object.
- --action ACTION (optional)
- List audit logs with the action.
- --start-date START_DATE (optional)
- List audit logs after the start date. Supported formats are yyyy-MM-ddTHH:mm:ss.
- --end-date END_DATE (optional)
- List audit logs before the end date. Supported formats are yyyy-MM-ddTHH:mm:ss.
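The --start-date and --end-date options above accept only yyyy-MM-ddTHH:mm:ss, so a review script should reject a malformed or inverted window before it queries anything. The following is an added example, not IBM's code: the function names valid_ts, sq and audit_logs_cmd and the sample values are assumptions, and it only builds the command string from flags documented on this page.

```sh
#!/bin/sh
# Added example: builds the command string only; nothing is executed.

# Quote one argument so the printed command is safe to paste into a shell.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# valid_ts TS: succeed only for yyyy-MM-ddTHH:mm:ss with in-range fields.
# Field ranges are checked; per-month day counts are not.
valid_ts() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    case "$1" in
        ????-00-*|????-1[3-9]-*) return 1 ;;        # month must be 01..12
        ????-??-00T*|????-??-3[2-9]T*) return 1 ;;  # day must be 01..31
        *T2[4-9]:*) return 1 ;;                     # hour must be 00..23
    esac
    return 0
}

# audit_logs_cmd START END [USER_NAME] [ACTION]
# Prints an `ibmcloud account audit-logs` command for the window, or fails.
audit_logs_cmd() {
    start=$1 end=$2 user=${3-} action=${4-}
    valid_ts "$start" || { echo "bad start date: $start" >&2; return 2; }
    valid_ts "$end"   || { echo "bad end date: $end" >&2; return 2; }
    # Fixed-width timestamps: dropping separators gives comparable integers.
    s=$(printf '%s' "$start" | tr -d 'T:-')
    e=$(printf '%s' "$end" | tr -d 'T:-')
    [ "$s" -lt "$e" ] || { echo "start date must precede end date" >&2; return 2; }
    cmd="ibmcloud account audit-logs --start-date $start --end-date $end"
    [ -n "$user" ] && cmd="$cmd --user-name $(sq "$user")"
    [ -n "$action" ] && cmd="$cmd --action $(sq "$action")"
    printf '%s\n' "$cmd"
}

# Constructed sample values: a one-week review window for one user.
audit_logs_cmd 2024-03-01T00:00:00 2024-03-08T00:00:00 mary@example.com
```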
ibmcloud account users
Displays users that are associated with the account. To view the required permissions to run this command, see Retrieve users in the account.
ibmcloud account users [-c, --account-id ACCOUNT_ID]
Command options
- -c (optional)
- Account ID. If not specified, default to current account.
ibmcloud account user-remove
Remove a user from an account (account owner only).
ibmcloud account user-remove USER_ID [-c ACCOUNT_ID] [-f, --force]
Command options
- USER_ID (required)
- User ID
- -c ACCOUNT_ID
- Account ID. If not specified, default to current account.
- -f, --force
- Force removal without confirmation.
ibmcloud account user-invite
Invite a user to the account:
ibmcloud account user-invite USER_EMAIL [-o ORG [--org-role ORG_ROLE] [-s SPACE, --space-role SPACE_ROLE]] [-r, --region REGION]
Command options
- USER_EMAIL (required)
- The email of the user to be invited.
- -o, --org ORG (deprecated)
- Organization to invite user to.
- --org-role ORG_ROLE (deprecated)
- Organization role. Valid inputs are: OrgManager, BillingManager, OrgAuditor, and OrgUser. If omitted, the OrgUser role is set.
- -s, --space SPACE (deprecated)
- Space to invite user to.
- --space-role SPACE_ROLE (deprecated)
- Space role. Valid inputs are: SpaceManager, SpaceDeveloper, and SpaceAuditor.
- -r, --region REGION (deprecated)
- Region name. Defaults to current region if not specified.
If you aren't ready to assign access, or want to assign an IAM policy, you can invite a user and assign it later. For more information about assigning access to users, see Managing access to resources.
ibmcloud account user-reinvite
Resend invitation to a user (account admin):
ibmcloud account user-reinvite USER_EMAIL
Command options
- USER_EMAIL (required)
- The email of the user to be invited again.
ibmcloud account user-preference
Show user preference details:
ibmcloud account user-preference
ibmcloud account user-preference-update
Update user preferences:
ibmcloud account user-preference-update (--position NEW_POSITION)
Command options
- --position NEW_POSITION (optional)
- Set a user's position, such as manager or student.
ibmcloud account user-status
Show user's status:
ibmcloud account user-status [USER_ID] [--output FORMAT] [-q, --quiet]
Command options
- USER_ID
- User ID. If not specified, default to current user.
- --output FORMAT
- Specify output format. Only 'JSON' is supported.
- -q, --quiet
- Suppress verbose output.
ibmcloud account user-status-update
Update user's status:
ibmcloud account user-status-update USER_ID NEW_STATUS [--output FORMAT] [-q, --quiet]
Command options
- USER_ID (required)
- User ID.
- NEW_STATUS (required)
- Set a user's status, such as SUSPENDED or ACTIVE. For more information, see User account status for a list of possible statuses. This option can also take in values in lowercase such as suspended or active.
- --output FORMAT
- Specify output format. Only 'JSON' is supported.
- -q, --quiet
- Suppress verbose output.
Examples
Suspend user user@ibm.com:
ibmcloud account user-status-update user@ibm.com SUSPENDED
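For offboarding, user-status-update can be combined with the org-role-unset and space-role-unset commands described earlier. The following dry run is an added example, not IBM's code: it turns a reviewed role inventory into a revocation plan and refuses any role name not listed on this page. The inventory format and the names sq and offboard_plan are constructed for the example, and it assumes the same identifier is accepted as USER_NAME and USER_ID.

```sh
#!/bin/sh
# Added example: prints a revocation plan (dry run); nothing is executed.
# Inventory lines on stdin (format constructed for this example, not CLI output):
#   org   ORG_NAME ORG_ROLE
#   space ORG_NAME SPACE_NAME SPACE_ROLE
# Names are assumed to contain no whitespace.

# Quote one argument so the printed commands are safe to paste into a shell.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# offboard_plan USER < inventory
offboard_plan() {
    user=$1
    [ -n "$user" ] || { echo "usage: offboard_plan USER < inventory" >&2; return 2; }
    u=$(sq "$user")
    # Suspend first so access stops before the slower role cleanup.
    plan="ibmcloud account user-status-update $u SUSPENDED"
    while read -r kind org a b; do
        case "$kind" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$kind:$b:$a" in
            org::OrgManager|org::BillingManager|org::OrgAuditor)
                line="ibmcloud account org-role-unset $u $(sq "$org") $a" ;;
            space:SpaceManager:?*|space:SpaceDeveloper:?*|space:SpaceAuditor:?*)
                line="ibmcloud account space-role-unset $u $(sq "$org") $(sq "$a") $b" ;;
            *)  # unknown role, missing field or extra field: stop, emit nothing
                echo "rejected inventory line: $kind $org $a $b" >&2
                return 3 ;;
        esac
        plan="$plan
$line"
    done
    printf '%s\n' "$plan"
}

# Constructed sample inventory for one departing user.
offboard_plan mary@example.com <<'EOF'
# roles confirmed during access review
space IBM Cloud SpaceManager
org IBM OrgManager
EOF
```

Review the printed plan, then run the lines as an operator who holds the org manager and space manager roles that the unset commands require.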
ibmcloud account platform-notification-subscribe
Subscribe platform notification:
ibmcloud account platform-notification-subscribe (--type TYPE)
Command options
- --type TYPE (optional)
- Notification type, one of unplanned_events, planned_maintenance.
ibmcloud account platform-notification-unsubscribe
Unsubscribe platform notification:
ibmcloud account platform-notification-unsubscribe (--type TYPE)
Command options
- --type TYPE (optional)
- Notification type, one of unplanned_events, planned_maintenance.
ibmcloud account domain-cert
List the certificate information of a domain:
ibmcloud account domain-cert DOMAIN_NAME
Command options
- DOMAIN_NAME (required)
- The domain that hosts the certificate.
Examples
View the certificate information of the domain ibmcxo-eventconnect.com:
ibmcloud account domain-cert ibmcxo-eventconnect.com
ibmcloud account domain-cert-add
Add a certificate to the specified domain in the current org:
ibmcloud account domain-cert-add DOMAIN -k PRIVATE_KEY_FILE -c CERT_FILE [-p PASSWORD] [-i INTERMEDIATE_CERT_FILE] [-t TRUST_STORE_FILE]
Command options
- DOMAIN (required)
- The domain that the certificate is added to.
- -k PRIVATE_KEY_FILE (required)
- The private key file path.
- -c CERT_FILE (required)
- The certificate file path.
- -p PASSWORD (optional)
- The password for the certificate.
- -i INTERMEDIATE_CERT_FILE (optional)
- The intermediate certificate file path.
- -t TRUST_STORE_FILE (optional)
- The truststore file.
Examples
Add a certificate to the domain ibmcxo-eventconnect.com:
ibmcloud account domain-cert-add ibmcxo-eventconnect.com -k key_file.key -c cert_file.crt -p 123 -i inter_cert.cert
ibmcloud account domain-cert-remove
Remove a certificate from the specified domain in current org:
ibmcloud account domain-cert-remove DOMAIN [-f]
Command options
- DOMAIN (required)
- Domain to remove the certificate from.
- -f (optional)
- Force deletion without confirmation.