Managing user access
Access to IBM Cloud® Code Engine service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that accesses the Code Engine service in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels.
Roles define the actions that a user or service ID can run. There are different types of roles in the IBM Cloud:
- Platform management roles enable users to perform tasks on Code Engine resources at the platform level, for example, assign user access for Code Engine, create or delete service IDs, create projects, and assign policies for Code Engine to other users.
- Service access roles enable users to be assigned varying levels of permission for calling the Code Engine API.
Code Engine uses both platform management roles and service access roles. You can set policies about who can create a project at the platform level, and then use the service roles to manage interaction with the project itself.
Want to learn more about IAM key concepts? See "What is IBM Cloud Identity and Access Management?".
How do I know which access policies are set for me?
You can see which access policies are set for you in the IBM Cloud® Identity and Access Management (IAM) console. Be sure to check access policies that apply for your user, and any access policies that are assigned to any access groups that include your user.
To view IAM information about your user access:
- Go to Access IAM users.
- Click your name in the user table.
- Click the Access policies tab to see your access policies.
To view IAM information about access groups for your user:
- Go to Access IAM groups.
- Click the name of an access group to view information about the group.
- Click the Access tab to see your access policies assigned to the group.
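The same review can be scripted: the sketch below combines a user's direct policies with the policies of every access group that contains the user, and reports the platform and service roles that reach Code Engine. It is an added example, not IBM's code; the policy records are constructed and simplified from the IAM v1 policy shape, the IDs and the `effective_roles` helper are hypothetical, and resource-group and instance scoping are ignored.

```python
# Constructed sample data, simplified from the IAM v1 policy shape (assumption).
GROUP_MEMBERS = {"AccessGroupId-dev": {"IBMid-alice", "IBMid-bob"}}
ROLE = "crn:v1:bluemix:public:iam::::"

def _policy(subject_attr, subject, role_crn, service=None):
    """Build one constructed access policy record."""
    res = [{"name": "accountId", "value": "acct-example"}]
    if service:
        res.append({"name": "serviceName", "value": service})
    return {"type": "access",
            "subjects": [{"attributes": [{"name": subject_attr, "value": subject}]}],
            "roles": [{"role_id": role_crn}],
            "resources": [{"attributes": res}]}

POLICIES = [
    _policy("iam_id", "IBMid-alice", ROLE + "role:Viewer", "codeengine"),
    _policy("access_group_id", "AccessGroupId-dev", ROLE + "serviceRole:Writer", "codeengine"),
    _policy("iam_id", "IBMid-bob", ROLE + "role:Administrator"),  # no serviceName
    _policy("iam_id", "IBMid-bob", ROLE + "serviceRole:Reader", "cloud-object-storage"),
]

def _attrs(entries):
    """Flatten [{'attributes': [{name, value}, ...]}, ...] into one dict."""
    return {a["name"]: a["value"] for e in entries for a in e["attributes"]}

def effective_roles(iam_id, policies=POLICIES, groups=GROUP_MEMBERS, service="codeengine"):
    """Return {'platform': {...}, 'service': {...}} role names that reach `service`."""
    out = {"platform": set(), "service": set()}
    for p in policies:
        subj, res = _attrs(p["subjects"]), _attrs(p["resources"])
        direct = subj.get("iam_id") == iam_id
        via_group = iam_id in groups.get(subj.get("access_group_id"), set())
        # Simplifying assumption: a policy without serviceName covers all services.
        if not (direct or via_group) or res.get("serviceName", service) != service:
            continue
        for r in p["roles"]:
            kind, name = r["role_id"].rsplit(":", 2)[-2:]
            out["service" if kind == "serviceRole" else "platform"].add(name)
    return out

if __name__ == "__main__":
    for user in ("IBMid-alice", "IBMid-bob"):
        print(user, effective_roles(user))
```

Here the constructed user `IBMid-bob` holds no Code Engine policy of his own, yet ends up with the Administrator platform role through an all-services policy and the Writer service role through the access group, which is why both tabs need to be checked.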
Managing access by using access groups
To manage access or assign new access for users by using access groups, you must be the account owner, administrator, or editor on all Identity and Access enabled services in the account, or the assigned Administrator or Editor for the IAM Access Groups Service.
Choose any of the following actions to manage access groups in the IBM Cloud:
For more information about IAM commands, see the IAM CLI reference docs.
Managing access by assigning policies directly to users
To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.
Choose any of the following actions to manage IAM policies in the IBM Cloud:
- To grant permissions to a user, see Assigning access.
- To revoke permissions, see Removing access.
- To review a user's permissions, see Reviewing your assigned access.
For more information about IAM commands, see the IAM CLI reference docs.
IBM Cloud platform roles
Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.
In Code Engine, projects are service instances.
Use the following table to identify the platform role that you can grant a user in the IBM Cloud to run any of the following platform actions:
Platform actions | Administrator | Editor | Operator | Viewer |
---|---|---|---|---|
Grant other account members access to work with the service. | ||||
Create a project. | ||||
Delete a project. | ||||
Update a project. | ||||
View Code Engine dashboard. | ||||
View details of a project. |
IBM Cloud service roles
Use the following table to identify the service roles that you can grant a user to run any of the following service actions:
Actions | Manager | Writer | Reader |
---|---|---|---|
Create items within a project. | |||
Update items within a project. | |||
Delete items within a project. | |||
List and view items within a project. |
Code Engine CLI access requirements
To work with a Code Engine project with the CLI, you must first target a resource group. To target a resource group with the CLI, you need Viewer access to the resource group.
Code Engine container registry requirements
For more information about Code Engine requirements for accessing images in a container registry, see Accessing container registries.
Code Engine service binding access requirements
For more information about Code Engine service binding access requirements, see Configuring access for service bindings.
Code Engine access requirements for your toolchain
For more information about Code Engine access requirements for building and deploying an app or job with a toolchain, see Configuring access for your toolchain.