IBM Cloud Docs
Managing user access

Managing user access

Access to IBM Cloud® Code Engine service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user that accesses the Code Engine service in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the IBM Cloud service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels.

Roles define the actions that a user or service ID can run. There are different types of roles in the IBM Cloud:

  • Platform management roles enable users to perform tasks on Code Engine resources at the platform level, for example assign user access for Code Engine, create or delete service IDs, create projects, and assign policies for Code Engine to other users.
  • Service access roles enable users to be assigned varying levels of permission for calling the Code Engine API.

Code Engine uses both the Platform and Service management roles. You can set policies about who can create a project at the platform level, and then use the service roles to manage interaction with the project itself.

Want to learn more about IAM key concepts? Check out What is IBM Cloud Identity and Access Management?.

How do I know which access policies are set for me?

You can see which access policies are set for you in the IBM Cloud® Identity and Access Management (IAM) console. Be sure to check access policies that apply for your user, and any access policies that are assigned to any access groups that include your user.

To view IAM information about your user access,

  1. Go to Access IAM users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.

To view IAM information about access groups for your user,

  1. Go to Access IAM groups.
  2. Click the name of an access group to view information about the group.
  3. Click the Access tab to see your access policies assigned to the group.

Managing access by using access groups

To manage access or assign new access for users by using access groups, you must be the account owner, administrator, or editor on all Identity and Access enabled services in the account, or the assigned Administrator or Editor for the IAM Access Groups Service.

Choose any of the following actions to manage access groups in the IBM Cloud:

For more information about IAM commands, see the IAM CLI reference docs.

Managing access by assigning policies directly to users

To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.

Choose any of the following actions to manage IAM policies in the IBM Cloud:

For more information about IAM commands, see the IAM CLI reference docs.

IBM Cloud platform roles

Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.

In Code Engine, projects are service instances.

Use the following table to identify the platform role that you can grant a user in the IBM Cloud to run any of the following platform actions:

Table 1. IAM user platform roles and actions
Platform actions Administrator Editor Operator Viewer
Grant other account members access to work with the service. Checkmark icon.
Create a project. Checkmark icon. Checkmark icon.
Delete a project. Checkmark icon. Checkmark icon.
Update a project. Checkmark icon. Checkmark icon.
View Code Engine dashboard. Checkmark icon. Checkmark icon. Checkmark icon.
View details of a project. Checkmark icon. Checkmark icon. Checkmark icon. Checkmark icon.

IBM Cloud service roles

Use the following table to identify the service roles that you can grant a user to run any of the following service actions:

Table 2. IAM service roles and actions
Actions Manager Writer Reader
Create items within a project. Checkmark icon. Checkmark icon.
Update items within a project. Checkmark icon. Checkmark icon.
Delete items within a project. Checkmark icon. Checkmark icon.
List and view items within a project. Checkmark icon. Checkmark icon. Checkmark icon.

Code Engine CLI access requirements

To work with a Code Engine project with the CLI, you must first target a resource group. To target a resource group with the CLI, you need Viewer access to the resource group.

Code Engine container registry requirements

For more information about Code Engine requirements for accessing images in a container registry, see Accessing container registries.

Code Engine service binding access requirements

For more information about Code Engine service binding access requirements, see Configuring access for service bindings.

Code Engine access requirements for your toolchain

For more information about Code Engine access requirements for building and deploying an app or job with a toolchain, see Configuring access for your toolchain.