Managing IAM access for toolchains

Access to toolchains for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the toolchains in your account must be assigned an access policy with an IAM role. Review the following roles, actions, and more to determine the best way to assign access to toolchains.

The access policy that you assign to users in your account determines what actions a user can perform within the context of the toolchain that you select. The allowable actions are customized and defined by the toolchain as operations that are allowed to be performed. Each action is mapped to an IAM platform or service role that you can assign to a user.

If a specific role and its actions don't fit the use case that you want to address, you can create a custom role and pick the actions to include.

IAM access policies enable access to be granted at different levels. Some of the options include the following:

  • Access across all instances of the service in your account

Review the following tables, which outline the types of tasks that each role allows when you're working with the toolchain service. Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access to the service, create or delete instances, and bind instances to applications. Service access roles give users access to toolchains and the ability to call the toolchain's API. For information about the actions that are mapped to each role, see IAM roles and actions - Toolchain.

Table 1. IAM platform roles

| Platform role | Description of actions |
|---|---|
| Viewer | View toolchains and delivery pipelines. |
| Operator | Run toolchains and delivery pipelines. |
| Editor | Manage the toolchains, which include creating and deleting toolchains along with performing all platform actions except for managing the account and assigning access policies. |
| Administrator | Perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |

Table 2. IAM service access roles

| Service role | Description of actions |
|---|---|
| Administrator, Writer | The IBM Cloud Object Storage service in your team's resource group. |
| Administrator, Writer | The IBM Cloud® Continuous Delivery service in your team's resource group. |
| Administrator | The toolchain service in your team's resource group. |
| Viewer, Reader, Writer | The IBM Cloud® Kubernetes Service. |
| Viewer, ReaderPlus | The Key Protect service in your team's resource group. |
| Viewer, SecretsReader | The Secrets Manager service in your team's resource group. |

Assigning access to toolchains in the console

Assign access in the console in one of the following ways:

  • Access policies per user. You can manage access policies per user from the Manage > Access (IAM) > Users page in the console. For information about the steps to assign IAM access, see Assigning access to resources in the console.
  • Access groups. Access groups streamline access management: you assign access to a group once, then add or remove users from the group as needed to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the console. For more information, see Assigning access to a group in the console.
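
The following added example (not part of the IBM documentation) picks the least-privileged platform role from the platform roles table for a set of tasks, builds an access-group policy document for the toolchain service, and flags a policy that grants more than the tasks need. The task labels, the function names, the cumulative ordering of the roles, and the policy layout (modeled on the IAM Policy Management API policy body, including the `serviceInstance` attribute for narrowing to one toolchain) are assumptions of this example.

```python
ROLE_CRN = "crn:v1:bluemix:public:iam::::role:"
# Assumption: platform roles are cumulative in this order (least to most privileged).
ROLES = ["Viewer", "Operator", "Editor", "Administrator"]
# Task -> minimum platform role, read from the platform roles table above.
# The task names are hypothetical labels chosen for this example.
MIN_ROLE = {"view": "Viewer", "run": "Operator",
            "manage": "Editor", "assign_access": "Administrator"}


def least_role(tasks):
    """Return the lowest platform role that covers every requested task."""
    return max((MIN_ROLE[t] for t in tasks), key=ROLES.index)


def build_policy(account_id, access_group_id, tasks, toolchain_id=None):
    """Build an access-group policy document for the toolchain service.

    Without toolchain_id the policy covers all toolchains in the account;
    with it, the policy is narrowed to a single instance (assumed attribute).
    """
    resource = [{"name": "accountId", "value": account_id},
                {"name": "serviceName", "value": "toolchain"}]
    if toolchain_id:
        resource.append({"name": "serviceInstance", "value": toolchain_id})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "access_group_id",
                                      "value": access_group_id}]}],
        "roles": [{"role_id": ROLE_CRN + least_role(tasks)}],
        "resources": [{"attributes": resource}],
    }


def over_privileged(policy, tasks):
    """List granted platform roles that exceed what the tasks require."""
    attrs = {a["name"]: a["value"]
             for r in policy["resources"] for a in r["attributes"]}
    if attrs.get("serviceName") != "toolchain":
        return []  # not a toolchain policy, out of scope for this check
    ceiling = ROLES.index(least_role(tasks))
    granted = [r["role_id"].rsplit(":", 1)[-1] for r in policy["roles"]]
    return [g for g in granted if g in ROLES and ROLES.index(g) > ceiling]


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real account or group IDs.
    policy = build_policy("ACCOUNT_ID_PLACEHOLDER", "ACCESS_GROUP_ID_PLACEHOLDER",
                          ["view", "run"])
    print(policy["roles"], over_privileged(policy, ["view"]))
```

Running the check against a group whose members only need to view toolchains reports `Operator` as excess, which is the signal to move those users to a separate Viewer group.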