Creating enterprise-managed policy templates
Configuring an access policy every time you need to grant access in an access group or trusted profile template can be time-consuming and error prone. Simplify the process and maintain uniformity in your policies by using enterprise-managed access policy templates to assign access or create service to service authorizations.
Access policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
For example, you might need to assign an access policy that grants administrator access on All IAM enabled services to multiple access groups or trusted profile templates so that members can create instances of IAM-enabled services. To reduce
policy misconfigurations, create an access policy template called Admin on All IAM enabled services
. Select the preconfigured policy when you need to assign that level of access in an access group or trusted profile template.
While a policy subject isn't required if you use the CLI or API, you do need one in the IBM Cloud console. Each time that you assign an access policy to a trusted profile or access group template in the IBM Cloud console, you create a policy template. You can reference policy templates to grant access in trusted profile and access group templates by using the console, CLI or API. View policy by going to Manage > Access (IAM) > Templates > Policies.
Access policy templates support only the v2/policies
schema. For more information, see the IAM Policy Management API change log.
Policy templates have limited availability in the IBM Cloud console. Use the API or CLI to create policy templates.
Creating a policy template in the console
Policy templates that you create in the IBM Cloud console must be associated with an access group or trusted profile template. Learn more about adding access policies to access group templates and trusted profile templates.
Deleting a policy template in the console
Deleting a policy template deletes all version of the template. You can delete a policy template that's referenced in a Draft or Committed trusted profile or access group template. However, the policy template reference becomes invalid and you must remove it before you can assign the trusted profile or access group template to child accounts.
In the case that you want to delete a policy template that's referenced in a trusted profile or access group template that are assigned to child accounts, you must remove the trusted profile or access group template assignment from those child accounts. For more information, see Removing an assignment for access group templates and trusted profile templates.
To delete a policy template in the console, complete the following steps:
- Go to Manage > Access (IAM) > Templates in the IBM Cloud.
- Click Policies.
- Click the Actions icon > Delete template.
- Confirm that you want to delete the template.
Deleting a policy template version in the console
To delete only a specific version, complete the following steps:
- Go to Manage > Access (IAM) > Templates in the IBM Cloud.
- Click Policies.
- Click the Actions icon > Delete version.
- Confirm that you want to delete the version.
Create an access policy template by using the CLI
If multiple access group or trusted profile templates require the same policy, create an access policy template.
To create an access policy template by using the CLI, complete the following steps:
-
Create a JSON file that configures the policy template definition. For more information about the attributes that you can use in your JSON file, see the IAM Policy Management API.
The following example JSON file specifies the
name
anddescription
of the template and theaccount_id
of the enteprise account. Then, thepolicy
definition is defined. This policy template grants an access policy with Editor permissions on the IBM Cloud Security and Compliance Center service. The policy includes a time-based rule that grants access from Monday to Friday all day, repeating weekly. For more information, see Time-based conditions and Limiting access with time-based conditions.{ "name": "SCCEditor", "description": "Grant Editor Role on Security and Compliance Center service", "account_id": "ACCOUNT_ID", "policy": { "type": "access", "description": "Grant Editor Role on Security and Compliance Center service", "control": { "grant": { "roles": [ { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" } ], }, }, "resource": [ { "attributes": [ { "key": "serviceName", "operator": "stringEquals", "value": "compliance" } ] } ], "rule" :{ "key": "{{environment.attributes.day_of_week}}", "operator": "dayOfWeekAnyOf", "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"] }, "pattern": "time-based-conditions:weekly:all-day" } }
-
Use the
ap-template-create
command as shown in the following sample request:
imcloud iam access-policy-template-create --file /path/to/security_editor_access_policy_template.json
Updating an access policy template by using the CLI
You can update the roles, resources, name, and description for a policy template at any time before you commit it.
To update policy template by using the CLI, complete the following steps:
-
Update your JSON file with the new policy template definition. For more information about the attributes that you can use in your JSON file, see the IAM Policy Management API.
When you update the template name, this updates the name for every version.
-
Use the
ap-template-version-update
command as shown in the following sample request:ibmcloud iam access-policy-template-update SCCEditor 1 --file /path/to/security_editor_access_policy_template.json
This updates version
1
of theSCCEditor
policy template by reffering to the updated JSON file.
If you need to make updates after you commit the template, create a new version.
Committing a policy template version by using the CLI
Review the policy template and commit it so that no further changes can be made to the version. This way, the Template Assignment Administrator can be sure that they assign the version only when you have confirmed that it's ready.
-
Review the policy template before you commit it by using the
access-policy-template-version
method to view the specific verison.ibmcloud iam access-policy-template-version SCCEditor 1
-
To commit a policy template by using the CLI, use the
ap-template-version-commit
method as shown in the following sample request:ibmcloud iam access-policy-template-version-commit SCCEditor 1
Granting access with a policy template by using the CLI
Unlike regular access policies, policy templates don't have an explicit subject that you're granting access to when you create it.
You can reference a policy template to assign access in an access group or trusted profile template by using the CLI.
-
List all access policy templates and note the ID of the policy template by using the
ap-templates
command as shown in the following sample request:ibmcloud iam access-policy-templates
-
Use the policy template ID to assign access in access group templates and trusted profile templates.
- In the JSON file that configures an access group template or a trusted profile template, there's a
policy_template_references
parameter. Use theid
andversion
of the policy template that you want to reference to grant access. For more information, see the trusted profiles and access groups documentation.
- In the JSON file that configures an access group template or a trusted profile template, there's a
Creating a new version of an access policy template by using the CLI
As access requirements evolve for teams in your enterprise, you might need to create another version of a policy template to meet new needs. To create a new policy template version by using the CLI, complete the following steps:
-
Edit your JSON file to include any updates to the policy template definition. For more information about the attributes that you can use in your JSON file, see the IAM Policy Management API
-
Use the
access-policy-template-version-create
command as shown in the following sample request:ibmcloud iam access-policy-template-version-create SCCEditor --file /path/to/security_editor_access_policy_template.json
Removing policy template references by using the CLI
Removing the reference to a policy template from an access group or trusted profile template revokes the permissions that the policy grants to members. You can remove a policy template reference from an IAM template in a Draft state. However, you can't remove a policy template that's referenced in a committed or assigned trusted profile or access group template.
If you want to assign a different policy in a committed or assigned access group or trusted profile template, you must create a new version. For more information, see Creating a new version of access group templates and trusted profile templates.
You can remove a policy template reference for an access group or trusted profile template by using the CLI.
-
Get the ID of the policy template by using the
ap-templates
command as shown in the following sample request:example command
-
Update the JSON file that configures the access group or trusted profile template definition and remove the reference to the policy template. For more information, see.
Deleting a version by using the CLI
You can delete a policy template that's referenced in a draft or committed trusted profile or access group template. However, the policy template reference becomes invalid and you must remove it before you can assign the trusted profile or access group template to child accounts.
In the case that you want to delete a policy template that's referenced in a trusted profile or access group template that's assigned to child accounts, you must remove the trusted profile or access group template assignment from those child accounts. For more information, see Removing an assignment for access group templates and trusted profile templates.
To delete a policy template version by using the CLI, use the access-policy-template-version-delete
command as shown in the following sample request:
ibmcloud iam access-policy-template-version-delete SCCEditor 2
This deletes version 2
of the SCCEditor
policy template.
Creating a policy template by using the API
If there's a policy that multiple access group or trusted profile templates might require, create an access policy template.
To programmatically create an access policy template by using the API, call the IAM Policy Management API as shown in the following sample request:
curl -X POST 'https://iam.test.cloud.ibm.com/v1/policy_template' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"name": "IKSEditor",
"description": "Grant Editor Role on SERVICE_NAME",
"account_id": "ACCOUNT_ID",
"policy": {
"type": "acces",
"description": "Grant Editor Role on SERVICE_NAMEe",
"control": {
"grant": {
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
},
},
"resource": [
{
"attributes": [
{
"key": "serviceName",
"operator": "stringEquals",
"value": "$SERVICE_NAME"
}
]
}
],
"rule" :{
"key": "{{environment.attributes.day_of_week}}",
"operator": "dayOfWeekAnyOf",
"value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
},
"pattern": "time-based-conditions:weekly:all-day"
}'
policyRole := &iampolicymanagementv1.Roles{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
Roles: []iampolicymanagementv1.Roles{*policyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
Key: core.StringPtr("serviceName"),
Operator: core.StringPtr("stringEquals"),
Value: core.StringPtr("iam-access-management"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
*serviceNameResourceAttribute},
}
templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
Type: core.StringPtr("access"),
Description: core.StringPtr("Test Template"),
Resource: policyResource,
Control: v2PolicyControl,
}
createPolicyTemplateOptions := iamPolicyManagementService.NewCreatePolicyTemplateOptions(
examplePolicyTemplateName,
exampleAccountID,
templatePolicyModel,
)
policyTemplate, response, err := iamPolicyManagementService.CreatePolicyTemplate(createPolicyTemplateOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", " ")
fmt.Println(string(b))
Updating a policy template version by using the API
You can update the roles, resources, name, and description for a policy template at any time before you commit it. To programmatically update policy template by using the API, call the IAM Policy Management API as shown in the following sample request:
curl -X PUT 'https://iam.test.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
"type": "access",
"description": "Viewer role for for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "$USER_ID"
}
]
}'
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "$SERVICE_NAME"
}
]
}
]
}'
v2PolicyGrant := &iampolicymanagementv1.Grant{
Roles: []iampolicymanagementv1.Roles{
{core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer")},
{core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator")},
},
}
v2PolicyControl := &iampolicymanagementv1.Control{
Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
Key: core.StringPtr("serviceName"),
Operator: core.StringPtr("stringEquals"),
Value: core.StringPtr("watson"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
*serviceNameResourceAttribute},
}
templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
Type: core.StringPtr("access"),
Description: core.StringPtr("Test Template v2"),
Resource: policyResource,
Control: v2PolicyControl,
}
replacePolicyTemplateOptions := iamPolicyManagementService.NewReplacePolicyTemplateOptions(
examplePolicyTemplateID,
examplePolicyTemplateVersion,
examplePolicyTemplateETag,
templatePolicyModel,
)
policyTemplate, response, err := iamPolicyManagementService.ReplacePolicyTemplate(replacePolicyTemplateOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", " ")
fmt.Println(string(b))
If you need to make updates after you commit the template, create a new version.
Committing a policy template version
Review the policy template and commit it so that no further changes can be made to the version. This way, the Template Assignment Administrator can be sure that they assign the version only when you have confirmed that it's ready. To programmatically commit a policy template by using the API, call the IAM Policy Management API as shown in the following sample request:
curl -X PUT 'https://iam.test.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMLPATE_VERSION/commit' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{}'
commitPolicyTemplateOptions := iamPolicyManagementService.NewCommitPolicyTemplateOptions(
examplePolicyTemplateID,
examplePolicyTemplateVersion,
examplePolicyTemplateETag,
)
response, err := iamPolicyManagementService.CommitPolicyTemplate(commitPolicyTemplateOptions)
if err != nil {
panic(err)
}
if response.StatusCode != 204 {
fmt.Printf("\nUnexpected response status code received from CommitPolicyTemplate(): %d\n", response.StatusCode)
}
Granting access with a policy template by using the API
Unlike regular access policies, an access policy template doesn't have an explicit subject that you're granting access to when you create it. To programmatically assign a policy template to an access group or trusted profile template by using the API, call the IAM Policy Management API as shown in the following sample request:
-
List all access policy templates and note the ID of the policy template in the response:
curl -X GET 'https://iam.test.cloud.ibm.com/v1/policy_templates?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
-
Use the policy template ID to assign access in access group templates and trusted profile templates. For more information, see the trusted profiles and access groups documentation.
Creating a new policy template version by using the API
As access requirements evolve for teams in your enterprise, you might need to create another version of a policy template to meet new needs. To programmatically create a new policy template version by using the API, call the IAM Policy Management API as shown in the following sample request:
curl -X POST 'https://iam.test.cloud.ibm.com/v1/policy_template/$TEMPLATE_ID/versions' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"name": "IKSEditor",
"description": "Grant Editor Role on SERVICE_NAME",
"account_id": "ACCOUNT_ID",
"policy": {
"type": "acces",
"description": "Grant Editor Role on SERVICE_NAMEe",
"control": {
"grant": {
"roles": [
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
},
},
"resource": [
{
"attributes": [
{
"key": "serviceName",
"operator": "stringEquals",
"value": "$SERVICE_NAME"
}
]
}
],
"rule" :{
"key": "{{environment.attributes.day_of_week}}",
"operator": "dayOfWeekAnyOf",
"value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
},
"pattern": "time-based-conditions:weekly:all-day"
}'
v2PolicyGrant := &iampolicymanagementv1.Grant{
Roles: []iampolicymanagementv1.Roles{
{core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer")},
{core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator")},
},
}
v2PolicyControl := &iampolicymanagementv1.Control{
Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
Key: core.StringPtr("serviceName"),
Operator: core.StringPtr("stringEquals"),
Value: core.StringPtr("watson"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
*serviceNameResourceAttribute},
}
templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
Type: core.StringPtr("access"),
Description: core.StringPtr("Test Template v2"),
Resource: policyResource,
Control: v2PolicyControl,
}
createPolicyTemplateVersionOptions := iamPolicyManagementService.NewCreatePolicyTemplateVersionOptions(
examplePolicyTemplateID,
templatePolicyModel,
)
policyTemplate, response, err := iamPolicyManagementService.CreatePolicyTemplateVersion(createPolicyTemplateVersionOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", " ")
fmt.Println(string(b))
List policy templates
You might need to list the policy templates in your enterprise account for several reasons. You can see what policies are available or retrieve details about a policy that you want to edit, remove from another template, or delete.
To list the policy templates in your enterprise account, call the IAM Policy Management API as shown in the following sample request:
curl -X GET 'https://iam.test.cloud.ibm.com/v1/policy_templates?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
listPolicyTemplatesOptions := iamPolicyManagementService.NewListPolicyTemplatesOptions(
exampleAccountID,
)
policyTemplateCollection, response, err := iamPolicyManagementService.ListPolicyTemplates(listPolicyTemplatesOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policyTemplateCollection, "", " ")
fmt.Println(string(b))
Removing policy template references by using the API
Removing the reference to a policy template from an access group or trusted profile template revokes the permissions that the policy grants to members. You can remove a policy template reference from an IAM template in a Draft state. However, you can't remove a policy template that's referenced in a committed or assigned trusted profile or access group template.
If you want to assign a different policy in a committed or assigned access group or trusted profile template, you must create a new version. For more information, see Creating a new version of access group templates and trusted profile templates.
To remove a policy template from access group or trusted profile templates, call the IAM Policy Management API as shown in the following sample request:
curl -X DELETE 'https://iam.test.cloud.ibm.com/v1/policy_assignments/$POLICY_ASSIGNMENT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Deleting a policy template by using the API
Deleting a policy template deletes all version of the template. You can delete a policy template that's referenced in a draft or committed trusted profile or access group template. However, the policy template reference becomes invalid and you must remove it before you can assign the trusted profile or access group template to child accounts.
In the case that you want to delete a policy template that's referenced in a trusted profile or access group template that's assigned to child accounts, you must remove the trusted profile or access group template assignment from those child accounts. For more information, see Removing an assignment for access group templates and trusted profile templates.
To delete a policy template, call the IAM Policy Management API as shown in the following sample request:
curl -X DELETE 'https://iam.test.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
deletePolicyTemplateOptions := iamPolicyManagementService.NewDeletePolicyTemplateOptions(
examplePolicyTemplateID,
)
response, err := iamPolicyManagementService.DeletePolicyTemplate(deletePolicyTemplateOptions)
if err != nil {
panic(err)
}
if response.StatusCode != 204 {
fmt.Printf("\nUnexpected response status code received from DeletePolicyTemplate(): %d\n", response.StatusCode)
}
Deleting a policy template version by using the API
To delete only a specific version, call the IAM Policy Management API as shown in the following sample request:
curl -X DELETE 'https://iam.test.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
deletePolicyTemplateVersionOptions := iamPolicyManagementService.NewDeletePolicyTemplateVersionOptions(
examplePolicyTemplateID,
examplePolicyTemplateVersion,
)
response, err := iamPolicyManagementService.DeletePolicyTemplateVersion(deletePolicyTemplateVersionOptions)
if err != nil {
panic(err)
}
if response.StatusCode != 204 {
fmt.Printf("\nUnexpected response status code received from DeletePolicyTemplateVersion(): %d\n", response.StatusCode)
}