Assigning access to individual topics and subscriptions
This tutorial shows you how to grant a user access to individual topics and subscriptions by creating and modifying IAM access policies. The IAM roles involved are as follows:
Applicable roles:
- Reader: To access topics or subscriptions in an instance at all, a user must hold at least the Reader role on that Event Notifications instance. With Reader access alone the user can view, but not edit, any resource in the instance.
- Writer: Writer is the only role that can be scoped to an individual topic or subscription. A user who holds Writer on a given topic or subscription can update that topic or subscription, and nothing else in the instance.
The Manager role cannot be scoped to individual topics or subscriptions, so a user cannot be granted the right to delete only specific ones. Deleting a topic or subscription requires the Manager role on the whole Event Notifications instance.
Before you begin
If you already manage Event Notifications instances and IAM policies, you do not need to create new ones. However, because this tutorial modifies the access configuration of the instance you work with, make sure that the account, instance and users you use are not in production.
For this tutorial, you need:
- An IBM Cloud® Platform account
- An instance of IBM Cloud Event Notifications
- To complete the steps that manage access to the service, you should be the owner of the Event Notifications instance; that is, your user ID needs the Administrator platform role on the IAM service. You may have to contact or work with an account administrator.
Grant Reader access to Event Notifications instance
Before any topic or subscription in an instance can be accessed, the user must hold at least the Reader role on that Event Notifications instance.
- Navigate to IAM by opening the Manage drop-down menu and selecting Access (IAM). Follow the Users link in the navigation menu and select the user who needs the limited access.
- Click the Access tab, then click the Assign access button. Select the Access policy tile and select Event Notifications.
- Select the radio toggle next to Specific resources. Select Service Instance from the Attribute type drop-down menu and select the Event Notifications instance you want to grant access to.
Figure: Selecting the Event Notifications instance.
- In the Roles and access section, select the Reader role. The user also needs the platform Viewer role, if they do not already have it, in order to see the instance in the UI.
Figure: Selecting roles for the Event Notifications instance.
- Click Next and, optionally, add conditions.
- Click Add.
Grant Writer access to specific topics or subscriptions
Repeat the procedure from the previous section, but this time use the Topic ID or Subscription ID resource attribute and select the Writer role.
An access policy can carry either a Topic ID or a Subscription ID, not both. To grant access to more than one topic or subscription, create a separate access policy for each one.
Only the Writer role applies to individual topics and subscriptions. Reader was already assigned at the instance level in the previous section, so it does not need to be assigned again here. The Manager role is not applicable to individual topics or subscriptions.
- Navigate to the Topics or Subscriptions section of your Event Notifications instance and copy:
  - the Topic ID, if you want to create an access policy for a topic, or
  - the Subscription ID, if you want to create an access policy for a subscription.
- Back in IAM, on the user's Access tab, click the Assign access button. Select the Access policy tile and select Event Notifications.
- Select the radio toggle next to Specific resources. Select Topic ID or Subscription ID from the Attribute type drop-down menu and paste the ID you copied.
Figure: Selecting a specific topic or subscription.
- In the Roles and access section, select the Writer role.
Figure: Selecting roles for a specific topic or subscription.
- Click Next and, optionally, add conditions.
- Click Add.
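The same two policies can be created outside the console with the IAM Policy Management API (POST https://iam.cloud.ibm.com/v1/policies). The following is an added example written for this page, not code from the tutorial or from IBM. It builds the instance-level Reader policy and one Writer policy per topic or subscription, enforces the rules above (one ID per policy, Writer only at that scope, separate policies per resource), and recognises the 403 authorization_error response shown under Verify that it works. Two things are assumptions not stated on the page: that the IAM serviceName is "event-notifications", and that the Topic ID and Subscription ID attribute types correspond to the resource attribute names "topicId" and "subscriptionId". Confirm both by reading back a policy created in the console (GET /v1/policies) before using this against a real account. The Writer policy is also pinned to the instance with serviceInstance, which the console steps do not do; it is a tightening, not a requirement.

```python
"""Build and submit the tutorial's two IAM access policies via the IAM API.

Added example for this page; assumed values are marked as such.
"""
import json
import urllib.error
import urllib.request

IAM_POLICIES_URL = "https://iam.cloud.ibm.com/v1/policies"
SERVICE_NAME = "event-notifications"      # assumed IAM serviceName
TOPIC_ATTR = "topicId"                    # assumed attribute for "Topic ID"
SUBSCRIPTION_ATTR = "subscriptionId"      # assumed attribute for "Subscription ID"

SERVICE_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:{}"   # Reader/Writer/Manager
PLATFORM_ROLE = "crn:v1:bluemix:public:iam::::role:{}"         # Viewer/Editor/Administrator


def _policy(iam_id, account_id, role_crns, resource_attrs):
    """Minimal 'access' policy body: one subject, the given roles, one resource block."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": crn} for crn in role_crns],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": SERVICE_NAME},
            *resource_attrs,
        ]}],
    }


def instance_reader_policy(iam_id, account_id, instance_id):
    """First policy: service Reader on the whole instance plus platform Viewer
    (without Viewer the user cannot open the instance in the UI)."""
    return _policy(iam_id, account_id,
                   [SERVICE_ROLE.format("Reader"), PLATFORM_ROLE.format("Viewer")],
                   [{"name": "serviceInstance", "value": instance_id}])


def resource_writer_policy(iam_id, account_id, instance_id, *,
                           topic_id=None, subscription_id=None):
    """Second policy: Writer on exactly one topic OR one subscription.

    A policy carries a topic ID or a subscription ID, never both; only Writer
    applies at this scope (Reader comes from the instance policy, Manager is
    not applicable). The policy is also pinned to the instance.
    """
    if (topic_id is None) == (subscription_id is None):
        raise ValueError("pass exactly one of topic_id or subscription_id")
    scope = ({"name": TOPIC_ATTR, "value": topic_id} if topic_id is not None
             else {"name": SUBSCRIPTION_ATTR, "value": subscription_id})
    return _policy(iam_id, account_id, [SERVICE_ROLE.format("Writer")],
                   [{"name": "serviceInstance", "value": instance_id}, scope])


def policies_for_user(iam_id, account_id, instance_id, topic_ids=(), subscription_ids=()):
    """Everything the tutorial creates for one user: one instance Reader policy,
    then a separate Writer policy for each topic and each subscription."""
    out = [instance_reader_policy(iam_id, account_id, instance_id)]
    out += [resource_writer_policy(iam_id, account_id, instance_id, topic_id=t)
            for t in topic_ids]
    out += [resource_writer_policy(iam_id, account_id, instance_id, subscription_id=s)
            for s in subscription_ids]
    return out


def is_authorization_denied(status_code, body_text):
    """True for the 403 body shape Event Notifications returns on a denied action
    (status_code 403 and an error with code 'authorization_error')."""
    if status_code != 403:
        return False
    try:
        errors = json.loads(body_text).get("errors", [])
    except ValueError:
        return False
    return any(e.get("code") == "authorization_error" for e in errors)


def create_policy(body, iam_token):
    """POST one policy. The token must belong to a user with the Administrator
    platform role on IAM; anything else comes back as a 403 from IAM."""
    req = urllib.request.Request(
        IAM_POLICIES_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {iam_token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        text = err.read().decode(errors="replace")
        if err.code == 403:
            raise PermissionError("caller lacks IAM administrator rights") from err
        raise RuntimeError(f"IAM returned {err.code}: {text}") from err


if __name__ == "__main__":
    # Constructed placeholder IDs; print the bodies instead of submitting them.
    for p in policies_for_user("IBMid-EXAMPLE", "account-example", "instance-guid-example",
                               topic_ids=["topic-guid-example"]):
        print(json.dumps(p, indent=2))
```

Run it as-is to inspect the JSON bodies; pass a real IAM token and account, instance and topic IDs to create_policy to apply them. Because each topic or subscription gets its own policy, revoking access to one resource later is a single DELETE of that policy rather than an edit of a shared one.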
Review access policies
At this stage you should have two access policies, as shown below: one with the Reader service role and the Viewer platform role on the instance, and one with the Writer role on the topic or subscription.

Verify that it works
A user who holds the Writer role on a topic or subscription can update only that topic or subscription. Reads still succeed everywhere in the instance, because the instance-level Reader policy applies to every topic and subscription.
Any other action, such as editing a topic or subscription on which the user has not been assigned Writer, is denied, as shown below.
- UI output:

- API/CLI/Terraform output, with status code 403:
  {
    "status_code": 403,
    "trace": "e7bed498-6a41-4af0-89dc-cc08c4dc0e45",
    "errors": [
      {
        "code": "authorization_error",
        "message": "Unfortunately you don't have a permission to access requested resource",
        "more_info": "https://test.cloud.ibm.com/apidocs/event-notifications#event-notifications-api-authentication"
      }
    ]
  }