Controlling access through IAM
IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and consistently control access to all cloud resources in the IBM Cloud. You grant permissions through policies that you define on the IBM Cloud Monitoring service in the account.
Users in an account must be assigned a platform role to manage instances and to launch the monitoring UI from the IBM Cloud. In addition, users must have a service role that defines the permissions to work with IBM Cloud Monitoring.
The policy determines the actions the user can perform within the context of the selected service or instance. The actions are customized and defined with operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels. Some of the options include the following:
- Access to all IAM-enabled services in your account
- Access across all instances of the service in a single region in your account
- Access to an individual service instance in your account
- Access to all instances of the service within the context of a resource group
- Access to all instances of the service in a single region within the context of a resource group
- Access to all IAM-enabled services within the context of a resource group
Roles define the actions that a user or serviceID can run. There are different types of roles in the IBM Cloud:
- Platform management roles enables users to perform tasks on service resources at the platform level, for example assigning user access for the service, creating or deleting service IDs, creating instances, assigning policies for your service to other users, and binding instances to applications.
- Service access roles enables users to be assigned varying levels of permission when calling the service's API or running actions in the monitoring UI.
To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times for each individual user or service ID.
If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that permission is granted, however, only the highest level permission you have for the target service, that is viewer, will be assigned.
Managing access by using access groups
To manage access groups, you must be the account owner, administrator or editor on all Identity and Access-enabled services in the account, or the assigned administrator or editor for the IAM Access Groups Service.
Use the following actions to manage IAM access groups in the IBM Cloud:
Managing access by assigning policies directly to users
To manage access or assign new access to users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.
Use the following actions to manage IAM policies in the IBM Cloud:
- To grant permissions to a user, see Assigning access.
- To revoke permissions, see Removing access.
- To review a user's permissions, see Reviewing your assigned access.
IBM Cloud platform roles
Users must be granted a platform role to allow them to view and manage the IBM Cloud Monitoring service in your account. You can grant permissions to work with all the instances in the IBM Cloud account or you can restrict access to individual instances.
The folling table identifies the platform role that you can grant a user in the IBM Cloud to run the specified platform actions:
| Platform actions | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|
Grant other account members access to work with the service |
 |
|||
Provision a service instance |
|
|
||
Delete a service instance |
|
|
||
Create a service ID |
|
|
||
View details of a service instance |
|
|
|
|
View service instances in the Observability Monitoring dashboard |
|
|
|
|
A user with an administrator role automatically has the service manager role permissions.
IBM Cloud service roles
The following table identifies the service role that you can grant a user in the IBM Cloud to run the specified actions:
| Action | Description | Manager | Writer | Reader | Administrator |
|---|---|---|---|---|---|
sysdig-monitor.launch.admin |
Run priviledge tasks. | |
|
||
sysdig-monitor.launch.viewer |
Perform read-only actions within a service. | |
|
||
sysdig-monitor.secure.manager [*] |
Run priviledge tasks. | |
|
||
sysdig-monitor.secure.user [*] |
Perform read-only actions within a service. | |
|
||
sysdig-monitor.secure.viewer [*] |
Perform read-only actions within a service. | |
|||
sysdig-monitor.agent-installation.read |
Agent installation access. | |
|
|
|
sysdig-monitor.agent.cli.agent-network-calls-to-remote-pods |
Access to network calls for the CLI. | |
|
|
|
sysdig-monitor.agent.cli.agent-status |
Access to agent status from the CLI. | |
|
|
|
sysdig-monitor.agent.cli.view |
Access to view the CLI. | |
|
|
|
sysdig-monitor.agent.cli.view-configuration |
Access to view the configuration from the CLI. | |
|
|
|
sysdig-monitor.alert-events.edit |
Edit alert events. | |
|
|
|
sysdig-monitor.alert-events.read |
View alert events. | |
|
|
|
sysdig-monitor.alert.edit |
Edit alerts. | |
|
|
|
sysdig-monitor.alerts.read |
View alerts. | |
|
|
|
sysdig-monitor.api-token.edit |
Edit API tokens. | |
|
|
|
sysdig-monitor.api-token.read |
View API tokens. | |
|
|
|
sysdig-monitor.captures.edit |
Edit captures. | |
|
|
|
sysdig-monitor.captures.read |
View captures. | |
|
|
|
sysdig-monitor.custom-events.edit |
Edit custom events. | |
|
|
|
sysdig-monitor.custom-events.read |
View custom events. | |
|
|
|
sysdig-monitor.dashboard-metrics-data.read |
Read dashboard metrics. | |
|
|
|
sysdig-monitor.dashboard.edit |
Edit dashboards. | |
|
|
|
sysdig-monitor.dashboards.read |
View dashboards. | |
|
|
|
sysdig-monitor.datastream.read |
View datastreams. | |
|
|
|
sysdig-monitor.downtimes.read |
View downtimes. | |
|
|
|
sysdig-monitor.events-forwarder.read |
View events forwarding. | |
|
|
|
sysdig-monitor.explore.edit |
Modify the Explore view. | |
|
||
sysdig-monitor.explore.read |
Use the Explore view. | |
|
|
|
sysdig-monitor.file-storage-config.read |
View file storage configuration. | |
|
|
|
sysdig-monitor.global.notification-channels.read |
View global notification channels. | |
|
|
|
sysdig-monitor.groupings.edit |
Edit groups | |
|
|
|
sysdig-monitor.groupings.read |
View groups | |
|
|
|
sysdig-monitor.helmsrenderer.read |
Access the helm renderer. | |
|
|
|
sysdig-monitor.infrastructure.read |
Access infrastructure. | |
|
|
|
sysdig-monitor.integrations.read |
Access integrations. | |
|
|
|
sysdig-monitor.manual-integrations.edit |
Edit manual integrations. | |
|
|
|
sysdig-monitor.memberships.edit |
Edit memberships. | |
|||
sysdig-monitor.metrics-data.read |
View metrics data. | |
|
|
|
sysdig-monitor.metrics-descriptors.read |
View metrics descriptors. | |
|
|
|
sysdig-monitor.notification-channels.edit |
Edit notification channels. | |
|
||
sysdig-monitor.notification-channels.view |
View notification channels. | |
|
|
|
sysdig-monitor.overviews.read |
View overviews. | |
|
|
|
sysdig-monitor.promcat.integration.edit |
Edit PromCat integrations. | |
|
|
|
sysdig-monitor.promcat.integrations.read |
View PromCat integrations. | |
|
|
|
sysdig-monitor.promcat.integrations.validates |
Test to see if PromCat integrations are properly configured. | |
|
|
|
sysdig-monitor.promql-metadata.read |
View PromQL metadata. | |
|
|
|
sysdig-monitor.providers.read |
View providers. | |
|
|
|
sysdig-monitor.spotlight.read |
View Spotlight. | |
|
|
|
sysdig-monitor.sysdig-storage.read |
View service storage use. | |
|
|
|
sysdig-monitor.team.sharing.groupings.toggle |
Configure team sharing. | |
|
||
sysdig-monitor.teams.manage |
Configure teams. | |
|
||
sysdig-monitor.teams.read |
View team configurations. | |
|||
sysdig-monitor.token.view |
View tokens. | |
|
|
|
sysdig-monitor.user.read |
View users. | |
|||
sysdig-monitor.system-role.admin |
Configure system roles. | |
|
||
sysdig-monitor.platform-metric.publish [**] |
[*] - This service role is used when IBM Cloud Monitoring is connected to an IBM Cloud Security and Compliance Center Workload Protection instance. This role must also be defined for IBM Cloud Security and Compliance Center Workload
Protection. For more information about IBM Cloud Security and Compliance Center Workload Protection functions, see the IBM Cloud Security and Compliance Center Workload Protection documentation.
[**] - This service role is for internal use only and will not be used in your environment.
The sysdig-monitor.launch.viewer action must be assigned at a minimum to access the instance. If not assigned, an error will be returned.
An additional role of Supertenant Metrics Publisher is a role that you will see in IAM. This role is for internal use only and will not be used in your environment.
How do I know which access policies are set for me?
You can see which access policies are set for you in the IBM Cloud UI console.
- Go to Access IAM users.
- Click your name in the user table.
- Click the Access policies tab to see your access policies.
- Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.