Managing Power Virtual Servers (IAM)
Identity and access management (IAM) enables you to securely authenticate users, control access to Power® Virtual Server resources with resource groups, and allow access to specific resources for a set of users with access groups. IAM is your one-stop shop for all user and resource management in the IBM Cloud.
For more information about IAM, review the following information:
Platform access roles
You can use platform access roles to enable users to complete tasks on IBM Cloud resources, such as creating users or adding services.
The following table displays the IAM platform access roles and the corresponding type of control that is allowed by Power Virtual Server:
Platform access role | Type of access allowed |
---|---|
Viewer | View instances and list instances. |
Operator | View instances and list instances. |
Editor | View instances, list instances, create instances, and delete instances. |
Administrator | View instances, list instances, create instances, delete instances, and assign policies to other users. |
Service access roles
You can use the service access roles to define what actions users can perform on Power Virtual Server resources. The following table displays the IAM service access roles and the corresponding actions that a user can complete with Power Virtual Server:
Service access role | Description of actions |
---|---|
Reader | View all resources (such as SSH keys, storage volumes, and network settings). You cannot make any changes to the resources. |
Manager | Configure all resources (such as SSH keys, storage volumes, and network settings), including everything that a Reader can only view. |
To see the complete list of actions for each specific role, see the Manage authorizations page in IBM Cloud.
Resources supported for Power Virtual Server IAM access policies
When you assign access to the Power Virtual Server service, you can scope access to any of the following resources:
- All resources
- Specific resources, which supports the following selections:
  - Resource group
  - Service instance
Although you can select a Resource type from the Attribute type drop-down, Power Virtual Server does not support it. Any roles and actions that are assigned against Resource type are ignored, so a policy that is scoped only by Resource type does not grant the access you intended. Scope the policy by resource group or service instance instead.
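The following is an added example, not code from the IBM Cloud documentation or the Power Virtual Server service. It builds an IAM access policy document for Power Virtual Server scoped to all resources, a resource group, or a single service instance, and then lints exported policies for two problems described above: scoping by Resource type (ignored by Power Virtual Server) and Administrator granted on all instances (which lets the user assign policies to others). It assumes the IAM Policy Management v1 JSON shape, the service name `power-iaas`, and the `ibmcloud iam user-policy-create` flag names, all from memory rather than from this page; the account, instance, and IAM IDs are made up.

```python
"""Build and lint IBM Cloud IAM access policies for Power Virtual Server.

Added example, not IBM's code. Assumes the IAM Policy Management v1 JSON
shape (as printed by `ibmcloud iam user-policies <user> --output json`),
the Power Virtual Server service name `power-iaas`, and the CLI flag names
used in cli_command(). All IDs below are constructed.
"""
from __future__ import annotations

SERVICE_NAME = "power-iaas"  # assumed IAM service name for Power Virtual Server
PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}
SERVICE_ROLES = {"Reader", "Manager"}


def role_crn(role: str) -> str:
    """Map a role display name to the CRN form used inside policy documents."""
    if role in PLATFORM_ROLES:
        return f"crn:v1:bluemix:public:iam::::role:{role}"
    if role in SERVICE_ROLES:
        return f"crn:v1:bluemix:public:iam::::serviceRole:{role}"
    raise ValueError(f"unknown Power Virtual Server role: {role}")


def build_policy(iam_id: str, account_id: str, roles: list[str], *,
                 resource_group_id: str | None = None,
                 service_instance: str | None = None) -> dict:
    """Return a v1 access policy scoped to the whole service, one resource group,
    or one service instance (the page's supported scopes). Resource type is
    deliberately not offered because Power Virtual Server ignores it."""
    if resource_group_id and service_instance:
        raise ValueError("scope to a resource group or a service instance, not both")
    attrs = [{"name": "accountId", "value": account_id},
             {"name": "serviceName", "value": SERVICE_NAME}]
    if resource_group_id:
        attrs.append({"name": "resourceGroupId", "value": resource_group_id})
    if service_instance:
        attrs.append({"name": "serviceInstance", "value": service_instance})
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": role_crn(r)} for r in roles],
        "resources": [{"attributes": attrs}],
    }


def lint_policy(policy: dict) -> list[str]:
    """Flag Power Virtual Server policies that are ineffective or broader than needed."""
    findings: list[str] = []
    roles = {r["role_id"].rsplit(":", 1)[1] for r in policy.get("roles", [])}
    for res in policy.get("resources", []):
        attrs = {a["name"]: a["value"] for a in res.get("attributes", [])}
        if attrs.get("serviceName") != SERVICE_NAME:
            continue  # only Power Virtual Server policies are in scope here
        if "resourceType" in attrs:
            findings.append("resourceType scoping is not supported by Power Virtual "
                            "Server; the assigned roles are ignored")
        scoped = bool({"resourceGroupId", "serviceInstance"} & attrs.keys())
        if "Administrator" in roles and not scoped:
            findings.append("Administrator on all Power Virtual Server instances can "
                            "assign policies to other users; scope it to a resource "
                            "group or service instance")
    return findings


def audit(policies: list[dict]) -> dict[str, list[str]]:
    """Run lint_policy over an exported policy list, keyed by policy id."""
    return {p.get("id", "<new>"): lint_policy(p) for p in policies}


def cli_command(user: str, roles: list[str], *, service_instance: str | None = None,
                resource_group_name: str | None = None) -> str:
    """Equivalent `ibmcloud iam user-policy-create` invocation (flag names assumed)."""
    cmd = f"ibmcloud iam user-policy-create {user} --roles {','.join(roles)} --service-name {SERVICE_NAME}"
    if service_instance:
        cmd += f" --service-instance {service_instance}"
    if resource_group_name:
        cmd += f" --resource-group-name {resource_group_name}"
    return cmd


# Constructed sample shaped like an exported policy list: one policy scoped by
# resourceType (ineffective), one unscoped Administrator, one correctly scoped.
SAMPLE_EXPORT = [
    {"id": "p-1", "type": "access",
     "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-EXAMPLE1"}]}],
     "roles": [{"role_id": role_crn("Editor")}, {"role_id": role_crn("Manager")}],
     "resources": [{"attributes": [{"name": "accountId", "value": "acct-0000"},
                                   {"name": "serviceName", "value": SERVICE_NAME},
                                   {"name": "resourceType", "value": "pvm-instance"}]}]},
    {"id": "p-2", "type": "access",
     "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-EXAMPLE2"}]}],
     "roles": [{"role_id": role_crn("Administrator")}],
     "resources": [{"attributes": [{"name": "accountId", "value": "acct-0000"},
                                   {"name": "serviceName", "value": SERVICE_NAME}]}]},
    build_policy("IBMid-EXAMPLE3", "acct-0000", ["Editor", "Manager"],
                 service_instance="inst-1111") | {"id": "p-3"},
]

if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_EXPORT).items():
        print(pid, findings or "ok")
    print(cli_command("user@example.com", ["Editor", "Manager"], service_instance="inst-1111"))
```

`audit` is the piece to point at a real export: save `ibmcloud iam user-policies <user> --output json` to a file, load it, and pass the list in. Policies for other services are skipped, so the two findings it raises are specific to the Power Virtual Server scoping rules on this page.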
Access roles requirements for Power Virtual Server
Power Virtual Server features such as Direct Link, Transit Gateway, and Virtual Private Cloud depend on other IBM Cloud services, so the Power Virtual Server roles alone are not always enough. Depending on which resources you use, you also need roles on those services. For example, to create a Cloud connection you need Editor access to the Direct Link service.
The following table lists the additional access roles that may be required, and the service or resource attribute that each set of roles applies to:
Additional access roles | Resource attribute |
---|---|
Editor, Manager, Operator, Reader, Viewer | Power Virtual Server service |
Editor, Manager, Operator, Reader, Viewer, VPN Client | VPC Infrastructure Services service |
Editor, Operator, Viewer | Transit Gateway service |
Reader, Viewer | All resources in account (including future IAM-enabled services) |
Editor, Operator, Viewer | Direct Link service |
Viewer | All resource groups |
User access scenarios
See Managing access to resources for information on how to manage or assign access by using IAM policies.