IAM platform and service access roles

Platform access roles enable users to perform tasks on service resources at the platform level. For example, you can assign user access for the service, create or delete instances, and bind instances to applications. Review the following table for the actions available to platform access roles for Satellite.

You cannot scope access policies to a particular Satellite Config resource. Instead, scope the policy to the IBM Cloud Satellite service so that users can list Satellite Config resources.

Satellite Config uses a custom IAM service access role, Deployer, in addition to the standard Reader, Writer, and Manager roles. You can assign users the Deployer role so that they can deploy existing configurations to your clusters, but cannot add or edit the actual configurations for your apps.

IBM Cloud Satellite

Review the available platform and service roles and the actions mapped to each to help you assign access. If you're using the CLI or API to assign access, use `satellite` for the service name.

Table 146. Platform roles - IBM Cloud Satellite

| Role | Description |
| --- | --- |
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Table 146. Service roles - IBM Cloud Satellite

| Role | Description |
| --- | --- |
| Deployer | This role allows the user to deploy satellite-config managed contents to managed clusters |
| Manager | As a manager, you have permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. |
| Reader | As a reader, you can perform read-only actions within a service such as viewing service-specific resources. |
| Satellite Cluster Creator | As a Satellite Cluster Creator you have the ability to create new Red Hat OpenShift on IBM Cloud OpenShift Clusters in the Satellite Location |
| Satellite Link Administrator | The Satellite Link Administrator is able to create, edit, update, and delete Satellite Link Endpoints and Sources |
| Satellite Link Source Access Controller | Allows the subject to enable access to Link Endpoint from a Link Source |
| Writer | As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources. |

Table 146. Service actions - IBM Cloud Satellite

| Action | Description | Roles |
| --- | --- | --- |
| satellite.dashboard.view | | Administrator, Editor, Operator |
| satellite.config-configuration.create | create configuration for the satellite config. You can create one or more configurations for your org. | Administrator, Manager |
| satellite.config-configuration.read | list all the configurations for your org, or get details about one configuration | Manager, Reader |
| satellite.config-configuration.update | updates fields in configuration | Manager, Writer |
| satellite.config-configuration.delete | delete a configuration | Administrator, Manager |
| satellite.config-configuration.manageversion | change your configuration version | Manager, Writer |
| satellite.config-subscription.create | create a subscription for a configuration | Deployer, Manager |
| satellite.config-subscription.read | read subscriptions for your org | Deployer, Manager, Reader |
| satellite.config-subscription.update | update subscription name and other relevant fields | Deployer, Manager |
| satellite.config-subscription.delete | delete a subscription | Deployer, Manager |
| satellite.config-subscription.setversion | set the configuration version on this subscription | Deployer, Manager |
| satellite.config-cluster.attach | attach cluster to a cluster group | Administrator, Manager, Satellite Cluster Creator |
| satellite.config-cluster.read | read cluster list for an org or details about a given cluster | Administrator, Manager, Reader |
| satellite.link.create | Create Link instance for the Satellite Location. | Administrator |
| satellite.config-organization.read | allows access to the organization info | Administrator, Deployer, Manager, Reader, Satellite Cluster Creator |
| satellite.config-organization.manage | allows reading the org_key for an organization | Manager |
| satellite.resource.get | read resource under a cluster or from a cluster group | Administrator, Manager, Reader |
| satellite.api.globalaccess | global access satellite api for special users | Administrator, Manager |
| satellite.config-cluster.register | register cluster to the satellite config | Administrator, Manager, Satellite Cluster Creator |
| satellite.config-cluster.detach | detach cluster | Administrator, Manager |
| satellite.config-clustergroup.read | read cluster group for all its resources | Administrator, Manager, Reader |
| satellite.config-clustergroup.manage | create or delete a cluster group | Administrator, Manager |
| satellite.location.create | create satellite location to be added to the existing locations | Administrator |
| satellite.location.read | read satellite location | Administrator, Editor, Operator, Satellite Cluster Creator, Satellite Link Administrator, Viewer |
| satellite.location.update | edit an existing satellite location's information | Administrator, Editor, Operator |
| satellite.location.delete | delete a satellite location that belongs to you | Administrator, Operator |
| satellite.config-clustergroup.setversion | set the configuration version on this cluster group | Administrator, Deployer, Manager |
| satellite.resource.servicelevelread | Service level read of resources | Administrator, Manager |
| satellite.link.get | Get configuration and status of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
| satellite.link.delete | Delete a Link instance of a Satellite Location. | Administrator, Operator |
| satellite.link-endpoints.list | List all Link Endpoints of a Satellite Location. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
| satellite.link-endpoints.create | Create a Link Endpoint with specified configuration. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoints.get | Get configuration and status of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
| satellite.link-endpoints.update | Modify configuration of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoints.delete | Delete a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoint-certs.get | Get certificate/key of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoint-certs.upload | Upload certificate/key for a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoint-certs.delete | Delete certificate/key of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-sources.list | List all ACL Sources of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
| satellite.link-sources.create | Create an ACL Source for a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-sources.delete | Delete an ACL Source of a Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoint-sources.list | List ACL Sources used by a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Administrator, Viewer |
| satellite.link-endpoint-sources.update | Update ACL Sources enable/disable state of a Link Endpoint. | Administrator, Editor, Operator, Satellite Link Source Access Controller |
| satellite.link-sources.update | Modify IP address/subnets list of an ACL Source configured for the specified Link instance. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.config-cluster.update | Update cluster registration | Manager |
| satellite.location.cluster-create | Enables the user to create Red Hat OpenShift on IBM Cloud clusters in the Satellite Location | Administrator, Satellite Cluster Creator |
| satellite.link-endpoints.import | Import Endpoint from previous export. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-endpoints.export | Export Endpoint configuration to an archive file. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-source-endpoints.list | List Source status for all Endpoints. | Administrator, Editor, Operator, Satellite Link Administrator |
| satellite.link-source-endpoints.update | Update Source status for listed Endpoints. | Administrator, Editor, Operator, Satellite Link Source Access Controller |
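
The following is an added example, not IBM's code: it checks the Deployer separation described earlier against the service actions table by finding the role combination that covers a set of required actions while granting the fewest actions overall. The function and variable names are hypothetical, and only the configuration, subscription, organization and clustergroup.setversion rows are transcribed, so roles that also hold other actions look narrower here than they are.

```python
from itertools import combinations

# Rows transcribed from the "Service actions" table on this page (action -> roles).
# Assumption: configuration, subscription, organization and
# clustergroup.setversion rows only; every other row is omitted.
CFG, SUB = "satellite.config-configuration.", "satellite.config-subscription."
ACTION_ROLES = {
    CFG + "create": {"Administrator", "Manager"},
    CFG + "read": {"Manager", "Reader"},
    CFG + "update": {"Manager", "Writer"},
    CFG + "delete": {"Administrator", "Manager"},
    CFG + "manageversion": {"Manager", "Writer"},
    SUB + "create": {"Deployer", "Manager"},
    SUB + "read": {"Deployer", "Manager", "Reader"},
    SUB + "update": {"Deployer", "Manager"},
    SUB + "delete": {"Deployer", "Manager"},
    SUB + "setversion": {"Deployer", "Manager"},
    "satellite.config-clustergroup.setversion": {"Administrator", "Deployer", "Manager"},
    "satellite.config-organization.read": {"Administrator", "Deployer", "Manager", "Reader", "Satellite Cluster Creator"},
    "satellite.config-organization.manage": {"Manager"},  # reads the org_key
}
ALL_ROLES = sorted(set().union(*ACTION_ROLES.values()))


def actions_for(roles):
    """Union of actions granted by any of the given roles."""
    roles = set(roles)
    return {a for a, granted_to in ACTION_ROLES.items() if granted_to & roles}


def least_privilege(required, max_roles=2):
    """Return (roles, excess_actions) for the narrowest covering combination."""
    required = set(required)
    best = None
    for n in range(1, max_roles + 1):
        for combo in combinations(ALL_ROLES, n):
            granted = actions_for(combo)
            if required <= granted:
                # Prefer fewer granted actions, then fewer roles, then name order.
                key = (len(granted), n, combo)
                if best is None or key < best[0]:
                    best = (key, combo, sorted(granted - required))
    if best is None:
        raise ValueError("no role combination in this subset covers the required actions")
    return best[1], best[2]


if __name__ == "__main__":
    deploy = {SUB + "create", SUB + "setversion", "satellite.config-organization.read"}
    print(least_privilege(deploy))                     # deploy-only task
    print(least_privilege(deploy | {CFG + "update"}))  # deploy plus edit
```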