Managing user access
Use IBM Cloud® Identity and Access Management to grant permissions to Schematics workspaces and actions.
As the IBM Cloud® account owner, you need to control user access to the Schematics workspaces and actions in your account. IBM Cloud Schematics integrates with IBM Cloud® Identity and Access Management (IAM) to securely authenticate users for platform services and to control access to resources. IAM uses resource groups, access groups, roles, and access policies to manage access to IBM Cloud® resources. For more information about how IAM works and how you can use resource groups, access groups, and access policies to organize Schematics access for a team, see What is IBM Cloud® Identity and Access Management?
Overview of Schematics service access roles and required permissions
Grant access to IBM Cloud Schematics by assigning IBM Cloud® Identity and Access Management (IAM) service access roles to your users.
Who must grant access to IBM Cloud Schematics?
As the account owner or an authorized account administrator, you can assign IAM service access roles to your users. The IAM service access roles determine the actions that you can perform on an IBM Cloud Schematics resource, such as a workspace or an action. To avoid assigning access policies to individual users, consider creating IAM access groups.
Is access to IBM Cloud Schematics sufficient to manage IBM Cloud resources?
No. If you are assigned an IBM Cloud Schematics service access role, you can view, create, update, or delete workspaces and actions in IBM Cloud Schematics. However, to manage other IBM Cloud resources with Schematics, you must also be assigned the IAM platform or service access role for each individual IBM Cloud resource that you want to work with. See the documentation for your resource to determine the access policies that you need.
Schematics Platform roles and service roles
User roles exist at both the platform (account) level and the service level. If you are unsure what a platform or a service role allows a user to do, remember that platform roles govern interactions with IBM Cloud platform services such as the resource controller or IAM, whereas roles inside a service govern the service's own API, in this case the Schematics API.
Platform roles
Platform roles can be assigned over an entire account, over particular service instances, or over objects inside a service instance.
- Administrator: Has the full set of rights over a particular resource and its child resources, including inviting new users and assigning roles over the object (only administrators can assign roles). Note that administrators do not hold service roles by default; they can, however, assign service roles to themselves.
- Editor: Can view, create, update, and delete service instances at the account level, but cannot invite new users, manage the account, or assign access policies. Has limited use for actions within a service instance beyond the ability to view them.
- Operator: Can view service instances at the account level and perform the platform operations needed to configure and operate them, such as managing service credentials, but cannot create or delete instances. Has limited use for actions within a service instance beyond the ability to view them.
- Viewer: Can view service instances at the account level, but cannot edit them. Has limited use for actions within a service instance beyond the ability to view them.
Service roles
While an account-level role gives a user particular permissions over service instances by default, roles can also be assigned over a particular service instance. Service roles can be applied to the three first-class objects within a service instance: the instance as a whole, a particular workspace, and a particular action. Permissions can be assigned more granularly where necessary, for example giving a user the Manager role over only one workspace and a lesser role over the instance as a whole.
Service roles can be assigned per-instance or for all instances in an account.
- Reader: Can perform read-only operations within the service, such as viewing service-specific resources. For example, read an action definition, the KMS settings, workspace details, or agent configuration settings.
- Writer: Can create, edit, and read service-specific resources. For example, create and update workspaces, actions, and agents.
- Manager: In addition to Writer access, has the complete set of privileges that the service defines. A Manager has every permission of a Writer and a Reader, plus the operations that the service reserves for Managers.
Roles and permissions about Schematics offerings
The following tables list the roles and permissions needed for each Schematics offering.
Workspace permissions
Review the following table to see what permissions you need to work with Schematics workspaces.
Activities | Reader | Writer | Manager | Account owner |
---|---|---|---|---|
View workspace | | | | |
View workspace activities | | | | |
View workspace logs | | | | |
Create workspace | | | | |
Update workspace | | | | |
Delete workspace | | | | |
Freeze and unfreeze workspace | | | | |
View the readme of a template | | | | |
Create Terraform execution plan | | | | |
Apply a Terraform template | | | | |
Destroy workspace resources | | | | |
Action permissions
Review the following table to see what permissions you need to work with Schematics actions.
Activities | Reader | Writer | Manager | Account owner |
---|---|---|---|---|
View action | | | | |
View action jobs | | | | |
View job logs | | | | |
Create action | | | | |
Update action | | | | |
Delete action | | | | |
Run check action job | | | | |
Run an action | | | | |
Agent permissions
The following permissions are needed to create, deploy, and manage a Schematics agent:
- Permission to deploy an agent
- Permission for the agent to connect with Schematics
- Permission for users to manage agents
Permission to deploy an agent
It is recommended that you use a service ID and its API key to provision the prerequisite IBM Cloud resources for an agent, such as the IBM Cloud Kubernetes Service or Red Hat OpenShift cluster, the IBM Cloud Object Storage instance, and the Object Storage bucket.
The following table lists the maximum roles that the service ID needs to deploy an agent; grant no more than these.
Resources | Service role | Platform role |
---|---|---|
IBM Cloud Kubernetes Service | Manager | Viewer |
Resource Group | | Administrator |
Red Hat OpenShift or Kubernetes Service | Object Writer | Administrator |
IBM Cloud Object Storage | Object Writer ++ | Administrator ++ |
IBM Cloud Object Storage bucket | Object Writer + Writer | Administrator |
Schematics | Manager | Operator |
Permission for agent to connect with Schematics
Make sure that the following access is granted for an agent to connect with Schematics:
- The Administrator platform role on the resources that the agent runs on, such as IBM Cloud Kubernetes Service, Red Hat OpenShift, and IBM Cloud Object Storage.
- The Manager service role and the Operator platform role on Schematics, assigned to the trusted profile that the agent uses to connect.
Permission for users to manage agents
Review the following table to see what identity and permissions you need to use the Schematics Agent.
In addition to the agent activities and permissions listed in the table, make sure that the identity also holds the permissions that the agent create, agent plan, agent apply, agent delete, and agent destroy activities need on the underlying resources; otherwise those activities fail.
Activities | Reader | Writer | Manager | Account owner |
---|---|---|---|---|
View agents | | | | |
View agent logs | | | | |
Agent apply | | | | |
Agent create | | | | |
Agent delete | | | | |
Agent destroy | | | | |
Agent plan | | | | |
Agent update | | | | |
KMS permissions
Review the following table to see what permissions you need to work with the Schematics key management service (KMS) settings.
Activities | Reader | Writer | Manager | Account owner |
---|---|---|---|---|
View KMS instances | | | | |
Read KMS settings | | | | |
Update the KMS settings | | | | |
Setting up access for your users
As the IBM Cloud account owner or an authorized account administrator, create an IAM access group for your users and assign service access policies for IBM Cloud Schematics and for the resources that you want your users to work with.
- Define your teams and create an IAM access group for each team.
- Create a resource group for each team so that you can organize access to the team's IBM Cloud services and workspaces in your account, and bundle them under one common view and billing process. If you want to keep your Schematics workspaces and actions separate from the IBM Cloud resources that they manage, create multiple resource groups.
- Assign access to your IAM access group. Consider the following guidelines when you assign access to an IAM access group:
  - Scope the access of the group to the resource group that you created for the team, rather than granting it on the whole account.
  - If the team needs different access to multiple resource groups, for example Administrator and Manager permissions on all resources in resource group A but Viewer access to the resources in resource group B, create one access policy per resource group.
  - The resource group of the Schematics workspaces or actions can differ from the resource group of the IBM Cloud resources that they manage.
  - For a team to use Schematics, assign both the appropriate Schematics service access role and the permissions required for the IBM Cloud resources that the team manages with Schematics; the Schematics role alone does not grant access to those resources. Review the documentation for each IBM Cloud service to find the appropriate IAM access policy.
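The steps above, as an added example that is not part of the IBM Cloud documentation: a POSIX shell script that creates the access group and resource group for one team with the ibmcloud CLI and attaches three separate, resource-group-scoped policies. The first grants the Schematics Manager service role on the team's own resource group; the second grants Administrator and Manager on the IBM Cloud resources in that same group, because a Schematics role alone does not grant access to the resources that a workspace manages; the third grants Viewer on a second, shared resource group. The team, resource group and user names are placeholders, and DRY_RUN=1 (the default) only prints the commands so that the policies can be reviewed before anything changes in the account.

```shell
#!/bin/sh
# Added example, not part of the IBM Cloud documentation: grants one team
# Schematics access by following the documented steps with the ibmcloud CLI.
# All names (team-alpha, rg-team-alpha, rg-shared-network, alice@example.com)
# are placeholders. DRY_RUN=1 (the default) only prints each command.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One access policy for an access group, always scoped to a resource group.
# $1 group, $2 comma-separated roles, $3 resource group name,
# $4 optional service name (empty = every IAM-enabled service in that group).
grant() {
  if [ -n "${4:-}" ]; then
    run ibmcloud iam access-group-policy-create "$1" --roles "$2" \
      --service-name "$4" --resource-group-name "$3"
  else
    run ibmcloud iam access-group-policy-create "$1" --roles "$2" \
      --resource-group-name "$3"
  fi
}

# Steps 1-3: access group, resource group, scoped policies, then members.
# $1 team name, $2 resource group for the team's workspaces and resources,
# $3 a second resource group the team may only view, remaining args: users.
setup_team_access() {
  team="$1"; rg="$2"; view_rg="$3"; shift 3
  run ibmcloud iam access-group-create "$team" -d "Schematics users of $team"
  run ibmcloud resource group-create "$rg"

  # Schematics service role on the team's own workspaces and actions.
  grant "$team" Manager "$rg" schematics
  # Separate policy for the IBM Cloud resources those workspaces create;
  # the Schematics role above does not cover other services.
  grant "$team" Administrator,Manager "$rg"
  # A second resource group needs its own policy (read-only here).
  grant "$team" Viewer "$view_rg"

  for user in "$@"; do
    run ibmcloud iam access-group-user-add "$team" "$user"
  done
}

# Pre-flight check: how many access policies a dry run would create.
count_policies() {
  ( DRY_RUN=1; setup_team_access "$@" ) | grep -c 'access-group-policy-create'
}

setup_team_access team-alpha rg-team-alpha rg-shared-network alice@example.com
```

Run with `DRY_RUN=0` against a logged-in `ibmcloud` session to apply the changes. The `count_policies` check is worth keeping in a real rollout script: a policy that lands without `--resource-group-name` applies to every instance of the service in the account, so the number and scope of policies should match the plan before the script is allowed to execute them.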
Manage access tags in your account
You can centrally manage access tags on the Schematics workspaces in your account at scale. Tags are key:value metadata that you attach to resources to organize them; access management tags additionally let you write IAM access policies that apply to every workspace that carries a given tag, instead of naming each workspace in a policy. The following steps create and associate access tags for Schematics workspaces in your account.
- To create an access tag, see Create an access management tag.
- To associate access tags, see Attach your access management tag to a Schematics workspace.
For more information about managing access tags, see Controlling access to resources by using tags.