IBM Cloud Docs
Assigning access to projects

Projects are controlled by IBM Cloud Identity and Access Management (IAM). As an administrator on a project, you can grant users access to view and edit projects, approve changes, and deploy or destroy configuration resources. The Projects service also requires authorization with other IBM Cloud services so that users can validate and deploy configurations.

Actions and roles for the IBM Cloud Projects service

The following table includes the actions that users can take when they are assigned a specific role on the IBM Cloud Projects service. Review the following information to make sure that you are assigning the correct level of access to your users.

Access roles for projects

| Role | Definition | Project permissions |
|---|---|---|
| Viewer | Viewers can perform read-only actions within a project. | View a project (including the project.json); Find a project by using Global Search |
| Operator | Operators can perform the same actions as viewers, with more permissions beyond the viewer role, including planning project deployments. | All viewer project permissions; Validate a configuration; Edit a configuration |
| Editor | Editors can perform the same actions as operators, with more permissions beyond the operator role, including creating projects and deploying resources. | All viewer and operator project permissions; Create a project; Edit a project; Edit project settings; Delete a project; Create a configuration; Discard a draft configuration; Approve configuration changes; Deploy configuration changes; Destroy resources; Create an environment; Edit an environment; Delete an environment |
| Administrator | Administrators can perform the same actions as editors, with more permissions beyond the editor role, including updating project statuses and planning new or changed project deployments. | All viewer, operator, and editor project permissions; Force approve changes that failed validation |

In addition to access on the IBM Cloud Projects service, you must be assigned the following IAM privileges on the project tooling resources within the account:

  • The Viewer role on the resource group for the project, which allows a resource group for the project to be selected to deploy the tooling services.

Assigning access in the console

To assign access to the IBM Cloud Projects service, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and then select Access groups.
  2. Select the access group that you want to assign access to, then go to Access > Assign access.
  3. For the service, select IBM Cloud Projects. Then, click Next.
  4. Scope the access to All resources or Specific resources. Then, click Next.
  5. Select any combination of roles or permissions, and click Next.
  6. Optionally, add conditions to the policy. Then, click Review.
  7. Click Add to add your policy configuration to your access summary.
  8. Click Assign.

It's a best practice to assign access to an access group and then add users to the access group, instead of assigning access to users one by one. However, you can assign access to a single user by going to Manage > Access (IAM) > Users and selecting the user you want to assign access to.
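The following added example (not part of the IBM documentation) turns the access roles table into a least-privilege review: for each access group it finds the lowest Projects role that covers the actions the group needs and reports high-impact permissions granted beyond that. The access group names, the sample assignments, the shortened permission labels, and the choice of which actions count as high impact are assumptions made for illustration.

```python
# Added example: a least-privilege review of Projects role assignments.
# Role model transcribed from the access roles table (labels shortened).
ROLE_ORDER = ["Viewer", "Operator", "Editor", "Administrator"]
OWN_PERMISSIONS = {  # permissions each role adds on top of the roles below it
    "Viewer": {"View a project", "Find a project by using Global Search"},
    "Operator": {"Validate a configuration", "Edit a configuration"},
    "Editor": {
        "Create a project", "Edit a project", "Edit project settings",
        "Delete a project", "Create a configuration",
        "Discard a draft configuration", "Approve configuration changes",
        "Deploy configuration changes", "Destroy resources",
        "Create an environment", "Edit an environment", "Delete an environment",
    },
    "Administrator": {"Force approve changes that failed validation"},
}
# Assumption: which actions count as high impact is this example's choice.
HIGH_IMPACT = {"Delete a project", "Destroy resources", "Delete an environment",
               "Force approve changes that failed validation"}

def effective(role):
    """All permissions a role holds, including those inherited from lower roles."""
    upto = ROLE_ORDER[: ROLE_ORDER.index(role) + 1]
    return set().union(*(OWN_PERMISSIONS[r] for r in upto))

def minimum_role(needed):
    """Lowest role whose effective permissions cover every needed action."""
    for role in ROLE_ORDER:
        if set(needed) <= effective(role):
            return role
    unknown = sorted(set(needed) - effective("Administrator"))
    raise ValueError(f"not a Projects permission: {unknown}")

def audit(assignments):
    """Return (group, assigned, sufficient, excess high-impact actions) per over-grant."""
    findings = []
    for group, assigned, needed in assignments:
        least = minimum_role(needed)
        if ROLE_ORDER.index(assigned) > ROLE_ORDER.index(least):
            excess = (effective(assigned) - effective(least)) & HIGH_IMPACT
            findings.append((group, assigned, least, sorted(excess)))
    return findings

# Constructed sample: hypothetical access groups and the actions each one needs.
SAMPLE = [
    ("config-reviewers", "Editor", ["View a project", "Validate a configuration"]),
    ("release-team", "Editor", ["Deploy configuration changes"]),
    ("auditors", "Administrator", ["View a project"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
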

Granting access between the Projects service and other IBM Cloud services

Before a project can validate or deploy configurations, the Projects service must be authorized in your account to communicate with other IBM Cloud services. The following table lists the required authorizations. This authorization is only required once.

An IAM administrator or a user with the required roles on those services can automatically grant authorizations by creating a project in your account, or they can create the service to service authorizations manually.

Projects service to service authorizations

| Role | Source | Target | Source account |
|---|---|---|---|
| Manager and Administrator | IBM Cloud Projects service | Schematics service | This account |
| Viewer | IBM Cloud Projects service | Resource group only; All resource groups in the account | This account |
| Viewer | IBM Cloud Projects service | Catalog Management service | This account |
| Viewer and SecretsReader | IBM Cloud Projects service | Secrets Manager service | This account |