Best practices for assigning access in an enterprise

How enterprise-managed IAM access works

Centrally manage identity and access management (IAM) for your organization by using IAM templates to assign access and manage security settings. Create templates for IAM resources in your enterprise accountA unique account within an enterprise that manages users and access for account organization and enterprise billing. to standardize access groups, trusted profiles, and security settings across accounts in your organization. After you assign an IAM template, the child accounts that you select are assigned an enterprise-managed IAM resource with the associated attributes, like settings, policies and action controls. Action controls determine whether administrators of IAM services in child accounts can modify the enterprise-managed resource in their account.

Users in a child account can determine that an IAM resource comes from an enterprise-managed IAM template by the enterprise-managed tag on the resource in the console. The API response for enterprise-managed IAM resources in child accounts includes a “template” section.

Depending on how you configure the action controls for an IAM template, child accounts might modify the IAM resource that you assigned. In this case, only that instance of the resource is impacted. An instance of the same IAM resource in a different account isn't affected.

One advantage of IAM templates is the reduced time and effort to manage access in your organization. For example, instead of creating an access group with the same permissions in each account, create one access group template at the enterprise level, and assign that access group template to child accounts. The assignment creates the access group and its associated policies in each child account, saving you from manually creating hundreds of policies. Learn about other strategies for Reducing time and effort to manage access.

IAM templates help prevent policy drift by using the practice of immutable infrastructure. Immutable infrastructure is a DevOps practice that helps ensure all enterprise-managed IAM resources remain in a consistent state, reducing the risk of configuration errors. With immutable infrastructure, any changes to a template are made by creating a new instance or version of the template, rather than modifying an existing one. This means that the history of the template can be easily traced, as each instance or version represents a specific point in time. Tracking changes through the creation of new instances provides an audit trail that can help identify and address any security issues, making your IAM resources more reliable and secure. For more information about auditing enterprise IAM events, see Monitoring enterprise IAM templates.

With enterprise-managed IAM, you can grow your organization at scale. By assigning instances of templates as needed, you can avoid the complexity and risk of modifying existing instances. This way, it's easier to assign existing templates to new accounts.

Test a new template version in select accounts before you assign it to wider audiences. You can roll back to a past version if the new version doesn't behave the way that you want.

When should I use an IAM template?

To know when to use a template to assign access or manage child account settings in your enterprise, consider the following factors:

Number of child accounts

If you have many child accounts, it can be time-consuming and error-prone to manually configure access policies and settings for each account. In this case, by using IAM templates, you can save time and ensure consistency across all accounts.

Common access requirements

If all or most of the child accounts require the same access policies, it makes sense to use a template to apply these policies uniformly. This ensures that all accounts have the necessary permissions to perform their intended tasks.

Security requirements

If you have strict security requirements, such as compliance with industry regulations or company policies, IAM templates can ensure that all child accounts are configured to meet those requirements and stay compliant. This can help reduce the risk of security breaches and unauthorized access.

Changes to access policies

If you need to update access policies for multiple child accounts, IAM templates can make the process more efficient. Instead of manually updating each account, you can update the template and apply the changes to all accounts at once.

Secure by default

If you need to ensure that new accounts are configured to your standards by default, you can assign an IAM template to an account group. Assigning a template at the account group level ensures that new accounts that you create within that account group, or existing account that you move to it, are automatically assigned the same template.

Access group templates

An access group template is a predefined access group with a set of associated access policies that can be applied to one or multiple child accounts or account groupsAn organizational unit for accounts within an enterprise. An account group can contain accounts or other account groups.. Access group templates can include permissions for different services and resources, and the level of access for the group. By using access group templates, enterprise administrators can ensure that child accounts with common access requirements are configured with the same access policies, reducing the risk of misconfigurations and unauthorized access.

For more information, see Creating enterprise-managed access group templates.

Trusted profile templates

With trusted profile templates, you can automatically grant federated users access to child accounts with conditions based on SAML attributes from your corporate directory. You can skip the account invitation process and define conditions that map the people in your organization to the right account. This way, the right access is already set up for them when they apply a trusted profile.

For more information, see Creating enterprise-managed trusted profile templates.

Settings templates

Enterprise-managed settings templates ensure that IAM settings, like restricting domains for account invitations and setting limits for login sessions, are consistent across multiple accounts. You can assign a settings template to existing accounts and to accout groups to help streamline the process of creating new accounts that are secure by default. By selecting an account group, you assign a settings template to existing and future child accounts of that group. Administrators can apply the appropriate template to an account group to ensure that new accounts are configured consistently and in compliance with organizational policies and best practices. This can save time and reduce the risk of misconfiguration or security vulnerabilities.

For more information, see Creating enterprise-managed settings templates.

Access policy templates

Access policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.

Spend less time on configuring individual policies and use access policy templates to quickly grant the right access in access group and trusted profile templates. For more information, see Creating access policy templates.

Action controls

Action controls are a mechanism to define the operations that administrators of IAM services in child accounts can take on the enterprise-managed IAM resources that you assign to their account. For example, by default an action control prevents access group administrators from adding access policies to an enterprise-managed access group.

Action controls are available only for access group templates.

For access group templates, the best practice is to restrict changes to policies, but to allow access group administrators to add members. This way, you can create role-based access group templates with the right access for those roles and delegate managing membership to the access group administrators in child accounts. Learn more about the available action controls for access group members, dynamic rules, and access policies.

How can I grant access to child account resources with IAM templates?

Resources that users provision in your enterprise reside in child accounts. The best way to organize resources in child accounts is by using access management tags. When you assign IAM templates across multiple accounts, the access policies must contain a resource pattern that's applicable to all child accounts that you target. For example, you can't specify a resource group in an enterprise-managed IAM policy because the GUID that identifies a resource group is unique. However, you can specify a pattern that matches common access management tags in your organization.

Some services, like account management services, don't have provisionable resources, so you don't need to scope policies for those services to specific resources.

Use IAM templates to grant access in child accounts to resources like all of a service's resources, all resources with a specific tag, or all resources in the account. Review the following sample access policies to help you determine how you might want to grant access in access group and trusted profile templates.

Compare access groups and trusted profiles

Access groups are best used for granting access for a user's day-to-day work, while trusted profiles are suited for granting federated users the level of access they need to complete a specialized and specific set of tasks within a limited time period. These are usually critical tasks that you would want to avoid doing unintentionally in daily work. With trusted profiles, federated users don't need to onboard to IBM Cloud, they are granted access to IBM Cloud resources in an account by way of the trust relationship. If a federated user leaves your company, you can simply delete their corporate identity in your directory, which then also removes access to IBM Cloud. Time-based access with trusted profiles allows frequent authentication checks for reduced security risks.

Use the following table to understand the differences between using access groups and trusted profiles to make the best decision for your use case.

Access groups and trusted profiles can be used separately or hand-in-hand for user and access management, depending on your organization's needs.

For example, for the CustApp project, you might choose to create an IAM Admin trusted profile with the following policies:

• Administrator for access groups CustApp-Dev/Test/Prod. This way, the administrator can grant and revoke access to users by adding them to and removing them from access groups.
• Administrator for IAM Identity account management service. This way, the administrator can manage service IDs, trusted profiles, rules, and so on.
• Editor for User Management account management service. This way, the administrator can invite users to the account, view users in account, and so on.

With this trusted profile, the administrator can add developers to an access group with broad access policies to complete day-to-day actions and tasks in the development and test environments. Access for operations on the production environment can be set up in a trusted profile named Operator-Profile. This way, the developer can change job roles by logging in and applying the Operator-Profile when they need to take any operation actions on the CustApp in production.

If you have administrator access through a trusted profile, it is not recommended to invite users to an account while the profile is applied. Users should be invited by true account owners or administrators, or an error might occur.

Reducing time and effort to manage access

There is a limit on the total number of policies that are allowed in an account. You can use a few strategies to ensure that you don't reach the limit and to reduce the amount of time that you spend managing access for the identities in your account (users, service IDs, or trusted profiles):

• Use the principle of least privilege and assign only the access that is necessary. This can help you ensure that the identities in your account are limited to only the actions that you want to allow. For example, time-based conditions for access policies grant access during only the timeframe you specify, reducing the opportunity for attack in the event of a security breach. For more information, see Limiting access with time-based conditions.
• Add resources to a resource group to further minimize the number of necessary policies. For example, you might have a team working on a project that uses specific resources in your account. Add the team members to an access group or trusted profile with a policy that assigns access to only the resources that are in a specific resource group. This way, you don't need to assign a policy to each resource for each team member.
• Use access groups to streamline managing access for identities that require the same level of access. You can set up an access group with a specific policy defined, and then add those identities to the group. If the group members need more access later on, you simply define a new policy for the access group.
• Use access management tags to control access to the resources and service IDs in your account at scale. By assigning access only to resources and service IDs that have specific tags that are attached to them, you can avoid multiple updates to your defined policies. For more information, see Controlling access to resources by using tags.
• Use trusted profiles to automatically grant federated users and compute resources access to your account. This way, federated users can be mapped to one or more trusted profiles during login by evaluating SAML-based attributes to determine which profiles they can apply. Using trusted profiles for compute resources helps you avoid storing credentials to run applications and the management and rotation of credentials. You can also add trusted profiles to access groups to leverage the set of policies you have already created.
• Assign access by using a group of services so that you need only a single policy to assign access to multiple services. This way, you decrease the number of policies in your account and reduce the time and effort to manage access.
  • All Identity and Access enabled services: All catalog services that use IAM for access management.
  • All Account Management services: Platform services, such as billing and usage, license and entitlements, enterprises, and more. For more information, see Assigning access to account management services.
  • All IAM Account Management services: A subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users, IAM Groups, and future IAM services.

Removing access for inactive identities and inactive policies can reduce the risk of unauthorized access to your IBM Cloud resources and help you manage access more efficiently. For more information, see Identifying inactive identities and Auditing access policies.

For more information about IAM access and the available features, see How IBM Cloud IAM works.

Use cases for assigning enterprise-managed IAM templates

Review the following use cases to develop a customized plan that suits the needs of your enterprise. For each use case, it's recommended to use enterprise-managed IAM templates to maintain consistency and compliance by centrally managing IAM for an organization.