IBM Cloud Docs

Opting in to enterprise-managed IAM

Enterprise-managed IAM centrally administers access within an enterprise by assigning preconfigured IAM resources, such as access groups, trusted profiles, and settings, to child accounts. New and existing accounts must opt in to take advantage of the efficiency and enhanced security that enterprise-managed IAM offers.

You can sort accounts by going to Manage > Enterprise > Accounts and filtering on Enterprise-managed IAM.

Enabling enterprise-managed IAM for existing accounts

As the owner of a child account, you can opt in to enterprise-managed IAM by completing the following steps:

  1. In the IBM Cloud console, go to Manage > Account > Account settings.
  2. Go to Enterprise-managed IAM and click On.

Enabling enterprise-managed IAM for new accounts

As an enterprise user with the Administrator role on the Enterprise service, you can enable enterprise-managed IAM when you create a new account. To create an account with enterprise-managed IAM enabled, complete the following steps:

  1. In the IBM Cloud console, switch to the enterprise account and go to Manage > Enterprise.
  2. Click Create account.
  3. Confirm that Enterprise-managed IAM is On, which is the default.
  4. Click Create.

To disable enterprise-managed IAM in an account, the account owner must open a support case.

Existing accounts by using the API

As the owner of a child account, you can opt in to enterprise-managed IAM. To opt in to enterprise-managed IAM in a child account, call the Enterprise Management API as shown in the following example:

# Assumes the shell variables ACCOUNT (the child account ID) and TOKEN (an IAM token) are set.
# The request targets the production Account Management endpoint; the body is double-quoted so the escaped JSON survives shell expansion.
curl -s -L -X PATCH "https://accounts.cloud.ibm.com/v1/accounts/$ACCOUNT/traits" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d "{
    \"enterprise_iam_managed\": true
}"

New accounts by using the API

As an enterprise user with the Administrator role on the Enterprise service, you can enable enterprise-managed IAM when you create a new account. To create an account with enterprise-managed IAM enabled, call the Enterprise Management API as shown in the following example:

# Assumes the shell variables TOKEN, ENTERPRISE_ACCOUNT_ID, ACCOUNT_GROUP_ID, and OWNER_IAM_ID are set.
# The JSON body is double-quoted so that the shell expands the variables; the trailing comma after owner_iam_id is required.
curl -s -X POST "https://enterprise.cloud.ibm.com/v1/accounts" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{
  \"parent\": \"crn:v1:bluemix:public:enterprise::a/$ENTERPRISE_ACCOUNT_ID::account-group:$ACCOUNT_GROUP_ID\",
  \"name\": \"Example Account\",
  \"owner_iam_id\": \"$OWNER_IAM_ID\",
  \"traits\": { \"enterprise_iam_managed\": true }
}"

To disable enterprise-managed IAM in an account, the account owner must open a support case.
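The two API calls above, plus a coverage check over child-account records, as an added Python example that is not IBM's code. It assumes the production Account Management endpoint accounts.cloud.ibm.com for the traits call, and that each account record handed to the audit carries a traits object keyed like the PATCH body; the sample records are constructed.

```python
"""Added example (not IBM's code): build the enterprise-managed IAM opt-in and
account-creation requests with urllib, and audit child accounts for ones that
have not opted in."""
import json
import urllib.request

ACCOUNTS_API = "https://accounts.cloud.ibm.com/v1"      # account traits (opt-in)
ENTERPRISE_API = "https://enterprise.cloud.ibm.com/v1"  # account creation


def _request(method, url, token, body):
    # Same headers as the curl examples; the bearer token is an IAM token.
    return urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})


def opt_in_request(account_id, token):
    """PATCH /v1/accounts/{id}/traits setting enterprise_iam_managed to true."""
    return _request("PATCH", f"{ACCOUNTS_API}/accounts/{account_id}/traits",
                    token, {"enterprise_iam_managed": True})


def account_group_parent(enterprise_account_id, account_group_id):
    """Parent CRN for a child account placed under an account group (format from the page)."""
    return (f"crn:v1:bluemix:public:enterprise::a/{enterprise_account_id}"
            f"::account-group:{account_group_id}")


def create_account_request(parent, name, owner_iam_id, token):
    """POST /v1/accounts with the trait set explicitly rather than relying on the default."""
    body = {"parent": parent, "name": name, "owner_iam_id": owner_iam_id,
            "traits": {"enterprise_iam_managed": True}}
    return _request("POST", f"{ENTERPRISE_API}/accounts", token, body)


def not_opted_in(accounts):
    """IDs of accounts whose traits do not show enterprise_iam_managed as true.
    Assumption: records carry a 'traits' object; a missing key counts as not opted in."""
    return [a["id"] for a in accounts
            if a.get("traits", {}).get("enterprise_iam_managed") is not True]


# Constructed sample records for the audit; not real IBM Cloud output.
SAMPLE_ACCOUNTS = [
    {"id": "acct-a", "name": "payments", "traits": {"enterprise_iam_managed": True}},
    {"id": "acct-b", "name": "legacy", "traits": {"enterprise_iam_managed": False}},
    {"id": "acct-c", "name": "sandbox"},
]

if __name__ == "__main__":
    print("Not opted in:", not_opted_in(SAMPLE_ACCOUNTS))
    req = opt_in_request("acct-b", "<IAM_TOKEN>")
    print(req.get_method(), req.full_url, req.data.decode())
```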

New accounts by using Terraform

As an enterprise user with the Administrator role on the Enterprise service, you can enable enterprise-managed IAM when you create a new account.

Before you can create an account with enterprise-managed IAM enabled by using Terraform, make sure that you have completed the following:

  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Complete the following steps to create an account with enterprise-managed IAM enabled:

  1. In your Terraform configuration file, find the Terraform code that you used to create the enterprise and note the CRN of the parent, which can be an account group or the enterprise.

  2. Create a new child account with enterprise-managed IAM enabled by including the traits argument with the property enterprise_iam_managed = true.

     # Replace the placeholder strings with the parent CRN that you noted in step 1,
     # the account name, and the IAM ID of the account owner.
     resource "ibm_enterprise_account" "enterprise_account" {
       parent       = "parent"
       name         = "name"
       owner_iam_id = "owner_iam_id"
       traits {
         enterprise_iam_managed = true
       }
     }

     # Importing an existing account into the enterprise also accepts the traits block.
     resource "ibm_enterprise_account" "enterprise_import_account" {
       parent        = "parent"
       enterprise_id = "enterprise_id"
       account_id    = "account_id"
       traits {
         mfa                    = "NONE"
         enterprise_iam_managed = true
       }
     }

     For more information, see the argument reference details on the Terraform Enterprise Management page.

  3. After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.

     terraform init

  4. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

     1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

        terraform plan

     2. Run terraform apply to create the resources that are defined in the plan.

        terraform apply


To disable enterprise-managed IAM in an account, the account owner must open a support case.