IBM Cloud Docs
Using IAM permissions with IBM Cloud Transit Gateway


IBM Cloud® Transit Gateway uses the IBM Cloud Identity and Access Management (IAM) platform access roles to manage access to the service's resources. IAM access roles allow account administrators to assign different levels of permission for using the service. The following tables provide the list of actions that you can take against the IBM Cloud Transit Gateway service and its resources depending on a user's assigned roles.

Platform-access roles

IBM Cloud Transit Gateway supports Administrator, Editor, Operator, and Viewer platform-access roles.

Table 1. IAM platform-access user roles and actions

| Role | Description of Actions | Actions |
|---|---|---|
| Administrator | Can perform all actions, including managing gateways and connections, and assign IBM Cloud Transit Gateway IAM access policies to other users. | Create gateways; Delete gateways; Edit gateways; Add or remove gateway connections; Accept or reject a cross account connection request; Edit gateway connections; Update user access policies for the service |
| Editor | Can perform all actions, including managing gateways and connections, but cannot assign IBM Cloud Transit Gateway IAM access policies to other users. | Create gateways; Delete gateways; Edit gateways; Add or remove gateway connections; Accept or reject a cross account connection request; Edit gateway connections |
| Operator and Viewer | Can only perform actions that don't change the state of resources. | List gateways; Get gateways; List a gateway's connections; View a gateway's connections; View incoming connection requests |

To add or remove connections to VPCs, or to accept or reject a cross account connection request, you must also have Administrator or Editor platform-access role permission to the VPC being connected to. See VPC: Getting started with IAM for more information.

To add or remove connections to Direct Links, you must also have Administrator or Editor platform-access role permission to the Direct Link being connected to. See Managing access for IBM Cloud Direct Link for more information.

Service name

The service name that you specify depends on how you access IBM Cloud Transit Gateway. If you use the IBM Cloud CLI, the APIs, or Terraform, use transit as the service name. If you use the UI, the service name is Transit Gateway.
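
As an added example (not part of the IBM documentation or its tooling), the following Python applies Table 1 and the VPC and Direct Link requirements to a set of IAM policy records, to show in an access review who can actually change connections. The policy record shape, the user IDs, and the service names is and directlink are assumptions; transit is the service name given above, and every policy is assumed to be scoped to a whole service.

```python
ROLE_PREFIX = "crn:v1:bluemix:public:iam::::role:"  # platform-role CRN prefix
WRITE_ROLES = {"Administrator", "Editor"}  # Table 1: may change gateways and connections
TRANSIT = "transit"  # service name for CLI, API and Terraform (from the page)
VPC, DIRECT_LINK = "is", "directlink"  # assumptions: IAM service names for VPC and Direct Link

def policy(iam_id, service, *roles):
    """Build a constructed record shaped like an IAM access policy (assumed shape)."""
    return {
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": ROLE_PREFIX + r} for r in roles],
        "resources": [{"attributes": [{"name": "serviceName", "value": service}]}],
    }

SAMPLE = [  # constructed users and role assignments
    policy("IBMid-alice", TRANSIT, "Administrator"), policy("IBMid-alice", VPC, "Editor"),
    policy("IBMid-bob", TRANSIT, "Editor"), policy("IBMid-bob", VPC, "Viewer"),
    policy("IBMid-carol", TRANSIT, "Operator"), policy("IBMid-carol", DIRECT_LINK, "Administrator"),
]

def _attr(attrs, name):
    return next((a["value"] for a in attrs if a["name"] == name), None)

def roles_by_subject(policies):
    """Map iam_id -> service name -> set of platform role names."""
    out = {}
    for p in policies:
        roles = {r["role_id"][len(ROLE_PREFIX):] for r in p["roles"]
                 if r["role_id"].startswith(ROLE_PREFIX)}
        for subj in p["subjects"]:
            who = _attr(subj["attributes"], "iam_id")
            for res in p["resources"]:
                svc = _attr(res["attributes"], "serviceName")
                out.setdefault(who, {}).setdefault(svc, set()).update(roles)
    return out

def review(policies):
    """Apply the page's rules: connection changes need write roles on both sides."""
    report = {}
    for who, svcs in roles_by_subject(policies).items():
        tg = svcs.get(TRANSIT, set())
        write = bool(tg & WRITE_ROLES)
        report[who] = {
            "manage_gateways": write,
            "connect_vpc": write and bool(svcs.get(VPC, set()) & WRITE_ROLES),
            "connect_direct_link": write and bool(svcs.get(DIRECT_LINK, set()) & WRITE_ROLES),
            "grant_transit_access": "Administrator" in tg,
            "read_only": bool(tg) and not write,
        }
    return report
```

In the sample, the Editor on transit who holds only Viewer on the VPC can manage gateways but cannot attach that VPC, and only the Administrator on transit can grant Transit Gateway access to others.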