Assigning separate user access to dedicated hosts and dedicated groups
This tutorial demonstrates how to use resource groups and access groups to give users access to resources on dedicated hosts without allowing them to see or interact with these hosts directly.
The fictional user Employee Example is used to show how to give a user access to resources in a dedicated host group without giving them the ability to interact directly with the dedicated hosts in that group. For example, such a user can provision an instance on the dedicated host group, and the instance is automatically placed on a dedicated host within the group. However, with the resource group configuration in this example, the user has no authority to create or delete a dedicated host.
Objectives
- Create two separate resource groups, Admin resources and Users resources.
- Create a dedicated host in the Admin resources resource group.
- Create the dedicated host group that the dedicated host belongs to in the Users resources resource group.
- Create an access group with an access policy that assigns the Viewer, Operator, and Editor platform roles on Virtual Server for VPC resources in the Users resources resource group.
- Invite your user, Employee Example, to the access group so that they can provision instances to the dedicated host group.
- Restrict Employee Example from interacting directly with the dedicated hosts by excluding Employee Example from access to the Admin resources resource group.
Before you begin
This tutorial requires the following prerequisites.
- An IBM Cloud billable account.
- Active IBM Cloud accounts for users who are to receive access.
- An existing SSH Key
Create resource groups
You can use resource groups to organize dedicated hosts and dedicated host groups. The first step in our example is to create two separate resource groups. The first resource group is for the dedicated host. The second resource group is for the dedicated host group.
Creating a dedicated host resource group
Complete the following steps to create a resource group for the dedicated host.
- Log in to the IBM Cloud console.
- Click Manage > Account.
- From the Account page, click Resource groups > Create.
- Give the resource group a unique name such as Admin resources.
- Click Add.
Creating a dedicated host group resource group
Complete the following steps to create a resource group for the dedicated host group.
- Click Manage > Account.
- From the Account page, click Resource groups > Create.
- Give the resource group a unique name such as Users resources.
- Click Add.
Creating a dedicated host and dedicated host group
When you create a dedicated host, you assign it to a resource group. As part of the dedicated host creation process, you define a dedicated host group for the dedicated host. You can assign the dedicated host group to a separate resource group, so you can apply permissions separately for the dedicated host and the dedicated host group.
Complete the following steps to create a dedicated host and dedicated host group in their respective resource groups: Admin resources and Users resources.
- Click the Navigation menu icon > Infrastructure.
- From the VPC Infrastructure page, click Dedicated hosts > Create.
- Give the dedicated host a unique name such as Example Dedicated Host.
- Change the selected resource group from Default to Admin resources.
- Click New dedicated group to begin creation of a dedicated host group.
- In the new window, give the dedicated host group a unique name such as Example Dedicated Host Group.
- Change the resource group from Default to Users resources.
- Click Create > Create dedicated host to create the dedicated host.
Creating a VPC and subnet in the Users resources resource group
- Open the IBM Cloud console.
- Click the Navigation menu icon > Infrastructure > Network > VPCs, and click Create.
- Enter a name for the VPC, such as my-vpc.
- Select Users resources as the resource group for the VPC.
- Create the default access control list for new subnets in this VPC.
- Select whether the default security group allows inbound SSH and ping traffic to virtual server instances in this VPC.
- Clear the Default address prefixes option so you don't need to assign default address prefixes to each zone in your VPC. After you create your VPC, you can go to its details page and set your own address prefixes.
- Enter a name for the new subnet in your VPC, such as my-subnet.
- Select Users resources as the resource group for the subnet.
- Select Dallas 2 as the location for the subnet.
The region that you select is used as the region of the VPC. All additional resources that you create in this VPC are created in the selected region.
- Enter an IP range for the subnet in CIDR notation, for example, 10.240.0.0/24. In most cases, you can use the default IP range. If you want to specify a custom IP range, you can use the IP range calculator to select a different address prefix or change the number of addresses.
A subnet cannot be resized after it is created.
- Click Create virtual private cloud.
Creating a virtual server instance and Block Storage volume
Be sure to select VPC infrastructure from the menu icon.
- In the IBM Cloud console, click the Navigation menu icon > Infrastructure > Compute > Virtual server instances.
- Click Create and enter the information in Table 1.
- Click Create virtual server instance when you are ready to provision.
Table 1. Virtual server instance fields

Field | Value |
---|---|
Name | Required; provide a name for your virtual server instance. |
Virtual private cloud | Select my-vpc, the VPC that you created in the Users resources resource group. |
Resource group | Users resources |
Location | Dallas 2 |
SSH key | Select an existing public SSH key or click Create an SSH key to create a new one. For more information about creating an SSH key, see Creating your SSH key using the UI. SSH keys are used to securely connect to the instance after it's running. Note: SSH keys can be either RSA or Ed25519. You can generate new RSA key pairs in the UI; existing RSA and Ed25519 keys can be uploaded. Ed25519 can be used only if the operating system supports that key type, and it can't be used with Windows or VMware images. For more information, see SSH keys. |
Attached Block Storage volumes (data volumes) | You can add one or more secondary data volumes to be attached when the instance is provisioned. Click New Block Storage volume, specify the information in Table 2, and then click Create volume. |
Network interfaces | Assign networking options to connect to the IBM Cloud VPC. You can create and assign up to five network interfaces to each instance. |
Table 2. Block Storage volume fields

Field | Value |
---|---|
Name | Specify a unique, meaningful name for the volume, for example, my-data-volume. You can edit the name later. Volume names must be unique across the entire VPC infrastructure. |
Size | Enter a volume size in GB. Volume sizes can be between 10 GB and 2 TB. |
Encryption | Encryption with IBM-managed keys is enabled by default on all volumes. You can also choose Customer Managed and use your own encryption key. For more information about the one-time setup procedure, see Prerequisites for setting up customer-managed encryption. |
A Block Storage volume is created and attached to the virtual server instance. On the instance details page, the Attached Block Storage volumes list is updated to show the new volume.
Creating an access group for the dedicated host group
To simplify changes in permissions, you can add users to an access group. Access groups apply permissions to all of the users in the group. You can add multiple users to an access group.
Use the following steps to create an access group with an access policy that assigns the Viewer, Operator, and Editor platform roles on Virtual Server for VPC resources in the Users resources resource group. Because Example Dedicated Host Group exists in the Users resources resource group, users in the access group can provision instances to Example Dedicated Host Group, while the policy grants nothing on the dedicated host itself, which lives in Admin resources.
- Click Manage > Access (IAM).
- On the Access (IAM) page, click Access groups > Create.
- On the open window, enter a unique name for the access group such as User access.
- Enter Provides access to resources on the dedicated host group. in the description text box.
- On the User access page, click the Access policies tab > Assign access.
- On the Assign access to User access, click IAM services.
- In Which service do you want to assign access to?, select VPC Infrastructure Services.
- In How do you want to scope the access?, select Resources based on selected attributes.
- Click the Resource group box.
- Select Users resources as the resource group.
- Click the Resource type box and select Virtual Server for VPC option.
- In Platform access select the Viewer, Operator, and Editor options.
- Click Assign > Yes.
Clicking the numbers next to the permission options shows the list of actions that these permissions allow. Check that list before you assign a role: Editor includes creating and deleting instances, so it is the role that actually lets a user provision to the dedicated host group, but it is scoped here to Virtual Server for VPC resources in Users resources only. For more information about IAM roles, see Getting Started with IAM.
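The access policy built in the steps above is scoped by three resource attributes: the service (VPC Infrastructure Services), the resource group (Users resources), and the resource type (Virtual Server for VPC). The following Python is an added example written for this page, not IBM Cloud's IAM engine or code from the original tutorial. It builds a policy document in the shape of an IAM access policy for the access group and then runs a simplified attribute-matching evaluator over a few requests Employee Example might make, to show why the policy covers instances in Users resources and nothing in Admin resources. The account, resource group and access group IDs are constructed placeholders, the resource type strings ("instance", "dedicated-host") are assumed values, and the matching rule (every attribute named by the policy must match the request) is a simplification of the real evaluation.

```python
"""Added example: an IAM-style access policy for the "User access" access
group and a minimal evaluator that shows which requests it covers.
Illustrative code for this page; IDs and resource type strings are
constructed or assumed, not real IBM Cloud values."""
import json

# Constructed placeholder identifiers (not real IBM Cloud IDs).
ACCOUNT_ID = "a1b2c3d4e5f6"
ADMIN_RG_ID = "rg-admin-resources"   # "Admin resources" resource group
USERS_RG_ID = "rg-users-resources"   # "Users resources" resource group
USER_ACCESS_GROUP_ID = "AccessGroupId-user-access"

ROLE_CRN = "crn:v1:bluemix:public:iam::::role:{}"


def user_access_policy(access_group_id, account_id, resource_group_id):
    """Policy equivalent to the UI steps: Viewer, Operator and Editor on
    VPC Infrastructure Services ("is"), scoped to one resource group and
    to the Virtual Server for VPC resource type ("instance" is assumed)."""
    return {
        "type": "access",
        "subjects": [{"attributes": [
            {"name": "access_group_id", "value": access_group_id}]}],
        "roles": [{"role_id": ROLE_CRN.format(r)}
                  for r in ("Viewer", "Operator", "Editor")],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "is"},
            {"name": "resourceGroupId", "value": resource_group_id},
            {"name": "resourceType", "value": "instance"},
        ]}],
    }


def _attrs(block):
    return {a["name"]: a["value"] for a in block["attributes"]}


def policy_applies(policy, subject, resource):
    """Simplified rule: every attribute the policy names must be present on
    the request with the same value. Attributes the policy leaves out are
    unconstrained, which is why dropping the resourceType scoping would
    widen the policy to every VPC resource in the resource group."""
    subj_ok = any(all(subject.get(k) == v for k, v in _attrs(s).items())
                  for s in policy["subjects"])
    res_ok = any(all(resource.get(k) == v for k, v in _attrs(r).items())
                 for r in policy["resources"])
    return subj_ok and res_ok


def granted_roles(policies, subject, resource):
    """Union of role names from every policy that applies to the request."""
    roles = set()
    for p in policies:
        if policy_applies(p, subject, resource):
            roles.update(r["role_id"].rsplit(":", 1)[1] for r in p["roles"])
    return roles


def is_allowed(policies, subject, resource, required_role):
    return required_role in granted_roles(policies, subject, resource)


def vpc_resource(resource_group_id, resource_type):
    return {"accountId": ACCOUNT_ID, "serviceName": "is",
            "resourceGroupId": resource_group_id,
            "resourceType": resource_type}


POLICIES = [user_access_policy(USER_ACCESS_GROUP_ID, ACCOUNT_ID, USERS_RG_ID)]
EMPLOYEE = {"access_group_id": USER_ACCESS_GROUP_ID}  # member of User access

# Requests Employee Example might make. Editor is the platform role that
# covers creating and deleting a resource; Viewer covers listing it.
CASES = {
    "create instance in Users resources":
        (vpc_resource(USERS_RG_ID, "instance"), "Editor"),
    "list dedicated hosts in Admin resources":
        (vpc_resource(ADMIN_RG_ID, "dedicated-host"), "Viewer"),
    "delete dedicated host in Admin resources":
        (vpc_resource(ADMIN_RG_ID, "dedicated-host"), "Editor"),
    "create instance in Admin resources":
        (vpc_resource(ADMIN_RG_ID, "instance"), "Editor"),
}


def evaluate_cases():
    """Map each case name to True (allowed) or False (denied)."""
    return {name: is_allowed(POLICIES, EMPLOYEE, res, role)
            for name, (res, role) in CASES.items()}


if __name__ == "__main__":
    print(json.dumps(POLICIES[0], indent=2))
    for name, allowed in evaluate_cases().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

Only the first case is allowed; every request that touches the dedicated host, or anything else in Admin resources, finds no applicable policy and is denied. Moving the dedicated host group into Admin resources, or omitting the resource group attribute from the policy, would change that outcome, which is the reason the tutorial keeps the host and the host group in separate resource groups.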
Inviting and adding users
Users with an active IBM Cloud account must be invited for permissions to be applied. Invite Employee Example to the access group with the email address that is associated with their account so that they can provision virtual server instances to the dedicated host group.
Without permissions on Example Dedicated Host in the Admin resources resource group, Employee Example cannot provision instances directly to the dedicated host or perform actions on it, such as deleting it. After the invitation is accepted, verify the split by signing in as Employee Example: the dedicated host in Admin resources must not be visible, while creating an instance in the Users resources resource group succeeds.
- Go to the IAM users page in the IBM Cloud console by clicking Manage > Access (IAM).
- From the Manage access and users page, click Users > Invite users.
- To invite Employee Example, enter example@ibm.com in the text box.
- Click Add on User access to select the access group.
- Click Invite.