Assigning access to Workload Protection

Access to Workload Protection is controlled by IBM Cloud® Identity and Access Management (IAM). Every user that accesses the Workload Protection service in your account must be assigned an access policy with an IAM role. The policy determines which actions a user can perform within the context of Workload Protection.

Users in an account must be assigned a platform role to manage instances and to launch Workload Protection from IBM Cloud. In addition, users must have a service role that defines the permissions to work with Workload Protection.

To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times for each individual user or service ID. For more information, go to How IAM access works.

Managing access by using access groups

To manage access groups, you must be the account owner, administrator, or editor on all Identity and Access-enabled services in the account, or the assigned administrator or editor for the IAM Access Groups Service.

Use the following actions to manage IAM access groups in the IBM Cloud:

Managing access by assigning policies directly to users

To manage access or assign new access to users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.

Use the following actions to manage IAM policies in the IBM Cloud:

IBM Cloud platform roles

Users must be granted a platform role to allow them to view and manage the Workload Protection service in your account. You can grant permissions to work with all the instances in the IBM Cloud account or you can restrict access to individual instances.

The following table identifies the platform role that you can grant a user in the IBM Cloud to run the specified platform actions:

IAM user roles and actions

| Platform actions                                                 | Administrator | Editor | Operator | Viewer |
|------------------------------------------------------------------|---------------|--------|----------|--------|
| Grant other account members access to work with the service      | ✓             |        |          |        |
| Provision a service instance                                     | ✓             | ✓      |          |        |
| Delete a service instance                                        | ✓             | ✓      |          |        |
| Create a service ID                                              | ✓             | ✓      |          |        |
| View details of a service instance                               | ✓             | ✓      | ✓        | ✓      |
| View service instances in the Observability Monitoring dashboard | ✓             | ✓      | ✓        | ✓      |

IBM Cloud service roles

The following table identifies the service role that you can grant a user in the IBM Cloud to run the specified actions:

Service roles and actions

| Actions                                            | Manager | Writer | Reader |
|----------------------------------------------------|---------|--------|--------|
| Manage access keys                                 | ✓       |        |        |
| Manage Secure API Tokens                           | ✓       |        |        |
| Create, configure, and delete teams                | ✓       |        |        |
| Configure and remove notifications channels        | ✓       |        |        |
| Configure and remove agents                        | ✓       |        |        |
| Create, delete, and edit content in the UI         | ✓       | ✓      |        |
| Manage runtime policies                            | ✓       | ✓      |        |
| Manage image scanning policies                     | ✓       | ✓      |        |
| Manage Activity Audit                              | ✓       | ✓      |        |
| Send container images to the scanning queue        | ✓       | ✓      |        |
| Create, update, and remove alerts                  | ✓       | ✓      |        |
| View reports and image scanning results            | ✓       | ✓      |        |
| View platforms, frameworks, rules, and policies    | ✓       | ✓      | ✓      |
| View events                                        | ✓       | ✓      | ✓      |

IAM actions

The following table identifies the IAM actions that are assigned to the platform and service roles for the Workload Protection service:

IAM actions assigned to platform and service roles

| Role type | Role          | IAM actions                                                                         |
|-----------|---------------|-------------------------------------------------------------------------------------|
| Platform  | Administrator | sysdig-secure.launch.admin, sysdig-secure.launch.user, sysdig-secure.launch.viewer  |
| Service   | Manager       | sysdig-secure.launch.admin, sysdig-secure.launch.user, sysdig-secure.launch.viewer  |
| Service   | Writer        | sysdig-secure.launch.user, sysdig-secure.launch.viewer                              |
| Service   | Reader        | sysdig-secure.launch.viewer                                                         |
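The following script is an added example, not part of the IBM Cloud documentation, showing how the platform-role plus service-role pairing described above is granted to an access group with the IBM Cloud CLI. It assumes the CLI is installed and logged in, that the IAM service name for Workload Protection is sysdig-secure (matching the sysdig-secure.launch.* actions in the table), and that the group name, instance GUID and DRY_RUN switch are placeholders of this example.

```shell
#!/bin/sh
# Grant an access group both roles Workload Protection needs: one platform
# role (instance management, console launch) and one service role (what the
# user may do inside the service). Set DRY_RUN=1 to print the command only.
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or echo it when DRY_RUN=1 (assumption: used for offline checks).
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Only the role names from the tables above are accepted, so a typo such as
# "Admin" fails closed instead of silently granting nothing or the wrong thing.
valid_platform_role() {
  case "$1" in Administrator|Editor|Operator|Viewer) return 0 ;; esac
  return 1
}
valid_service_role() {
  case "$1" in Manager|Writer|Reader) return 0 ;; esac
  return 1
}

# grant_wp_access GROUP PLATFORM_ROLE SERVICE_ROLE [INSTANCE_GUID]
# One policy carries both roles on the sysdig-secure service. Passing an
# instance GUID restricts the grant to that single instance; omitting it
# covers every Workload Protection instance in the account.
grant_wp_access() {
  group="$1"; prole="$2"; srole="$3"; instance="${4:-}"
  valid_platform_role "$prole" || { echo "bad platform role: $prole" >&2; return 1; }
  valid_service_role "$srole"  || { echo "bad service role: $srole" >&2; return 1; }
  scope=""
  [ -n "$instance" ] && scope="--service-instance $instance"
  # shellcheck disable=SC2086  # $scope is intentionally unquoted (may be empty)
  run ibmcloud iam access-group-policy-create "$group" \
      --roles "$prole,$srole" --service-name sysdig-secure $scope
}

# Least-privilege pairing for an on-call analyst: sees the instance in the
# console (platform Viewer) and edits alerts and runtime policies (service
# Writer), but cannot delete the instance or manage access keys (Manager).
# Example call with placeholder names:
#   grant_wp_access wp-analysts Viewer Writer
```

Run with DRY_RUN=1 first to review the exact policy command before it is applied to the account.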

How do I know which access policies are set for me?

You can see which access policies are set for you in the IBM Cloud console.

  1. Go to Access IAM users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.
  4. Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.