Setting up IAM access groups
IAM access groups are created and managed entirely on IBM Cloud. Access groups expedite the assignment of IAM roles to Cloud Pak for Data as a Service users. Familiarity with the IBM Cloud IAM component, access groups, Platform roles, and Service roles is required to assign IAM roles with appropriate access rights to work with Cloud Pak for Data as a Service services.
Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
- Account owner
- Administrator or Editor for All Identity and Access enabled services
- Administrator or Editor on the IAM Access Groups account management service in the account
- Administrator or Editor for All Account Management services
Watch this video to see how to set up two example access groups in IBM Cloud to expedite the role assignments to Cloud Pak for Data as a Service users.
This video provides a visual method to learn the concepts and tasks in this documentation.
To use IAM Access groups as user groups, you must enable account scoping. By setting the resource scope to the current account, users cannot access resources outside of their account, regardless of membership. The scope applies to projects, catalogs, and spaces.
To enable account scoping:
- From the navigation menu, select Administration > Account and billing > Account to open the account settings window.
- Set Resource scope to On.
To create an access group:
The following instructions describe how to create the Account-Administrator access group, one of the example groups described in the Using the example access groups topic.
- From Cloud Pak for Data as a Service, click Administration > Access (IAM) to open the Manage access and users page in your IBM Cloud account.
- Select Access groups to see a list of available groups. All accounts have the default Public Access group, which contains all users and Service IDs in the account.
- Click Create to create a new access group. Enter Account-Administrator for the name (or the name you choose for the group) and a description. Access group names must be unique. A description helps you remember the purpose of the access group.
- Create the group.
- Click Access > Assign access to add access policies to the group.
- For Service, select All Identity and Access enabled services (or the service the group will access) and click Next. Access to All Identity and Access enabled services is usually assigned only to Administrators.
- For Resources, select All resources for the scope and click Next.
- For Resource group access, select Administrator and click Next.
- For Roles and actions, select the following to assign access for the example Account-Administrator group:
- Manager for Service access
- Administrator for Platform access
- Review the parameters, then click Add and Assign.
To add users to an access group:
- From Cloud Pak for Data as a Service, click Administration > Access (IAM). The Manage access and users page in your IBM Cloud account opens in a separate window.
- Select Access groups to see a list of available groups.
- Select the access group that you want to populate with users.
- Checkmark one or more users to add as members of the access group and click Add users.
You have successfully created the Account-Administrator access group and populated it with members. Repeat these steps for each example access group to create a baseline set of access groups. See Using the example access groups for the suggested roles to assign to each example access group.
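The console steps above, as an added example using the IBM Cloud CLI (this script is not part of this page or of IBM's documentation). It assumes an existing `ibmcloud login` session targeting the account, and that the two `access-group-policy-create` calls correspond to the console's service policy (Manager and Administrator on All Identity and Access enabled services) and its Resource group access policy (Administrator on all resource groups); `DRY_RUN=1` only prints the commands so they can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example, not IBM's own tooling: CLI equivalent of the console steps.
# Assumes: ibmcloud CLI installed, already logged in and targeting the account.
# DRY_RUN=1 prints each command instead of executing it.
set -euo pipefail

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the group and attach the two policies the console procedure assigns:
#  1. Administrator (platform) + Manager (service) on all IAM-enabled services
#  2. Administrator on all resource groups ("Resource group access" step)
create_account_admin_group() {
  group="$1"
  desc="${2:-Example account administrator group}"
  run ibmcloud iam access-group-create "$group" -d "$desc"
  run ibmcloud iam access-group-policy-create "$group" --roles Administrator,Manager
  run ibmcloud iam access-group-policy-create "$group" --roles Administrator --resource-type resource-group
}

# Add members by IBMid (e-mail address); every argument after the group is a user.
add_members() {
  group="$1"; shift
  for user in "$@"; do
    run ibmcloud iam access-group-user-add "$group" "$user"
  done
}

# Review what would be done first, then re-run without DRY_RUN to apply:
#   DRY_RUN=1 ./setup-access-group.sh
if [ "${1:-}" = "--demo" ]; then
  create_account_admin_group Account-Administrator
  add_members Account-Administrator admin@example.com   # constructed sample IBMid
fi
```

After the group exists, `ibmcloud iam access-group-policies Account-Administrator` lists the attached policies so you can confirm they match the roles in Using the example access groups.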
After creating an IAM access group, a user group is also created. User groups make it easier to manage a large number of users with similar access requirements.
- You can assign Viewer, Editor, or Admin roles to user groups when you add collaborators to projects and spaces.
- If a member of the group leaves, the IBM Cloud account administrator can remove the user from the group rather than looking at all of the assets the user has access to.
User groups are only available in projects that have the Restrict who can be a collaborator option enabled. See Creating a project on how to restrict collaborator eligibility in projects.
Modifying access groups
You can modify an access group after you create it. You can add and delete members, add and delete access policies, and make other modifications as needed. When you modify the access policies, the new policies are immediately applied to all members of the group.