copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2023-01-18 |
catalog, private catalogs, IAM access, roles, private catalog service, access groups, permissions, IAM, catalog management, access group |
account |
{{site.data.keyword.attribute-definition-list}}
{: #catalog-access}
As the account owner, you assign users specific catalog management access depending on what tasks they are performing. To streamline the process of assigning access, you can use access groups to organize a set of users into a single entity. That way, you can assign a single policy to the group one time, and then add or remove users from the group as needed. {: shortdesc}
For more details, see Managing access in {{site.data.keyword.cloud_notm}}.
{: #catalog-access-groups-console} {: ui}
See the following sections for details about creating your access groups and assigning specific IAM policies to each one.
{: #catalog-access-console-admin} {: ui}
Administrator access is required for setting account-level filters to the {{site.data.keyword.cloud_notm}} catalog.
- Log in to your {{site.data.keyword.cloud_notm}} account.
- Go to Manage > Access (IAM) > Access groups in the {{site.data.keyword.cloud_notm}} console.
- Click Create.
- Enter
private-catalog-admins
as the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Administrator role.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Assign.
{: #catalog-access-console-editor} {: ui}
Editor access is required for creating private catalogs, setting filters at the private catalog level, adding your software to your private catalog, and updating, deprecating, and restoring your software.
- Go to Access groups, and click Create.
- Enter
private-catalog-editors
as the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Editor role.
- Click Add to add your policy configuration to your policy summary.
- Select Kubernetes Service from the list of services.
- Select your cluster, and then select the Administrator and Manager roles.
- Click Add.
- Select Schematics from the list of services.
- Select the Manager role.
- Click Review.
- Click Add > Assign.
{: #catalog-access-console-viewer} {: ui}
Viewer access is required for viewing private catalogs, the filtered {{site.data.keyword.cloud_notm}} catalog, and the filter settings.
- Go to Access groups, and click Create.
- Enter
private-catalog-viewers
as the group name, and click Create. - Click Access > Assign access.
- Select Catalog Management from the list of services.
- Select the catalog that you want users to access.
- In the Platform access section, select the Viewer role.
- Click Review.
- Click Add to add your policy configuration to your policy summary.
- Click Assign.
You also need to have viewer access on the resource group to which your private catalog is assigned. You can assign your private catalog to a resource group when you complete the steps for creating your private catalog. For more information, see Customizing the IBM Cloud catalog for all account users.
To assign viewer access to your private catalog's resource group, use the following steps:
- Go to Users and select the user.
- Select Access > Assign access.
- Select All Identity and Access enabled services from the list of services.
- Scope the access to Specific resources based on selected attributes, and select your private catalogs resource group.
- For Platform access, select the Viewer role.
- Click Add > Assign.
{: #catalog-access-console-users} {: ui}
After you set up your access groups, complete the following steps to add users to the groups:
- Go to Users, and click Invite users.
- Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Select one of the three access groups you previously created, and click Add > Invite.
- Repeat the steps to add users to your other access groups.
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
{: #catalog-access-groups-cli} {: cli}
To assign access, run the ibmcloud iam user-policy-create
command.
{: #catalog-access-cli-admin} {: cli}
Run the following command to assign administrator access:
ibmcloud iam user-policy-create USER_NAME --roles Administrator --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-editor} {: cli}
Run the following command to assign editor access:
ibmcloud iam user-policy-create USER_NAME --roles Editor --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-viewer} {: cli}
Run the following command to set viewer access:
ibmcloud iam user-policy-create USER_NAME --roles Viewer --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-users} {: cli}
To add users to an access group by using the CLI, run the ibmcloud iam access-group-user-add
command.
ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]
{: codeblock}
For example the following command adds user [email protected]
to the example_group
access group.
ibmcloud iam access-group-user-add example_group [email protected]
{: codeblock}
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
{: #catalog-access-groups-api} {: api}
To assign access, call the IAM Policy Management API as shown in the follwing example. Replace the role_id
vaiable with the role you want to assign: Viewer
, Editor
, or Administrator
.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "Editor role for SERVICE_NAME RESOURCE_NAME",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "$SERVICE_NAME"
},
{
"name": "resource",
"value": "$RESOURCE_NAME",
"operator": "stringEquals"
}
]
}
]
}'
{: codeblock} {: curl}
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value(EXAMPLE_USER_ID)
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:iam::::role:Viewer")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value(exampleAccountId)
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceType")
.value("service")
.operator("stringEquals")
.build();
ResourceTag policyResourceTag = new ResourceTag.Builder()
.name("project")
.value("prototype")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.addTags(policyResourceTag)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);
{: codeblock} {: java}
const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: exampleUserId,
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: exampleAccountId,
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceType',
value: 'service',
operator: 'stringEquals',
};
const policyResourceTag = {
name: 'project',
operator: 'stringEquals',
value: 'prototype',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
tags: [policyResourceTag],
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
{: codeblock} {: javascript}
policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
name='serviceType', value='service')
policy_resource_tag = ResourceTag(
name='project', value='prototype')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute],
tags=[policy_resource_tag])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2))
{: codeblock} {: python}
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr(exampleAccountID),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceType"),
Value: core.StringPtr("service"),
Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
Name: core.StringPtr("project"),
Value: core.StringPtr("prototype"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute},
Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b))
{: codeblock} {: go}
{: #expected-response-access}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{: codeblock} {: curl}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{: codeblock} {: java}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{: codeblock} {: javascript}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{: codeblock} {: python}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}
{: codeblock} {: go}
{: #catalog-access-api-users} {: api}
To add users to an access group by using the API, call the IAM Access Groups API{: external} as shown in the following example.
curl -X PUT -H "Authorization: {iam_token}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"members": [ {"iam_id": "IBMid-user1", "type": "user"}, {"iam_id": "iam-ServiceId-123", "type": "service"} ]}' "{base_url}/groups/{access_group_id}/members"
{: codeblock} {: curl}
AddGroupMembersRequestMembersItem member1 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("IBMid-user1")
.type("user")
.build();
AddGroupMembersRequestMembersItem member2 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("iam-ServiceId-123")
.type("service")
.build();
AddMembersToAccessGroupOptions addMembersToAccessGroupOptions = new AddMembersToAccessGroupOptions.Builder()
.accessGroupId(testGroupId)
.addMembers(member1)
.addMembers(member2)
.build();
Response<AddGroupMembersResponse> response = service.addMembersToAccessGroup(addMembersToAccessGroupOptions).execute();
AddGroupMembersResponse addGroupMembersResponse = response.getResult();
System.out.println(addGroupMembersResponse);
{: codeblock} {: java}
const groupMember1 = {
iam_id: 'IBMid-user1',
type: 'user',
};
const groupMember2 = {
iam_id: 'iam-ServiceId-123',
type: 'service',
};
const params = {
accessGroupId: testGroupId,
members: [groupMember1, groupMember2],
};
iamAccessGroupsService.addMembersToAccessGroup(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
{: codeblock} {: javascript}
member1 = AddGroupMembersRequestMembersItem(
iam_id='IBMid-user1', type='user')
member2 = AddGroupMembersRequestMembersItem(
iam_id='iam-ServiceId-123', type='service')
members = [member1, member2]
add_group_members_response = iam_access_groups_service.add_members_to_access_group(
access_group_id=test_group_id,
members=members
).get_result()
print(json.dumps(add_group_members_response, indent=2))
{: codeblock} {: python}
groupMembers := []iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("IBMid-user1"),
Type: core.StringPtr("user"),
},
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("iam-ServiceId-123"),
Type: core.StringPtr("service"),
},
}
addMembersToAccessGroupOptions := iamAccessGroupsService.NewAddMembersToAccessGroupOptions(testGroupID)
addMembersToAccessGroupOptions.SetMembers(groupMembers)
addGroupMembersResponse, response, err := iamAccessGroupsService.AddMembersToAccessGroup(addMembersToAccessGroupOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(addGroupMembersResponse, "", " ")
fmt.Println(string(b))
{: codeblock} {: go}
Or, you can give users access by adding trusted profiles to your access groups. For more information, see What makes a good trusted profiles strategy? and Creating trusted profiles.
{: #expected-response-api}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{: codeblock} {: curl}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{: codeblock} {: java}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{: codeblock} {: javascript}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{: codeblock} {: python}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}
{: codeblock} {: go}
{: #catalog-access-terra-users} {: terraform}
Before you can add users to your access groups by using Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the {{site.data.keyword.cloud_notm}} Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on {{site.data.keyword.cloud}}. The plug-in abstracts the {{site.data.keyword.cloud_notm}} APIs that are used to complete this task.
- Create a Terraform configuration file that is named
main.tf
. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation{: external}.
Use the following steps to add users to your access groups
-
In your Terraform configuration file, find the Terraform code that you used to create the access group and note the
access_group_id
assigned to your access group. -
Add a member to the access group.
resource "ibm_iam_access_group_members" "accgroupmem" { access_group_id = ibm_iam_access_group.accgroup.id ibm_ids = ["[email protected]"] }
{: codeblock}
For more information, see the argument reference details on the Terraform Identity and Access Management (IAM){: external} page.
-
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories{: external}.
terraform init
{: pre}
-
Provision the resources from the
main.tf
file. For more information, see Provisioning Infrastructure with Terraform{: external}.-
Run
terraform plan
to generate a Terraform execution plan to preview the proposed actions.terraform plan
{: pre}
-
Run
terraform apply
to create the resources that are defined in the plan.terraform apply
{: pre}
-