Setting up IAM access groups

IAM access groups are created and managed entirely on IBM Cloud. Access groups expedite the assignment of IAM roles to Cloud Pak for Data as a Service users. Familiarity with the IBM Cloud IAM component, access groups, Platform roles, and Service roles is required to assign IAM roles with appropriate access rights to work with Cloud Pak for Data as a Service services.

Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
  • Account owner
  • Administrator or Editor for All Identity and Access enabled services
  • Administrator or Editor on the IAM Access Groups account management service in the account
  • Administrator or Editor for the All Account Management services

Watch this video to see how to set up two example access groups in IBM Cloud to expedite the role assignments to Cloud Pak for Data as a Service users.

To create an access group:

The following instructions describe how to create the Account-Administrator access group, one of the example groups described in the Using the example access groups topic.

  1. From Cloud Pak for Data as a Service, click Administration > Access (IAM) to open the Manage access and users page in your IBM Cloud account.
  2. Select Access groups to see a list of available groups. All accounts have the default Public Access group, which contains all users and Service IDs in the account.
  3. Click Create to create a new access group. Enter Account-Administrator for the name (or the name you choose for the group) and a description. Access group names must be unique. A description helps you remember the purpose of the access group.
  4. Create the group.
  5. Click Access > Assign access to add access policies to the group.
  6. For Service, select All Identity and Access enabled services (or the service the group will access) and click Next. Access to All Identity and Access enabled services is usually assigned only to Administrators.
  7. For Resources, select All resources for the scope and click Next.
  8. For Resource group access, select Administrator and click Next.
  9. For Roles and actions, select the following to assign access for the example Account-Administrator group:
       • Manager for Service access
       • Administrator for Platform access
  10. Review the parameters, then click Add and Assign.

To add users to an access group:

  1. From Cloud Pak for Data as a Service, click Administration > Access (IAM). The Manage access and users page in your IBM Cloud account opens in a separate window.
  2. Select Access groups to see a list of available groups.
  3. Select the access group that you want to populate with users.
  4. Select the checkbox for one or more users to add as members of the access group and click Add users.

You have successfully created the Account-Administrator access group and populated it with members. Repeat these steps for each example access group to create a baseline set of access groups. See Using the example access groups for the suggested roles to assign to each example access group.

Modifying access groups

You can modify an access group after you create it. You can add and delete members, add and delete access policies, and make other modifications as needed. When you modify the access policies, the new policies are immediately applied to all members of the group.
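
Because a policy change reaches every member immediately, and access to All Identity and Access enabled services is meant for administrators, a periodic review of group policies is worth scripting. The following is an added example, not code from the IBM documentation: it flags groups outside an allow-list that hold Administrator or Manager on all services, and write-level roles on the Public Access group. The record layout, the allow-list, the member limit, the service name and every group other than Account-Administrator and Public Access are assumptions constructed for illustration; the script does not call the IBM Cloud API.

```python
# Added example. Record layout, allow-list and limit are assumptions,
# not the IBM Cloud API format; all sample data below is constructed.
ALL_SERVICES = "All Identity and Access enabled services"
ALL_RESOURCES = "All resources"
PRIVILEGED = {"Administrator", "Manager"}
WRITE_ROLES = PRIVILEGED | {"Editor", "Writer"}
APPROVED_ADMIN_GROUPS = {"Account-Administrator"}  # assumed allow-list
MAX_ADMIN_MEMBERS = 3                              # assumed local limit

def is_account_wide_admin(policy):
    """True when a policy grants a privileged role on every service and resource."""
    return (policy["service"] == ALL_SERVICES
            and policy["resources"] == ALL_RESOURCES
            and bool(PRIVILEGED & set(policy["roles"])))

def audit(groups):
    """Return (group, finding, detail) tuples for grants that need review."""
    findings = []
    for group in groups:
        name = group["name"]
        for policy in group["policies"]:
            roles = set(policy["roles"])
            if name == "Public Access" and roles & WRITE_ROLES:
                # This group contains all users and service IDs in the account.
                findings.append((name, "public-group-write", sorted(roles & WRITE_ROLES)))
            elif is_account_wide_admin(policy):
                if name not in APPROVED_ADMIN_GROUPS:
                    findings.append((name, "unapproved-account-admin", sorted(roles & PRIVILEGED)))
                elif len(group["members"]) > MAX_ADMIN_MEMBERS:
                    findings.append((name, "admin-group-too-large", len(group["members"])))
    return findings

def make_policy(service, resources, *roles):
    """Build one constructed policy record in the assumed layout."""
    return {"service": service, "resources": resources, "roles": list(roles)}

SAMPLE_GROUPS = [  # constructed records
    {"name": "Account-Administrator", "members": ["owner@example.com", "ops@example.com"],
     "policies": [make_policy(ALL_SERVICES, ALL_RESOURCES, "Administrator", "Manager")]},
    {"name": "Project-Analysts", "members": ["a@example.com", "b@example.com"],
     "policies": [make_policy(ALL_SERVICES, ALL_RESOURCES, "Administrator", "Manager")]},
    {"name": "Public Access", "members": [],
     "policies": [make_policy("example-storage-service", ALL_RESOURCES, "Writer")]},
    {"name": "Storage-Readers", "members": ["c@example.com"],
     "policies": [make_policy("example-storage-service", ALL_RESOURCES, "Reader")]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```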
