Creating custom user access roles in IBM Cloud IAM
If you require user access roles with different permissions than the predefined roles, you can create custom roles in IBM Cloud.
Creating custom roles
The predefined roles might not cover your exact business needs. In this case, you can create custom roles for an IAM-enabled service. Custom roles can be assigned to access groups or to individual users. Custom roles can combine any number of permissions (also called actions) for a specific service. At least one Service-level action must be added to create the new role.
Required permissions
To create, edit, or delete custom roles on IBM Cloud, you must have the following IBM Cloud account management roles and permissions:
- Editor: Can edit and update the role display name, description, and the actions mapped to it.
- Administrator: Can create, edit, update, and delete custom roles and assign access to users.
To create a custom IAM Service role:
- Go to Administer > Access (IAM). Then, select Roles in the IBM Cloud console.
- Click Create.
- Enter a name for your role. The name is required and can be up to 50 characters long. Users see this role name in the IBM Cloud console when they assign access to the service.
- Enter an ID for the role. This ID is required and is used in the CRN, which is read by APIs. The role ID must begin with a capital letter and use alphanumeric characters only. This ID must be 30 characters or less and can’t be updated.
- Optional: Enter a description that helps the users identify the role. This description also shows in the console when a user assigns access to the service.
- Select the service for which the role will provide access. For IBM Knowledge Catalog and Watson Studio, select the IBM Cloud Pak for Data service.
- Review the available actions, and click Add for all actions that you want in your new role. You must add at least one action to successfully create the new role. Actions correspond to the permissions you will be assigning to users. Actions have the scope of Platform or Service as shown in the Type column.
- Click Create when you're done adding actions.
If you edit a custom role, the changes are immediately applied to all access groups and to all individuals who are assigned the role.
If you delete a custom role, it is automatically removed from any access policies that use it. Users' access for that action is removed. If a service removes an action that you used in a custom role, the custom role might become invalid.
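The constraints in the procedure above, plus the note that a removed action can invalidate a role, can be checked before a role definition is submitted or during a periodic access review. The following is an added example, not IBM code: the dictionary shapes, the function name `validate_custom_role`, and the action names are assumptions made for illustration.

```python
import re

# Limits stated on this page for custom role names and IDs.
MAX_NAME_LEN = 50
MAX_ID_LEN = 30
ROLE_ID_RE = re.compile(r"[A-Z][A-Za-z0-9]*")  # capital first, alphanumeric only


def validate_custom_role(role, available_actions):
    """Return a list of problems in a role definition (empty list = passes).

    role: {"name": str, "id": str, "actions": [action names]}  (assumed shape)
    available_actions: {action name: "Platform" | "Service"}, the actions the
    service currently offers with their Type column value (assumed shape).
    """
    problems = []
    name, role_id = role.get("name", ""), role.get("id", "")
    actions = role.get("actions", [])

    if not name:
        problems.append("name is required")
    elif len(name) > MAX_NAME_LEN:
        problems.append(f"name exceeds {MAX_NAME_LEN} characters")

    if not role_id:
        problems.append("ID is required")
    else:
        if len(role_id) > MAX_ID_LEN:
            problems.append(f"ID exceeds {MAX_ID_LEN} characters")
        if not ROLE_ID_RE.fullmatch(role_id):
            problems.append("ID must begin with a capital letter and be alphanumeric")

    # An action the service has removed can leave the role invalid.
    for action in actions:
        if action not in available_actions:
            problems.append(f"action not offered by service: {action}")

    if not any(available_actions.get(a) == "Service" for a in actions):
        problems.append("at least one Service-level action is required")
    return problems


# Constructed sample data: action names are placeholders, not real IBM actions.
CATALOG = {"example.dashboard.view": "Platform", "example.asset.read": "Service"}
GOOD = {"name": "Asset Reader", "id": "AssetReader", "actions": ["example.asset.read"]}
BAD = {"name": "Viewer", "id": "asset-reader",
       "actions": ["example.dashboard.view", "example.asset.purge"]}

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r["id"], validate_custom_role(r, CATALOG))
```

Because the role ID can't be updated after creation, running a check like this before you click Create avoids having to delete and re-create a role to fix its ID.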