Setting up IAM access groups
IAM access groups are created and managed entirely on IBM Cloud. Access groups expedite the assignment of IAM roles to Cloud Pak for Data as a Service users. Familiarity with the IBM Cloud IAM component, access groups, Platform roles, and Service roles is required to assign IAM roles with appropriate access rights to work with Cloud Pak for Data as a Service services.
Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
- Account owner
- Administrator or editor for All Identity and Access enabled services
- Administrator or editor on the IAM Access Groups account management service in the account
- Administrator or editor for the All Account Management services
To create an access group:
The following instructions describe how to create the Account-Administrator access group, one of the example groups described in the Using the example access groups topic.
- From Cloud Pak for Data as a Service, click Administration > Access (IAM) to open the Manage access and users page in your IBM Cloud account.
- Select Access groups to see a list of available groups. All accounts have the default Public Access group, which contains all users and Service IDs in the account.
- Click Create to create a new access group. Enter Account-Administrator for the name (or the name you choose for the group) and a description. Access group names must be unique. A description helps you remember the purpose of the access group.
- Create the group.
- Click Access > Assign access to add access policies to the group.
- For Service, select All Identity and Access enabled services (or the service the group will access) and click Next. Access to All Identity and Access enabled services is usually assigned only to Administrators.
- For Resources, select All resources for the scope and click Next.
- For Resource group access, select Administrator and click Next.
- For Roles and actions, select the following to assign access for the example Account-Administrator group:
  - Manager for Service access
  - Administrator for Platform access
- Review the parameters, then click Add and Assign.
To add users to an access group:
- From Cloud Pak for Data as a Service, click Administration > Access (IAM). The Manage access and users page in your IBM Cloud account opens in a separate window.
- Select Access groups to see a list of available groups.
- Select the access group that you want to populate with users.
- Select one or more users to add as members of the access group and click Add users.
You have successfully created the Account-Administrator access group and populated it with members. Repeat these steps for each example access group to create a baseline set of access groups. See Using the example access groups for the suggested roles to assign to each example access group.
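The steps above note that access to All Identity and Access enabled services is usually assigned only to Administrators. The following Python check is an added example, not IBM's code: it flags any access group outside an approved list that holds Administrator or Manager with no service or resource group narrowing the policy. The policy JSON shape (modeled on IAM Policy Management v1 policies), the group IDs, and the `ALLOWED_GROUPS` name are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample; attribute names assume the IAM Policy Management v1 shape.
SAMPLE_POLICIES = json.loads("""[
 {"id": "policy-1",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-admins"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"},
            {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT_ID"}]}]},
 {"id": "policy-2",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-analysts"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT_ID"},
                                {"name": "serviceType", "value": "service"}]}]},
 {"id": "policy-3",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-analysts"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT_ID"},
                                {"name": "serviceName", "value": "cloud-object-storage"}]}]},
 {"id": "policy-4",
  "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-viewers"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
  "resources": [{"attributes": [{"name": "accountId", "value": "ACCOUNT_ID"}]}]}
]""")

ALLOWED_GROUPS = {"AccessGroupId-admins"}  # hypothetical ID of the Account-Administrator group
HIGH_ROLES = {"Administrator", "Manager"}
# Any of these resource attributes narrows a policy below account-wide scope.
NARROWING = {"serviceName", "serviceInstance", "resourceGroupId", "resourceType", "resource", "region"}

def attrs(items):
    """Flatten [{'attributes': [{'name':..., 'value':...}]}] into one dict."""
    return {a["name"]: a["value"] for item in items for a in item.get("attributes", [])}

def is_account_wide(policy):
    """True when the policy covers all IAM-enabled services in the account."""
    res = attrs(policy.get("resources", []))
    return not (NARROWING & res.keys()) and res.get("serviceType", "service") == "service"

def find_unexpected_admin_grants(policies, allowed_groups):
    """Return (policy id, group id, high roles) for groups not on the approved list."""
    findings = []
    for p in policies:
        group = attrs(p.get("subjects", [])).get("access_group_id")
        roles = {r["role_id"].rsplit(":", 1)[-1] for r in p.get("roles", [])}
        high = sorted(roles & HIGH_ROLES)
        if group and high and is_account_wide(p) and group not in allowed_groups:
            findings.append((p["id"], group, high))
    return findings
```
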