Working with IAM access groups
Every Cloud Pak for Data as a Service user requires a set of roles that includes IAM roles on IBM Cloud and collaborator roles for workspaces on Cloud Pak for Data as a Service. You can expedite the assignment of IAM roles to users by creating IAM access groups on IBM Cloud, assigning roles to the groups, and then adding users to the groups.
To use IAM access groups as user groups, you must enable account scoping. When the resource scope is set to the current account, users cannot access resources outside that account, regardless of their group membership. The scope applies to projects, catalogs, and spaces.
To enable account scoping:
- From the navigation menu, select Administration > Account and billing > Account to open the account settings window.
- Set Resource scope to On.
When you create an IAM access group, a corresponding user group is also created in Cloud Pak for Data as a Service. User groups make it easier to manage a large number of users with similar access requirements.
- You can assign the Viewer, Editor, or Admin role to a user group when you add collaborators to projects and spaces.
- If a member leaves, you remove the user from the group rather than reviewing every asset the user has access to.
User groups are only available in projects that have the Restrict who can be a collaborator option enabled. See Creating a project for how to restrict collaborator eligibility in projects.
By assigning users to one or more access groups, you are granting them the permissions they need to work with the services in Cloud Pak for Data as a Service. You can assign users to more than one access group to provide the appropriate access.
Access groups provide permissions for Service access and Platform access on IBM Cloud. Since Cloud Pak for Data as a Service runs on IBM Cloud, users must be assigned both Service and Platform permissions. Service permissions apply to individual services and define operations permitted within the service. Platform permissions define operations on the cloud platform such as provisioning or deletion of services.
You can also assign roles to individual users, but individually assigned roles are not updated when access groups change. When you assign roles to individual users, you must update each user separately to make changes.
Assigning access groups as collaborators to catalogs and categories is more efficient than assigning individual users. For billable IBM Knowledge Catalog plans, you can assign an access group as a collaborator to a catalog and to a category.
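The group-based workflow described above, as an added shell example that is not part of the IBM documentation: it creates an access group, attaches platform and service roles to the group rather than to individual users, and adds or removes members, so a change to the group's policy reaches every member at once. It assumes the ibmcloud CLI and an already authenticated session; the group name, the example.com addresses, and the catalog service name are constructed placeholders and assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: build one IAM access group for
# Cloud Pak for Data as a Service with the ibmcloud CLI, one call per step.
# The group name, user e-mail addresses and service name are constructed
# placeholders; replace them with your own values.
# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# change can be reviewed before running with DRY_RUN=0 against a real account
# (which requires `ibmcloud login` and one of the roles listed on this page).
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the IAM access group. With account scoping enabled this also
# creates the matching Cloud Pak for Data user group.
create_group() {
    run ibmcloud iam access-group-create "$1" -d "$2"
}

# Step 2: attach a policy to the group. Both kinds of permission go in the same
# --roles list: platform roles (Viewer, Editor, Operator, Administrator) and
# service access roles (Reader, Writer, Manager). The policy belongs to the
# group, so editing it later updates every member.
grant_access() {
    group="$1"; roles="$2"; service="$3"
    run ibmcloud iam access-group-policy-create "$group" --roles "$roles" --service-name "$service"
}

# Platform permission on the account-management services (for example, to view
# other users and access groups), granted with --account-management.
grant_account_management() {
    run ibmcloud iam access-group-policy-create "$1" --roles "$2" --account-management
}

# Step 3: membership. Adding a user grants everything the group's policies
# allow; removing the user revokes it without touching individual assets.
add_users() {
    group="$1"; shift
    run ibmcloud iam access-group-user-add "$group" "$@"
}

remove_user() {
    run ibmcloud iam access-group-user-remove "$1" "$2"
}

# Worked run with constructed values. SERVICE_NAME is an assumed IBM Cloud
# catalog service name; confirm the name of your service before use.
GROUP="Data-Scientists"
SERVICE_NAME="data-science-experience"

provision_example() {
    create_group "$GROUP" "Data scientists working in Watson Studio projects"
    grant_access "$GROUP" "Viewer,Writer" "$SERVICE_NAME"
    grant_account_management "$GROUP" "Viewer"
    add_users "$GROUP" "alice@example.com" "bob@example.com"
}

provision_example
```

Running the script as-is prints the four commands for review; setting DRY_RUN=0 executes them. Because roles are attached to the group and never to a user directly, offboarding is a single `remove_user` call, which is the point made above about removing a member instead of auditing every asset.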
Required roles
To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
- Account Owner
- Administrator or Editor for All Identity and Access enabled services
- Administrator or Editor on the IAM Access Groups account management service in the account
- Administrator or Editor for the All Account Management services
Public access group
Every IBM Cloud account contains the default Public Access group. The Public Access group contains all users and Service IDs in an account. In IBM Knowledge Catalog, the predefined Public access user group is automatically added as a collaborator with the Viewer role to top-level categories. See Categories for governance artifacts (IBM Knowledge Catalog).
IBM Cloud IAM limits
IBM Cloud IAM places limits on the number of access groups per account and per user, as well as other limits. If a limit is exceeded, you receive an exception and cannot create any new access groups beyond that limit. For a list of all IAM limits, see IBM Cloud docs: IBM Cloud IAM limits.
Example access groups
The example IAM access groups provide a starting point for granting basic access to the services in Cloud Pak for Data as a Service. You can edit the example access groups as needed for your implementation. For a description of the example access groups and their suggested roles, see Using the example access groups.
Learn more
- Setting up access groups
- Using the example access groups
- IBM Cloud docs: Assigning access to resources by using access groups
Parent topic: Setting up the platform