
Getting Started with IAM

Access to IBM Cloud Virtual Private Cloud (VPC) resources for users in your account is controlled by IBM Cloud Identity and Access Management (IAM). Every user who accesses infrastructure services resources in your account must be assigned one or more access policies that define their IAM roles. The policies determine what actions a user can perform within the context of the service or instance that you select. The allowable actions are defined by the IBM Cloud service itself, as the operations that can be performed on that service, and are then mapped to IAM user roles.

Each user must also have access to the resource group that contains the infrastructure resources. A resource group organizes account resources in customizable groupings so that you can quickly assign access to more than one resource at a time. Every resource that is managed by IAM belongs to a resource group within your account.

Policies enable access to be granted at different levels, for example:

  • Access to all VPC infrastructure resources in your account
  • Access to resources in a specific resource group
  • Access to a specific resource

After defining the scope of the access policy, you assign a role that determines the user's level of access.


IAM roles and actions

The following table details what actions are mapped to platform management roles within the VPC Infrastructure Services service. Platform management roles enable users to perform tasks on resources at the platform level, for example assign user access for the service, create or delete resources, and bind instances to applications.


Platform management role: Administrator
  Description of actions: All actions, including managing accounts and assigning access policies to other users
  Example actions:
    • Add and remove users
    • Assign roles for each user

Platform management role: Editor
  Description of actions: All actions that can modify the state of the resource (such as create, delete, and edit), as well as create and delete subresources
  Example actions:
    • Create, delete, and edit VPCs
    • Attach and detach volumes

Platform management role: Operator
  Description of actions: All Viewer actions, plus actions that change the association of the resource to other resources
  Example actions:
    • Associate a floating IP with a virtual server instance (if you have Editor access to the instance)
    • Create an instance in your VPC (if you have Editor access to instances)

Platform management role: Viewer
  Description of actions: Actions that don't change the state of resources
  Example actions:
    • View and list subnets
    • View monitoring and log data


Tips

  • Access to a container resource doesn't automatically grant access to its subresources. For example, granting access to a VPC doesn't grant access to subnets in that VPC.
  • Similarly, access to a subresource does not grant access to its container resource. For example, granting access to a subnet doesn't grant access to that subnet's VPC.
  • In general, to change the relationship between multiple resources, the user must have access to each resource. For example, to attach a network interface to a security group, the user must have access to both the network interface and the security group. For more information, see Required permissions for VPC resources.
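The following is an added illustration, not IBM's policy engine and not code from this documentation: a small Python model of how the three policy scopes (whole account, a resource group, a single resource) combine with the role table above, and of the three Tips. The role-to-action sets, the `Resource` and `Policy` structures, and the sample users, resource groups and resource ids are all constructed assumptions for the example; in particular it assumes each role includes the actions of the roles below it. Because a policy is matched only against the resource itself, access to a VPC never implies access to its subnets and vice versa, and changing an association between two resources requires a covering policy on both.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Actions granted by each platform management role, following the table above.
# Assumption for this example: each role includes the actions of the roles
# below it (Operator adds association to Viewer, Editor adds state changes,
# Administrator adds access management).
ROLE_ACTIONS = {
    "Viewer": {"view", "list"},
    "Operator": {"view", "list", "associate"},
    "Editor": {"view", "list", "associate", "create", "delete", "edit"},
    "Administrator": {"view", "list", "associate", "create", "delete", "edit", "manage_access"},
}


@dataclass(frozen=True)
class Resource:
    id: str
    kind: str                      # e.g. "vpc", "subnet", "network_interface", "security_group"
    resource_group: str            # fixed when the resource is created
    parent: Optional[str] = None   # container resource, e.g. a subnet's VPC (not used for matching)


@dataclass(frozen=True)
class Policy:
    subject: str                   # user the policy is assigned to
    role: str                      # key of ROLE_ACTIONS
    scope: str                     # "account", "resource_group" or "resource"
    target: Optional[str] = None   # resource group name or resource id, depending on scope


def policy_covers(policy: Policy, resource: Resource) -> bool:
    """True if the policy's scope includes this resource.

    Only the resource itself is matched: a policy on a container (VPC) does not
    cover its subresources (subnets), and a policy on a subresource does not
    cover its container, which is the behaviour the Tips describe.
    """
    if policy.scope == "account":
        return True
    if policy.scope == "resource_group":
        return resource.resource_group == policy.target
    if policy.scope == "resource":
        return resource.id == policy.target
    raise ValueError(f"unknown scope {policy.scope!r}")


def allowed_actions(user: str, resource: Resource, policies: list[Policy]) -> set[str]:
    """Union of the actions granted by every policy of this user that covers the resource."""
    actions: set[str] = set()
    for p in policies:
        if p.subject == user and policy_covers(p, resource):
            actions |= ROLE_ACTIONS[p.role]
    return actions


def can(user: str, action: str, resource: Resource, policies: list[Policy]) -> bool:
    return action in allowed_actions(user, resource, policies)


def can_change_relationship(user: str, a: Resource, b: Resource, policies: list[Policy]) -> bool:
    """Changing the association between two resources needs access to both of them."""
    return can(user, "associate", a, policies) and can(user, "associate", b, policies)


# Constructed sample inventory: a VPC, a subnet and a network interface in
# resource group "team-a", and a security group in "team-b".
VPC = Resource("vpc-1", "vpc", "team-a")
SUBNET = Resource("subnet-1", "subnet", "team-a", parent="vpc-1")
NIC = Resource("nic-1", "network_interface", "team-a", parent="subnet-1")
SG_B = Resource("sg-1", "security_group", "team-b")

# Constructed sample policies: one per scope level.
POLICIES = [
    Policy("alice", "Editor", "resource_group", "team-a"),   # resource group scope
    Policy("bob", "Viewer", "resource", "vpc-1"),            # single resource scope
    Policy("carol", "Editor", "resource", "subnet-1"),       # single subresource scope
    Policy("dave", "Viewer", "account"),                     # account-wide scope
]


def demo() -> dict[str, bool]:
    """Each entry corresponds to one rule from the text above."""
    return {
        "alice_edit_subnet_in_her_group": can("alice", "edit", SUBNET, POLICIES),
        "bob_view_vpc": can("bob", "view", VPC, POLICIES),
        "bob_view_subnet_of_that_vpc": can("bob", "view", SUBNET, POLICIES),     # Tip 1: no inheritance downward
        "carol_view_vpc_of_her_subnet": can("carol", "view", VPC, POLICIES),     # Tip 2: no inheritance upward
        "dave_view_security_group": can("dave", "view", SG_B, POLICIES),
        "alice_attach_nic_to_sg": can_change_relationship("alice", NIC, SG_B, POLICIES),  # Tip 3: sg-1 is in team-b
        "alice_attach_after_grant": can_change_relationship(
            "alice", NIC, SG_B, POLICIES + [Policy("alice", "Operator", "resource", "sg-1")]
        ),
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

Run the file directly to print the outcome of each rule. The model deliberately ignores the `parent` field when matching policies; if you are tempted to add container-to-subresource inheritance, the Tips above are the reason not to.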

For more information about assigning user roles in the UI, see Managing user permissions for VPC resources.

You can also assign user roles by using the IBM Cloud® Command Line Interface (CLI). You can select one or more resources by using resource attributes. For more information, see VPC resource attributes.


Resources and resource groups

A resource group is a collection of resources, such as an entire VPC or a single subnet, that are associated for the purpose of establishing authorization and usage. You can think of a resource group as a collection of infrastructure resources that might be used by a project, a department, or a team.

Large enterprises might divide a VPC into various resource groups, whereas smaller companies might need only one resource group because all team members have access to the entire VPC. If you are familiar with OpenStack, a resource group is similar in concept to a Project in OpenStack Keystone.

Assignment of a resource to a resource group can be done only when the resource is created. Resources can't change resource groups after they are created.

If you want to use multiple resource groups, it is good to have a plan for how you want to assign the resources and the users in your organization to each resource group.

For more information about IAM, resource groups, and access groups in general, refer to these IBM Cloud topics: