| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2021-06-04 |
catalog, private catalogs, IAM access, roles, private catalog service, access groups, permissions, IAM, catalog management, access group |
account |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:tip: .tip} {:note: .note} {:important: .important} {:ui: .ph data-hd-interface='ui'} {:cli: .ph data-hd-interface='cli'} {:api: .ph data-hd-interface='api'} {:java: .ph data-hd-programlang='java'} {:python: .ph data-hd-programlang='python'} {:javascript: .ph data-hd-programlang='javascript'} {:curl: .ph data-hd-programlang='curl'} {:go: .ph data-hd-programlang='go'}
{: #catalog-access}
As the account owner, you assign users specific catalog management access depending on what tasks they are performing. To streamline the process of assigning access, you can use access groups to organize a set of users into a single entity. That way, you can assign a single policy to the group one time, and then add or remove users from the group as needed. {: shortdesc}
For more details, see Managing access in {{site.data.keyword.cloud_notm}}.
{: #catalog-access-groups-console} {: ui}
See the following sections for details about creating your access groups and assigning specific IAM policies to each one.
{: #catalog-access-console-admin} {: ui}
Administrator access is required for setting account-level filters to the {{site.data.keyword.cloud_notm}} catalog.
- Log in to your {{site.data.keyword.cloud_notm}} account.
- Go to Manage > Access (IAM) > Access groups.
- Click Create.
- Enter
private-catalog-adminsas the group name, and click Create. - Click Access policies > Assign access.
- Select Account management.
- Select Catalog Management from the What type of access do you want to assign? list.
- Select the catalog that you want users to access.
- In the Platform access section, select the Administrator role.
- Click Add > Assign.
{: #catalog-access-console-editor} {: ui}
Editor access is required for creating private catalogs, setting filters at the private catalog level, adding your software to your private catalog, and updating, deprecating, and restoring your software.
- Go to Access groups, and click Create.
- Enter
private-catalog-editorsas the group name, and click Create. - Click Access policies > Assign access.
- Select Account management.
- Select Catalog Management from the What type of access do you want to assign? list.
- Select the catalog that you want users to access.
- In the Platform access section, select the Editor role.
- Click Add.
- Select IAM services > Kubernetes Service.
- Select your cluster, and then select the Administrator and Manager roles.
- Click Add.
- Select IAM services > Schematics.
- Select the Manager role.
- Click Add > Assign.
{: #catalog-access-console-viewer} {: ui}
Viewer access is required for viewing private catalogs, the filtered {{site.data.keyword.cloud_notm}} catalog, and the filter settings.
- Go to Access groups, and click Create.
- Enter
private-catalog-viewersas the group name, and click Create. - Click Access policies > Assign access.
- Select Account management.
- Select Catalog Management from the What type of access do you want to assign? list.
- Select the catalog that you want users to access.
- In the Platform access section, select the Viewer role.
- Click Add > Assign.
You also need to have viewer access on the resource group to which your private catalog is assigned. You can assign your private catalog to a resource group when you complete the steps for creating your private catalog. For more information, see Customizing the IBM Cloud catalog for all account users.
To assign viewer access to your private catalog's resource group, use the following steps:
- Go to Users and select the user.
- Select Access policies > Assign access.
- From the Assign users additional access section, select IAM services.
- Select All Identity and Access enabled services and your private catalogs resource group from the What type of access do you want to assign? list.
- In the Platform access section, select the Viewer role.
- Click Add > Assign.
{: #catalog-access-console-users} {: ui}
After you set up your access groups, complete the following steps to add users to the groups:
- Go to Users, and click Invite users.
- Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Select one of the three access groups you previously created, and click Add > Invite.
- Repeat the steps to add users to your other access groups.
{: #catalog-access-groups-cli} {: cli}
To assign access, run the ibmcloud iam user-policy-create command.
{: #catalog-access-cli-admin} {: cli}
Run the following command to assign administrator access:
ibmcloud iam user-policy-create USER_NAME --roles Administrator --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-editor} {: cli}
Run the following command to assign editor access:
ibmcloud iam user-policy-create USER_NAME --roles Editor --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-viewer} {: cli}
Run the following command to set viewer access:
ibmcloud iam user-policy-create USER_NAME --roles Viewer --service-name globalcatalog-collection
{: codeblock}
{: #catalog-access-cli-users} {: cli}
To add users to an access group by using the CLI, run the ibmcloud iam access-group-user-add command.
ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]
{: codeblock}
For example the following command adds user name@example.com to the example_group access group.
ibmcloud iam access-group-user-add example_group name@example.com
{: codeblock}
{: #catalog-access-groups-api} {: api}
To assign access, call the IAM Policy Management API as shown in the follwing example. Replace the role_id vaiable with the role you want to assign: Viewer, Editor, or Administrator.
curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
"type": "access",
"description": "Editor role for SERVICE_NAME RESOURCE_NAME",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles":[
{
"role_id": "crn:v1:bluemix:public:iam::::role:Editor"
}
],
"resources":[
{
"attributes": [
{
"name": "accountId",
"value": "$ACCOUNT_ID"
},
{
"name": "serviceName",
"value": "$SERVICE_NAME"
},
{
"name": "resource",
"value": "$RESOURCE_NAME",
"operator": "stringEquals"
}
]
}
]
}'{: codeblock} {: curl}
SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
.name("iam_id")
.value(EXAMPLE_USER_ID)
.build();
PolicySubject policySubjects = new PolicySubject.Builder()
.addAttributes(subjectAttribute)
.build();
PolicyRole policyRoles = new PolicyRole.Builder()
.roleId("crn:v1:bluemix:public:iam::::role:Viewer")
.build();
ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
.name("accountId")
.value(exampleAccountId)
.operator("stringEquals")
.build();
ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
.name("serviceType")
.value("service")
.operator("stringEquals")
.build();
ResourceTag policyResourceTag = new ResourceTag.Builder()
.name("project")
.value("prototype")
.operator("stringEquals")
.build();
PolicyResource policyResources = new PolicyResource.Builder()
.addAttributes(accountIdResourceAttribute)
.addAttributes(serviceNameResourceAttribute)
.addTags(policyResourceTag)
.build();
CreatePolicyOptions options = new CreatePolicyOptions.Builder()
.type("access")
.subjects(Arrays.asList(policySubjects))
.roles(Arrays.asList(policyRoles))
.resources(Arrays.asList(policyResources))
.build();
Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();
System.out.println(policy);{: codeblock} {: java}
const policySubjects = [
{
attributes: [
{
name: 'iam_id',
value: exampleUserId,
},
],
},
];
const policyRoles = [
{
role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
},
];
const accountIdResourceAttribute = {
name: 'accountId',
value: exampleAccountId,
operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
name: 'serviceType',
value: 'service',
operator: 'stringEquals',
};
const policyResourceTag = {
name: 'project',
operator: 'stringEquals',
value: 'prototype',
};
const policyResources = [
{
attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
tags: [policyResourceTag],
},
];
const params = {
type: 'access',
subjects: policySubjects,
roles: policyRoles,
resources: policyResources,
};
iamPolicyManagementService.createPolicy(params)
.then(res => {
examplePolicyId = res.result.id;
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});{: codeblock} {: javascript}
policy_subjects = PolicySubject(
attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(
role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = ResourceAttribute(
name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
name='serviceType', value='service')
policy_resource_tag = ResourceTag(
name='project', value='prototype')
policy_resources = PolicyResource(
attributes=[account_id_resource_attribute,
service_name_resource_attribute],
tags=[policy_resource_tag])
policy = iam_policy_management_service.create_policy(
type='access',
subjects=[policy_subjects],
roles=[policy_roles],
resources=[policy_resources]
).get_result()
print(json.dumps(policy, indent=2)){: codeblock} {: python}
subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
Name: core.StringPtr("iam_id"),
Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("accountId"),
Value: core.StringPtr(exampleAccountID),
Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
Name: core.StringPtr("serviceType"),
Value: core.StringPtr("service"),
Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
Name: core.StringPtr("project"),
Value: core.StringPtr("prototype"),
Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
Attributes: []iampolicymanagementv1.ResourceAttribute{
*accountIDResourceAttribute, *serviceNameResourceAttribute},
Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
options := iamPolicyManagementService.NewCreatePolicyOptions(
"access",
[]iampolicymanagementv1.PolicySubject{*policySubjects},
[]iampolicymanagementv1.PolicyRole{*policyRoles},
[]iampolicymanagementv1.PolicyResource{*policyResources},
)
policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(policy, "", " ")
fmt.Println(string(b)){: codeblock} {: go}
{: #expected-response-access}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}{: codeblock} {: curl}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}{: codeblock} {: java}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}{: codeblock} {: javascript}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}{: codeblock} {: python}
{
"id": "12345678-abcd-1a2b-a1b2-1234567890ab",
"type": "access",
"description": "Viewer role access for all instances of SERVICE_NAME in the account.",
"subjects": [
{
"attributes": [
{
"name": "iam_id",
"value": "IBMid-123453user"
}
]
}
],
"roles": [
{
"roles_id": "crn:v1:bluemix:public:iam::::role:Viewer"
}
],
"resources": [
{
"attributes": [
{
"name": "accountId",
"value": "ACCOUNT_ID",
"operator": "stringEquals"
},
{
"name": "serviceName",
"value": "SERVICE_NAME",
"operator": "stringEquals"
}
]
},
{
"tags": [
{
"name": "project",
"value": "moonshot",
"operator": "stringEquals"
},
{
"name": "pipeline",
"value": "test",
"operator": "stringEquals"
}
]
}
],
"href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
"created_at": "2018-08-30T14:09:09.907Z",
"created_by_id": "USER_ID",
"last_modified_at": "2018-08-30T14:09:09.907Z",
"last_modified_by_id": "USER_ID",
"state": "active"
}{: codeblock} {: go}
{: #catalog-access-api-users} {: api}
To add users to an access group by using the API, call the IAM Access Groups API as shown in the following example.
curl -X PUT -H "Authorization: {iam_token}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"members": [ {"iam_id": "IBMid-user1", "type": "user"}, {"iam_id": "iam-ServiceId-123", "type": "service"} ]}' "{base_url}/groups/{access_group_id}/members"{: codeblock} {: curl}
AddGroupMembersRequestMembersItem member1 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("IBMid-user1")
.type("user")
.build();
AddGroupMembersRequestMembersItem member2 = new AddGroupMembersRequestMembersItem.Builder()
.iamId("iam-ServiceId-123")
.type("service")
.build();
AddMembersToAccessGroupOptions addMembersToAccessGroupOptions = new AddMembersToAccessGroupOptions.Builder()
.accessGroupId(testGroupId)
.addMembers(member1)
.addMembers(member2)
.build();
Response<AddGroupMembersResponse> response = service.addMembersToAccessGroup(addMembersToAccessGroupOptions).execute();
AddGroupMembersResponse addGroupMembersResponse = response.getResult();
System.out.println(addGroupMembersResponse);{: codeblock} {: java}
const groupMember1 = {
iam_id: 'IBMid-user1',
type: 'user',
};
const groupMember2 = {
iam_id: 'iam-ServiceId-123',
type: 'service',
};
const params = {
accessGroupId: testGroupId,
members: [groupMember1, groupMember2],
};
iamAccessGroupsService.addMembersToAccessGroup(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});{: codeblock} {: javascript}
member1 = AddGroupMembersRequestMembersItem(
iam_id='IBMid-user1', type='user')
member2 = AddGroupMembersRequestMembersItem(
iam_id='iam-ServiceId-123', type='service')
members = [member1, member2]
add_group_members_response = iam_access_groups_service.add_members_to_access_group(
access_group_id=test_group_id,
members=members
).get_result()
print(json.dumps(add_group_members_response, indent=2)){: codeblock} {: python}
groupMembers := []iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("IBMid-user1"),
Type: core.StringPtr("user"),
},
iamaccessgroupsv2.AddGroupMembersRequestMembersItem{
IamID: core.StringPtr("iam-ServiceId-123"),
Type: core.StringPtr("service"),
},
}
addMembersToAccessGroupOptions := iamAccessGroupsService.NewAddMembersToAccessGroupOptions(testGroupID)
addMembersToAccessGroupOptions.SetMembers(groupMembers)
addGroupMembersResponse, response, err := iamAccessGroupsService.AddMembersToAccessGroup(addMembersToAccessGroupOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(addGroupMembersResponse, "", " ")
fmt.Println(string(b)){: codeblock} {: go}
{: #expected-response-api}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}{: codeblock} {: curl}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}{: codeblock} {: java}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}{: codeblock} {: javascript}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}{: codeblock} {: python}
{
"members": [
{
"iam_id": "$IBM_ID",
"type": "user",
"created_at": "2019-01-01T01:01:00Z",
"created_by_id": "CREATOR_ID",
"status_code": 200
},
{
"iam_id": "$SERVICE_ID",
"status_code": 400,
"trace": "12345678-abcd-1a2b-a1b2-1234567890ab",
"errors": [
{
"code": "error_occurred",
"message": "The service id is missing or incorrect"
}
]
}
]
}{: codeblock} {: go}