| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2022-11-05 |
schematics, automation, terraform |
schematics |
{{site.data.keyword.attribute-definition-list}}
{: #access}
Use {{site.data.keyword.iamlong}} to grant permissions to {{site.data.keyword.bpshort}} Workspaces and actions. {: shortdesc}
As the {{site.data.keyword.cloud_notm}} account owner, you want to ensure that you control user access to workspaces and the actions in your account. {{site.data.keyword.bplong_notm}} integrate with {{site.data.keyword.iamlong}} (IAM) to securely authenticate users for platform services and control access to resources. IAM uses the concept of resource groups, access groups, roles, and access policies to manage the access to {{site.data.keyword.cloud}} resources. For more information about how IAM works and how you can use resource groups, access groups, and access policies to organize {{site.data.keyword.bpshort}} access for a team, see What is {{site.data.keyword.iamlong}}?
{: #access-roles} {: help} {: support}
Grant access to {{site.data.keyword.bplong_notm}} by assigning {{site.data.keyword.iamlong}} (IAM) service access roles to your users. {: shortdesc}
Who must grant access to {{site.data.keyword.bplong_notm}}?
As the account owner or an authorized account administrator, you can assign IAM service access roles to your users. The IAM service access roles determine the actions that you can perform on an {{site.data.keyword.bplong_notm}} resource, such as a workspace or an action. To avoid assigning access policies to individual users, consider creating IAM access groups.
Is access to {{site.data.keyword.bplong_notm}} sufficient to manage {{site.data.keyword.cloud_notm}} resources?
No. If you are assigned an {{site.data.keyword.bplong_notm}} service access role, you can view, create, update, or delete workspaces and actions in {{site.data.keyword.bplong_notm}}. However, to manage other {{site.data.keyword.cloud_notm}} resources with {{site.data.keyword.bpshort}}, you must be assigned the IAM platform or service access role for the individual {{site.data.keyword.cloud_notm}} resource that you want to work with. see the documentation for your resource to determine the access policies that you need to work with your resource.
{: #workspace-permissions}
Review the following table to see what permissions you need to work with {{site.data.keyword.bpshort}} Workspaces.
| Activities | Reader | Writer | Manager | Account owner |
|---|---|---|---|---|
View workspace |
 |
|
|
|
View workspace activities |
|
|
|
|
View workspace logs |
|
|
|
|
Create workspace |
|
|
||
Update workspace |
|
|
|
|
Delete workspace |
|
|
||
Freeze and unfreeze workspace |
|
|
|
|
View the readme of a template |
|
|
|
|
Create Terraform execution plan |
|
|
|
|
Apply a Terraform template |
|
|
|
|
Destroy workspace resources |
|
|
|
|
| {: row-headers} | ||||
| {: class="comparison-table"} | ||||
| {: caption="User permissions for {{site.data.keyword.bpshort}} Workspaces" caption-side="top"} | ||||
| {: summary="The table shows user permissions by access role. Rows are to be read from the left to right, with the access role in column one, and the permission descriptions in column two."} |
{: #action-permissions}
Review the following table to see what permissions you need to work with {{site.data.keyword.bpshort}} Actions.
| Activities | Reader | Writer | Manager | Account owner |
|---|---|---|---|---|
View action |
|
|
|
|
View action jobs |
|
|
|
|
View job logs |
|
|
|
|
Create action |
|
|
||
Update action |
|
|
|
|
Delete action |
|
|
||
Run check action job |
|
|
|
|
Run an action |
|
|
|
|
| {: row-headers} | ||||
| {: class="comparison-table"} | ||||
| {: caption="User permissions for {{site.data.keyword.bpshort}} Actions" caption-side="top"} | ||||
| {: summary="The table shows user permissions by access role. Rows are to be read from the left to right, with the access role in column one, and the permission descriptions in column two."} |
{{site.data.keyword.bpshort}} Blueprints is a Beta feature that is available for evaluation and testing purposes. It is not intended for production usage. Refer to the list of limitations for the Beta release. {: beta}
{: #blueprint-permissions}
Review the following table to see what permissions you need to work with {{site.data.keyword.bpshort}} Blueprint.
In addition to the listed blueprints activities and permission, you must check whether you have related workspace permissions for blueprint config create, blueprint run apply, blueprint config delete, and blueprint run destroy activities to execute successfully.
{: important}
| Activities | Reader | Writer | Manager | Account owner |
|---|---|---|---|---|
View blueprint |
|
|
|
|
View blueprint logs |
|
|
|
|
blueprint config create |
|
|
||
blueprint config update |
|
|
|
|
blueprint config delete |
|
|
||
blueprint run apply |
|
|
|
|
blueprint run destroy |
|
|
|
|
| {: row-headers} | ||||
| {: class="comparison-table"} | ||||
| {: caption="User permissions for {{site.data.keyword.bpshort}} Blueprint" caption-side="top"} | ||||
| {: summary="The table shows user permissions by access role. Rows are to be read from the left to right, with the access role in column one, and the permission descriptions in column two."} |
{: #kms-permissions}
Review the following table to see what permissions you need to work with {{site.data.keyword.bpshort}} key management system.
| Activities | Reader | Writer | Manager | Account owner |
|---|---|---|---|---|
View KMS instances |
|
|
|
|
Read KMS settings |
|
|
|
|
Update the KMS settings |
|
|
|
|
| {: row-headers} | ||||
| {: class="comparison-table"} | ||||
| {: caption="User permissions for {{site.data.keyword.bpshort}} KMS" caption-side="top"} | ||||
| {: summary="The table shows user permissions by access role. Rows are to be read from the left to right, with the access role in column one, and the permission descriptions in column two."} |
{: #access-setup}
As the {{site.data.keyword.cloud_notm}} account owner or authorized account administrator. Create an IAM access group for your users and assign service access policies to {{site.data.keyword.bplong_notm}} and the resources that you want your users to work with.
{: shortdesc}
-
Invite users to your {{site.data.keyword.cloud_notm}} account.
-
Define your teams and create an IAM access group for each team.
-
Create a resource group for each teams. So that you can organize access to their {{site.data.keyword.cloud_notm}} services and workspaces in your account, and bundle them under one common view and billing process. If you want to keep your {{site.data.keyword.bpshort}} Workspaces and actions separate from the {{site.data.keyword.cloud_notm}} resources, you must create multiple resource groups.
-
Assign access to your IAM access group. Consider the following guidelines when you assign access to an IAM access group:
- Make sure to scope access of your group to the resource group that you created for this team.
- If you want your team to have access to multiple resource groups, such as the Administrator and Manager permissions on all resources in resource group A, but Viewer access for the resources in resource group B, you must create multiple access policies.
- The resource group of the {{site.data.keyword.bpshort}} Workspaces or action can be different from the resource group of the {{site.data.keyword.cloud_notm}} resources that you want to work with.
- For a team to use {{site.data.keyword.bpshort}}, you must assign the appropriate service access role for {{site.data.keyword.bpshort}}, and the permissions that are required for the {{site.data.keyword.cloud_notm}} resources that this team manages with {{site.data.keyword.bpshort}}. You can review the documentation for each of the {{site.data.keyword.cloud_notm}} services to find the appropriate IAM access policy.
{: #access-tag}
You can now centrally manage access tags to the {{site.data.keyword.bpshort}} Workspaces in your account at scale. Tags contains the metadata values in the form of key and value to help you organize your cloud data. Tags are essential, as it helps to efficiently optimize your workspace within your account. Following steps helps to create and associate access tags for {{site.data.keyword.bpshort}} Workspaces in your account.
- To create an access tag, see Create an access management tag.
- To associate access tags, see Attach your access management tag to a {{site.data.keyword.bpshort}} Workspaces
For more information about managing access tags, see Controlling access to resources by using tags.