October 24, 2023 By Carlos Gomez
Addison Martin
5 min read

Enterprise-managed identity and access management (IAM) enables cloud administrators to centrally configure access and security settings for the entire organization. To learn about the basics, see “How enterprise-managed IAM works.”

The case study in this blog post shows how to easily and securely implement and manage a site reliability engineering (SRE) team’s access across an enterprise.

Case study

A large banking client has a centralized site reliability engineering (SRE) team that manages operations for all resources in the organization. The client uses federation to authenticate users to IBM Cloud enterprise accounts. All teams use Kubernetes and IBM Cloud Databases resources as part of their deployment. The SRE team needs operational access to these resources for every team in every account under the company’s IBM Cloud enterprise.

As the teams introduce new resources, the SRE team manages those resources, as well. Manually managing this access setup across a growing number of accounts is error-prone, time-consuming and does not meet certain audit controls since the assigned access can be updated by the child account administrators.

By using enterprise-managed IAM templates to define access for their SRE team and assign them to the organization’s accounts, the client’s process changed from an ongoing effort to a one-time setup activity. Now, SRE access is included in both established and newly created accounts. Additionally, this access cannot be updated by the child account administrator.

In this post, we’ll provide step-by-step instructions on how to apply this solution in your organization.


  1. Be in the root enterprise account.
  2. Make sure that the enterprise user performing this task has Template Administrator and Template Assignment Administrator roles on IAM services and at least the Viewer role on the Enterprise service. For more information, see “Assigning access for enterprise management.
  3. Make sure that child accounts enable the enterprise-managed IAM setting. For more information, see “Opting in to enterprise-managed IAM for new and existing accounts.”


First, create a trusted profile template for the SRE team members and add access policy templates to manage all IBM Cloud Kubernetes Service clusters and IBM Cloud Databases for MongoDB instances in the child accounts. Next, assign the trusted profile template to the account group containing the account(s) to manage. Finally, we’ll grant additional access policy templates to the SRE team by creating a new trusted profile template version with the additional access required and updating the existing assignment accounts.

To implement this solution, we’ll complete the following steps:

  1. Create a trusted profile template.
  2. Add a trust relationship.
  3. Add access policy templates.
  4. Review and commit the trusted profile template.
  5. Assign the trusted profile template.

Then, we’ll update the assignment with these steps:

  1. Create a new template version.
  2. Add an additional access policy template.
  3. Review and commit the trusted profile template.
  4. Update the existing assignment to version 2.

Steps to create and assign a template

1. Go to Manage > Access (IAM). In the Enterprise section, click Templates > Trusted Profiles > Create. Click Create to create a trusted profile template for the SRE team:

2. Add a trust relationship to dynamically add the SRE team to the trusted profile based on your Identity provider (IdP):

This will be based on the claims available by your IdP:

3. Go to the Access tab to create access policies:

Administrator role for the IBM Cloud Kubernetes Service:

Administrator role for IBM Cloud Databases for MongoDB:

4. Review and commit the trusted profile and policies templates. Committing templates prevents them from being changed:

5. Assign the trusted profile template to the account group. By selecting the entire account group, the system will automatically assign templates to the new accounts when they are added or moved in:

After the assignment is complete, the members of the SRE team can log in to the accounts under the account group and have the required access to perform their duties.

As your teams and cloud workloads grow, you might need to enable the SRE team to manage other resources. In the following example, we are granting the SRE team access to manage IBM Cloudant in addition to their existing access.

Steps to update a template and assignment

1. First, since we need to update an assigned template, we need to create a new version of the SRE team template:

2. Since we want to expand the SRE team access, we’ll create a new policy template with access to Cloudant resources:

3. Commit the trusted profile template and policy template:

4. Now, we need to update the assignment from version 1 to version 2. First, switch to template version 1:

In the Assignments tab, update the assignment:

Once the assignment is complete, the SRE team will now be able to manage IBM Cloudant resources in addition to the existing IBM Cloud Kubernetes Service and IBM Cloud Databases for MongoDB access.


Enterprise-managed identity and access management (IAM) is a powerful solution that simplifies and centralizes access and security configuration. In this article, we explored how this approach can be a game-changer for managing access to resources across a growing number of accounts.

The challenges faced by the banking client in managing access for their SRE team across multiple accounts were complex and time-consuming. However, by leveraging enterprise-managed IAM templates, they transformed an ongoing effort into a one-time setup activity. This streamlined access provisioning and enhanced security by ensuring that access control remained consistent and enforced across accounts.

Other interface samples

Included below are the equivalent steps needed to complete this use case using the command line interface and Terraform:

Ready to simplify access management? Learn more about enterprise-managed IAM

Was this article helpful?

More from Cloud

The recipe for RAG: How cloud services enable generative AI outcomes across industries

4 min read - According to research from IBM®, about 42% of enterprises surveyed have AI in use in their businesses. Of all the use cases, many of us are now extremely familiar with natural language processing AI chatbots that can answer our questions and assist with tasks such as composing emails or essays. Yet even with widespread adoption of these chatbots, enterprises are still occasionally experiencing some challenges. For example, these chatbots can produce inconsistent results as they’re pulling from large data stores…

Rethink IT spend in the age of generative AI

3 min read - It’s the burning question for today’s CIOs: what do you spend your IT budget on? Cloud costs were already a challenge—in a recent survey, 24% estimated they wasted software spend. The explosion of generative AI makes it critical for organizations to consider frameworks like FinOps and technology business management (TBM) for visibility and accountability of all tech spend. But what does this all mean in practice? How can organizations shift to a more disciplined, value-driven approach to IT spend? What…

Announcing Dizzion Desktop as a Service for IBM Virtual Private Cloud (VPC)

2 min read - For more than four years, Dizzion and IBM Cloud® have strategically partnered to deliver incredible digital workspace experiences to our clients. We are excited to announce that Dizzion has expanded their Desktop as a Service (DaaS) offering to now support IBM Cloud Virtual Private Cloud (VPC). Powered by Frame, Dizzion’s cloud-native DaaS platform, clients can now deploy their Windows and Linux® virtual desktops and applications on IBM Cloud VPC and enjoy fast, dynamic, infrastructure provisioning and a true consumption-based model.…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters