
Introducing Identity & Access Management


As of May 23rd, IBM Bluemix Container Service provides a native Kubernetes operations experience while removing the burden of maintaining master nodes. Kubernetes itself is based on the Docker engine for managing software images and instantiating containers.

Authors: Nancy Li & Deanna Brown

What is Identity & Access Management?

IBM Cloud Identity & Access Management enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Bluemix Cloud Platform. This is a core capability of the platform, which means it comes at no extra cost to you.

In May 2017, we are introducing a new feature for the Bluemix Cloud Platform to provide a unified experience for managing user identity and access in IBM Bluemix Cloud. The initial release includes:
  • Unified user management across the Bluemix Platform and Infrastructure services – you can add and delete users in an account for both platform and infrastructure services
  • API keys for user authentication – create and manage API keys that let you easily authenticate when using the CLI or APIs, and that can be used across multiple services
  • Fine-grained access control – assign users access to individual services or service instances
This initial release includes some key capabilities needed to manage users and their access. Be on the lookout for more advanced capabilities coming soon!

New Features

Unified user management across Bluemix Platform and Infrastructure services

There is a new unified user management console for you to manage your users across both Bluemix Platform and Infrastructure services.  If you have a Bluemix PaaS account linked to a Bluemix IaaS account, it is no longer necessary to add users to both accounts.


API keys for user authentication

Bluemix API keys enable users to conveniently authenticate when using CLIs or APIs. The same key can be used across multiple services. Each user can have multiple API keys to support key rotation scenarios, as well as scenarios using different keys for different purposes to limit the exposure of a single key. When authenticating with an API key, users have the same access controls as when they authenticate with their user names and passwords.


Fine-grained access control

Bluemix is transitioning to a new, cloud-wide fine-grained access control capability. With access control, you can give users access to only the resources they need, at the individual service or service instance level. Three pre-defined roles are supported: Admin, Editor, and Viewer. These give you the ability to control the types of actions users can perform against the resources they have access to.
The Access Control UI provides a simplified way of specifying policies for the resources within your account. After you’ve selected the user you want to set access policies for, it enables you to select a service from the list of services that are enabled with identity and access management. You can optionally select a region or a specific instance of the service. Then, you select the role that you want to assign the user for that resource or set of resources.
Initially, the account owner has the ability to set access for any resource within the account. The account owner can give others the ability to manage access within the account by assigning them the Administrator role on the account.
To start, you can use identity and access management to control access to the Kubernetes-based IBM containers service and its resources. Watch for additional services to adopt the new access control model soon.

Why move to a new model?

The new access control model has several advantages over the previous access control model, which was based on a user’s roles in Cloud Foundry orgs and spaces. You can now set access at a much finer-grained level, down to the individual service or service instance level, and can grant a user different roles for different resources. You can also manage access for resources across the cloud consistently, including resources outside of Cloud Foundry.
Services that have not yet been enabled for the new access control model will continue to rely on a user’s role in a Cloud Foundry space to determine whether a user has permission to access resources. The new Access Control UI enables users to manage access both for services enabled with the new model and for services still using the legacy Cloud Foundry model.

