November 8, 2018 | Written by: Tim Brantner, Chris Lynk, and Jeff Rosas
Categorized: Security | What's New
Share this post:
More flexibility and control for IBM Cloud account management services
IBM Cloud is excited to announce more flexibility and control for account management services like billing, user management, and global catalog. This update means that key account management functions such as tracking usage, viewing billing information, inviting users, and more can now be granted to other users in your account with IBM Cloud Identity and Access Management (IAM) policies.
We also heard from our users that they needed more granular account-wide access management capabilities to isolate account management tasks. Tasks like managing billing being isolated from resource management tasks like creating resources. Previously, granting access for All Identity and Access enabled services included all account management services. Now, we have logically separated the policy management of account management services from resources and resource groups. This means there will be two policies now (versus a single policy) going forward, including one for All account management services and the other for All resources in account (including future IAM enabled services), as shown below:
How do I try it out?
Get started in the following simple ways:
1) Go to the Users list and select a user to get started.
2) Click on Access Groups and select the access group to which you want to assign access:
- Select the Access Policies tab, and click the Assign access button
- On the Choose Access Type page (see below), select the Assign access to account management services option
- Options to try:
- Choose to assign access to All Account Management Services for your main administrator
- Choose a specific account management service, such as User Management, for more specific administrator capability
- To give a user account admin level rights or the ability to manage user access as well as all account resources, you must assign two policies: Administrator level for All Identity and Access Enabled Services and Administrator level for b (as seen below)