By Gita Nallapati
New Feature: Access Groups
IBM Cloud introduces access groups in April 2018 as the platform’s newest feature that makes organizing users and streamlining the assignment of access easier than ever! Previously, IBM Cloud Identity Access and Management (IAM) required access policies to be set for individual users and service IDs. Now with access groups, you can organize users and service IDs into a group and manage access by assigning policies to the group. This will save you time and effort and make your IBM Cloud security efforts more efficient!
How does it work?
To set up an access group, go to Manage > Security > Identity and Access, then click on Access Groups in the left hand menu.
Click the Create+ button to set up a new access group, and type a name and an optional description.
To add users, select the name of the access group that you’ve created, and click Add users.
Select the users from the list that you’d like to add, and then click Add to group. To add service IDs from your account, repeat this process using the Service IDs tab. Note that Access Groups can contain users, Service IDs, or a mix of both.
To assign access for this group, select the Access policies tab, and click Assign Access+.
Then choose the type of access you’d like to assign and proceed.
After you assign access, you’ll be able to view and modify access policies for the group from the Access policies tab for your group.
You can also edit the group name or description or choose to remove the group at anytime. Click on the access group you’d like to manage, then click the ellipses on the right to open the list of options for updating or removing the group.
To remove an access group from the access groups tab, click the ellipses and click remove in the drop down menu that appears. Note that removing a group removes all users and service IDs from the group as well as the access you assigned them as part of the group.
To further streamline access policy assignments, you can set up Resource Groups (RGs) taking into account the set of instances for which an access group would need access policies. For more information on how to assign access to resources and resource groups, please see Resource Groups and Access Management blog.
You can assign policies to an access group, and also assign different policies to the individual IDs within the group if you’d like.
Using access groups and resource groups together is the most efficient way to manage policy.When you add resources to a RG, think about grouping a set of service instances that you’ll want a set of users in your account to all have access to. Then, once your access group is set up, it is easier than ever to give a set of users access to all resources you’ve organized in a single RG by using a single policy.