Setting IAM policies for your App ID instances

5 min read

Setting IAM policies for your App ID instances

IBM® Cloud App ID is now an IBM Cloud Identity and Access Management enabled service!


What is App ID?

Application security can be incredibly complicated. For most developers, it’s one of the hardest parts of creating an app. How can you be sure that you are protecting your users information? By integrating App ID into your apps, you can secure resources and add authentication; even when you don’t have a lot of security experience.

By requiring users to sign in to your app, you can store user data such as app preferences or information from the public social profiles, and then use that data to customize each experience of your app. App ID provides a log in framework for you, but you can also bring your own branded sign in screens when working with cloud directory.

How does IAM affect you?

IAM enables IBM Cloud account owners to define policies in their account for other users, with varying levels of access. For example, certain users can have Read only access to one instance of App ID but Write access to another. You can control who is allowed to create, update, and delete instances.

As the account owner, you have Administrator and Manager access roles to all of the IAM enabled resources in your account. What does that mean? Put simply, as an Administrator, you can view, create, update, or delete any IAM enabled instance in your account, as well as the ability to assign policies. The Manager role allows you to perform every action within the service instance itself. So, for App ID, this means that you can update your login configuration or enable different identity providers. Check out our docs for more detailed explanations of the roles.

It’s awesome! Right?

How do I set up access policies?

Configuring access policies is actually a pretty simple process. So, if you’re the account owner, you just have to complete the following steps.

  • Be sure that you’re logged in to your account as the account owner.

  • Create an instance of App ID from the catalog.

You’ll notice that the service is now created within the context of a resource group.




Note: Users with access rights to an existing Cloud Foundry (CF) App ID instances (A CF instance will be listed under “Cloud Foundry Services” in your main console dashboard)

Cloud Foundry Services

will still have the same permissions in the App ID dashboard in accordance with their CF organization and space policies. However, they will not have the same access to the App ID management REST API. It is strongly encouraged to migrate the CF instance to a new IAM enabled App ID instance and to apply the appropriate IAM roles and policies for other users in your account as soon as possible to avoid lapses in access.

  • In the Manage tab of the console, click Security > Identity and Access > Users. You will see a list of users that have any kind of access to your account. If you’re the only one with access to your account, then you will be the only person on the list.  
  • Click Invite users. Enter the email address of the user that you’d like to collaborate with.

  • In the Access section, select the following service instance.

  • Assign the user the platform role of Viewer and click Save.
  • In another browser, log in to the user’s account. You will see the instance of App ID listed in the IBM Cloud dashboard. However, if you try to open it, you’ll get an error message that says that you’re unauthorized.

Note: If you are using an existing Cloud Foundry App ID instance with an existing user that has access rights to the CF space, then you will be authorized. 

  • In the browser where you’re logged in as the account owner, give the same user the service access role of Reader.
  • In the browser where you’re logged in as the user, try to open the instance of App ID again. Now, you’ll be able to access the App ID dashboard, but you’ll still be unable to edit it. If you try to make any change, such as changing the identity provider, you’ll receive an error message.
    error message
  • Back in the browser where you’re logged in as the account owner, give the same user Writer or Manager


  • In the browser where you’re logged in as the user, try to open the instance of App ID again. Now, you’ll be able to make changes. Try updating the identity provider configuration to see.

What if I have more than one instance of App ID?

Remember the update to resource groups? Now you can apply policies at the resource group level. This allows you to define rules to a group of instances per their type or usage. For example, you could divide your resource groups by development, test, production and limit those who have access to each group of instances.

What if I have questions?

Please don’t hesitate to reach out for help or with feedback. You can find us on Slack, DeveloperWorks with the appid tag, or Stack Overflow with the ibm-appid tag.


Are you going to be at THINK? We are! Come hang out and learn about App ID.

8515 User Experience: “Adding Identity and Access Management to Cloud Apps and Resources Is Easy” — Come See us!

Cloud Security Ped – #25

Be the first to hear about news, product updates, and innovation from IBM Cloud