Viewing Resource Access in IBM Cloud

5 min read

By: Ben Lopez, Michelle Kaufman, Chris Hatko, and Ramiya Ramanathan

October has been a very busy month for the IBM Cloud platform team.

Adding to the momentum of IBM Cloud platform enhancements—like our new invite user experience that includes the ability to view action-to-role mappings that enable you to assign access with ease and confidence—is our new resource access report feature.

Have you ever wanted to know which users and service IDs in your account have access to a specific IBM Cloud resource? We understand it has been difficult for account owners and administrators to find out who or what has access to certain resources in an account. As accounts grow in size and complexity, the ability to track access to resources is important for both organizational and compliance-based reasons. 

Until now, this task has been a manual process that required administrators to view the assigned access for individual users, access groups, service IDs, and services one-by-one. The introduction of the resource access report is a big step forward in providing you with a simple and quick method to see access rights to a resource in an IBM Cloud account. 

You might already be familiar with the Resource list page in the IBM Cloud console, which is a one-stop-shop for viewing all resources created in an account. From this convenient view, you can easily drill down into any IAM-enabled resource to find out who has access and what level of access they are assigned. 

Ensure you have access to this capability

Before you try it out, there are a few things to know about the report:

  • The access report option is displayed for everyone, but only account owners or users assigned to at least the Administrator role on the selected resource can download the report.
  • Depending on your assigned access, you might be able to view just the IDs. If you have full access, you can see all details, including user names, access group names, access group memberships, and dynamic rules that provide the access. Check the value that is set for the fullReport flag. If it is set to false, you don't have full access to view all display names, memberships, or rules.
  • The report is a snapshot of the access to the resource at the time you download the report. It doesn't provide a log of historical access to the resource. 

For more information about what you'll see based on your assigned access, check out the documentation.

Download the access report for a resource

If you have the authority to download the access report, you can complete the following steps:

  1. Go to the Resource list in your account.
  2. From the Actions menu for the row of the resource that you want a report for, click Export access report.
  3. Click Download JSON to get the report.

Note: The report includes details about the selected resource, but does not include details about its sub-resources. 

Analyze the results of the access report 

For the selected resource within the account, the JSON file includes the following information. 

  • The resource display name.
  • The information for the user who generated the report, such as IBMid, display name, and email address.  
  • A flag called fullReport, which is determined by the user's level of access in the account. If set to true, you can view all the details in the report. 
  • Subjects who have access to the resource, including their assigned roles and the actions mapped to each role.
  • The IDs of the policies that provide the access.
blfix

Questions and feedback

As always, we are excited to deliver another highly requested feature to our users. We hope this has a positive impact on your experience with IBM Cloud, and we can't wait for you to start using it more. Feel free to let us know what you think by using the Feedback button on any page in the IBM Cloud console. Have a happy and productive fourth quarter!

Be the first to hear about news, product updates, and innovation from IBM Cloud