Onboarding LDAP users

When you install Monitoring as part of the IBM Cloud Pak® for Multicloud Management, you can use role-based access control (RBAC) to limit user access in a multi-tenant environment. You can import LDAP users, create an account, onboard the users, set up a team, and add your managed cluster to the team.

Also review:
  • IAM roles and actions
  • Example of using role-based access control (RBAC) to limit user access

Identity and Access Management (IAM) roles are assigned to users or user groups when you add them to a team in IBM Cloud Pak® for Multicloud Management. Monitoring is updated with users who are assigned to teams in IBM Cloud Pak® for Multicloud Management.

Note: The Monitoring module does not support LDAP groups. It requires that users are directly added to the team. For more information about API calls that can be made to script this, see IAM APIs.

Required user type or access level: Cluster administrator

Procedure

  1. Log in to IBM Cloud Pak® for Multicloud Management as a cluster administrator.

    cloudctl login -a https://<cluster-domain-name>:443
    
  2. Import users from the LDAP connection into IBM Cloud Pak® for Multicloud Management.

    cloudctl iam user-import -c LDAPID -u USERID
    

    This step imports the LDAP user into IBM Cloud Pak® for Multicloud Management. Repeat this command for each LDAP user.

    You can use this command to find the LDAP ID:

    cloudctl iam ldaps
    
  3. Retrieve the ACCOUNT_ID:

    cloudctl iam accounts
    

    An account ID is returned, for example,

    ID                     Name
    id-mycluster-account   mycluster Account
    

    You use this ACCOUNT_ID in the following steps.

  4. Onboard LDAP users. LDAP users can be onboarded with either the PRIMARY_OWNER role or MEMBER role. The user that is onboarded with the PRIMARY_OWNER role takes on Account Administrator privileges. The users who are added with the MEMBER role cannot log in to IBM Cloud Pak® for Multicloud Management until they are added to a team in step 8. Onboard the LDAP users imported in step 2 to the account retrieved in step 3.

    cloudctl iam user-onboard ACCOUNT_ID -r accountRole -u user1ID,user2ID,...
    OPTIONS:
    --role value, -r value Account role for user (PRIMARY_OWNER or MEMBER)
    -u value, --users value User or list of users to onboard onto account
    
    • Note: An LDAP user can be onboarded to only ONE account. If a user is mistakenly onboarded to multiple accounts, delete the user and onboard the user again.
    • Important: If a user role in a team needs to be changed, the user needs to log back in to IBM Cloud Pak® for Multicloud Management. Expect to wait up to 2 hours before the new roles are refreshed. For an immediate role assignment, remove the imported LDAP user from IAM and reimport the user.
  5. Create a namespace.

    • To use the console, see Creating a namespace.
    • You can use the kubectl create namespace command to create a new namespace or use an existing one.

      kubectl create namespace <my-namespace>
      

      For more information about creating a namespace, see Creating a namespace.

  6. Create a team for the ACCOUNT_ID retrieved in step 3.

    • To use the console, see Create teams.
    • To use the cloudctl CLI, run the following commands:

       cloudctl login -a https://<cluster-domain-name>:443
      
       cloudctl iam team-create NAME
      

      Note: A team ID is returned. Use this TEAM_ID in the next step to add users to the team.

  7. Add the users that were onboarded with the MEMBER role in step 4 to the team.

    • To use the console, see Add users to a team.
    • To use the cloudctl CLI, run the following commands:
      cloudctl iam team-add-users TEAM_ID ROLE -u user2
      
      For example,
      cloudctl iam team-add-users my-team Administrator -u user2ID
      
      For more information about each ROLE you can assign, see IAM roles and actions.
  8. Add managed resources to the team. From the IBM Cloud Pak® for Multicloud Management navigation menu, select Administer > Identity and Access > Teams. Select the team that you created in step 6. Select Resources, then select Manage Resources. A list of available resources is displayed. Select your managed cluster and click Save.

    For more information, see Add resources to a team.

Note: Administrators on a team can access all resources under an account (tenant), whether the resources are explicitly listed on a team they are a part of or not.
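
The following script is an added example, not IBM's own tooling: it strings together the cloudctl commands from steps 2 to 7 above so that the same onboarding can be repeated for each tenant. It assumes cloudctl is on PATH and step 1 (cloudctl login) has already been done; LDAP_ID, TEAM_NAME, TEAM_ID and the user IDs are placeholders to replace. Without RUN_ONBOARDING=1 it is a dry run that only prints the commands it would execute, which lets you review the plan (and check that each user lands in exactly one account) before anything changes.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: it strings together the cloudctl
# commands from steps 2 to 7 above. Assumptions: cloudctl is on PATH and
# `cloudctl login` (step 1) has already been run; LDAP_ID, TEAM_NAME, TEAM_ID
# and the user IDs are placeholders to replace. Without RUN_ONBOARDING=1 the
# script is a dry run that only prints the commands it would execute.
set -eu

LDAP_ID="${LDAP_ID:-<ldap-id>}"                   # value from `cloudctl iam ldaps`
TEAM_NAME="${TEAM_NAME:-my-team}"
TEAM_ID="${TEAM_ID:-$TEAM_NAME}"                  # the page's example passes the name; use the ID team-create prints if it differs
PRIMARY_OWNER_USER="${PRIMARY_OWNER_USER:-adminID}"
MEMBER_USERS="${MEMBER_USERS:-user1ID user2ID}"   # space separated; onboarded as MEMBER
TEAM_ROLE="${TEAM_ROLE:-Operator}"                # a role from the IAM roles table

# Execute a command, or in a dry run just print it.
run() {
  if [ "${RUN_ONBOARDING:-0}" = 1 ]; then
    "$@"
  else
    echo "$*"
  fi
}

# Step 3: extract the account ID from the table `cloudctl iam accounts` prints
# (header line "ID  Name", then one row per account). Reads the table on stdin.
account_id_from_table() {
  awk 'NR > 1 && NF >= 2 { print $1; exit }'
}

# Step 4 accepts exactly two account roles.
valid_account_role() {
  case "$1" in
    PRIMARY_OWNER|MEMBER) return 0 ;;
    *) return 1 ;;
  esac
}

# Team roles as listed under "IAM roles and actions" on this page.
valid_team_role() {
  case "$1" in
    Viewer|ClusterAdministrator|Administrator|Editor|Operator|Auditor|AccountAdministrator) return 0 ;;
    *) return 1 ;;
  esac
}

# Join user IDs with commas, the list form that -u expects.
join_users() {
  printf '%s' "$1"
  shift
  for u in "$@"; do printf ',%s' "$u"; done
  echo
}

# Step 4: onboard users to one account with one role. A user may belong to
# only ONE account, so never call this for the same user with two accounts.
onboard_users() {
  account="$1"; role="$2"; shift 2
  valid_account_role "$role" || { echo "invalid account role: $role" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "no users given" >&2; return 1; }
  run cloudctl iam user-onboard "$account" -r "$role" -u "$(join_users "$@")"
}

# Step 7: MEMBER users cannot log in until they are on a team.
team_add_users() {
  team="$1"; role="$2"; shift 2
  valid_team_role "$role" || { echo "invalid team role: $role" >&2; return 1; }
  run cloudctl iam team-add-users "$team" "$role" -u "$(join_users "$@")"
}

main() {
  # Step 2: user-import takes one user per call, so loop over them.
  for u in "$PRIMARY_OWNER_USER" $MEMBER_USERS; do
    run cloudctl iam user-import -c "$LDAP_ID" -u "$u"
  done

  # Step 3: read the account ID; a dry run uses a placeholder instead.
  if [ "${RUN_ONBOARDING:-0}" = 1 ]; then
    account_id=$(cloudctl iam accounts | account_id_from_table)
    [ -n "$account_id" ] || { echo "no account returned by cloudctl iam accounts" >&2; return 1; }
  else
    account_id="<ACCOUNT_ID>"
  fi

  # Step 4: one PRIMARY_OWNER (becomes Account Administrator), the rest MEMBERs.
  onboard_users "$account_id" PRIMARY_OWNER "$PRIMARY_OWNER_USER"
  onboard_users "$account_id" MEMBER $MEMBER_USERS

  # Step 6: team-create prints the team ID that team-add-users needs.
  run cloudctl iam team-create "$TEAM_NAME"

  # Step 7: put the MEMBER users on the team with the chosen role.
  team_add_users "$TEAM_ID" "$TEAM_ROLE" $MEMBER_USERS
}

main
```

Run it once without RUN_ONBOARDING to read the printed plan, then with `RUN_ONBOARDING=1 LDAP_ID=<ldap-id> sh onboard.sh` to execute. Step 5 (namespace) and step 8 (assigning the managed cluster to the team) are left to kubectl and the console as the page describes; the role checks are there so a typo in the role name fails before any cloudctl call is made.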

IAM roles and actions

Name                   ID                                                    Description
Viewer                 crn:v1:icp:private:iam::::role:Viewer                 Viewers can take actions that do not change state (i.e. read only).
ClusterAdministrator   crn:v1:icp:private:iam::::role:ClusterAdministrator   ClusterAdministrators can take all actions including the ability to manage access control.
Administrator          crn:v1:icp:private:iam::::role:Administrator          Administrators can take all actions including the ability to manage access control.
Editor                 crn:v1:icp:private:iam::::role:Editor                 Editors can take actions that can modify the state and create/delete sub-resources.
Operator               crn:v1:icp:private:iam::::role:Operator               Operators can take actions required to configure and operate resources.
Auditor                crn:v1:icp:private:iam::::role:Auditor                Auditors can take all actions related to auditing.
AccountAdministrator   crn:v1:icp:private:iam::::role:AccountAdministrator   AccountAdministrators can take all actions related to the administration of account.

Example of using role-based access control (RBAC) to limit user access

This is an example of using role-based access control (RBAC) to limit user access in a multi-tenant environment. It describes an Identity and Access Management (IAM) scenario for users of Monitoring.

In the IBM Cloud Pak® for Multicloud Management, an LDAP server connection is configured, and accounts and teams are created. The users are assigned to teams with roles, and resources are added to teams for restricted access.

  1. The Cluster Admin onboards 3 LDAP users to id-mycluster-account as MEMBERs.

  2. The Cluster Admin creates two teams:

    • TEAM-TEST: The managed cluster resource 'DEV' (namespace) is assigned to TEAM-TEST.
    • TEAM-BUILD: The managed cluster resource 'PROD' (namespace) is assigned to TEAM-BUILD.
  3. A user svtuser1 is onboarded to TEAM-TEST with an 'Operator' role. When svtuser1 logs on to the IBM Cloud Pak® for Multicloud Management console and selects Event Management, they are able to view Kubernetes resources collected in the 'DEV' cluster. They are not able to view Kubernetes resources collected in the 'PROD' cluster.

  4. A user blduser1 is onboarded to TEAM-BUILD with an 'Operator' role. When blduser1 logs on to the IBM Cloud Pak® for Multicloud Management console and selects Event Management, they are able to view Kubernetes resources collected in the 'PROD' cluster. They are not able to view Kubernetes resources collected in the 'DEV' cluster.

  5. The Cluster Admin is able to view all Kubernetes resources collected in both the 'DEV' and 'PROD' clusters.

Important: If a user is assigned a role in a team and that role needs to be changed, then the user needs to log back in. It can take up to 2 hours before the new roles are synced. An alternative is to remove the imported LDAP user from IAM and reimport them, which enables an immediate role assignment.

For more information about Identity and Access Management (IAM) concepts in IBM® Cloud Pak for Multicloud Management, see the IAM Guide.