Managing subscriptions, instances, and users

Use the IBM® SaaS console to manage your accounts and subscriptions, create and delete instances of App Connect Enterprise as a Service, and assign roles to your users.

About this task

The IBM SaaS console is provided with App Connect Enterprise as a Service to manage your account in the following ways:
  • View information about your account, such as the subscriptions in your account.
  • View information about your subscriptions, including usage statistics and details about the instances in your subscription.
  • Add users to your account, subscriptions, and service instances.
  • Assign roles to control how your users access your resources.

The person who creates the App Connect Enterprise as a Service subscription is designated as the subscription owner and account owner. When you provision an instance of App Connect Enterprise as a Service, you receive an email that contains a link to access the IBM SaaS console. You can also access the console by clicking your initials on the App Connect Enterprise as a Service header. The actions that you can complete in the IBM SaaS console differ for trial and Enterprise (paid) subscriptions. For example, in a trial subscription, you can create only one service instance in the console, but in an Enterprise subscription, you can create up to three instances. In a trial subscription, the subscription owner can use the console to upgrade the subscription to a paid plan.

App Connect Enterprise as a Service uses role-based access control (RBAC) to manage users' access to resources. When you add a user to App Connect Enterprise as a Service, you assign them to a role that defines their access to the account, subscription, or service instance. For example, if you choose a scope of Accounts for your user, you can choose a role of Account admin, Account owner, or Account viewer. Similarly, if you add a user to a subscription, you can choose a role of Subscription admin, Subscription owner, or Subscription viewer. You can assign a user to more than one role, but the role with greater privileges takes precedence.

If you add a user to a service instance, you can choose from roles that define access to administer the instance, or define access to resources in App Connect Enterprise as a Service.
  • The Service admin and Service owner roles provide access to administer the service instance in the console, including deleting the instance and managing users and API keys.
  • The Service user role provides access to view information about the service instance in the console, but not modify anything.
  • The App Connect viewer role provides read-only access to all resources in the App Connect instance. A user with this role can't create, modify, or delete any App Connect resource. For example, the user can view the Templates page, but can't create a flow from a template. A user with this role also doesn't see quick links on the App Connect Designer home page to create or deploy flows. This role also restricts the user from viewing information about the instance in the IBM SaaS console.
  • The App Connect editor role provides full access to App Connect resources. A user with this role can view instance settings and users in the console, but can't modify them.
  • The App Connect admin role provides full access to all App Connect resources. A user with this role also has full access to instance settings in the console, and can add, remove, and modify users, including assigning users to predefined roles.
Note:
  • If you were previously assigned to the admin or user roles, you might not be able to view your service instance in the IBM SaaS console. Ask the subscription owner to give you account-level permissions for the account that is associated with your service instance.
  • If you're assigned to one of the new App Connect-scoped roles, you might not have access to the IBM SaaS console to complete tasks such as managing API keys. Ask the account owner to assign you to an account-scoped role.

Procedure

  • To view the status of a trial subscription, upgrade to a paid subscription, or view billing and usage data, open the IBM SaaS console by using the link in your welcome email. Alternatively, click your initials on the App Connect Enterprise as a Service header and select IBM SaaS Console.
  • To add an instance to a paid subscription, open the IBM SaaS console and click Create instance. You can create up to three instances for a paid subscription. For more information, see Using the IBM SaaS console with accounts.
  • To invite users to an account, subscription, or service instance, open the IBM SaaS console, click Access management, then click Add users. You can also create a user group, assign it to a role, then add users to that user group.
    Users receive an email with a link to your App Connect Enterprise as a Service instance. After you add a user, you can assign them to a role or delete them.
  • To assign a user to a role, select the relevant scope, and a subscription and service instance, if appropriate, then select the relevant role.
    For more information, see Using the IBM SaaS console with accounts.
  • To restrict access to public APIs, a user with an admin role can create a service ID, assign that ID to a role, then use the ID to create an API key.
    For example, an administrator creates an API key for a service ID that is assigned to the App Connect viewer role. A user can use that API key to call GET operations for App Connect APIs. However, when they use the key to make a POST, PUT, or DELETE operation, they see a message that they have insufficient permissions to complete the operation.

    If a user creates a personal API key in the IBM SaaS console, that key has the same privileges as the user. For more information, see Granting access through service IDs and API keys from the IBM SaaS console.
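
The role descriptions and the viewer-role API key behavior above can be modeled offline to review service ID assignments for least privilege. This is an added sketch, not IBM code, and it calls no IBM API. The capability names, the union rule for multiple roles, and the service ID inventory are assumptions made for illustration.

```python
# Capabilities per service-instance role, transcribed from the role list above.
# Capability names are made up for this sketch; anything the page does not
# state for a role is treated as not granted (assumption).
ROLE_CAPS = {
    "Service admin": {"console:view", "console:modify"},
    "Service owner": {"console:view", "console:modify"},
    "Service user": {"console:view"},
    "App Connect viewer": {"resources:read"},
    "App Connect editor": {"resources:read", "resources:write", "console:view"},
    "App Connect admin": {"resources:read", "resources:write",
                          "console:view", "console:modify"},
}
# Capability each HTTP method needs on App Connect APIs, per the viewer example.
METHOD_CAP = {"GET": "resources:read", "POST": "resources:write",
              "PUT": "resources:write", "DELETE": "resources:write"}

def effective_caps(roles):
    """Union of role capabilities (assumed reading of 'greater privileges win')."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPS[role]  # KeyError on an unknown role is intentional
    return caps

def api_call_allowed(roles, method):
    need = METHOD_CAP.get(method.upper())
    return need is not None and need in effective_caps(roles)

def smallest_role_for(methods):
    """Least-capable single role that still covers the methods, or None."""
    needed = {METHOD_CAP[m] for m in methods}
    fits = [r for r, caps in ROLE_CAPS.items() if needed <= caps]
    return min(fits, key=lambda r: len(ROLE_CAPS[r])) if fits else None

def over_privileged(service_ids):
    """Return (name, excess capabilities, suggested role) for each finding."""
    findings = []
    for sid in service_ids:
        target = smallest_role_for(sid["methods"])
        excess = effective_caps(sid["roles"]) - ROLE_CAPS[target]
        if excess:
            findings.append((sid["name"], sorted(excess), target))
    return findings

# Constructed inventory: service IDs, their roles, and the methods they call.
SERVICE_IDS = [
    {"name": "dashboard-reader", "roles": ["App Connect viewer"], "methods": ["GET"]},
    {"name": "report-export", "roles": ["App Connect admin"], "methods": ["GET"]},
    {"name": "deploy-pipeline", "roles": ["App Connect editor"], "methods": ["GET", "POST"]},
]
```

Calling `over_privileged(SERVICE_IDS)` flags only `report-export`, whose key needs GET alone but carries the App Connect admin role.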