Instance-level vs. object-level access

There are two levels of users to consider when granting access to your Concert instance and the objects (your application and environment data) contained within it. Add instance-level users to grant access to your Concert instance. As you add data to Concert, you must define object-level permissions to grant access to specific applications and environments.

Instance-level access

Instance users defined in your connected user management service are granted some level of access to your Concert instance based on the assigned instance-level role. Instance-level users and roles are typically managed in an external system that varies based on your Concert deployment method.

The following table presents the instance-level user management options for each Concert deployment method with a link to the relevant instructions.

| Concert deployment method | Managing instance-level users | Related resources |
| --- | --- | --- |
| SaaS | Use IBM SaaS Console to add users to your Concert instance, assign roles, and more. | |
| On-premises deployment to OpenShift® Container Platform (managed by CPFS) | If you are managing the OCP deployment through IBM Cloud Pak® foundational services (CPFS), then you must configure the LDAP integration to import users and user groups from CPFS. | |
| On-premises deployment to a Kubernetes cluster without using CPFS | If you are not managing the deployment using CPFS, you can integrate with an OIDC-enabled Keycloak client to authenticate instance users and manage roles. | |
| On-premises deployment to a virtual machine (VM) | Integrate with an OIDC-enabled Keycloak client to authenticate instance users and manage roles. | |

Object-level users and roles

Object-level users have some level of access to your Concert instance based on the assigned instance-level role. Instance-level users and roles are typically managed in an external system that varies based on your Concert deployment method.