Skip to content

Latest commit

 

History

History
1848 lines (1494 loc) · 119 KB

iam-account_management.md

File metadata and controls

1848 lines (1494 loc) · 119 KB
copyright lastupdated keywords subcollection
years
2019, 2023
2023-01-18
account management, access, access policy, account administrator, user management, account management services, use account management services to grant users in the account access to invite users to the account, billing service, support center service, identity service, global catalog service, enterprise service, license service, entitlement service, license and entitlement service, access management service, catalog management service, cloud shell service, software instance service
account

{{site.data.keyword.attribute-definition-list}}

Assigning access to account management services

{: #account-services}

As the account owner or the administrator of an account management service, you can grant users access to invite users to the account, track billing and usage, and work with support cases. Users with account management access policies can also manage service IDs, access policies, catalog entries, access groups, resources for the {{site.data.keyword.compliance_short}} service, and work with Context-based restrictions. {: shortdesc}

Assigning access in the console

{: #console-acct-mgmt} {: ui}

To assign access to one or all account management services, complete the following steps:

  1. In the {{site.data.keyword.cloud}} console, click Manage > Access (IAM), and then select Users.
  2. Click the user that you want to assign access, then go to Access > Assign access.
  3. For the service, select All Account Management Services or select a specific account management service. Then, click Next.
  4. Scope the access to All resources or Specific resources. Then, click Next.
  5. Select any combination of roles or permissions, and click Review.
  6. Click Add to add your policy configuration to your policy summary.
  7. Click Assign.

To grant another user full access to the account for the purposes of managing user access and all IAM-enabled account resources, you must assign two policies. To create the first policy, select All Identity and Access enabled services with the Administrator platform role and Manager service role. To create the second policy, select All Account Management services with the Administrator role assigned.

Users with the Administrator role for account management services can change the access of other users and remove users from the account, including other users with the administrator role. {: important}

Assigning access to IAM account management services in the console

{: #console-iam-services} {: ui}

You can assign access to All IAM Account Management services, which is a subset of account management services that includes IAM Identity, IAM Access Management, IAM User Management, IAM Groups, and future IAM services. To assign access to this group of services, you must be the account owner, or a user that's assigned the administrator role on All IAM Account Management services or All Account Management services.

Some roles that you might assign on a policy for All IAM Account Management services affect only certain resources. For example, the role Service ID Creator is relevant to only the IAM Identity service. {: note}

To assign access to All IAM Account Management services, complete the following steps:

  1. In the {{site.data.keyword.cloud}} console, click Manage > Access (IAM), and then select Users.
  2. Click the user that you want to assign access, then go to Access policies > Assign access.
  3. For the service, select All IAM Account Management services. Then, click Next.
  4. Select any combination of roles or permissions, and click Review.
  5. Click Add to add your policy configuration to your policy summary.
  6. Click Assign.

Actions and roles for account management services

{: #account-management-actions-roles} {: ui}

The following tables outline the actions that users can take when they are assigned a specific role for each account management service. Review the information to ensure that you are assigning the correct level of access to your users.

All account management services

{: #all-account-management}

To quickly give users a wide range of account management access, you can assign a policy on all account management services. Depending on the role that you select, all applicable actions per the selected role for each account management service can be completed by the subject of the policy.

Roles Actions
Viewer All viewer role actions for the account management services
Operator All operator role actions for the account management services
Editor All editor role actions for the account management services and the ability to create resource groups
Administrator All administrator role actions for the account management services and the ability to create resource groups
{: caption="Table 1. Roles and example actions for a policy on all account management services" caption-side="top"}

Billing

{: #billing-acct-mgmt}

You can give users access to update account settings, view subscriptions, view offers, apply subscription and feature codes, update spending limits, and track usage by using the Billing service.

Roles Actions
Viewer View account feature settings \n \n View subscriptions in account \n \n View account name \n \n View subscription balances and track usage
Operator View account feature settings \n \n View subscriptions in account \n \n View and change account name
Editor View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage
Administrator View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage \n \n Create an enterprise
{: caption="Table 2. Roles and example actions for the Billing service" caption-side="top"}

It's possible to view subscription balances and usage from the Account settings page, but you can't view the Account settings page with the Viewer or Operator roles. To access the Account settings page and your subscription information from that page, you need the Editor role or higher. {: note}

Catalog management

{: #catalog-management-account-management}

You can give users access to view private catalogs and catalog filters, create private catalogs, add software to private catalogs, and set catalog filters.

Roles Actions
Viewer View account-level filters set for the {{site.data.keyword.cloud_notm}} catalog \n \n View private catalogs
Operator Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Editor Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Administrator Set account-level filters for the {{site.data.keyword.cloud_notm}} catalog \n \n Create, update, and delete private catalogs \n \n Publish {{site.data.keyword.IBM_notm}}-approved products \n \n Assign access policies
Publisher Publish products that are approved by {{site.data.keyword.IBM_notm}} from a private catalog
{: caption="Table 3. Roles and example actions for the catalog management service" caption-side="top"}

Context-Based Restrictions

{: #cbr-account-management}

You can give users access to view, create, update, and remove network zones. To create a context-based restriction rule for a service, you must be assigned an IAM policy with the Administrator role the service you are creating a rule against. For example, if you want to create a rule to protect a Key Protect instance, you must be assigned the Administrator role on the Key Protect service and the Viewer role or higher on the Context-based restrictions service.

The Viewer role on the Context-based restrictions service allows you to add network zones to your rule. {: note}

Roles Actions
Viewer View network zones
Editor View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
Administrator View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
{: caption="Table 4. Roles and example actions for the context-based restrictions service" caption-side="top"}

Enterprise

{: #enterprise-account-management}

You can use the Enterprise service to assign users access to manage an enterprise by creating accounts within the enterprise, assigning accounts to account groups, naming account groups, and more. This type of policy works only if it is assigned within the enterprise account.

Roles Actions
Viewer View the enterprise, account groups, and accounts
Operator Not applicable
Editor View and update the enterprise name and domain, create accounts and account groups, view usage reports, and import accounts.
Administrator View and update the enterprise name and domain, create accounts and account groups, move accounts between account groups, import existing accounts, and view usage reports
Usage report viewer View the enterprise, accounts, and account groups and view usage reports for all accounts in the enterprise.
{: caption="Table 5. Roles and example actions for the Enterprise service" caption-side="top"}

Global catalog

{: #global-catalog-account-management}

You can give users access to view private products in the catalog or change the visibility of private products for other users in the account.

Roles Actions
Viewer View private services
Operator View private services
Editor Change object metadata but can't change visibility for private services
Administrator Change object metadata or visibility for private services, and restrict visibility of a public service
{: caption="Table 6. Roles and example actions for the Global Catalog service" caption-side="top"}

IAM Access Groups

{: #access-groups-account-management}

You can give users access to view, create, edit, and delete access groups in the account by using the IAM Access Groups service.

Roles Actions
Viewer View access groups and members
Operator Not applicable
Editor View, create, edit, and delete groups \n \n Add or remove users from groups
Administrator View, create, edit, and delete groups \n \n Add or remove users including other administrators \n \n Assign access to a group \n \n Manage access for working with access groups \n \n Enable or disable public access to resources at the account level
{: caption="Table 7. Roles and example actions for the IAM access groups service" caption-side="top"}

IAM Identity service

{: #identity-service-account-management}

You can give users access to manage service IDs and identity providers (IdPs) by using the IAM Identity service. These actions apply to service IDs and IdPs within the account that the user didn't create. All users can create service IDs. They are the administrator for those IDs, and they can create the associated API key and access policies, but only users with the operator and administrator role can create IdPs. This account management service applies to the ability to view, update, delete, and assign access to service IDs in the account created by other users.

Roles Actions
Viewer View IDs
Operator Create and delete IDs and API keys \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Delete trusted profiles
Editor Create and update IDs and API keys \n \n View and update IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Update trusted profiles
Administrator Create, update, and delete IDs and API keys \n \n Assign access policies to IDs \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Create trusted profiles
User API Key Creator Can create API keys when the account setting to restrict API key creation is enabled.
Service ID Creator Can create service IDs when the account setting to restrict service ID creation is enabled.
{: caption="Table 8. Roles and example actions for the IAM Identity service" caption-side="top"}
{: #identity-service-acct-mgmt-ui}

{{site.data.keyword.cloud-shell_notm}} settings

{: #shell-service-account-management}

You can assign users access to view and update {{site.data.keyword.cloud-shell_notm}} settings for the account. Only the account owner or a user with the {{site.data.keyword.cloud-shell_notm}} administrator role can view and update the settings.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Not applicable
Administrator View and update {{site.data.keyword.cloud-shell_notm}} settings
Cloud Operator Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources.
Cloud Developer Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources and develop applications for {{site.data.keyword.cloud_notm}} (Web Preview enabled).
File Manager Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}}resources and manage files in your workspace (File Upload and File Download enabled).
{: caption="Table 9. Roles and example actions for the {{site.data.keyword.cloud-shell_notm}} service" caption-side="top"}

License and entitlement

{: #license-entitlement-management}

You can assign users access to manage licenses and entitlements within an account. Any member of an account can view and use an account’s entitlement.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Editors can create entitlements and view, update, bind, or delete only the entitlements they acquired.
Administrator Administrators can create entitlements and view, update, bind, or delete any entitlements in the account.
{: caption="Table 10. Roles and example actions for the license and entitlement service" caption-side="top"}

Partner Center

{: #pc-buildgrow-account-management}

You can give users access to view and edit partner profile details, offers, fast tracks, and to create and view support cases.

Roles Actions
Viewer View details about partner profile, offers, fast tracks, support cases.
Editor View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
Operator
Administrator View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
{: caption="Table 11. Roles and example actions for the Partner Center service" caption-side="top"}

Partner Center - Sell

{: #prod-lifecycle-account-management}

You can give users access to onboard, validate, and publish software.

Roles Actions
Administrator Create, edit, validate, and publish products
Editor Validate and edit products
Approver Approves or rejects a workflow instance's task
{: caption="Table 12. Roles and example actions for the Partner Center - Sell service" caption-side="top"}

Role Management

{: #custom-roles-account-management}

You can give users access to create, update, and delete custom roles for services in the account.

Roles Actions
Viewer View custom roles
Operator Not applicable
Editor Edit and update custom roles in an account
Administrator Create, edit, update, and delete custom roles in an account
{: caption="Table 13. Roles and example actions for the Access management service" caption-side="top"}

{{site.data.keyword.compliance_short}}

{: #security-compliance-account-management}

You can give users access to create, update, and delete resources for the {{site.data.keyword.compliance_short}} service in the account that you are assigned access.

Roles Actions
Viewer Access the {{site.data.keyword.compliance_short}} dashboard to view current posture and results \n \n View created resources such as scopes, credentials, or rules \n \n View global settings for the service
Operator Create an audit log for monitoring compliance activity
Editor Create, update, or delete objects such as scopes, credentials, and collectors \n \n Update the parameter settings of a goal \n \n Create, update, or delete rules and templates \n \n Edit global admin settings for the service
Administrator Perform all platform actions based on the resource that this role is being assigned, including assigning access policies to other users.
Manager Permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader Perform read-only actions within a service such as viewing service-specific resources.
Writer Permissions beyond the reader role, including creating and editing service-specific resources.
{: caption="Table 14. Roles and example actions for the {{site.data.keyword.compliance_short}} service" caption-side="top"}

To access all of the {{site.data.keyword.compliance_short}}, you must also assign permissions for the Security Advisor service. For more information, see Assigning access for the Security and Compliance Center. {: note}

Software instance

{: #sw-instance-account-management}

You can give users access to create, delete, or update a software instance. And, you can give users access to view the details page and the logs for the software instance.

Roles Actions
Viewer View the software instance details page
Operator Update a software instance \n \n View the details page for the software instance
Editor Create, delete, update a software instance \n \n View the details page for the software instance
Administrator Create, delete, update a software instance \n \n View the details page for the software instance \n \n View the logs for the software instance \n \n Assign IAM permissions
{: caption="Table 15. Roles and example actions for the Software instance service" caption-side="top"}

Support center

{: #support-center-account-management}

You can give users access to manage support cases.

Roles Actions
Viewer View cases \n \n Search cases
Operator Not applicable
Editor View cases \n \n Search cases \n \n Update cases \n \n Create cases
Administrator View cases \n \n Search cases \n \n Update cases \n \n Create cases
{: caption="Table 16. Roles and example actions for the Support Center service" caption-side="top"}

Assign users the viewer role on the user management service in addition to a support center access policy so the user can see all cases in the account regardless of user list visibility settings. If the user list visibility is set to be restricted, this can limit a user's ability to view, search, and manage support cases in an account that they didn't open themselves. {: tip}

User management

{: #user-management-account-management}

You can give users access to view users in an account, invite and remove users, and view and update user profile settings.

Roles Actions
Viewer View users in the account \n \n View user profile settings
Operator View users in the account \n \n View user profile settings
Editor View, invite, remove, and update users from the account \n \n View and update user profile settings
Administrator View, invite, remove, and update users from the account \n \n View and update user profile settings
{: caption="Table 17. Roles and example actions for the User Management service" caption-side="top"}

The viewer role on the user management service is a role that is commonly assigned for users assigned a role to view or manage support cases. If an account owner restricts the visibility of the user list in the IAM settings, users can't see support cases that are opened by other users in the account. However, if they are assigned the viewer role for the user management service, the user list visibility setting doesn't affect the ability to view cases in the account. {: tip}

Account management service names

{: #account-management-servicenames} {: api}

If you are assigning access by using the CLI or API, the account management services use the following attributes and values:

Account management service Attribute and value
Billing serviceName=billing
Catalog management serviceName=globalcatalog-collection
Context-based restrictions serviceName=context-based-restrictions
Enterprise serviceName=enterprise
Global catalog serviceName=globalcatalog
IAM Access Groups service serviceName=iam-groups
IAM Identity service serviceName=iam-identity
{{site.data.keyword.cloud-shell_notm}} serviceName=cloudshell
License and entitlement serviceName=entitlement
Role management serviceName=iam-access-management
{{site.data.keyword.compliance_short}} serviceName=security-compliance
Support center serviceName=support
User management serviceName=user-management
All Account Management services serviceType=platform_service
All IAM Account Management services service_group_id=IAM
{: caption="Table 1. Account management service names" caption-side="top"}

Assigning access by using the API

{: #api-acct-mgmt} {: api}

The following example assigns a policy with the Administrator role on the IAM Access groups account management service.

curl -X POST \
'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: $TOKEN'\
-H 'Content-Type: application/json'\
-d '{
  "type": "access",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "iam-groups"
        }
      ]
    }
  ]
}'

{: curl} {: codeblock}

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value("EXAMPLE_USER_ID")
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

PolicyRole policyRoles = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value("exampleAccountId")
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceName")
        .value("iam-groups")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
        .type("access")
        .subjects(Arrays.asList(policySubjects))
        .roles(Arrays.asList(policyRoles))
        .resources(Arrays.asList(policyResources))
        .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

{: java} {: codeblock}

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: "exampleUserId",
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: 'exampleAccountId',
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'iam-groups',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

{: javascript} {: codeblock}

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
  name='serviceName', value='iam-groups')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_name_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

{: python} {: codeblock}

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr("ACCOUNT_ID"),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceName"),
  Value:    core.StringPtr("iam-groups"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

{: go} {: codeblock}

The following example assigns a policy with the Administrator role on All Account Management services.

curl -X POST \
'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: $TOKEN'\
-H 'Content-Type: application/json'\
-d '{
  "type": "access",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceType",
          "value": "platform-service"
        }
      ]
    }
  ]
}'

{: curl} {: codeblock}

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value("EXAMPLE_USER_ID")
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

PolicyRole policyRoles = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value("exampleAccountId")
        .operator("stringEquals")
        .build();

ResourceAttribute serviceTypeResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceType")
        .value("platform-service")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceTypeResourceAttribute)
        .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
        .type("access")
        .subjects(Arrays.asList(policySubjects))
        .roles(Arrays.asList(policyRoles))
        .resources(Arrays.asList(policyResources))
        .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

{: java} {: codeblock}

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: "exampleUserId",
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: 'exampleAccountId',
  operator: 'stringEquals',
};
const serviceTypeResourceAttribute = {
  name: 'serviceType',
  value: 'platform-service',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceTypeResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

{: javascript} {: codeblock}

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
  name='serviceType', value='platform-service')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_type_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

{: python} {: codeblock}

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr("ACCOUNT_ID"),
  Operator: core.StringPtr("stringEquals"),
}
serviceTypeResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceType"),
  Value:    core.StringPtr("platform-service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceTypeResourceAttribute},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

{: go} {: codeblock}

Assigning access to IAM services by using the API

{: #api-iam-services} {: api}

You can assign access to All IAM Account Management services, which is a subset of account management services that includes IAM Identity, IAM Access Management, IAM User Management, IAM Groups, and future IAM services. To assign access to this group of services, you must be the account owner, or a user that's assigned the administrator role on All IAM Account Management services or All Account Management services.

Some roles that you might assign on a policy for All IAM Account Management services affect only certain resources. For example, the role Service ID Creator (crn:v1:bluemix:public:iam-identity::::serviceRole:ServiceIdCreator) is relevant to only the IAM Identity service. {: note}

The following example assigns a policy with the Administrator role on All IAM Account Management services:

curl -X POST \
'https://iam.cloud.ibm.com/v1/policies' \
-H 'Authorization: $TOKEN'\
-H 'Content-Type: application/json'\
-d '{
  "type": "access",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Administrator"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "service_group_id",
          "value": "IAM"
        }
      ]
    }
  ]
}'

{: curl} {: codeblock}

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value("EXAMPLE_USER_ID")
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

PolicyRole policyRoles = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Administrator")
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value("exampleAccountId")
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("service_group_id")
        .value("IAM")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(service_group_idResourceAttribute)
        .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
        .type("access")
        .subjects(Arrays.asList(policySubjects))
        .roles(Arrays.asList(policyRoles))
        .resources(Arrays.asList(policyResources))
        .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

{: java} {: codeblock}

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: "exampleUserId",
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Administrator',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: 'exampleAccountId',
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'service_group_id',
  value: 'IAM',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, service_group_idResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

{: javascript} {: codeblock}

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='example_user_id')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:iam::::role:Administrator')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(
  name='service_group_id', value='IAM')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_group_id_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

{: python} {: codeblock}

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("exampleUserID"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr("ACCOUNT_ID"),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("service_group_id"),
  Value:    core.StringPtr("IAM"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *service_group_idResourceAttribute},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

{: go} {: codeblock}

Actions and roles for account management services

{: #account-management-actions-roles-api} {: api}

The following tables outline the actions that users can take when they are assigned a specific role for each account management service. Review the information to ensure that you are assigning the correct level of access to your users.

All account management services

{: #all-account-management-api}

To quickly give users a wide range of account management access, you can assign a policy on all account management services. Depending on the role that you select, all applicable actions per the selected role for each account management service can be completed by the subject of the policy.

Roles Actions role_ID value
Viewer All viewer role actions for the account management services crn:v1:bluemix:public:iam::::role:Viewer
Operator All operator role actions for the account management services crn:v1:bluemix:public:iam::::role:Operator
Editor All editor role actions for the account management services and the ability to create resource groups crn:v1:bluemix:public:iam::::role:Editor
Administrator All administrator role actions for the account management services and the ability to create resource groups crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 2. Roles and example actions for a policy on all account management services" caption-side="top"}

Billing

{: #billing-acct-mgmt-api}

You can give users access to update account settings, view subscriptions, view offers, apply subscription and feature codes, update spending limits, and track usage by using the Billing service.

Roles Actions role_ID value
Viewer View account feature settings \n \n View subscriptions in account \n \n View account name \n \n View subscription balances and track usage crn:v1:bluemix:public:iam::::role:Viewer
Operator View account feature settings \n \n View subscriptions in account \n \n View and change account name crn:v1:bluemix:public:iam::::role:Operator
Editor View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage crn:v1:bluemix:public:iam::::role:Editor
Administrator View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage \n \n Create an enterprise crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 3. Roles and example actions for the Billing service" caption-side="top"}

It's possible to view subscription balances and usage from the Account settings page, but you can't view the Account settings page with the Viewer or Operator roles. To access the Account settings page and your subscription information from that page, you need the Editor role or higher. {: note}

Catalog management

{: #catalog-management-account-management-api}

You can give users access to view private catalogs and catalog filters, create private catalogs, add software to private catalogs, and set catalog filters.

Roles Actions role_ID value
Viewer View account-level filters set for the {{site.data.keyword.cloud_notm}} catalog \n \n View private catalogs crn:v1:bluemix:public:iam::::role:Viewer
Operator Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters crn:v1:bluemix:public:iam::::role:Operator
Editor Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters crn:v1:bluemix:public:iam::::role:Editor
Administrator Set account-level filters for the {{site.data.keyword.cloud_notm}} catalog \n \n Create, update, and delete private catalogs \n \n Publish {{site.data.keyword.IBM_notm}}-approved products \n \n Assign access policies crn:v1:bluemix:public:iam::::role:Administrator
Publisher Publish products that are approved by {{site.data.keyword.IBM_notm}} from a private catalog crn:v1:bluemix:public:globalcatalog-collection::::serviceRole:Promoter
{: caption="Table 4. Roles and example actions for the catalog management service" caption-side="top"}

Context-based restrictions

{: #cbr-account-management-api}

You can give users access to view, create, update, and remove network zones. To create a context-based restriction rule for a service, you must be assigned an IAM policy with the Administrator role the service you are creating a rule against. For example, if you want to create a rule to protect a Key Protect instance, you must be assigned the Administrator role on the Key Protect service and the Viewer role or higher on the Context-based restrictions service.

The Viewer role on the Context-based restrictions service allows you to add network zones to your rule. {: note}

Roles Actions role_ID value
Viewer View network zones crn:v1:bluemix:public:iam::::role:Viewer
Editor View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones crn:v1:bluemix:public:iam::::role:Editor
Administrator View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 5. Roles and example actions for the context-based restrictions service" caption-side="top"}

You can give users access to view, create, update, and remove context-based restrictions and network zones.

Enterprise

{: #enterprise-account-management-api}

You can use the Enterprise service to assign users access to manage an enterprise by creating accounts within the enterprise, assigning accounts to account groups, naming account groups, and more. This type of policy works only if it is assigned within the enterprise account.

Roles Actions role_ID value
Viewer View the enterprise, account groups, and accounts crn:v1:bluemix:public:iam::::role:Viewer
Operator Not applicable
Editor View and update the enterprise name and domain, create accounts and account groups, view usage reports, and import accounts. crn:v1:bluemix:public:iam::::role:Editor
Administrator View and update the enterprise name and domain, create accounts and account groups, move accounts between account groups, import existing accounts, and view usage reports crn:v1:bluemix:public:iam::::role:Administrator
Usage report viewer View the enterprise, accounts, and account groups and view usage reports for all accounts in the enterprise. crn:v1:bluemix:public:enterprise::::serviceRole:UsageReportsViewer
{: caption="Table 6. Roles and example actions for the Enterprise service" caption-side="top"}

Global catalog

{: #global-catalog-account-management-api}

You can give users access to view private products in the catalog or change the visibility of private products for other users in the account.

Roles Actions role_ID value
Viewer View private services crn:v1:bluemix:public:iam::::role:Viewer
Operator Not applicable crn:v1:bluemix:public:iam::::role:Operator
Editor Change object metadata but can't change visibility for private services crn:v1:bluemix:public:iam::::role:Editor
Administrator Change object metadata or visibility for private services, and restrict visibility of a public service crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 7. Roles and example actions for the Global Catalog service" caption-side="top"}

IAM Access Groups

{: #access-groups-account-management-api}

You can give users access to view, create, edit, and delete access groups in the account by using the IAM Access Groups service.

Roles Actions role_ID value
Viewer View access groups and members crn:v1:bluemix:public:iam::::role:Viewer
Operator Not applicable
Editor View, create, edit, and delete groups \n \n Add or remove users from groups crn:v1:bluemix:public:iam::::role:Editor
Administrator View, create, edit, and delete groups \n \n Add or remove users \n \n Assign access to a group \n \n Manage access for working with access groups \n \n Enable or disable public access to resources at the account level crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 8. Roles and example actions for the IAM access groups service" caption-side="top"}

IAM Identity service

{: #identity-service-account-management-api}

You can give users access to manage service IDs and identity providers (IdPs) by using the IAM Identity service. These actions apply to service IDs and IdPs within the account that the user didn't create. All users can create service IDs. They are the administrator for those IDs, and they can create the associated API key and access policies, but only users with the operator and administrator role can create IdPs. This account management service applies to the ability to view, update, delete, and assign access to service IDs in the account created by other users.

Roles Actions role_ID value
Viewer View IDs crn:v1:bluemix:public:iam::::role:Viewer
Operator Create and delete IDs and API keys \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Delete trusted profiles crn:v1:bluemix:public:iam::::role:Operator
Editor Create and update IDs and API keys \n \n View and update IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Update trusted profiles crn:v1:bluemix:public:iam::::role:Editor
Administrator Create, update, and delete IDs and API keys \n \n Assign access policies to IDs \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Create trusted profiles crn:v1:bluemix:public:iam::::role:Administrator
User API Key Creator Can create API keys when the account setting to restrict API key creation is enabled. crn:v1:bluemix:public:iam-identity::::serviceRole:UserApiKeyCreator
Service ID Creator Can create service IDs when the account setting to restrict service ID creation is enabled. crn:v1:bluemix:public:iam-identity::::serviceRole:ServiceIdCreator
{: caption="Table 9. Roles and example actions for the IAM Identity service" caption-side="top"}
{: #identity-service-acct-mgmt-api}

{{site.data.keyword.cloud-shell_notm}} settings

{: #shell-service-account-management-api}

You can assign users access to view and update {{site.data.keyword.cloud-shell_notm}} settings for the account. Only the account owner or a user with the {{site.data.keyword.cloud-shell_notm}} administrator role can view and update the settings.

Roles Actions role_ID value
Viewer Not applicable
Operator Not applicable
Editor Not applicable
Administrator View and update {{site.data.keyword.cloud-shell_notm}} settings crn:v1:bluemix:public:iam::::role:Administrator
Cloud Operator Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources. crn:v1:bluemix:public:cloudshell::::serviceRole:CloudOperator
Cloud Developer Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources and develop applications for {{site.data.keyword.cloud_notm}} (Web Preview enabled). crn:v1:bluemix:public:cloudshell::::serviceRole:CloudDeveloper
File Manager Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}}resources and manage files in your workspace (File Upload and File Download enabled). crn:v1:bluemix:public:cloudshell::::serviceRole:FileManager
{: caption="Table 10. Roles and example actions for the {{site.data.keyword.cloud-shell_notm}} service" caption-side="top"}

License and entitlement

{: #license-entitlement-management-api}

You can assign users access to manage licenses and entitlements within an account. Any member of an account can view and use an account’s entitlement.

Roles Actions role_ID value
Viewer Not applicable
Operator Not applicable
Editor Editors can create entitlements and view, update, bind, or delete only the entitlements they acquired. crn:v1:bluemix:public:iam::::role:Editor
Administrator Administrators can create entitlements and view, update, bind, or delete any entitlements in the account. crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 11. Roles and example actions for the license and entitlement service" caption-side="top"}

Partner Center

{: #pc-buildgrow-account-management-api}

You can give users access to view and edit partner profile details, offers, fast tracks, and to create and view support cases.

Roles Actions role_ID value
Viewer View details about partner profile, offers, fast tracks, support cases. crn:v1:bluemix:public:iam::::role:Viewer
Editor View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases. crn:v1:bluemix:public:iam::::role:Editor
Operator
Administrator View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases. crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 12. Roles and example actions for the Partner Center service" caption-side="top"}

Partner Center - Sell

{: #prod-lifecycle-account-management-api}

You can give users access to onboard, validate, and publish software.

Roles Actions role_ID value
Administrator Create, edit, validate, and publish products
Editor Validate and edit products crn:v1:bluemix:public:iam::::role:Editor
Approver Approves or rejects a workflow instance's task crn:v1:bluemix:public:product-lifecycle::::serviceRole:LifecycleApprover
{: caption="Table 13. Roles and example actions for the Partner Center - Sell service" caption-side="top"}

Role Management

{: #custom-roles-account-management-api}

You can give users access to create, update, and delete custom roles for services in the account.

Roles Actions role_ID value
Viewer View custom roles crn:v1:bluemix:public:iam::::role:Viewer
Operator Not applicable
Editor Edit and update custom roles in an account crn:v1:bluemix:public:iam::::role:Editor
Administrator Create, edit, update, and delete custom roles in an account crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 14. Roles and example actions for the Access management service" caption-side="top"}

{{site.data.keyword.compliance_short}}

{: #security-compliance-account-management-api}

You can give users access to create, update, and delete resources for the {{site.data.keyword.compliance_short}} service in the account that you are assigned access.

Roles Actions role_ID value
Viewer Access the {{site.data.keyword.compliance_short}} dashboard to view current posture and results \n \n View created resources such as scopes, credentials, or rules \n \n View global settings for the service crn:v1:bluemix:public:iam::::role:Viewer
Operator Create an audit log for monitoring compliance activity crn:v1:bluemix:public:iam::::role:Operator
Editor Create, update, or delete objects such as scopes, credentials, and collectors \n \n Update the parameter settings of a goal \n \n Create, update, or delete rules and templates \n \n Edit global admin settings for the service crn:v1:bluemix:public:iam::::role:Editor
Administrator Perform all platform actions based on the resource that this role is being assigned, including assigning access policies to other users. crn:v1:bluemix:public:iam::::role:Administrator
Manager Permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources. crn:v1:bluemix:public:iam::::serviceRole:Manager
Reader Perform read-only actions within a service such as viewing service-specific resources. crn:v1:bluemix:public:iam::::serviceRole:Reader
Writer Permissions beyond the reader role, including creating and editing service-specific resources. `crn:v1:bluemix:public:iam::::serviceRole:Writer
{: caption="Table 15. Roles and example actions for the {{site.data.keyword.compliance_short}} service" caption-side="top"}

To access all of the {{site.data.keyword.compliance_short}}, you must also assign permissions for the Security Advisor service. For more information, see Assigning access for the Security and Compliance Center. {: note}

Software instance

{: #sw-instance-account-management-api}

You can give users access to create, delete, or update a software instance. And, you can give users access to view the details page and the logs for the software instance.

Roles Actions role_ID value
Viewer View the software instance details page crn:v1:bluemix:public:iam::::role:Viewer
Operator Update a software instance \n \n View the details page for the software instance crn:v1:bluemix:public:iam::::role:Operator
Editor Create, delete, update a software instance \n \n View the details page for the software instance crn:v1:bluemix:public:iam::::role:Editor
Administrator Create, delete, update a software instance \n \n View the details page for the software instance \n \n View the logs for the software instance \n \n Assign IAM permissions crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 16. Roles and example actions for the Software instance service" caption-side="top"}

Support center

{: #support-center-account-management-api}

You can give users access to manage support cases.

Roles Actions role_ID value
Viewer View cases \n \n Search cases crn:v1:bluemix:public:iam::::role:Viewer
Operator Not applicable crn:v1:bluemix:public:iam::::role:Operator
Editor View cases \n \n Search cases \n \n Update cases \n \n Create cases crn:v1:bluemix:public:iam::::role:Editor
Administrator View cases \n \n Search cases \n \n Update cases \n \n Create cases crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 17. Roles and example actions for the Support Center service" caption-side="top"}

Assign users the viewer role on the user management service in addition to a support center access policy so the user can see all cases in the account regardless of user list visibility settings. If the user list visibility is set to be restricted, a user's ability to view, search, and manage support cases in an account that they didn't open themselves can be limited. {: tip}

User management

{: #user-management-account-management-api}

You can give users access to view users in an account, invite and remove users, and view and update user profile settings.

Roles Actions role_ID value
Viewer View users in the account \n \n View user profile settings crn:v1:bluemix:public:iam::::role:Viewer
Operator View users in the account \n \n View user profile settings crn:v1:bluemix:public:iam::::role:Operator
Editor View, invite, remove, and update users from the account \n \n View and update user profile settings crn:v1:bluemix:public:iam::::role:Editor
Administrator View, invite, remove, and update users from the account \n \n View and update user profile settings crn:v1:bluemix:public:iam::::role:Administrator
{: caption="Table 18. Roles and example actions for the User Management service" caption-side="top"}

The viewer role on the user management service is a role that is commonly assigned for users assigned a role to view or manage support cases. If an account owner restricts the visibility of the user list in the IAM settings, users can't see support cases that are opened by other users in the account. However, if they are assigned the viewer role for the user management service, the user list visibility setting doesn't affect the ability to view cases in the account. {: tip}

Account management service names

{: #account-management-servicenames-cli} {: cli}

If you are assigning access by using the CLI or API, the account management services use the following attributes and values:

Account management service Attribute and value
Billing serviceName=billing
Catalog management serviceName=globalcatalog-collection
Context-based restrictions serviceName=context-based-restrictions
Enterprise serviceName=enterprise
Global catalog serviceName=globalcatalog
IAM Access Groups service serviceName=iam-groups
IAM Identity service serviceName=iam-identity
{{site.data.keyword.cloud-shell_notm}} serviceName=cloudshell
License and entitlement serviceName=entitlement
Role management serviceName=iam-access-management
{{site.data.keyword.compliance_short}} serviceName=security-compliance
Support center serviceName=support
User management serviceName=user-management
All Account Management services serviceType=platform_service
All IAM Account Management services service_group_id=IAM
{: caption="Table 1. Account management service names" caption-side="top"}

Assigning access by using the CLI

{: #cli-acct-mgmt} {: cli}

To assign access, run the user-policy-create command. For more information, see ibmcloud iam user-policy-create. The following example command assigns a policy with the User API key creator role for the IAM Identity account management service.

ibmcloud iam user-policy-create [email protected] --roles "User API key creator" --service-name iam-identity

{: pre}

For service names to use in the CLI command for each account management service, see Table 1. However, for a policy on all account management services in the CLI, use --account-management instead of --service-name SERVICE_NAME. For roles that are more than one word, use the display name with quotations. {: tip}

The following example command assigns a policy with the Administrator role for All Account Management services.

ibmcloud iam user-policy-create name.example.com --roles Administrator --attributes serviceType=service

{: pre}

Assigning access to IAM services by using the CLI

{: #cli-iam-services} {: cli}

You can assign access to All IAM Account Management services, which is a subset of account management services that includes IAM Identity, IAM Access Management, User Management, IAM Groups, and future IAM services. To assign access to this group of services, you must be the account owner, or a user assigned the administrator role on All IAM Account Management services or All Account Management services.

Some roles that you might assign on a policy for All IAM Account Management services affect only certain resources. For example, the role Service ID Creator is relevant to only the IAM Identity Service. {: note}

The following example command assigns a policy with the Administrator role on All IAM Account Management services:

ibmcloud iam user-policy-create [email protected] --roles Administrator --attributes service_group_id=IAM

{: pre}

Actions and roles for account management services

{: #account-management-actions-roles-cli} {: cli}

The following tables outline the actions that users can take when they are assigned a specific role for each account management service. Review the information to ensure that you are assigning the correct level of access to your users.

All account management services

{: #all-account-management-cli}

To quickly give users a wide-ranging set of account management access, you can assign a policy on all account management services. Depending on the role that is selected, all applicable actions per the selected role for each account management service can be completed by the subject of the policy.

Roles Actions
Viewer All viewer role actions for the account management services
Operator All operator role actions for the account management services
Editor All editor role actions for the account management services and the ability to create resource groups
Administrator All administrator role actions for the account management services and the ability to create resource groups
{: caption="Table 2. Roles and example actions for a policy on all account management services" caption-side="top"}

Billing

{: #billing-acct-mgmt-cli}

You can give users access to update account settings, view subscriptions, view offers, apply subscription and feature codes, update spending limits, and track usage by using the Billing service.

Roles Actions
Viewer View account feature settings \n \n View subscriptions in account \n \n View account name \n \n View subscription balances and track usage
Operator View account feature settings \n \n View subscriptions in account \n \n View and change account name
Editor View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage
Administrator View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage \n \n Create an enterprise
{: caption="Table 3. Roles and example actions for the Billing service" caption-side="top"}

It's possible to view subscription balances and usage from the Account settings page, but you can't view the Account settings page with the Viewer or Operator roles. To access the Account settings page and your subscription information from that page, you need the Editor role or higher. {: note}

Catalog management

{: #catalog-management-account-management-cli}

You can give users access to view private catalogs and catalog filters, create private catalogs, add software to private catalogs, and set catalog filters.

Roles Actions
Viewer View account-level filters set for the {{site.data.keyword.cloud_notm}} catalog \n \n View private catalogs
Operator Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Editor Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Administrator Set account-level filters for the {{site.data.keyword.cloud_notm}} catalog \n \n Create, update, and delete private catalogs \n \n Publish {{site.data.keyword.IBM_notm}}-approved products \n \n Assign access policies
Publisher Publish products that are approved by {{site.data.keyword.IBM_notm}} from a private catalog
{: caption="Table 4. Roles and example actions for the catalog management service" caption-side="top"}

Context-based restrictions

{: #cbr-account-management-cli}

You can give users access to view, create, update, and remove network zones. To create a context-based restriction rule for a service, you must be assigned an IAM policy with the Administrator role the service you are creating a rule against. For example, if you want to create a rule to protect a Key Protect instance, you must be assigned the Administrator role on the Key Protect service and the Viewer role or higher on the Context-based restrictions service.

The Viewer role on the Context-based restrictions service allows you to add network zones to your rule. {: note}

Roles Actions
Viewer View network zones
Editor View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
Administrator View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
{: caption="Table 5. Roles and example actions for the context-based restrictions service" caption-side="top"}

Enterprise

{: #enterprise-account-management-cli}

You can use the Enterprise service to assign users access to manage an enterprise by creating accounts within the enterprise, assigning accounts to account groups, naming account groups, and more. This type of policy works only if it is assigned within the enterprise account.

Roles Actions
Viewer View the enterprise, account groups, and accounts
Operator Not applicable
Editor View and update the enterprise name and domain, create accounts and account groups, view usage reports, and import accounts.
Administrator View and update the enterprise name and domain, create accounts and account groups, move accounts between account groups, import existing accounts, and view usage reports
Usage report viewer View the enterprise, accounts, and account groups and view usage reports for all accounts in the enterprise.
{: caption="Table 6. Roles and example actions for the Enterprise service" caption-side="top"}

Global catalog

{: #global-catalog-account-management-cli}

You can give users access to view private products in the catalog or change the visibility of private products for other users in the account.

Roles Actions
Viewer View private services
Operator Not applicable
Editor Change object metadata but can't change visibility for private services
Administrator Change object metadata or visibility for private services, and restrict visibility of a public service
{: caption="Table 7. Roles and example actions for the Global Catalog service" caption-side="top"}

IAM Access Groups

{: #access-groups-account-management-cli}

You can give users access to view, create, edit, and delete access groups in the account by using the IAM Access Groups service.

Roles Actions
Viewer View access groups and members
Operator Not applicable
Editor View, create, edit, and delete groups \n \n Add or remove users from groups
Administrator View, create, edit, and delete groups \n \n Add or remove users \n \n Assign access to a group \n \n Manage access for working with access groups \n \n Enable or disable public access to resources at the account level
{: caption="Table 8. Roles and example actions for the IAM access groups service" caption-side="top"}

IAM Identity service

{: #identity-service-account-management-cli}

You can give users access to manage service IDs and identity providers (IdPs) by using the IAM Identity service. These actions apply to service IDs and IdPs within the account that the user didn't create. All users can create service IDs. They are the administrator for those IDs, and they can create the associated API key and access policies, but only users with the operator and administrator role can create IdPs. This account management service applies to the ability to view, update, delete, and assign access to service IDs in the account created by other users.

Roles Actions
Viewer View IDs
Operator Create and delete IDs and API keys \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Delete trusted profiles
Editor Create and update IDs and API keys \n \n View and update IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Update trusted profiles
Administrator Create, update, and delete IDs and API keys \n \n Assign access policies to IDs \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Create trusted profiles
User API Key Creator Can create API keys when the account setting to restrict API key creation is enabled.
Service ID Creator Can create service IDs when the account setting to restrict service ID creation is enabled.
{: caption="Table 9. Roles and example actions for the IAM Identity service" caption-side="top"}
{: #identity-service-acct-mgmt-cli}

{{site.data.keyword.cloud-shell_notm}} settings

{: #shell-service-account-management-cli}

You can assign users access to view and update {{site.data.keyword.cloud-shell_notm}} settings for the account. Only the account owner or a user with the {{site.data.keyword.cloud-shell_notm}} administrator role can view and update the settings.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Not applicable
Administrator View and update {{site.data.keyword.cloud-shell_notm}} settings
Cloud Operator Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources.
Cloud Developer Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources and develop applications for {{site.data.keyword.cloud_notm}} (Web Preview enabled).
File Manager Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}}resources and manage files in your workspace (File Upload and File Download enabled).
{: caption="Table 10. Roles and example actions for the {{site.data.keyword.cloud-shell_notm}} service" caption-side="top"}

License and entitlement

{: #license-entitlement-management-cli}

You can assign users access to manage licenses and entitlements within an account. Any member of an account can view and use an account’s entitlement.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Editors can create entitlements and view, update, bind, or delete only the entitlements they acquired.
Administrator Administrators can create entitlements and view, update, bind, or delete any entitlements in the account.
{: caption="Table 11. Roles and example actions for the license and entitlement service" caption-side="top"}

Partner Center

{: #pc-buildgrow-account-management-cli}

You can give users access to view and edit partner profile details, offers, fast tracks, and to create and view support cases.

Roles Actions
Viewer View details about partner profile, offers, fast tracks, support cases.
Editor View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
Operator
Administrator View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
{: caption="Table 12. Roles and example actions for the Partner Center service" caption-side="top"}

Partner Center - Sell

{: #prod-lifecycle-account-management-cli}

You can give users access to onboard, validate, and publish software.

Roles Actions
Administrator Create, edit, validate, and publish products
Editor Validate and edit products
Approver Approves or rejects a workflow instance's task
{: caption="Table 13. Roles and example actions for the Partner Center - Sell service" caption-side="top"}

Role Management

{: #custom-roles-account-management-cli}

You can give users access to create, update, and delete custom roles for services in the account.

Roles Actions
Viewer View custom roles
Operator Not applicable
Editor Edit and update custom roles in an account
Administrator Create, edit, update, and delete custom roles in an account
{: caption="Table 14. Roles and example actions for the Access management service" caption-side="top"}

{{site.data.keyword.compliance_short}}

{: #security-compliance-account-management-cli}

You can give users access to create, update, and delete resources for the {{site.data.keyword.compliance_short}} service in the account that you are assigned access.

Roles Actions
Viewer Access the {{site.data.keyword.compliance_short}} dashboard to view current posture and results \n \n View created resources such as scopes, credentials, or rules \n \n View global settings for the service
Operator Create an audit log for monitoring compliance activity
Editor Create, update, or delete objects such as scopes, credentials, and collectors \n \n Update the parameter settings of a goal \n \n Create, update, or delete rules and templates \n \n Edit global admin settings for the service
Administrator Perform all platform actions based on the resource that this role is being assigned, including assigning access policies to other users.
Manager Permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader Perform read-only actions within a service such as viewing service-specific resources.
Writer Permissions beyond the reader role, including creating and editing service-specific resources.
{: caption="Table 15. Roles and example actions for the {{site.data.keyword.compliance_short}} service" caption-side="top"}

To access all of the {{site.data.keyword.compliance_short}}, you must also assign permissions for the Security Advisor service. For more information, see Assigning access for the Security and Compliance Center. {: note}

Software instance

{: #sw-instance-account-management-cli}

You can give users access to create, delete, or update a software instance. And, you can give users access to view the details page and the logs for the software instance.

Roles Actions
Viewer View the software instance details page
Operator Update a software instance \n \n View the details page for the software instance
Editor Create, delete, update a software instance \n \n View the details page for the software instance
Administrator Create, delete, update a software instance \n \n View the details page for the software instance \n \n View the logs for the software instance \n \n Assign IAM permissions
{: caption="Table 16. Roles and example actions for the Software instance service" caption-side="top"}

Support center

{: #support-center-account-management-cli}

You can give users access to manage support cases.

Roles Actions
Viewer View cases \n \n Search cases
Operator Not applicable
Editor View cases \n \n Search cases \n \n Update cases \n \n Create cases
Administrator View cases \n \n Search cases \n \n Update cases \n \n Create cases
{: caption="Table 17. Roles and example actions for the Support Center service" caption-side="top"}

Assign users the viewer role on the user management service in addition to a support center access policy so the user can see all cases in the account regardless of user list visibility settings. If the user list visibility is set to be restricted, this can limit a user's ability to view, search, and manage support cases in an account that they didn't open themselves. {: tip}

User management

{: #user-management-account-management-cli}

You can give users access to view users in an account, invite and remove users, and view and update user profile settings.

Roles Actions
Viewer View users in the account \n \n View user profile settings
Operator View users in the account \n \n View user profile settings
Editor View, invite, remove, and update users from the account \n \n View and update user profile settings
Administrator View, invite, remove, and update users from the account \n \n View and update user profile settings
{: caption="Table 18. Roles and example actions for the User Management service" caption-side="top"}

The viewer role on the user management service is a role that is commonly assigned for users assigned a role to view or manage support cases. If an account owner restricts the visibility of the user list in the IAM settings, users can't see support cases that are opened by other users in the account. However, if they are assigned the viewer role for the user management service, the user list visibility setting doesn't affect the ability to view cases in the account. {: tip}

Assigning access by using Terraform

{: #terraform-acct-mgmt} {: terraform}

Before you can assign access by using Terraform, make sure that you have completed the following:

  • Install the Terraform CLI and configure the {{site.data.keyword.cloud_notm}} Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on {{site.data.keyword.cloud}}. The plug-in abstracts the {{site.data.keyword.cloud_notm}} APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation{: external}.

Use the following steps to assign access by using Terraform:

  1. Create an argument in your main.tf file. The following example assigns a policy with the Viewer role on the IAM Access groups account management service.

    resource "ibm_iam_access_group" "accgrp" {
     name = "test"
    }
    
    resource "ibm_iam_access_group_policy" "policy" {
     access_group_id = ibm_iam_access_group.accgrp.id
     roles           = ["Viewer"]
    }

    {: codeblock}

    You can specify the ID of the access group on the access_group_id option. For more information, see the argument reference details on the Terraform Identity and Access Management (IAM){: external} page.

  2. After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories{: external}.

    terraform init

    {: pre}

  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform{: external}.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan

      {: pre}

    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply

      {: pre}

Actions and roles for account management services

{: #account-management-actions-roles-terra} {: terraform}

The following tables outline the actions that users can take when they are assigned a specific role for each account management service. Review the information to ensure that you are assigning the correct level of access to your users.

All account management services

{: #all-account-management-terra}

To quickly give users a wide-ranging set of account management access, you can assign a policy on all account management services. Depending on the role that is selected, all applicable actions per the selected role for each account management service can be completed by the subject of the policy.

Roles Actions
Viewer All viewer role actions for the account management services
Operator All operator role actions for the account management services
Editor All editor role actions for the account management services and the ability to create resource groups
Administrator All administrator role actions for the account management services and the ability to create resource groups
{: caption="Table 1. Roles and example actions for a policy on account management services" caption-side="top"}

Billing

{: #billing-acct-mgmt-terra}

You can give users access to update account settings, view subscriptions, view offers, apply subscription and feature codes, update spending limits, and track usage by using the Billing service.

Roles Actions
Viewer View account feature settings \n \n View subscriptions in account \n \n View account name \n \n View subscription balances and track usage
Operator View account feature settings \n \n View subscriptions in account \n \n View and change account name
Editor View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage
Administrator View and update account feature settings \n \n View subscriptions in account \n \n View offers in account \n \n View and apply subscription and feature codes \n \n View and change account name \n \n View and update spending limits \n \n Set spending notifications \n \n View subscription balances and track usage \n \n Create an enterprise
{: caption="Table 2. Roles and example actions for the Billing service" caption-side="top"}

It's possible to view subscription balances and usage from the Account settings page, but you can't view the Account settings page with the Viewer or Operator roles. To access the Account settings page and your subscription information from that page, you need the Editor role or higher. {: note}

Catalog management

{: #catalog-management-account-management-terra}

You can give users access to view private catalogs and catalog filters, create private catalogs, add software to private catalogs, and set catalog filters.

Roles Actions
Viewer View account-level filters set for the {{site.data.keyword.cloud_notm}} catalog \n \n View private catalogs
Operator Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Editor Create private catalogs \n \n Set filters for private catalogs \n \n Add and update software \n \n View account-level filters
Administrator Set account-level filters for the {{site.data.keyword.cloud_notm}} catalog \n \n Create, update, and delete private catalogs \n \n Publish {{site.data.keyword.IBM_notm}}-approved products \n \n Assign access policies
Publisher Publish products that are approved by {{site.data.keyword.IBM_notm}} from a private catalog
{: caption="Table 3. Roles and example actions for the catalog management service" caption-side="top"}

Context-based restrictions

{: #cbr-account-management-terra}

You can give users access to view, create, update, and remove network zones. To create a context-based restriction rule for a service, you must be assigned an IAM policy with the Administrator role the service you are creating a rule against. For example, if you want to create a rule to protect a Key Protect instance, you must be assigned the Administrator role on the Key Protect service and the Viewer role or higher on the Context-based restrictions service.

The Viewer role on the Context-based restrictions service allows you to add network zones to your rule. {: note}

Roles Actions
Viewer View network zones
Editor View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
Administrator View network zones \n \n Create network zones \n \n Update network zones \n \n Remove network zones
{: caption="Table 4. Roles and example actions for the context-based restrictions service" caption-side="top"}

Enterprise

{: #enterprise-account-management-terra}

You can use the Enterprise service to assign users access to manage an enterprise by creating accounts within the enterprise, assigning accounts to account groups, naming account groups, and more. This type of policy works only if it is assigned within the enterprise account.

Roles Actions
Viewer View the enterprise, account groups, and accounts
Operator Not applicable
Editor View and update the enterprise name and domain, create accounts and account groups, view usage reports, and import accounts.
Administrator View and update the enterprise name and domain, create accounts and account groups, move accounts between account groups, import existing accounts, and view usage reports
Usage report viewer View the enterprise, accounts, and account groups and view usage reports for all accounts in the enterprise.
{: caption="Table 5. Roles and example actions for the Enterprise service" caption-side="top"}

Global catalog

{: #global-catalog-account-management-terra}

You can give users access to view private products in the catalog or change the visibility of private products for other users in the account.

Roles Actions
Viewer View private services
Operator Not applicable
Editor Change object metadata but can't change visibility for private services
Administrator Change object metadata or visibility for private services, and restrict visibility of a public service
{: caption="Table 6. Roles and example actions for the Global Catalog service" caption-side="top"}

IAM Access Groups

{: #access-groups-account-management-terra}

You can give users access to view, create, edit, and delete access groups in the account by using the IAM Access Groups service.

Roles Actions
Viewer View access groups and members
Operator Not applicable
Editor View, create, edit, and delete groups \n \n Add or remove users from groups
Administrator View, create, edit, and delete groups \n \n Add or remove users \n \n Assign access to a group \n \n Manage access for working with access groups \n \n Enable or disable public access to resources at the account level
{: caption="Table 7. Roles and example actions for the IAM access groups service" caption-side="top"}

IAM Identity service

{: #identity-service-account-management-terra}

You can give users access to manage service IDs and identity providers (IdPs) by using the IAM Identity service. These actions apply to service IDs and IdPs within the account that the user didn't create. All users can create service IDs. They are the administrator for those IDs, and they can create the associated API key and access policies, but only users with the operator and administrator role can create IdPs. This account management service applies to the ability to view, update, delete, and assign access to service IDs in the account created by other users.

Roles Actions
Viewer View IDs
Operator Create and delete IDs and API keys \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Delete trusted profiles
Editor Create and update IDs and API keys \n \n View and update IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Update trusted profiles
Administrator Create, update, and delete IDs and API keys \n \n Assign access policies to IDs \n \n View, create, update, and delete IdPs \n \n Update IAM account setting for service IDs and user API key creation \n \n Create trusted profiles
User API Key Creator Can create API keys when the account setting to restrict API key creation is enabled.
Service ID Creator Can create service IDs when the account setting to restrict service ID creation is enabled.
{: caption="Table 8. Roles and example actions for the IAM Identity service" caption-side="top"}
{: #identity-service-acct-mgmt-terra}

{{site.data.keyword.cloud-shell_notm}} settings

{: #shell-service-account-management-terra}

You can assign users access to view and update {{site.data.keyword.cloud-shell_notm}} settings for the account. Only the account owner or a user with the {{site.data.keyword.cloud-shell_notm}} administrator role can view and update the settings.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Not applicable
Administrator View and update {{site.data.keyword.cloud-shell_notm}} settings
Cloud Operator Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources.
Cloud Developer Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}} resources and develop applications for {{site.data.keyword.cloud_notm}} (Web Preview enabled).
File Manager Create {{site.data.keyword.cloud-shell_short}} environments to manage {{site.data.keyword.cloud_notm}}resources and manage files in your workspace (File Upload and File Download enabled).
{: caption="Table 9. Roles and example actions for the {{site.data.keyword.cloud-shell_notm}} service" caption-side="top"}

License and entitlement

{: #license-entitlement-management-terra}

You can assign users access to manage licenses and entitlements within an account. Any member of an account can view and use an account’s entitlement.

Roles Actions
Viewer Not applicable
Operator Not applicable
Editor Editors can create entitlements and view, update, bind, or delete only the entitlements they acquired.
Administrator Administrators can create entitlements and view, update, bind, or delete any entitlements in the account.
{: caption="Table 10. Roles and example actions for the license and entitlement service" caption-side="top"}

Partner Center

{: #pc-buildgrow-account-management-terra}

You can give users access to view and edit partner profile details, offers, fast tracks, and to create and view support cases.

Roles Actions
Viewer View details about partner profile, offers, fast tracks, support cases.
Editor View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
Operator
Administrator View and edit partner profile, offers, and fast tracks. Create, edit, and view support cases.
{: caption="Table 11. Roles and example actions for the Partner Center service" caption-side="top"}

Partner Center - Sell

{: #prod-lifecycle-account-management-terra}

You can give users access to onboard, validate, and publish software.

Roles Actions
Administrator Create, edit, validate, and publish products
Editor Validate and edit products
Approver Approves or rejects a workflow instance's task
{: caption="Table 12. Roles and example actions for the Partner Center - Sell service" caption-side="top"}

Role Management

{: #custom-roles-account-management-terra}

You can give users access to create, update, and delete custom roles for services in the account.

Roles Actions
Viewer View custom roles
Operator Not applicable
Editor Edit and update custom roles in an account
Administrator Create, edit, update, and delete custom roles in an account
{: caption="Table 13. Roles and example actions for the Access management service" caption-side="top"}

{{site.data.keyword.compliance_short}}

{: #security-compliance-account-management-terra}

You can give users access to create, update, and delete resources for the {{site.data.keyword.compliance_short}} service in the account that you are assigned access.

Roles Actions
Viewer Access the {{site.data.keyword.compliance_short}} dashboard to view current posture and results \n \n View created resources such as scopes, credentials, or rules \n \n View global settings for the service
Operator Create an audit log for monitoring compliance activity
Editor Create, update, or delete objects such as scopes, credentials, and collectors \n \n Update the parameter settings of a goal \n \n Create, update, or delete rules and templates \n \n Edit global admin settings for the service
Administrator Perform all platform actions based on the resource that this role is being assigned, including assigning access policies to other users.
Manager Permissions beyond the writer role to complete privileged actions as defined by the service. In addition, you can create and edit service-specific resources.
Reader Perform read-only actions within a service such as viewing service-specific resources.
Writer Permissions beyond the reader role, including creating and editing service-specific resources.
{: caption="Table 14. Roles and example actions for the {{site.data.keyword.compliance_short}} service" caption-side="top"}

To access all of the {{site.data.keyword.compliance_short}}, you must also assign permissions for the Security Advisor service. For more information, see Assigning access for the Security and Compliance Center. {: note}

Software instance

{: #sw-instance-account-management-terra}

You can give users access to create, delete, or update a software instance. And, you can give users access to view the details page and the logs for the software instance.

Roles Actions
Viewer View the software instance details page
Operator Update a software instance \n \n View the details page for the software instance
Editor Create, delete, update a software instance \n \n View the details page for the software instance
Administrator Create, delete, update a software instance \n \n View the details page for the software instance \n \n View the logs for the software instance \n \n Assign IAM permissions
{: caption="Table 15. Roles and example actions for the Software instance service" caption-side="top"}

Support center

{: #support-center-account-management-terra}

You can give users access to manage support cases.

Roles Actions
Viewer View cases \n \n Search cases
Operator Not applicable
Editor View cases \n \n Search cases \n \n Update cases \n \n Create cases
Administrator View cases \n \n Search cases \n \n Update cases \n \n Create cases
{: caption="Table 16. Roles and example actions for the Support Center service" caption-side="top"}

Assign users the viewer role on the user management service in addition to a support center access policy so the user can see all cases in the account regardless of user list visibility settings. If the user list visibility is set to be restricted, this can limit a user's ability to view, search, and manage support cases in an account that they didn't open themselves. {: tip}

User management

{: #user-management-account-management-terra}

You can give users access to view users in an account, invite and remove users, and view and update user profile settings.

Roles Actions
Viewer View users in the account \n \n View user profile settings
Operator View users in the account \n \n View user profile settings
Editor View, invite, remove, and update users from the account \n \n View and update user profile settings
Administrator View, invite, remove, and update users from the account \n \n View and update user profile settings
{: caption="Table 17. Roles and example actions for the User Management service" caption-side="top"}

The viewer role on the user management service is a role that is commonly assigned for users assigned a role to view or manage support cases. If an account owner restricts the visibility of the user list in the IAM settings, users can't see support cases that are opened by other users in the account. However, if they are assigned the viewer role for the user management service, the user list visibility setting doesn't affect the ability to view cases in the account. {: tip}