IBM Cloud: Required IAM access policy to see user-specific authorizations (policies)?


In IBM Cloud, I have an IAM Access Group for security admins. What policy do I need to grant to have their members READ access to user-specific authorizations, i.e., access policies granted to a user, not an Access Group?

The account owner can see those authorizations by, e.g., the List Policies API. The security admin, when calling that API, either receives an empty list or only a partial list. The Access Group for security admins already has Administrator privilege for IAM Identity Service and IAM Access Group Service.


There are 2 answers

0
data_henrik On BEST ANSWER

To see access policies, the security administrators and hence their related Access Group need *Viewer* privilege on all resources and services that are directly "authorized" to users or service IDs. It is not enough to have the Viewer or even Administrator role on the IAM Access Groups Service; Viewer on all Account Management services as well as on all IAM-enabled services is required.

The following would give Viewer on Account Management services when using Terraform:

resource "ibm_iam_access_group_policy" "cloud-security-admins-account_viewer" {
  access_group_id = ibm_iam_access_group.cloud-security-admins.id
  account_management = true
  roles = [ "Viewer" ]
}

And the next Terraform snippet could be used to give Viewer on all IAM-enabled services:

resource "ibm_iam_access_group_policy" "cloud-security-admins-viewall-resources" {
  access_group_id = ibm_iam_access_group.cloud-security-admins.id
  roles           = [ "Viewer" ]
  resources {
    resource_type = "resource-group"
  }
}
1
Powell Quiring On

If the policies are based on a resource group, you might need Viewer access to the resource group. In Terraform it would be something like this:

resource "ibm_iam_access_group_policy" "shared_policy" {
  access_group_id = ibm_iam_access_group.shared.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
    resource      = ibm_resource_group.shared.id
  }
}

New resource groups could be added in the future...
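As an added check that is not code from either answer: the following Python takes a List Policies response, finds every policy bound directly to a user or service ID, reduces each to the Viewer scope the accepted answer and the resource-group answer describe (account management, a resource group, or a service), and reports which scopes the auditing access group does not yet hold. The sample JSON, the group id `AG-SEC` and the `READ_ROLES` set are constructed assumptions.

```python
import json

# Constructed sample shaped like the IAM Policy Management API "List policies"
# response (type=access); account, user and group IDs are placeholders.
SAMPLE = json.loads("""[
 {"id":"p1","subjects":[{"attributes":[{"name":"iam_id","value":"IBMid-USER1"}]}],
  "roles":[{"display_name":"Editor"}],
  "resources":[{"attributes":[{"name":"serviceName","value":"cloud-object-storage"}]}]},
 {"id":"p2","subjects":[{"attributes":[{"name":"iam_id","value":"iam-ServiceId-1"}]}],
  "roles":[{"display_name":"Administrator"}],
  "resources":[{"attributes":[{"name":"serviceType","value":"platform_service"}]}]},
 {"id":"p3","subjects":[{"attributes":[{"name":"iam_id","value":"IBMid-USER2"}]}],
  "roles":[{"display_name":"Viewer"}],
  "resources":[{"attributes":[{"name":"resourceType","value":"resource-group"},
                              {"name":"resourceGroupId","value":"rg-shared"}]}]},
 {"id":"p4","subjects":[{"attributes":[{"name":"access_group_id","value":"AG-SEC"}]}],
  "roles":[{"display_name":"Viewer"}],
  "resources":[{"attributes":[{"name":"serviceType","value":"platform_service"}]}]}
]""")
SECURITY_ADMINS = "AG-SEC"  # placeholder id of the auditing access group
READ_ROLES = {"Viewer", "Editor", "Administrator"}  # assumed to carry Viewer's read actions

def attrs(entry):
    """Flatten an IAM subject/resource attribute list into a dict."""
    return {a["name"]: a["value"] for a in entry["attributes"]}
def scope(resource):
    """Reduce a resource block to the Viewer scope needed to read policies on it."""
    a = attrs(resource)
    if a.get("serviceType") == "platform_service":
        return ("account-management", "*")
    if a.get("resourceType") == "resource-group":
        return ("resource-group", a.get("resourceGroupId", "*"))
    return ("service", a.get("serviceName", "*"), a.get("resourceGroupId", "*"))
def covers(have, need):
    """A held scope covers a needed one when kinds match and each part is equal or '*'."""
    return have[0] == need[0] and all(h in ("*", n) for h, n in zip(have[1:], need[1:]))
def required_scopes(policies):
    """Scopes of every policy bound directly to a user or service ID (iam_id subject)."""
    return {scope(r) for p in policies
            if any("iam_id" in attrs(s) for s in p["subjects"]) for r in p["resources"]}
def held_scopes(policies, group_id):
    """Scopes on which the access group already holds a role with read access."""
    return {scope(r) for p in policies
            if any(attrs(s).get("access_group_id") == group_id for s in p["subjects"])
            and any(r["display_name"] in READ_ROLES for r in p["roles"]) for r in p["resources"]}
def missing_viewer_grants(policies, group_id):
    """Scopes the group still needs Viewer on before it can list those user policies."""
    held = held_scopes(policies, group_id)
    return sorted(n for n in required_scopes(policies) if not any(covers(h, n) for h in held))
```

Each returned tuple maps to one Terraform policy of the kind shown in the answers: `account-management` to `account_management = true`, `resource-group` to a `resources { resource_type = "resource-group" ... }` block, and `service` to a service-scoped Viewer grant.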