copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2022-03-25 |
dynamic rules,access groups,specific identity attributes,identity provider,federated ID, |
account |
{{site.data.keyword.attribute-definition-list}}
{: #rules}
You can create dynamic rules to automatically add federated users to access groups based on specific identity attributes. When your users log in with a federated ID, the data from the identity provider (IdP) dynamically maps your users to an access group based on the rules that you set. {: shortdesc}
Users already have specific identity information within your company's domain, and when they log in with a federated ID, this data can be passed through by using SAML assertions. The SAML assertions or attribute statements that are configured within the IdP provide the data that is used to create each rule. For example, you might have a true or false attribute statement that defines users as a manager. This information can be used to add all users who are managers to a specific access group for managers that you created in your {{site.data.keyword.Bluemix}} account. For more information, see the tutorial about how to Control access to cloud resources{: external} and an Example rule.
Only users who are already invited to the account can be mapped to access groups by using dynamic rules. {: note}
{: #setup_rules} {: ui}
Dynamic rules are created by setting conditions that must be matched by the data that is configured within the IdP and passed in with a user's federated ID during login. You can add more than one condition for a rule. All conditions set in the rule must be met for a user to be added to an access group.
To create a rule, follow these steps:
- In the {{site.data.keyword.cloud_notm}} console, click Manage > Access (IAM), and select Access Groups.
- Select the name of the access group that you want to create a rule for. This action opens the group Details page.
- Select Dynamic rules.
- Click Add rule.
- Enter the information from your IdP that is dynamically provided for you on the Add rule page. The following list provides details for each required field.
You can think of an access group rule as a key:value pair. The key is what you add in the Add users when
field, and the value is what you enter in the Values
field.
{: tip}
For more information about the fields that are used to create dynamic rules, see IAM condition properties.
{: #setup_rules_terraform} {: terraform}
Dynamic rules are created by setting conditions that must be matched by the data that is configured within the IdP and passed in with a user's federated ID during login. You can add more than one condition for a rule. All conditions set in the rule must be met for a user to be added to an access group.
To create a rule by using Terraform, follow these steps:
-
To install the Terraform CLI and configure the {{site.data.keyword.cloud_notm}} Provider plug-in for Terraform, follow the tutorial for Getting started with Terraform on {{site.data.keyword.cloud}}. The plug-in abstracts the {{site.data.keyword.cloud_notm}} APIs that are used to complete this task.
-
Create a Terraform configuration file that is named
main.tf
. In this file, you add the configuration to create dynamic rules for access groups by using HashiCorp Configuration Language. For more information, see the Terraform documentation{: external}.The following example creates a new dynamic rule for an access group by using the
ibm_iam_access_group_dynamic_rule
resource, wherename
is a unique name to identify the dynamic rule.resource "ibm_iam_access_group_dynamic_rule" "rule1" { name = "newrule" access_group_id = "AccessGroupId-dsnd4bvsaf" expiration = 4 identity_provider = "test-idp.com" conditions { claim = "blueGroups" operator = "CONTAINS" value = "\"test-bluegroup-saml\"" } }
{: codeblock}
For more information, see the argument reference details in the Terraform documentation page.
-
Initialize the Terraform CLI.
terraform init
{: pre}
-
Create a Terraform execution plan. The Terraform execution plan summarizes all the actions that need to be run to create the dynamic rule.
terraform plan
{: pre}
-
Create the dynamic rule.
terraform apply
{: pre}
For more information about the fields that are used to create dynamic rules, see IAM condition properties.
{: #view-dynamic-users} {: ui}
You can view the users that are added to an access group by using dynamic rules. To view dynamic members of access groups, go to Manage > Access (IAM) > Access groups in the {{site.data.keyword.cloud_notm}} console. Select an access group and click Users. Dynamically added users are indicated by the type Dynamic
.
The following users will not appear in the table:
- Dynamically added users who are not logged in yet
- Dynamically added users whose session expired
Dynamic users that are logged out but whose sessions are still valid continue to appear in the table until their sessions expire.
You can't remove a dynamic user manually. To remove a dynamic user, adjust your dynamic rules. {: note}
{: #view-dynamic-ag}
You can also view a list of access groups that a user is added to based on dynamic rules by completing the following steps:
- Go to Manage > Access (IAM) > Users in the {{site.data.keyword.cloud_notm}} console.
- Click on a user.
- Click Access groups.
- The access groups that a user is a dynamic member of is indicated by the type
Dynamic
.