| copyright | lastupdated | ||
|---|---|---|---|
|
2017-11-16 |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:new_window: target="_blank"}
{: #iamoverview}
{{site.data.keyword.Bluemix_notm}} Identity and Access Management (IAM) enables you to securely authenticate users for both platform and infrastructure services and control access to resources consistently across the {{site.data.keyword.Bluemix_notm}} platform. A set of {{site.data.keyword.Bluemix_notm}} services are enabled to use Cloud IAM for access control and are organized into resource groups within your account to enable giving users quick and easy access to more than one resource at a time. Cloud IAM access policies are used to assign users and service IDs access to the resources within your account.
A policy assigns a user or service ID one or more roles with a combination of attributes that define the scope of access. The policy can provide access to a single service down to the instance level, or the policy can apply to a set of resources organized together in a resource group. Depending on the user roles that you assign, the user or service ID is allowed varying levels of access for completing platform management tasks or accessing a service by using the UI or performing specific types of API calls.
For services that do not support creating Cloud IAM policies for managing access, you can use Cloud Foundry access.
{: #features}
- User management
- Unified user management enables you to add and delete users in an account for both platform and infrastructure services.
- Fine-grained access control
- Access for users and service IDs is defined by a policy. Within the policy, the scope of access can be assigned to a set of resources in a resource group or a single resource. After the scope is set, you can define what actions are allowed by the subject of the policy by selecting access roles. Roles provide a way to tailor the level of access that is granted for the subject of the policy to perform platform management tasks and access a service's UI or perform API calls.
- API keys for user authentication
- Multiple API keys can be created for a user to support key rotation scenarios, and the same key can be used for accessing multiple services. Platform user API keys enable users who use two-factor authentication or a federated ID to automate authentication from the command line.
- Service IDs
- A service ID identifies a service or application similar to how a user ID identifies a user. These are IDs that can be used by applications to authenticate with an {{site.data.keyword.Bluemix_notm}} service. Policies can be assigned to each service ID to control the level of access that is allowed by an application using the service ID, and an API key can be created to enable the authentication.
You can access and use Cloud IAM through the Identity and Access UI or the CLI for {{site.data.keyword.Bluemix_notm}}.
To access Cloud IAM by using the UI, go to Manage > Security > Identity and Access.
To access Cloud IAM by using the CLI, refer to Commands for managing API keys and policies.