IBM Cloud: Required IAM access policy to see user-specific authorizations (policies)?

Question

In IBM Cloud, I have an IAM Access Group for security admins. What policy do I need to grant to have their members READ access to user-specific authorizations, i.e., access policies granted to a user, not an Access Group?

The account owner can see those authorizations by, e.g., the List Policies API. The security admin, when calling that API, either receives an empty list or only a partial list. The Access Group for security admins already has Administrator privilege for IAM Identity Service and IAM Access Group Service.

score 1 · Answer 1 · answered Aug 31 '20 at 17:28

1

If the policies are based on a resource group you might need Viewer access to the resource group. In terraform it would be something like this:

resource "ibm_iam_access_group_policy" "shared_policy" {
  access_group_id = ibm_iam_access_group.shared.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
    resource      = ibm_resource_group.shared.id
  }
}

New resource groups could be added in the future...

answered Aug 31 '20 at 17:28

Powell Quiring

2,349
2
11
9

Not necessarily based on a resource group, it could be anything directly assigned to a user (or service ID). – data_henrik Aug 31 '20 at 17:59

score 1 · Accepted Answer · answered Sep 01 '20 at 08:54

To see access policies, the security administrators and hence their related Access Group need *Viewer* privilege on all resources and services that are directly "authorized" to users or service IDs. It is not enough to have Viewer or even Administrator role on IAM Access Groups Service, Viewer on all Account Management as well as on all IAM-enabled services is required.

The following would give Viewer on Account Management services when using Terraform:

resource "ibm_iam_access_group_policy" "cloud-security-admins-account_viewer" {
  access_group_id = ibm_iam_access_group.cloud-security-admins.id
  account_management = true
  roles = [ "Viewer" ]
}

And the next Terraform snippet could be used to give Viewer on all IAM-enabled services:

resource "ibm_iam_access_group_policy" "cloud-security-admins-viewall-resources" {
  access_group_id = ibm_iam_access_group.cloud-security-admins.id
  roles = [ "Viewer" ]
    resources {
    resource_type = "resource-group"
  }
}

IBM Cloud: Required IAM access policy to see user-specific authorizations (policies)?

2 Answers2