| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2023-09-27 |
IAM access for code engine, permissions for code engine, identity and access management for code engine, roles for code engine, actions for code engine, assigning access for code engine, user access, access, platform roles, service roles |
codeengine |
{{site.data.keyword.attribute-definition-list}}
{: #iam}
Access to {{site.data.keyword.codeenginefull}} service instances for users in your account is controlled by {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM). Every user that accesses the {{site.data.keyword.codeengineshort}} service in your account must be assigned an access policy with an IAM role defined. The policy determines what actions a user can perform within the context of the service or instance that you select. The allowable actions are customized and defined by the {{site.data.keyword.cloud_notm}} service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles. {: shortdesc}
Policies enable access to be granted at different levels.
Roles define the actions that a user or service ID can run. There are different types of roles in the {{site.data.keyword.cloud_notm}}:
- Platform management roles enable users to perform tasks on {{site.data.keyword.codeengineshort}} resources at the platform level, for example assign user access for {{site.data.keyword.codeengineshort}}, create or delete service IDs, create projects, and assign policies for {{site.data.keyword.codeengineshort}} to other users.
- Service access roles enable users to be assigned varying levels of permission for calling the {{site.data.keyword.codeengineshort}} API.
{{site.data.keyword.codeengineshort}} uses both the Platform and Service management roles. You can set policies about who can create a project at the platform level, and then use the service roles to manage interaction with the project itself.
Want to learn more about IAM key concepts? Check out What is IBM Cloud Identity and Access Management?. {: tip}
{: #iam-accesspolicy}
You can see which access policies are set for you in the {{site.data.keyword.iamlong}} (IAM){: external} console. Be sure to check access policies{: external} that apply for your user, and any access policies that are assigned to any access groups{: external} that include your user.
To view IAM information about your user access,
- Go to Access IAM users{: external}.
- Click your name in the user table.
- Click the Access policies tab to see your access policies.
To view IAM information about access groups for your user,
- Go to Access IAM groups{: external}.
- Click the name of an access group to view information about the group.
- Click the Access tab to see your access policies assigned to the group.
{: #groups}
To manage access or assign new access for users by using access groups, you must be the account owner, administrator, or editor on all Identity and Access enabled services in the account, or the assigned Administrator or Editor for the IAM Access Groups Service.
Choose any of the following actions to manage access groups in the {{site.data.keyword.cloud_notm}}:
For more information about IAM commands, see the IAM CLI reference docs.
{: #users}
To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.
Choose any of the following actions to manage IAM policies in the {{site.data.keyword.cloud_notm}}:
- To grant permissions to a user, see Assigning access.
- To revoke permissions, see Removing access.
- To review a user's permissions, see Reviewing your assigned access.
For more information about IAM commands, see the IAM CLI reference docs.
{: #platform}
Platform management roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.
In {{site.data.keyword.codeengineshort}}, projects are service instances.
{: note}
Use the following table to identify the platform role that you can grant a user in the {{site.data.keyword.cloud_notm}} to run any of the following platform actions:
| Platform actions | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|
| Grant other account members access to work with the service. |  |
|||
| Create a project. | |
|
||
| Delete a project. | |
|
||
| Update a project. | |
|
||
| View {{site.data.keyword.codeengineshort}} dashboard. | |
|
|
|
| View details of a project. | |
|
|
|
| {: caption="Table 1. IAM user platform roles and actions" caption-side="bottom"} |
{: #service}
Use the following table to identify the service roles that you can grant a user to run any of the following service actions:
| Actions | Manager | Writer | Reader |
|---|---|---|---|
| Create items within a project. | |
|
|
| Update items within a project. | |
|
|
| Delete items within a project. | |
|
|
| List and view items within a project. | |
|
|
| {: caption="Table 2. IAM service roles and actions" caption-side="bottom"} |
{: #cli-access-req}
To work with a {{site.data.keyword.codeengineshort}} project with the CLI, you must first target a resource group. To target a resource group with the CLI, you need Viewer access to the resource group.
{: #container-registry-access-req}
For more information about {{site.data.keyword.codeengineshort}} requirements for accessing images in a container registry, see Accessing container registries.
{: #service-binding-access-req}
For more information about {{site.data.keyword.codeengineshort}} service binding access requirements, see Configuring access for service bindings.
{: #toolchain-access-req}
For more information about {{site.data.keyword.codeengineshort}} access requirements for building and deploying an app or job with a toolchain, see Configuring access for your toolchain.