| copyright |
|
||
|---|---|---|---|
| lastupdated | 2018-02-12 |
{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:download: .download}
{: #users}
You can grant access to a cluster for other users in your organization to ensure that only authorized users can work with the cluster and deploy apps to the cluster. {:shortdesc}
{: #managing}
Every user that works with {{site.data.keyword.containershort_notm}} must be assigned a combination of service-specific user roles that determine which actions the user can perform. {:shortdesc}
- {{site.data.keyword.containershort_notm}} access policies
- In Identity and Access Management, {{site.data.keyword.containershort_notm}} access policies determine the cluster management actions that you can perform on a cluster, such as creating or removing clusters, and adding or removing extra worker nodes. These policies must be set in conjunction with infrastructure policies.
- Infrastructure access policies
- In Identity and Access Management, infrastructure access policies allow the actions that are requested from the {{site.data.keyword.containershort_notm}} user interface or the CLI to be completed in IBM Cloud infrastructure (SoftLayer). These policies must be set in conjunction with {{site.data.keyword.containershort_notm}} access policies. [Learn more about the available infrastructure roles](/docs/iam/infrastructureaccess.html#infrapermission).
- Resource groups
- A resource group is a way to organize {{site.data.keyword.Bluemix_notm}} services into groupings so that you can quickly assign users access to more than one resource at a time. [Learn how to manage users by using resource groups](/docs/account/resourcegroups.html#rgs).
- Cloud Foundry roles
- In Identity and Access Management, every user must be assigned a Cloud Foundry user role. This role determines the actions that the user can perform on the {{site.data.keyword.Bluemix_notm}} account, such as inviting other users, or viewing the quota usage. [Learn more about the available Cloud Foundry roles](/docs/iam/cfaccess.html#cfaccess).
- Kubernetes RBAC roles
- Every user who is assigned an {{site.data.keyword.containershort_notm}} access policy is automatically assigned a Kubernetes RBAC role. In Kubernetes, RBAC roles determine the actions that you can perform on Kubernetes resources inside the cluster. RBAC roles are set up for the default namespace only. The cluster administrator can add RBAC roles for other namespaces in the cluster. See [Using RBAC Authorization ](https://kubernetes.io/docs/admin/authorization/rbac/#api-overview) in the Kubernetes documentation for more information.
{: #access_policies}
Review the access policies and permissions that you can grant to users in your {{site.data.keyword.Bluemix_notm}} account. The operator and editor roles have separate permissions. If you want a user to, for example, add worker nodes and bind services, then you must assign the user both the operator and editor roles. For more details on corresponding infrastructure access policies, see Customizing infrastructure permissions for a user.
If you change a user's access policy, {{site.data.keyword.containershort_notm}} cleans up the RBAC policies associated with the change in your cluster for you.
Note: When you downgrade permissions, for example you want to assign viewer access to a former cluster admin, you must wait 15 minutes for the downgrade to complete.
| {{site.data.keyword.containershort_notm}} access policy | Cluster management permissions | Kubernetes resource permissions |
|---|---|---|
| Administrator | This role inherits permissions from the Editor, Operator, and Viewer roles for all clusters in this account. When set for all current service instances:
When set for a specific cluster ID:
Note: To create resources such as machines, VLANs, and subnets, users need the Super user infrastructure role. |
|
| Operator |
Corresponding infrastructure access policy: Custom |
|
| Editor Tip: Use this role for app developers. |
Corresponding infrastructure access policy: Custom |
|
| Viewer |
Corresponding infrastructure access policy: View only |
|
| Cloud Foundry access policy | Account management permissions |
|---|---|
| Organization role: Manager |
|
| Space role: Developer |
|
{: #add_users}
You can add additional users to an {{site.data.keyword.Bluemix_notm}} account to grant access to your clusters.
Before you begin, verify that you have been assigned the Manager Cloud Foundry role for an {{site.data.keyword.Bluemix_notm}} account.
- Add the user to the account.
- In the Access section, expand Services.
- Assign an {{site.data.keyword.containershort_notm}} access role. From the Assign access to drop-down list, decide whether you want to grant access only to your {{site.data.keyword.containershort_notm}} account (Resource), or to a collection of various resources within your account (Resource group).
- For Resource:
- From the Services drop-down list, select {{site.data.keyword.containershort_notm}}.
- From the Region drop-down list, select the region to invite the user to.
- From the Service instance drop-down list, select the cluster to invite the user to. To find the ID of a specific cluster, run
bx cs clusters. - In the Select roles section, choose a role. To find a list of supported actions per role, see Access policies and permissions.
- For Resource group:
- From the Resource group drop-down list, select the resource group that includes permissions for your account's {{site.data.keyword.containershort_notm}} resource.
- From the Assign access to a resource group drop-down list, select a role. To find a list of supported actions per role, see Access policies and permissions.
- Optional: Assign an infrastructure role.
- Optional: Assign a Cloud Foundry role.
- Click Invite users.
{: #infra_access}
When you set infrastructure policies in Identity and Access Management, a user is given permissions associated with a role. To customize those permissions, you must log in to IBM Cloud infrastructure (SoftLayer) and adjust the permissions there. {: #view_access}
For example, Basic Users can reboot a worker node, but they cannot reload a worker node. Without giving that person Super User permissions, you can adjust the IBM Cloud infrastructure (SoftLayer) permissions and add the permission to run a reload command.
- Log in to your IBM Cloud infrastructure (SoftLayer) account.
- Select a user profile to update.
- In the Portal Permissions, customize the user's access. For example, to add reload permission, in the Devices tab, select Issue OS Reloads and Initiate Rescue Kernel.
- Save your changes.