---
lastupdated: "2019-01-15"
---

{:shortdesc: .shortdesc}
{:new_window: target="_blank"}
{:codeblock: .codeblock}
{:pre: .pre}
{:screen: .screen}
{:tip: .tip}

# Setting up permissions
{: #permissions}
Before users begin creating and working with an {{site.data.keyword.cfee_full}} (CFEE) service, their permissions must be set correctly by an administrator of the account where the CFEE instance is to be created.
## Permissions summary
{: #perm-summary}
The following table summarizes the minimum IAM and Cloud Foundry role assignments required to perform various tasks in a CFEE instance. The remaining sections describe these permissions in more detail.
Task | IAM Access Roles | Cloud Foundry Roles |
---|---|---|
Create a CFEE | Viewer on the resource group; Editor or Administrator on the CFEE service; Administrator on the Kubernetes Service; Editor or Administrator platform role plus Manager service role on Cloud Object Storage | Manager in a public organization and Developer in one of its spaces (for the Compose for PostgreSQL instance) |
Update CFEE version | Editor or higher on the CFEE instance; Operator or higher on its Kubernetes cluster | |
Scale CFEE capacity (add/remove cells) | Administrator on the CFEE instance; Operator or higher on its Kubernetes cluster | |
Monitor CFEE | | |
View CFEE resource usage | | |
Enable CFEE auditing | | |
View CFEE auditing events | | |
Enable CFEE log persistence | | |
View CFEE persisted logs | | |
Create CFEE organizations | Editor or Administrator on the CFEE instance | |
Create CFEE spaces | | |
Manage shared domains | | |
View shared domains | | |
Manage private domains | | |
View private domains | | |
Create/Delete an IBM Cloud service instance in a CFEE space | | |
Add/Remove an IBM Cloud service instance to/from a CFEE space (i.e., create/delete an alias to an IBM Cloud service in a CFEE space) | Operator or higher on the service instance | |
Bind or unbind an IBM Cloud service instance in a CFEE space | Operator or higher platform role and Writer or higher service role on the service instance | |
Issue cf cli commands | | |
{: caption="Table 1. Permissions required to perform tasks in a CFEE" caption-side="top"}
## Permissions for creating a CFEE instance
{: #perm-creating}
To create new instances of the CFEE service, users must be granted access policies by an account administrator, not only to the CFEE service itself but also to the supporting services that are created automatically along with the CFEE.
The following Identity & Access Management (IAM) access policies are required for users to be able to create an {{site.data.keyword.cfee_full_notm}} instance:
- Viewer (or higher) access to the Default resource group in the {{site.data.keyword.Bluemix}} account. Resource groups let you organize resources into customized groupings that facilitate access control over those resources. You are prompted for a resource group when you create a new environment instance. Access to the Default resource group is required because that is always the resource group in which the Kubernetes cluster is created. Users can provision the CFEE instance in a different resource group, but the Kubernetes cluster is still provisioned in the Default resource group. If a user provisions the CFEE in a different resource group, that user also requires Viewer access to that resource group.
- Administrator or Editor role to the {{site.data.keyword.cfee_full_notm}} service resources in the resource group to which the environment is assigned. Users with either the Administrator or the Editor role on the {{site.data.keyword.cfee_full_notm}} service can create and delete environments, but only users with the Administrator role can assign users to an {{site.data.keyword.cfee_full_notm}} instance or change the roles that are assigned to users in that instance.
- Administrator role to the Kubernetes Service resources. Instances of the {{site.data.keyword.cfee_full_notm}} are deployed on container cluster infrastructure provided by the Kubernetes Service. When you create an instance of the {{site.data.keyword.cfee_full_notm}} service, the service automatically creates a Kubernetes cluster, and access to the Kubernetes Service is required to create that cluster infrastructure. You can scope the Kubernetes Service policy to the specific region where you intend to provision the CFEE instance, or to all regions.
- Administrator or Editor platform role, and Manager service access role, to the IBM Cloud Object Storage service, which is a required dependency of the CFEE service. An instance of IBM Cloud Object Storage is used to store data generated during the creation of your CFEE application containers (for example, uploaded application packages, buildpacks, and compiled executables).
- Manager role in a public Cloud Foundry organization, and Developer role in at least one space of that organization, in the location where you intend to provision the CFEE instance. An instance of the Compose for PostgreSQL service is a required dependency of the CFEE service. Compose for PostgreSQL stores the Cloud Foundry data of your CFEE instance (for example, auditing of application deployment, start, and stop events, and records of CFEE user membership, organizations, spaces, applications, and service connections). That Compose for PostgreSQL instance is deployed in a space within a public Cloud Foundry organization (unrelated to CFEE organizations) that you select when creating a {{site.data.keyword.cfee_full_notm}} instance, which is why the organization and space roles are required.
If you are not a member of at least one public organization in the location where you intend to create a CFEE instance, ask an IBM Cloud administrator to invite you to one. If you have the administrator role in the account, you can add users to public organizations and spaces in the account as follows:
- Go to Manage > Account > Cloud Foundry Orgs and either click Add an organization or select an existing organization.
- Go to the Users tab at the top of the organization's page.
- Find the user who needs to create CFEE instances. If that user is not in the list, click Add or invite user above the table to add or invite the user to the organization.
- Go to the Spaces tab at the top of the organization's page.
- Find the space in which the Compose for PostgreSQL instance will be provisioned and select the Developer role checkbox for that user.
The following screen illustrates access policies as they would appear in the Identity & Access page of {{site.data.keyword.Bluemix_notm}} for a user who is allowed to create an {{site.data.keyword.cfee_full_notm}} instance.
You can grant user permissions by using the {{site.data.keyword.Bluemix}} command line. You can also define an access policy for a user by specifying the parameters of the policy (services, roles, regions, and so on) in a JSON-formatted file that is passed to the command that creates the policy. See Assigning an IAM policy by using the command line for more information, or issue `ibmcloud iam -help` in the command line. Note that this requires installing the IBM Cloud CLI.
{:tip}
To confirm that you have the required access policies to create an {{site.data.keyword.cfee_full_notm}} instance:
- Go to the Manage > Access(IAM) > Users menu in the {{site.data.keyword.Bluemix_notm}} header to open the Identity & Access page.
- In the Access policies tab, click the user who is creating the environment to assign and view the access policies for that user.
For more information about managing users and access in the {{site.data.keyword.Bluemix}}, including how to organize a set of users and service IDs to facilitate access assignment to multiple users at a time, see Managing users and access.
### Setting creation permissions with the command line
{: #permcli-creating}
You can expedite setting the permissions for creating CFEE instances with the `ibmcloud cfee create-permission-set` command. It lets a CFEE administrator set up, in a single command, the access policies required for creating a CFEE instance and all its ancillary services.
The command sets the permissions on an IAM access group and adds the user to that access group. The administrator issuing the command can name an existing access group; if none is given, a default access group named `cfee-provision-access-group` is created automatically.
ibmcloud cfee create-permission-set USER_NAME [-ag, --access-group GROUP_NAME] [--output TYPE]
{: pre}
The command sets the following access policies for the target user:
- Editor role to the Cloud Object Storage and CFEE services in the current IBM Cloud account.
- Administrator role to the Kubernetes Service in the current IBM Cloud account.
- Developer role to the current space in the current org, for provisioning the Compose for PostgreSQL instance.
Note that the command grants Editor, not Administrator, on the CFEE service: that is enough to create and delete environments, but not to assign users to an instance or change their roles, which requires the Administrator role.
For more details on the command, issue the following:
ibmcloud cfee create-permission-set -help
{: pre}
You can use the `ibmcloud cfee provision-permission-get` command to find out or validate the access policies in place for a user:
ibmcloud cfee provision-permission-get USER_NAME [-ag, --access-group GROUP_NAME] [--output TYPE]
{: pre}
## Permissions for working with a CFEE instance
{: #perm-working}
To work with an instance of the {{site.data.keyword.cfee_full_notm}}, users must be:
- Members of the {{site.data.keyword.Bluemix_notm}} account where the {{site.data.keyword.cfee_full_notm}} instance was created.
- Granted the following IAM access policies by the account administrator (see the Identity & Access page under the Manage > Access (IAM) > Users menu in the {{site.data.keyword.Bluemix_notm}} header to check your current account access policies):
Any user working in a CFEE instance needs a viewer platform role (or higher) to:
- The resource group under which the CFEE instance was created.
- The CFEE instance itself.
The level of access and control that users have in a CFEE instance depends on the role that is granted in their access policies:
- Users with the Viewer role to a CFEE instance can see it listed in the main {{site.data.keyword.Bluemix_notm}} dashboard and open its user interface. Users' access to specific organizations and spaces within the environment is governed by the organization and space roles that are assigned by the managers of those organizations and spaces. For more information, see Adding users to organizations.
- Users assigned the Administrator or Editor role to a CFEE instance can create organizations, assign managers to organizations and spaces, have full permissions to all organizations and spaces within the environment, and can perform operational actions through the Cloud Controller API. These users are automatically granted the cloud_controller.admin scope in the Cloud Foundry User Account and Authentication (UAA) server, so Editor on a CFEE instance is effectively full Cloud Foundry administrator access to that environment.
- Users need the Editor platform role or higher to a CFEE instance, and the Operator role or higher to the Kubernetes cluster into which the CFEE is provisioned, to update the CFEE to a new version.
- Users need the Administrator platform role to a CFEE instance, and the Operator role or higher to the Kubernetes cluster into which the CFEE is provisioned, to change the capacity of a CFEE (adding or removing cells).
- Users need the Operator platform role (or higher) to an IBM Cloud service instance to add that service instance to a CFEE space (that is, to alias a service instance into a CFEE space).
- Users need the Operator platform role (or higher) and the Writer service role (or higher) to an IBM Cloud service instance to bind that service instance to an application deployed in a CFEE space.
## Using access groups
{: #access-groups}
Consider using access groups to manage and simplify access control for your CFEE. Access groups let you define arbitrary groups of users to which you assign access policies. Any user added to an access group automatically receives the group's access policies.
You can create and manage access groups from either the IBM Cloud user interface or the `ibmcloud` CLI.
From the user interface, go to the menu bar, click Manage > Access (IAM), and select Access Groups.
Alternatively, use the `ibmcloud` CLI:
- Create an access group:
ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]
{: pre}
- Create an access policy for that access group:
ibmcloud iam access-group-policy-create GROUP_NAME --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--region REGION] [--resource-group-name RESOURCE_GROUP_NAME]
{: pre}
- Add users to the access group:
ibmcloud iam access-group-user-add GROUP_NAME USER_NAME [USER_NAME2...]
{: pre}
For more information, see [Setting up access groups](https://cloud.ibm.com/docs/iam/groups.html#groups).
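The access-group procedure above and the per-service policy list in the section on creating a CFEE instance, combined into one script. This is an added example, not part of the CFEE documentation or the CFEE CLI plug-in: it is the explicit equivalent of `ibmcloud cfee create-permission-set`, useful when you want to see exactly which policies are granted, scope the Kubernetes policy to one region, or pin the CFEE role to Editor rather than Administrator. It assumes the IBM Cloud CLI is installed and you are logged in as an account administrator, that the CFEE will be created in the same resource group that holds the Kubernetes cluster (so one resource group ID serves both the Viewer and the CFEE policy), and that `cfee` is the IAM service name of the CFEE service (an assumption). The group, user, org, space and resource-group values are placeholders. By default the script only prints the commands it would run; set `APPLY=1` to execute them.

```sh
#!/bin/sh
# Added example: grant one user the IAM and Cloud Foundry roles needed to
# create a CFEE instance, via an IAM access group. Not CFEE project code.
# Assumes: `ibmcloud login` done as an account administrator; "cfee" as the
# IAM service name is an assumption. Default is a dry run; APPLY=1 executes.
set -eu

# Every ibmcloud call goes through run(): print the plan, or execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# IAM side: one access group carrying the policies listed for CFEE creation.
# $1 access group name, $2 resource group ID, $3 region for the Kubernetes policy
cfee_iam_policies() {
  group=$1; rg_id=$2; region=$3
  run ibmcloud iam access-group-create "$group" -d "Can provision CFEE instances"
  # Viewer on the resource group that will hold the Kubernetes cluster.
  # If the CFEE goes into another group, add a second Viewer policy for it.
  run ibmcloud iam access-group-policy-create "$group" --roles Viewer \
    --resource-type resource-group --resource "$rg_id"
  # Editor is enough to create and delete a CFEE; only Administrator can
  # also manage the users of the instance, so grant it separately if needed.
  run ibmcloud iam access-group-policy-create "$group" --roles Editor \
    --service-name cfee --resource-group-id "$rg_id"
  # Administrator on the Kubernetes Service, scoped to the CFEE's region
  # rather than all regions (least privilege).
  run ibmcloud iam access-group-policy-create "$group" --roles Administrator \
    --service-name containers-kubernetes --region "$region"
  # Editor platform role plus Manager service role on Cloud Object Storage.
  run ibmcloud iam access-group-policy-create "$group" --roles Editor,Manager \
    --service-name cloud-object-storage
}

# Cloud Foundry side: Compose for PostgreSQL lands in a public org/space, so
# the user needs Manager on that org and Developer on that space.
# $1 user, $2 public org, $3 space
cfee_cf_roles() {
  user=$1; org=$2; space=$3
  run ibmcloud account org-role-set "$user" "$org" OrgManager
  run ibmcloud account space-role-set "$user" "$org" "$space" SpaceDeveloper
}

# Number of commands the IAM plan emits; handy for checking a dry run.
plan_lines() {
  cfee_iam_policies "$1" "$2" "$3" | wc -l | tr -d ' '
}

main() {
  [ $# -eq 6 ] || {
    echo "usage: $0 USER GROUP RESOURCE_GROUP_ID REGION ORG SPACE" >&2
    exit 2
  }
  cfee_iam_policies "$2" "$3" "$4"
  run ibmcloud iam access-group-user-add "$2" "$1"
  cfee_cf_roles "$1" "$5" "$6"
}

# Only run main when invoked with arguments; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once without `APPLY` to review the plan, for example `./cfee-perms.sh alice@example.com cfee-provisioners 0123456789abcdef us-south myorg dev`, then rerun with `APPLY=1` to execute. Afterwards `ibmcloud cfee provision-permission-get USER_NAME` (or `ibmcloud iam access-group-policies GROUP_NAME`) shows the resulting policies.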