securityibm-cloudibm-cloud-iam

IBM Cloud: Required IAM access policy to see user-specific authorizations (policies)?


In IBM Cloud, I have an IAM Access Group for security admins. What policy do I need to grant to have their members READ access to user-specific authorizations, i.e., access policies granted to a user, not an Access Group?

The account owner can see those authorizations by, e.g., the List Policies API. The security admin, when calling that API, either receives an empty list or only a partial list. The Access Group for security admins already has Administrator privilege for IAM Identity Service and IAM Access Group Service.


Solution

  • To see access policies, the security administrators and hence their related Access Group need *Viewer* privilege on all resources and services that are directly "authorized" to users or service IDs. It is not enough to have Viewer or even Administrator role on IAM Access Groups Service, Viewer on all Account Management as well as on all IAM-enabled services is required.

    The following would give Viewer on Account Management services when using Terraform:

    resource "ibm_iam_access_group_policy" "cloud-security-admins-account_viewer" {
      access_group_id = ibm_iam_access_group.cloud-security-admins.id
      account_management = true
      roles = [ "Viewer" ]
    }
    

    And the next Terraform snippet could be used to give Viewer on all IAM-enabled services:

    resource "ibm_iam_access_group_policy" "cloud-security-admins-viewall-resources" {
      access_group_id = ibm_iam_access_group.cloud-security-admins.id
      roles = [ "Viewer" ]
        resources {
        resource_type = "resource-group"
      }
    }