Cloud
October 24, 2023 By Carlos Gomez
Addison Martin
5 min read

Enterprise-managed identity and access management (IAM) enables cloud administrators to centrally configure access and security settings for the entire organization. To learn about the basics, see “How enterprise-managed IAM works.”

The case study in this blog post shows how to easily and securely implement and manage a site reliability engineering (SRE) team’s access across an enterprise.

Case study

A large banking client has a centralized site reliability engineering (SRE) team that manages operations for all resources in the organization. The client uses federation to authenticate users to IBM Cloud enterprise accounts. All teams use Kubernetes and IBM Cloud Databases resources as part of their deployment. The SRE team needs operational access to these resources for every team in every account under the company’s IBM Cloud enterprise.

As the teams introduce new resources, the SRE team manages those resources, as well. Manually managing this access setup across a growing number of accounts is error-prone, time-consuming and does not meet certain audit controls since the assigned access can be updated by the child account administrators.

By using enterprise-managed IAM templates to define access for their SRE team and assign them to the organization’s accounts, the client’s process changed from an ongoing effort to a one-time setup activity. Now, SRE access is included in both established and newly created accounts. Additionally, this access cannot be updated by the child account administrator.

In this post, we’ll provide step-by-step instructions on how to apply this solution in your organization.

Prerequisites

  1. Be in the root enterprise account.
  2. Make sure that the enterprise user performing this task has Template Administrator and Template Assignment Administrator roles on IAM services and at least the Viewer role on the Enterprise service. For more information, see “Assigning access for enterprise management.
  3. Make sure that child accounts enable the enterprise-managed IAM setting. For more information, see “Opting in to enterprise-managed IAM for new and existing accounts.”

Solution

First, create a trusted profile template for the SRE team members and add access policy templates to manage all IBM Cloud Kubernetes Service clusters and IBM Cloud Databases for MongoDB instances in the child accounts. Next, assign the trusted profile template to the account group containing the account(s) to manage. Finally, we’ll grant additional access policy templates to the SRE team by creating a new trusted profile template version with the additional access required and updating the existing assignment accounts.

To implement this solution, we’ll complete the following steps:

  1. Create a trusted profile template.
  2. Add a trust relationship.
  3. Add access policy templates.
  4. Review and commit the trusted profile template.
  5. Assign the trusted profile template.

Then, we’ll update the assignment with these steps:

  1. Create a new template version.
  2. Add an additional access policy template.
  3. Review and commit the trusted profile template.
  4. Update the existing assignment to version 2.

Steps to create and assign a template

1. Go to Manage > Access (IAM). In the Enterprise section, click Templates > Trusted Profiles > Create. Click Create to create a trusted profile template for the SRE team:

2. Add a trust relationship to dynamically add the SRE team to the trusted profile based on your Identity provider (IdP):

This will be based on the claims available by your IdP:

3. Go to the Access tab to create access policies:

Administrator role for the IBM Cloud Kubernetes Service:

Administrator role for IBM Cloud Databases for MongoDB:

4. Review and commit the trusted profile and policies templates. Committing templates prevents them from being changed:

5. Assign the trusted profile template to the account group. By selecting the entire account group, the system will automatically assign templates to the new accounts when they are added or moved in:

After the assignment is complete, the members of the SRE team can log in to the accounts under the account group and have the required access to perform their duties.

As your teams and cloud workloads grow, you might need to enable the SRE team to manage other resources. In the following example, we are granting the SRE team access to manage IBM Cloudant in addition to their existing access.

Steps to update a template and assignment

1. First, since we need to update an assigned template, we need to create a new version of the SRE team template:

2. Since we want to expand the SRE team access, we’ll create a new policy template with access to Cloudant resources:

3. Commit the trusted profile template and policy template:

4. Now, we need to update the assignment from version 1 to version 2. First, switch to template version 1:

In the Assignments tab, update the assignment:

Once the assignment is complete, the SRE team will now be able to manage IBM Cloudant resources in addition to the existing IBM Cloud Kubernetes Service and IBM Cloud Databases for MongoDB access.

Conclusion

Enterprise-managed identity and access management (IAM) is a powerful solution that simplifies and centralizes access and security configuration. In this article, we explored how this approach can be a game-changer for managing access to resources across a growing number of accounts.

The challenges faced by the banking client in managing access for their SRE team across multiple accounts were complex and time-consuming. However, by leveraging enterprise-managed IAM templates, they transformed an ongoing effort into a one-time setup activity. This streamlined access provisioning and enhanced security by ensuring that access control remained consistent and enforced across accounts.

Other interface samples

Included below are the equivalent steps needed to complete this use case using the command line interface and Terraform:

Ready to simplify access management? Learn more about enterprise-managed IAM

Was this article helpful?
YesNo

Tags

 | 
Carlos Gomez
Software Engineer - Identity Access Management
Addison Martin
Information Developer

More from Cloud
April 26, 2024

Bigger isn’t always better: How hybrid AI pattern enables smaller language models

5 min read - As large language models (LLMs) have entered the common vernacular, people have discovered how to use apps that access them. Modern AI tools can generate, create, summarize, translate, classify and even converse. Tools in the generative AI domain allow us to generate responses to prompts after learning from existing artifacts. One area that has not seen much innovation is at the far edge and on constrained devices. We see some versions of AI apps running locally on mobile devices with…

April 8, 2024

IBM Tech Now: April 8, 2024

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 96 On this episode, we're covering the following topics: IBM Cloud Logs A collaboration with IBM watsonx.ai and Anaconda IBM offerings in the G2 Spring Reports Stay plugged in You can check out the…

April 4, 2024

The advantages and disadvantages of private cloud 

6 min read - The popularity of private cloud is growing, primarily driven by the need for greater data security. Across industries like education, retail and government, organizations are choosing private cloud settings to conduct business use cases involving workloads with sensitive information and to comply with data privacy and compliance needs. In a report from Technavio (link resides outside ibm.com), the private cloud services market size is estimated to grow at a CAGR of 26.71% between 2023 and 2028, and it is forecast to increase by…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters