Access groups and policies management
14 min
manage access groups and policies to efficiently organize users and service ids, streamline permissions, and enhance access control for kyndryl bridge services access groups access groups allow you to add or remove users or service ids to the access group, as well as assign one or more access policies to it that could continue to be managed in a centralized construct, instead of adding the same access policies individually to all users or service ids; this facilitates the onboarding experience by managing just a few steps in the process users with an administrator role, which is the out of the box role granted when the kyndryl bridge services account is first created, can add the access groups likewise, other users can also manage access groups if the access policies they are part of have the corresponding permissions to understand which roles and permissions are required, see roles and permissions docid\ ics69b2oesewnrtsmbi3w accessing the access groups page the access groups page allows you to create, edit, and view access groups at the same time, you can add and remove users from the access groups and even create an access policy within the access groups in this way, you can control your access management needs quickly and efficiently click the global menu icon click settings and select the page opens select access groups from the left navigation bar of the page once in the access groups page, you can personalize your access management needs, including the following creating, editing, or deleting an access group adding or removing users to an access group adding or removing access policies to an access group viewing access policies adding, viewing, editing, or deleting rules to an access group adding service ids to an access group creating a new access group click add new select add an access group the add access group page opens complete the following information access group name add a name for the new access group description enter an optional description click add to finish the access group list is automatically updated with the new access group being displayed editing an existing access group click the overflow menu next to the access group that you want to edit select view details the details page for the access group selected opens click settings and then edit at the top of the page the settings details page opens modify the necessary details (optional) click add new and select one of the appropriate details add users assign access policies add service ids click update to finish deleting an existing access group click the overflow menu next to the access group that you want to delete select delete , and confirm the deletion by typing the name of the access group adding users to an access group click the overflow menu next to the access group that you want to modify select view details the details page for the access group selected opens click add new select add users then add users to the access group page opens select the user or users from the dropdown menu click add at the bottom of the page the users list from that specific access group is automatically updated, and the new user is displayed removing users from an access group click the overflow menu next to the access group that you want to modify select view details the details page for the access group selected opens check the box next to the users you want to remove select remove confirm the removal by typing the name of the user you can remove several users from an access group in bulk to do so, select the checkbox next to each of the users and click remove at the top of the users list viewing users in an access group click the overflow menu next to the access group that you want to consult select view details the details page for the access group selected opens confirm that the users tab is selected you can use the filter and search capabilities to do more specific searches nested access groups nested access groups allow administrators to assemble access groups together to simplify the permission administration for a large number of users, the administrator organizes the access and creates a collection of different access groups the clusters, which will inherit the access policies from the existing access groups, are known as nested access groups any access group can continue to work as normal or establish itself as the parent access group if no ids or service ids are associated to them access groups with any id affiliation can become nested access groups once they are linked to a parent access group prerequisites parent access groups must be empty and have no ids or affiliations nested access groups are the only ones that have service ids and user ids associated with them hierarchy is limited to 1 level of access groups adding a nested access group from the kyndryl bridge console home page, access the secondary menu from the app manager dropdown, select the page opens select access groups from the left navigation bar of the page click the overflow menu next to the access group to be the parent and select view details click add nested access groups select the parent access group from the list by checking the box next to it click add otherwise, click cancel a message confirming your action will be displayed access policies access policies allow you to grant roles and permissions to a specific group of resources and targets the main benefit of assigning an access policy to an access group is that it makes all members of that group inherit the same permissions basically, an access policy is the way in which an access group gets permission to perform actions for kyndryl bridge common services an access policy includes a subject (user ids, services ids, access groups), a target (associates resources), and a permission (associates roles) imagine the following scenario where you want to create an access policy using kyndryl infrastructure \<font color="#f3f4f6">i want to give a subject \</font> \<font color="#f3f4f6"> access to a target\</font> \<font color="#f3f4f6"> \</font> user service id access group (combination of user and service ids) resources of one or more resource types (policies, access group, and so on) application resources of one or more resource types (orders, catalogs, budgets, drgs, vms, kubernetes cluster, builds, repositories) common services roles administrator editor viewer operator app roles app role 1 app role 2 custom role created based on the existing out of the box roles permissions available adding access policies to an access group you can assign access policies to resources based on your level of access click the overflow menu next to the access group that you want to modify select view details the details page for the access group selected opens from the left navigation bar, select access policies click add new and select assign access policy from the menu a new page is displayed complete the following information select service select the application needed from the dropdown menu select scope based on the service that you selected, click the radio button that applies to your selection all resources the access policy is assigned to all resources within the access group resources based on selected attributes access tags or attributes must be added for a more specific access access tags select and access tag from the dropdown list attributes select an attribute from the dropdown list you can add all the existent attributes by clicking the add attribute + link select the attribute name and attribute value from the dropdown list the attribute operator is set equal by default select role select the platform role or roles that you want to assign to this access policy click add at the bottom of the page the access policies list from that specific access group is automatically updated and the new access policy is displayed removing an access policy from an access group navigate to the access group page and select the access policies tab from the left navigation bar click the overflow menu next to the access policy you want to remove select delete and confirm the deletion to view access policies to view all the access policies associated to an access group, simply access the access group page and navigate to the access policies tab from the left navigation bar this list of access policies displays specific information such as the services, roles, and resources you can use the filter and search capabilities to do more specific searches adding a service id to an access group navigate to the access group of your choice click add new select add service id the add service id(s) to \[name of the access group] page opens select one or more service ids to be added click add