Access tags
Published On Jul 03, 2024 - 11:11 AM

Discover the details on Access Tags, which are tools used to logically group resources for access management purposes.
A tag is a key:value pair that is attached to an organization, folder, or project. Hence, you can conditionally grant IAM roles or conditionally deny IAM permissions based on whether a resource has a specific tag. Other resources inherit tag values from their parent organization, folders, and project. As a result, you can use tags to manage access to any cloud resource.
The benefit of Access Tags is that they provide a flexible way to manage resource groupings, so that your projects can only be accessed by selected members.
The following permissions are needed to manage Access Tags. The Platform Administrator role, which is the out-of-the-box role granted to you when the account is first created, is the only role that includes all these permissions. Alternatively, as a Platform Administrator, you can create Custom Roles and assign them the Access Tags permissions.
Permission                           Description
iam.accesstags.view                  Allows viewing Access Tags
iam.accesstags.create                Allows creating Access Tags
iam.accesstags.delete                Allows deleting Access Tags
iam.resourceattributes.view          Allows viewing resources
iam.resourceattributesvalues.view    Allows viewing resource attribute values
iam.resourcegroups.view              Allows viewing resource groups

About Tag-based Access Control

Using conditions and a set of tag variables, you can add a policy to scope access based on the tags that have been applied to a resource. Access can be controlled based on a tag that exists on the resource. Tag-based access control provides additional flexibility to your policies by allowing you to define Access Policies with tags.
There are some rules to keep in mind when creating Access Tags:
  • Access Tags are visible account-wide in all Kyndryl Modern Operations Applications; avoid using personal information.
  • Access Tags must always be in the key:value format. Think of it as a string whose separator isolates two logical parts (e.g. project:projectname). The Kyndryl Modern Operations Applications user interface (UI) makes this distinction very clear.
  • Access Tags (both key and value) are case sensitive.
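The rules above can be checked on a proposed tag list before the tags are entered in the UI. The following Python check is an added example, not part of the product or its documentation; splitting on the first colon, using an e-mail pattern as the personal-information heuristic, and exact-match comparison are assumptions, and the sample tags are constructed.

```python
import re
from collections import defaultdict

# Assumption: an e-mail address is the personal-information pattern to flag;
# the page only says to avoid personal information in tags.
EMAIL_RE = re.compile(r"[^@\s:]+@[^@\s:]+\.[^@\s:]+")

BAD_FORMAT = "not in key:value format"
PERSONAL = "looks like personal information (e-mail address)"
CASE_CLASH = "differs only by case from another tag"

# Constructed sample input, not taken from any real account.
SAMPLE_TAGS = ["project:alpha", "Project:alpha", "env:prod",
               "owner:jane.doe@example.com", "costcenter", ":orphan"]


def parse_tag(raw):
    """Split on the first colon (assumption); return None if key or value is empty."""
    key, sep, value = raw.partition(":")
    if not sep or not key.strip() or not value.strip():
        return None
    return key, value


def lint_tags(raw_tags):
    """Return (tag, problem) findings for a proposed set of Access Tags."""
    findings = []
    by_folded = defaultdict(set)
    for raw in raw_tags:
        parsed = parse_tag(raw)
        if parsed is None:
            findings.append((raw, BAD_FORMAT))
            continue
        if EMAIL_RE.search(raw):
            findings.append((raw, PERSONAL))
        key, value = parsed
        by_folded[(key.casefold(), value.casefold())].add(raw)
    # Tags are case sensitive, so near-duplicates silently fail to match.
    for variants in by_folded.values():
        if len(variants) > 1:
            findings.extend((raw, CASE_CLASH) for raw in sorted(variants))
    return findings


def tag_matches(policy_tag, resource_tags):
    """Exact, case-sensitive comparison (assumed matching semantics)."""
    return policy_tag in resource_tags
```

Running `lint_tags(SAMPLE_TAGS)` reports the two malformed tags, the tag containing an e-mail address, and the `project:alpha` / `Project:alpha` pair that a policy written against one spelling would not match on the other.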

What is a Resource?

A Resource is any item that is created or owned by an application, such as Virtual Machines (VM), Orders, and Provider Connections. In other words, Resources are the service offerings that have been provisioned from your catalog.

What is a Resource Group?

A Resource Group helps you organize your resources in a way that best fits within your business. With Resource Groups, you can quickly grant users access to one or more resources at the same time. So, a Resource Group is a group that contains one or more Resource Attributes that maps to a collection of similar resources.

What is an Attribute?

An Attribute is an element or metadata of the Resource that helps identify the Resources, such as AssetID, OrderID, Virtual Machine in a specific region, Virtual Machine of a given provider.

Accessing the Tags page

The Access Tags page allows you to create, view, and delete Access Tags, and also associate them to Access Policies and connections. In this way, you can control your access management needs quickly and efficiently.
To access the Access Tags page, follow these steps:
  1. Access the IAM page.
  2. Select Access Tags from the left navigation bar of the page. The Access Tags page opens.
Once in the Access Tags page, you can perform a series of actions to personalize your access management needs, including the following:
  • Creating a new Access Tag
  • Deleting an Access Tag
  • Adding an Access Tag to an existing policy in access groups.
  • Adding an Access Tag while creating a connection.

Creating a new Access Tag

  1. Click Add New.
  2. Select Add Access Tag. The Add Access Tag page opens.
  3. Add the key and the value for your tag.
    1. You can add more tags by clicking Add Tag +.
  4. Click Add to finish.

Deleting an Access Tag

  1. Click the overflow menu next to the tag that you want to delete.
  2. Select Delete.
  3. Confirm the deletion.
You can delete several Access Tags in bulk. To do so, select the checkbox next to each of the Access Tags and click Delete at the top of the Access Tags list.

Adding an Access Tag to an existing policy in access groups

Often, you may need to add an Access Tag to an existing policy inside an access group to restrict some resources, based on tags as selected attributes. Go to Adding Access Policies to an Access Group and follow the steps.

Adding an Access Tag while creating a connection

When you are creating or editing your connections to onboard cloud, tool, or content providers, it is important to add your Access Tag in the process. In the dedicated Tags field, you can apply existing tags or create new ones on the spot to associate them to your connection. For more information, see Cloud connections.

Access Tags in Service Provider connections

A valuable practice is to add Access Tags or associate existing tags when creating and editing a customer connection in the Kyndryl Modern Operations Applications for Service Provider. For more information, see Customer tenant connection management.