Manage access groups and policies to efficiently organize users and service IDs, streamline permissions, and enhance access control for Kyndryl Bridge services.
Access groups
Access groups allow you to add or remove users or service IDs and to assign one or more access policies to the group. The policies are then managed in one centralized construct instead of being added individually to every user or service ID, which reduces onboarding to a few steps.
Users with an Administrator role, which is the out-of-the-box role granted when the Kyndryl Bridge services account is first created, can add access groups. Likewise, other users can also manage access groups if the access policies they are part of have the corresponding permissions. To understand which roles and permissions are required, see roles and permissions.
Accessing the access group page
The Access Groups page allows you to create, edit, and view access groups. You can also add users to and remove users from access groups, and create an access policy in an access group. In this way, you can handle your access management needs quickly and efficiently.
Click the Global menu icon.
Click Settings and select Service IAM. The IAM page opens.
Select Access Groups from the left navigation bar of the page. Once in the Access Groups page, you can personalize your access management needs, including the following:
Creating, editing or deleting an Access Group
Adding users to or removing users from an Access Group
Adding Access Policies to or removing Access Policies from an Access Group
Viewing Access Policies
Adding, viewing, editing, or deleting rules in an Access Group
Adding Service IDs to an Access Group
Creating a new access group
Click Add New.
Select Add an Access Group. The Add Access Group page opens.
Complete the following information:
Access Group Name: Add a name for the new access group.
Description: Enter an optional description.
Click Add to finish.
The Access Group list is automatically updated and displays the new Access Group.
Editing an existing access group
Click the overflow menu next to the access group that you want to edit.
Select View Details. The Details page for the selected access group opens.
Click Settings and then Edit at the top of the page. The Settings Details page opens.
Modify the necessary details.
(Optional) Click Add New and select one of the appropriate details:
Add users.
Assign access policies.
Add service IDs.
Click Update to finish.
Deleting an existing access group
Click the overflow menu next to the access group that you want to delete.
Select Delete, and confirm the deletion by typing the name of the access group.
Adding users to an access group
Click the overflow menu next to the access group that you want to modify.
Select View Details. The Details page for the selected access group opens.
Click Add New.
Select Add Users. The Add Users to Access Group page opens.
Select the user(s) from the dropdown menu.
Click Add at the bottom of the page.
The users list from that specific access group is automatically updated and the new user is displayed.
Removing users from an access group
Click the overflow menu next to the access group that you want to modify.
Select View Details. The Details page for the selected access group opens.
Check the box next to the users you want to remove.
Select Remove. Confirm the removal by typing the name of the user.
You can remove several users from an Access Group in bulk. To do so, select the checkbox next to each of the users and click Remove at the top of the users list.
Viewing users in an access group
Click the overflow menu next to the access group that you want to consult.
Select View Details. The Details page for the selected access group opens.
Confirm that the Users tab is selected. You can use the filter and search capabilities to do more specific searches.
Nested access groups
Nested access groups allow administrators to assemble access groups together. To simplify permission administration for a large number of users, the administrator organizes the access and creates a collection of different access groups. The clusters, which inherit the access policies from the existing access groups, are known as nested access groups. Any access group can continue to work as normal, or establish itself as a parent access group if no IDs or service IDs are associated with it. Access groups with any ID affiliation can become nested access groups once they are linked to a parent access group.
Prerequisites
Parent access groups must be empty and have no ID affiliations.
Nested access groups are the only ones that have service IDs and user IDs associated with them.
The hierarchy is limited to 1 level of access groups.
Adding a nested access group
From the Kyndryl Bridge Console Home page, access the secondary menu.
From the App Manager dropdown, select IAM. The IAM page opens.
Select Access Groups from the left navigation bar of the page.
Click the overflow menu next to the access group to be the parent and select View Details.
Click Add Nested Access Groups.
Select the parent access group from the list by checking the box next to it.
Click Add. Otherwise, click Cancel.
A message confirming your action will be displayed.
Access policies
Access policies allow you to grant role(s) and permission(s) to a specific group of resources and targets. The main benefit of assigning an access policy to an access group is that it makes all members of that group inherit the same permissions.
An access policy is the way in which an access group gets permission to perform actions for Bridge Common Services. An access policy includes a Subject (User IDs, Service IDs, Access Groups), a Target (associated resources), and a Permission (associated roles). To understand which roles and permissions are required, see roles and permissions. Imagine the following scenario where you want to create an access policy using the Kyndryl Bridge IAM infrastructure:
I want to give a subject...
  User
  Service ID
  Access group (combination of user and service IDs)
... access to a target...
  IAM resources: of one or more resource types (policies, access group, and so on)
  Application resources: of one or more resource types (orders, catalogs, budgets, DRGs, VMs, Kubernetes Cluster, builds, repositories)
... with specific permissions
  Common Services roles: Administrator, Editor, Viewer, Operator
  App Roles: App Role 1, App Role 2
  Custom role: Created based on the existing out-of-the-box roles permissions available.
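An added example, not Kyndryl Bridge code or a product API: a small Python model of the nested access group prerequisites and the subject/target/permission structure described above, usable as an audit check over a group inventory you assemble yourself. The data layout, the group, subject and service names, and the assumption that members of a nested group receive the parent's policies in addition to the nested group's own are illustrative.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessGroup:
    name: str
    members: set = field(default_factory=set)      # user IDs and service IDs
    policies: list = field(default_factory=list)   # (service, role) pairs
    parent: Optional[str] = None                   # parent access group name

def check_nesting(groups):
    """Return violations of the nested access group prerequisites."""
    by_name = {g.name: g for g in groups}
    parents = {g.parent for g in groups if g.parent}
    problems = []
    for g in groups:
        if g.parent and g.parent not in by_name:
            problems.append(f"{g.name}: parent '{g.parent}' not found")
        if g.name in parents and g.members:
            problems.append(f"{g.name}: parent group must have no members")
        if g.name in parents and g.parent:
            problems.append(f"{g.name}: hierarchy deeper than 1 level")
    return problems

def effective_policies(groups, subject):
    """(service, role) pairs a subject holds through its groups.

    Assumption: a nested group's members get the parent's policies too.
    """
    by_name = {g.name: g for g in groups}
    granted = set()
    for g in groups:
        if subject in g.members:
            granted.update(g.policies)
            parent = by_name.get(g.parent)
            if parent:
                granted.update(parent.policies)
    return granted

# Constructed sample inventory; group, subject and service names are made up.
VALID = [
    AccessGroup("platform", policies=[("service-a", "Viewer")]),
    AccessGroup("team-a", {"alice", "svc-id-1"}, [("service-b", "Editor")], "platform"),
]
# team-b nests under team-a, which has members and is itself nested.
INVALID = VALID + [AccessGroup("team-b", {"bob"}, [], "team-a")]

if __name__ == "__main__":
    print(check_nesting(VALID), check_nesting(INVALID))
    print(sorted(effective_policies(VALID, "alice")))
```

Running the resolver per subject before and after a nesting change shows which users and service IDs gain roles through inheritance rather than through a policy on their own group.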
Adding access policies to an access group
You can assign access policies to resources based on your level of access.
Click the overflow menu next to the access group that you want to modify.
Select View Details. The Details page for the selected access group opens.
From the left navigation bar, select Access Policies.
Click Add New and select Assign Access Policy from the menu. A new page is displayed.
Complete the following information:
Select Service: Select the application needed from the dropdown menu.
Select Scope: Based on the service that you selected, click the radio button that applies to your selection:
All resources: The Access Policy is assigned to all resources within the Access Group.
Resources based on selected attributes: Access tags or attributes must be added for a more specific access.
Access Tags: Select an access tag from the dropdown list.
Attributes: Select an attribute from the dropdown list. You can add all the existing attributes by clicking the Add attribute + link. Select the attribute name and attribute value from the dropdown list. The attribute operator is set to equal by default.
Select Role: Select the Platform role or roles that you want to assign to this access policy.
Click Add at the bottom of the page. The access policies list from that specific access group is automatically updated and the new access policy is displayed.
Removing an access policy from an access group
Navigate to the Access Group page and select the Access Policies tab from the left navigation bar.
Click the overflow menu next to the access policy you want to remove.
Select Delete and confirm the deletion.
To view access policies
To view all the access policies associated with an access group, open the Access Group page and navigate to the Access Policies tab from the left navigation bar. This list of access policies displays specific information such as the services, roles, and resources. You can use the filter and search capabilities to do more specific searches.
Adding a service ID to an access group
Navigate to the access group of your choice.
Click Add New.
Select Add Service ID. The Add Service ID(s) to [Name of the Access Group] page opens.