Kyndryl Bridge

Access groups and policies management
Published On Jul 18, 2024 - 12:58 PM

An Access group is a grouping for organizing users, service IDs, or a combination of both into a single entity that facilitates assigning access policies to multiple subjects at a time.

Access groups

Access groups allow you to add or remove users or service IDs and to assign one or more access policies that are then managed centrally, instead of adding the same access policies individually to every user or service ID; this simplifies onboarding by reducing it to a few steps.
Users with an Administrator role, which is the out-of-the-box role granted when the Kyndryl Bridge services account is first created, can add access groups. Likewise, other users can manage access groups if the access policies they are part of have the corresponding permissions. To understand which roles and permissions are required, see roles and permissions.
Accessing the access group page
The Access Groups page allows you to create, edit, and view access groups. You can also add and remove users from access groups, and create access policies within them. In this way, you can handle your access management needs quickly and efficiently.
  1. From the Kyndryl Bridge Console Home page, access the secondary menu.
  2. From the App Manager dropdown, select IAM. The IAM page opens.
  3. Select Access Groups from the left navigation bar of the page. Once in the Access Groups page, you can personalize your access management needs, including the following:
    1. Creating, editing, or deleting an Access Group
    2. Adding or removing users to an Access Group
    3. Adding or removing Access Policies to an Access Group
      1. Viewing Access Policies
    4. Adding, viewing, editing, or deleting rules to an Access Group
    5. Adding Service IDs to an Access Group
Creating a new access group
  1. Click Add New.
  2. Select Add an Access Group. The Add Access Group page opens.
  3. Complete the following information:
    1. Access Group Name: Add a name for the new access group.
    2. Description: Enter an optional description.
  4. Click Add to finish.
The Access Group list is automatically updated with the new Access Group being displayed.
Editing an existing access group
  1. Click the overflow menu next to the access group that you want to edit.
  2. Select View Details. The Details page for the access group selected opens.
  3. Click Settings and then Edit at the top of the page. The Settings Details page opens.
  4. Modify the necessary details.
  5. (Optional) Click Add New and select one of the appropriate details:
    1. Add users.
    2. Assign access policies.
    3. Add service IDs.
  6. Click Update to finish.
Deleting an existing access group
  1. Click the overflow menu next to the access group that you want to delete.
  2. Select Delete, and confirm the deletion by typing the name of the access group.
Adding users to an access group
  1. Click the overflow menu next to the access group that you want to modify.
  2. Select View Details. The details page for the access group selected opens.
  3. Click Add New.
  4. Select Add Users. The add users to access group page opens.
  5. Select the user(s) from the dropdown menu.
  6. Click Add at the bottom of the page.
The users list from that specific access group is automatically updated and the new user is displayed.
Removing users from an access group
  1. Click the overflow menu next to the access group that you want to modify.
  2. Select View Details. The Details page for the access group selected opens.
  3. Check the box next to the users you want to remove.
  4. Select Remove. Confirm the removal by typing the name of the user.
You can remove several users from an Access Group in bulk. To do so, select the checkbox next to each of the users and click Remove at the top of the users list.
Viewing users in an access group
  1. Click the overflow menu next to the access group that you want to consult.
  2. Select View Details. The details page for the access group selected opens.
  3. Confirm that the Users tab is selected. You can use the filter and search capabilities to do more specific searches.

Nested access groups

Nested access groups allow administrators to assemble access groups together. To simplify permission administration for a large number of users, the administrator organizes the access and creates a collection of different access groups. The clusters, which will inherit the access policies from the existing access groups, are known as nested access groups. Any access group can continue to work as normal or establish itself as the parent access group if no IDs or service IDs are associated with it. Access groups with any ID affiliation can become nested access groups once they are linked to a parent access group.
Prerequisites
  • Parent access groups must be empty and have no ID affiliations.
  • Nested access groups are the only ones that have service IDs and user IDs associated with them.
  • Hierarchy is limited to 1 level of access groups.
Adding a nested access group
  1. From the Kyndryl Bridge Console Home page, access the secondary menu.
  2. From the App Manager dropdown, select IAM. The IAM page opens.
  3. Select Access Groups from the left navigation bar of the page.
  4. Click the overflow menu next to the access group to be the parent and select View Details.
  5. Click Add Nested Access Groups.
  6. Select the parent access group from the list by checking the box next to it.
  7. Click Add. Otherwise, click Cancel.
  8. A message confirming your action will be displayed.

Access policies

Access policies allow you to grant role(s) and permission(s) to a specific group of resources and targets. The main benefit of assigning an access policy to an access group is that it makes all members of that group inherit the same permissions.
An access policy is the way in which an access group gets permission to perform actions for Bridge Common Services. An access policy includes a Subject (User IDs, Service IDs, Access Groups), a Target (associates resources), and a Permission (associates roles). To understand which roles and permissions are required, see roles and permissions. Imagine the following scenario where you want to create an access policy using Kyndryl Bridge IAM infrastructure:
I want to give a subject...
  • User
  • Service ID
  • Access group (combination of user and service IDs)
... access to a target...
  • IAM resources: of one or more resource types (policies, access group, and so on)
  • Application resources: of one or more resource types (orders, catalogs, budgets, DRGs, VMs, Kubernetes Cluster, builds, repositories)
... with specific permissions
  • Common Services roles:
    • Administrator
    • Editor
    • Viewer
    • Operator
  • App Roles:
    • App Role 1
    • App Role 2
  • Custom role: Created based on the existing out-of-the-box roles permissions available.
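As an added example (not Kyndryl Bridge code and not its API), the Python model below encodes the nesting prerequisites and the subject/target/permission structure described above, checks a constructed set of access groups for violations, and resolves the policies each subject ends up with. The Policy and AccessGroup classes, the function names, the group and user names, and the reading that members of a nested group inherit the parent's policies are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Policy:
    target: str  # resource type the policy applies to
    role: str    # role granted on that target

@dataclass
class AccessGroup:
    name: str
    members: set = field(default_factory=set)   # user IDs and service IDs
    policies: set = field(default_factory=set)  # Policy objects assigned to the group
    parent: Optional[str] = None                # name of the parent access group, if nested

def nesting_violations(groups):
    """Return sorted messages for every break of the nesting prerequisites."""
    problems = set()
    for g in groups.values():
        if g.parent is None:
            continue
        parent = groups.get(g.parent)
        if parent is None:
            problems.add(f"{g.name}: parent '{g.parent}' does not exist")
            continue
        if parent.members:
            problems.add(f"{parent.name}: parent group has users or service IDs")
        if parent.parent is not None:
            problems.add(f"{g.name}: hierarchy is deeper than 1 level")
    return sorted(problems)

def effective_policies(subject, groups):
    """Policies of the subject's own groups plus those inherited from each parent."""
    result = set()
    for g in groups.values():
        if subject in g.members:
            result |= g.policies
            if g.parent in groups:  # assumption: nested groups inherit from the parent
                result |= groups[g.parent].policies
    return result

# Constructed sample data, not a Kyndryl Bridge export.
GROUPS = {g.name: g for g in [
    AccessGroup("platform-ops", policies={Policy("IAM resources", "Viewer")}),
    AccessGroup("billing-team", {"alice", "svc-reports"},
                {Policy("budgets", "Editor")}, parent="platform-ops"),
    AccessGroup("legacy-admins", {"bob"}, {Policy("IAM resources", "Administrator")}),
    AccessGroup("contractors", {"carol"}, parent="legacy-admins"),
]}

if __name__ == "__main__":
    print(nesting_violations(GROUPS))
    for who in ("alice", "carol"):
        print(who, sorted((p.target, p.role) for p in effective_policies(who, GROUPS)))
```

In the sample data, carol ends up with Administrator on IAM resources only because legacy-admins is used as a parent while it still has members, which is the condition the first prerequisite rules out.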
Adding access policies to an access group
You can assign access policies to resources based on your level of access.
  1. Click the overflow menu next to the access group that you want to modify.
  2. Select View Details. The Details page for the access group selected opens.
  3. From the left navigation bar, select Access Policies.
  4. Click Add New and select Assign Access Policy from the menu. A new page is displayed.
  5. Complete the following information:
    1. Select Service: Select the application needed from the dropdown menu.
    2. Select Scope: Based on the service that you selected, click the radio button that applies to your selection:
      1. All resources: The Access Policy is assigned to all resources within the Access Group.
      2. Resources based on selected attributes: Access tags or attributes must be added for a more specific access.
        1. Access Tags: Select an access tag from the dropdown list.
        2. Attributes: Select an attribute from the dropdown list. You can add all the existing attributes by clicking the Add attribute + link. Select the attribute name and attribute value from the dropdown list. The attribute operator is set to equal by default.
    3. Select Role: Select the Platform role or roles that you want to assign to this access policy.
  6. Click Add at the bottom of the page. The access policies list from that specific access group is automatically updated and the new access policy is displayed.
Removing an access policy from an access group
  1. Navigate to the Access Group page and select the Access Policies tab from the left navigation bar.
  2. Click the overflow menu next to the access policy you want to remove.
  3. Select Delete and confirm the deletion.
To view access policies
To view all the access policies associated with an access group, access the Access Group page and navigate to the Access Policies tab from the left navigation bar. This list of access policies displays specific information such as the services, roles, and resources. You can use the filter and search capabilities to do more specific searches.
Adding a service ID to an access group
  1. Navigate to the access group of your choice.
  2. Click Add New.
  3. Select Add Service ID. The Add Service ID(s) to [Name of the Access Group] page opens.
  4. Select one or more Service IDs to be added.
  5. Click Add.