September 8, 2023 By Carlos Gomez
Addison Martin

The IBM Cloud team is excited to announce the worldwide availability of IBM Cloud Enterprise-managed IAM for all IBM Cloud Enterprise accounts. Enterprise-managed IAM is a set of new features that allows you to centrally manage access and security settings for your organization. With Enterprise-managed IAM, cloud administrators can enforce security settings like MFA level and session expiration duration, and they can configure team access for all of the accounts in the organization.

The following are some of the key features of IBM Cloud Enterprise-managed IAM.

Centralize access management and account settings in your enterprise

You can now centrally manage access and account settings for all of the accounts in your organization from the enterprise root account. Enterprise administrators with the correct permissions can enforce security settings and administer access for accounts that have enabled Enterprise-managed IAM.

Enterprise-managed IAM reduces the time and effort needed to manage access in your organization. For example, instead of creating an access group with the same permissions in each account, you can create one access group template at the enterprise level and assign that access group template to child accounts or account groups. The assignment creates the access group, members, dynamic rules and its associated policies in each child account, saving you from manually creating hundreds of policies. Learn about other strategies for reducing the time and effort needed to manage access.

Prevent access drift

Resources that are created from access and account settings templates assigned by the enterprise cannot be deleted by the child account administrators. For example, cloud administrators can enforce a specific MFA-level authentication setting by creating an account setting template and assigning it to any account or account group in the enterprise. Once the account setting is assigned, the child account IAM administrator cannot modify the setting; only the enterprise cloud administrator can manage the account setting.

Stay flexible with action controls

Access group templates support the option to delegate member, policy and dynamic rule management to administrators in the child account by enabling action controls. Action controls defined in the templates specify which actions child account administrators can take on the enterprise-managed access groups in their account. Enterprise template administrators can configure action controls like adding or removing members, dynamic rules or access policies.

Keep the enterprise secure by default

Templates that you assign to account groups apply to all accounts within the group, including any nested account groups. When a new account is created, imported or moved to the account group, the assignment automatically applies to the new account. Likewise, if an account is removed or moved out of the account group, the assignment is automatically removed from the account. This way, your enterprise is secure by default. For example, template administrators can enforce a specific MFA login level for all child accounts in the organization and all new accounts.

Get started with IBM Cloud Enterprise-managed IAM

Before using IBM Enterprise-managed IAM, please review the following steps:

Read Best practices for assigning access in an enterprise to learn the basics of Enterprise-managed IAM and check out our step-by-step guidance on the IAM templates that fit your needs:
