Introducing IAM trusted profiles.
The IBM Cloud team is excited to announce a new identity type: IAM trusted profiles. You can use trusted profiles to manage access and permissions in your accounts based on identities that are managed in your corporate (on-premises) IAM solution. As with other IAM identities, you can assign access policies and classic infrastructure permissions to a trusted profile. The policies and permissions that you add to the trusted profile determine what this IAM identity is allowed to access and execute in IBM Cloud.
IBM Cloud offers existing user identity types that require you to invite the identity to an account. In addition, you can create service IDs in an account to represent technical identities that are required for authorized access between services. Now, with trusted profiles, you can reduce the time and effort in managing access by automatically granting federated users or compute resources access to your account without sending account invitations or creating service IDs.
Unlike other IAM identity types, a trusted profile isn't uniquely associated with one user, and you can't authenticate a trusted profile with a password. Instead, a trusted profile must be applied by an IAM identity that needs the policies and permissions of the trusted profile.
Advantages of using a trusted profile
In comparison to the existing methods of dynamically assigning permissions, you get the following benefits by using IAM trusted profiles:
No user invitation necessary
A user doesn't need to be a member of your account to apply the trusted profile. Are you working with a large user base? By using trusted profiles, you don't need to invite each user to your account individually. The only requirement is that users are federated with IBM Cloud by using IBMid or App ID.
Clear separation of work
If a user needs to perform different work functions within the same IBM Cloud account, for example development and operations work, all of the corresponding policies and permissions are typically assigned to that one user identity. This means the user always works with the union of those permissions and could unintentionally delete or update resources.
A trusted profile offers the safety net of separating individual work functions. By using trusted profiles, you can establish a flexible, secure way for users to access the IBM Cloud resources that they need to do their job while following the principle of least privilege. All users that share certain attributes that are defined in your corporate user directory are mapped to a common trusted profile and share access to resources. Managing federated users, granting access, and revoking access are primarily done in the corporate user directory. The common trusted profile identity makes it possible to give the members of your organization that share access requirements automatic access to resources one time, rather than having to add each user to an account and then grant them access directly or by using access groups. For more information, see Compare access groups and trusted profiles.
Classic infrastructure support
You can set permissions on classic infrastructure resources for both federated users and compute resources with trusted profiles. This offers you more flexibility for many scenarios that involve classic infrastructure resources. You can only assign classic infrastructure access if your account is linked to a SoftLayer account.
Applying a trusted profile
The first release of IAM trusted profiles allows you to build a trust relationship with users that are using SAML federation. Federated users with a trust relationship can apply the trusted profile and take actions granted to it.
When an IAM administrator creates a trusted profile, they need to add conditions based on SAML attributes from their external identity provider (IdP), for example group membership or department. These conditions are evaluated during login to IBM Cloud and all of them must be satisfied for the user to be given the option to select that trusted profile.
Selecting a trusted profile
After logging in, all available trusted profiles are evaluated and users are presented with a list of the trusted profiles that they are permitted to apply. IBM Cloud users can instead select Continue on the profile selection page to proceed with a traditional login to their IBM Cloud accounts.
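To make the login-time evaluation concrete, the following is an added example (not IBM's code, and not an IBM Cloud API client) that models a set of trusted profiles with SAML-attribute conditions and works out which profiles a given federated user would be offered. The rule shape (a realm, a list of claim/operator/value conditions that are combined with AND inside one rule, and a profile being selectable when any of its rules matches), the operator names, the realm URL and the SAML attributes are all assumptions constructed for this example; check the IAM Identity API reference for the real field names and semantics.

```python
"""Model login-time evaluation of trusted-profile claim rules.

Added example, not IBM's code. The rule model below (AND across the
conditions of one rule, OR across the rules of one profile, a missing
SAML claim never satisfying a condition) is an assumption chosen to
illustrate the mechanism, not a statement of IBM's implementation.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Condition:
    claim: str        # SAML attribute name, e.g. "groups"
    operator: str     # EQUALS, NOT_EQUALS, CONTAINS or IN (assumed names)
    value: Any


@dataclass
class ClaimRule:
    name: str
    realm_name: str   # the IdP (realm) the assertion must come from
    conditions: List[Condition]


@dataclass
class TrustedProfile:
    name: str
    rules: List[ClaimRule]


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def condition_matches(cond: Condition, attrs: Dict[str, Any]) -> bool:
    """Evaluate one condition against the user's SAML attributes."""
    if cond.claim not in attrs:
        # Fail closed: an absent claim never satisfies a condition,
        # even NOT_EQUALS, so a stripped attribute cannot widen access.
        return False
    actual = attrs[cond.claim]
    if cond.operator == "EQUALS":
        return actual == cond.value
    if cond.operator == "NOT_EQUALS":
        return actual != cond.value
    if cond.operator == "CONTAINS":          # multi-valued claim holds value
        return cond.value in _as_list(actual)
    if cond.operator == "IN":                # claim is one of several values
        return actual in _as_list(cond.value)
    raise ValueError(f"unknown operator {cond.operator!r}")


def rule_matches(rule: ClaimRule, realm: str, attrs: Dict[str, Any]) -> bool:
    """All conditions of a rule must hold, and the realm must match."""
    return rule.realm_name == realm and all(
        condition_matches(c, attrs) for c in rule.conditions
    )


def selectable_profiles(profiles: List[TrustedProfile], realm: str,
                        attrs: Dict[str, Any]) -> List[str]:
    """Names of the profiles the user would see on the selection page."""
    return [p.name for p in profiles
            if any(rule_matches(r, realm, attrs) for r in p.rules)]


# Constructed sample data (hypothetical realm, groups and profiles).
REALM = "https://idp.corp.example.com/saml"
PROFILES = [
    TrustedProfile("dev-readonly", [
        ClaimRule("developers", REALM,
                  [Condition("groups", "CONTAINS", "developers")]),
    ]),
    TrustedProfile("ops-admin", [
        ClaimRule("platform-sre", REALM, [
            Condition("groups", "CONTAINS", "sre"),
            Condition("department", "EQUALS", "platform"),
        ]),
    ]),
]

# Constructed SAML attribute sets for two federated users.
DEV_SRE = {"email": "alice@corp.example.com",
           "groups": ["developers", "sre"], "department": "platform"}
FINANCE_DEV = {"email": "bob@corp.example.com",
               "groups": ["developers"], "department": "finance"}

if __name__ == "__main__":
    print(selectable_profiles(PROFILES, REALM, DEV_SRE))      # both profiles
    print(selectable_profiles(PROFILES, REALM, FINANCE_DEV))  # dev-readonly only
```

Two points worth keeping in mind when you design real rules: every condition of a rule must hold, so adding a second condition narrows who can apply the profile, and the directory attribute you match on (a group, a department) effectively becomes the boundary of that profile's permissions, so changes to group membership in the corporate directory should be reviewed with the same care as changes to the IAM policies themselves.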
Ready to get started?
Begin exploring the trusted profiles UI page and the related documentation. You’ll quickly be ready to create a trusted profile and automatically grant users access to your account with conditions based on SAML attributes from your corporate directory.
Check out the following tutorial series to help you set up trusted profiles:
- Managing access for federated users by using trusted profiles.
- Managing access for apps in compute resources.
You can also select from the following options to create trusted profiles:
- In the IBM Cloud console.
- By using REST API calls. For more information, see IAM Identity Services: Create a trusted profile.
- By using the command-line interface (CLI). Version 2.0.3 and later of the IBM Cloud CLI contains a set of new commands for creating and maintaining trusted profiles.