Introducing IAM trusted profiles

The IBM Cloud team is excited to announce a new identity type: IAM trusted profiles. You can use trusted profiles to manage access and permissions to your accounts from an on-premises IAM solution. As with other IAM identities, you can assign access policies and classic infrastructure permissions to a trusted profile. The policies and permissions you add to the trusted profile determine what this IAM identity is allowed to access and execute in IBM Cloud.

IBM Cloud offers existing user identity types that require you to invite the identity to an account. In addition, you can create service IDs in an account to represent technical identities that are required for authorized access between services. Now, with trusted profiles, you can reduce the time and effort in managing access by automatically granting federated users or compute resources access to your account without sending account invitations or creating service IDs.

Different from other IAM identity types, a trusted profile isn’t uniquely associated with one user, and you can’t authenticate a trusted profile with a password. Instead, a trusted profile must be applied by an IAM identity that needs the policies and permissions of the trusted profile.

Advantages of using a trusted profile

In comparison to the existing methods of dynamically assigning permissions, you get the following benefits by using IAM trusted profiles: 

No user invitation necessary

A user doesn’t need to be a member of your account to apply the trusted profile. Are you working with a large user base? By using trusted profiles, you don’t need to individually invite users to your account multiple times. The only requirement is that users are federated with IBM Cloud by using IBMid or AppID.

Clear separation of work

If a user needs to perform different work functions within the same IBM Cloud account — for example, development and operations work — the user typically requires all policies and permissions to be assigned. This means the user always works with full permissions and could unintentionally delete or update resources. 

A trusted profile offers the safety net of separating individual work functions. By using trusted profiles, you can establish a flexible, secure way for users to access the IBM Cloud resources they need to do their job while following the principle of least privilege. All users that share certain attributes that are defined in your corporate user directory are mapped to a common trusted profile and can share access to resources. Managing federated users, granting access and revoking access is primarily done in the corporate user directory. The common trusted profile identity makes it possible to give the members of your organization that share access requirements automatic access to resources one time, rather than having to add each user to an account and then grant them access directly or by using access groups. For more information, see Compare access groups and trusted profiles.

Classic infrastructure support

You can set permissions on classic infrastructure resources for both federated users and compute resources with trusted profiles. This offers you more flexibility for many scenarios that involve classic infrastructure resources. You can only assign classic infrastructure access if your account is linked to a SoftLayer account.

Applying a trusted profile

The first release of IAM trusted profiles allows you to build a trust relationship with users that are using SAML federation. Federated users with a trust relationship can apply the trusted profile and take actions granted to it.

When an IAM administrator creates a trusted profile, they need to add conditions based on SAML attributes from their external identity provider (IdP). These conditions are evaluated during login to IBM Cloud and must be satisfied for the user to be given the option to select a trusted profile. 

Selecting a trusted profile

After logging in, all available trusted profiles are evaluated and users are presented with a list of trusted profiles that they can apply. IBM Cloud users can select Continue on the profile selection page to continue a traditional login to IBM Cloud accounts.
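To make the login-time evaluation described above concrete, here is an added example (not IBM Cloud's own implementation) that models trusted-profile conditions as claim/operator/value rules and filters the profiles a federated user may apply. The operator names, claim names and the sample SAML attributes are assumptions constructed for the demo.

```python
"""Illustrative evaluation of trusted-profile conditions against SAML attributes.

Added example, not IBM Cloud code: it models the login-time check described
above. Operators, claim names and sample values are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    claim: str      # SAML attribute name sent by the IdP, e.g. "groups"
    operator: str   # "EQUALS" or "CONTAINS" (assumed operator names)
    value: str


@dataclass(frozen=True)
class TrustedProfile:
    name: str
    conditions: tuple  # every condition must hold for the profile to apply


def condition_holds(cond: Condition, attributes: dict) -> bool:
    """True if the user's SAML attribute set satisfies one condition.
    A claim that the IdP did not send never matches (fail closed)."""
    values = attributes.get(cond.claim)
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if cond.operator == "EQUALS":
        return len(values) == 1 and values[0] == cond.value
    if cond.operator == "CONTAINS":
        return cond.value in values
    raise ValueError(f"unsupported operator {cond.operator!r}")


def applicable_profiles(profiles, attributes: dict) -> list:
    """Names of profiles whose conditions all hold; the user picks one.
    A profile with no conditions is never offered, so it cannot apply by accident."""
    return [p.name for p in profiles
            if p.conditions and all(condition_holds(c, attributes) for c in p.conditions)]


# Constructed sample: two profiles and the attributes of two federated users.
PROFILES = (
    TrustedProfile("dev-profile", (Condition("groups", "CONTAINS", "cloud-developers"),)),
    TrustedProfile("ops-profile", (Condition("groups", "CONTAINS", "cloud-operators"),
                                   Condition("department", "EQUALS", "platform"))),
)
ALICE = {"email": "alice@example.com", "department": "platform",
         "groups": ["cloud-developers", "cloud-operators"]}
BOB = {"email": "bob@example.com", "department": "sales", "groups": ["cloud-operators"]}
```

Running `applicable_profiles(PROFILES, ALICE)` offers both profiles, while Bob is offered none because his department claim fails the second condition of ops-profile.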

Ready to get started?

Begin exploring the trusted profiles UI page and the related documentation. You’ll quickly be ready to create a trusted profile and automatically grant users access to your account with conditions based on SAML attributes from your corporate directory. 

Check out the following tutorial series to help you set up trusted profiles:  

You can also select from the following options to create trusted profiles: 
