---
copyright:
lastupdated: "2019-04-03"
keywords: user permissions, manage access, IAM roles
subcollection: key-protect
---
{:shortdesc: .shortdesc}
{:codeblock: .codeblock}
{:screen: .screen}
{:new_window: target="_blank"}
{:pre: .pre}
{:tip: .tip}
{:note: .note}
{:important: .important}
{: #manage-access}
{{site.data.keyword.keymanagementservicefull}} supports a centralized access control system, governed by {{site.data.keyword.iamlong}}, to help you manage users and access for your encryption keys. {: shortdesc}
A good practice is to grant access permissions as you invite new users to your account or service. For example, consider the following guidelines:
- Enable user access to the resources in your account by assigning Cloud IAM roles. Rather than sharing your admin credentials, create new policies for users who need access to the encryption keys in your account. If you are the admin for your account, you are automatically assigned a Manager policy with access to all resources under the account.
- Grant roles and permissions at the smallest scope needed. For example, if a user needs to access only a high-level view of keys within a specified space, grant the Reader role to the user for that space.
- Regularly audit who can manage access control and delete key resources. Remember that granting a Manager role to a user means that the user can modify service policies for other users, in addition to destroying resources.
{: #roles}
With {{site.data.keyword.iamshort}} (IAM), you can manage and define access for users and resources in your account.
To simplify access, {{site.data.keyword.keymanagementserviceshort}} aligns with Cloud IAM roles so that each user has a different view of the service, according to the role the user is assigned. If you are a security admin for your service, you can assign Cloud IAM roles that correspond to the specific {{site.data.keyword.keymanagementserviceshort}} permissions you want to grant to members of your team.
The following table shows how identity and access roles map to {{site.data.keyword.keymanagementserviceshort}} permissions:
Service access role | Description | Actions |
---|---|---|
Reader | A reader can browse a high-level view of keys and perform wrap and unwrap actions. Readers cannot access or modify key material. | |
Writer | A writer can create keys, modify keys, rotate keys, and access key material. | |
Manager | A manager can perform all actions that a reader and writer can perform, including the ability to set rotation policies for keys, delete keys, invite new users, and assign access policies for other users. | |
Cloud IAM user roles provide access at the service or service instance level. Cloud Foundry roles {: new_window} are separate and define access at the organization or the space level. To learn more about {{site.data.keyword.iamshort}}, check out User roles and permissions {: new_window}. {: note}
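The role hierarchy in the table above, together with the "smallest scope needed" and "audit who can delete keys" guidelines, can be turned into a simple least-privilege check. The following is an added example, not code from this page or from {{site.data.keyword.keymanagementserviceshort}} itself: the action names are taken from the table, while the policy records, the per-user `needs` mapping and the `scope` field are constructed sample data and do not follow IBM Cloud's real policy format.

```python
"""Least-privilege helper for the Reader/Writer/Manager roles described above."""

# Actions each role grants, cumulative as the table describes (Manager > Writer > Reader).
ROLE_ACTIONS = {
    "Reader": {"browse_keys", "wrap", "unwrap"},
    "Writer": {"browse_keys", "wrap", "unwrap", "create_key", "modify_key",
               "rotate_key", "read_key_material"},
    "Manager": {"browse_keys", "wrap", "unwrap", "create_key", "modify_key",
                "rotate_key", "read_key_material", "set_rotation_policy",
                "delete_key", "invite_users", "assign_policies"},
}
ROLE_ORDER = ["Reader", "Writer", "Manager"]  # least to most privileged


def smallest_role(required):
    """Return the least-privileged role whose actions cover every required action, or None."""
    for role in ROLE_ORDER:
        if set(required) <= ROLE_ACTIONS[role]:
            return role
    return None


def audit(policies, needs):
    """Flag grants whose role exceeds what the user needs, and every Manager grant.
    policies: list of {"user", "role", "scope"} (constructed shape); needs: user -> required actions."""
    findings = []
    for p in policies:
        minimal = smallest_role(needs.get(p["user"], set()))
        if minimal is None:
            findings.append((p["user"], "required actions exceed any role"))
        elif ROLE_ORDER.index(p["role"]) > ROLE_ORDER.index(minimal):
            findings.append((p["user"], f"{p['role']} granted, {minimal} suffices at scope {p['scope']}"))
        if p["role"] == "Manager":  # Managers can delete keys and change other users' policies
            findings.append((p["user"], "Manager: can delete keys and change others' policies"))
    return findings


# Constructed sample policies and per-user requirements (hypothetical users and scopes).
SAMPLE_POLICIES = [
    {"user": "app-svc", "role": "Writer", "scope": "instance:kp-prod"},
    {"user": "ops-lead", "role": "Manager", "scope": "account"},
    {"user": "auditor", "role": "Reader", "scope": "instance:kp-prod"},
]
SAMPLE_NEEDS = {
    "app-svc": {"wrap", "unwrap"},             # envelope encryption only: Reader suffices
    "ops-lead": {"rotate_key", "delete_key"},  # genuinely needs Manager
    "auditor": {"browse_keys"},
}

if __name__ == "__main__":
    for user, msg in audit(SAMPLE_POLICIES, SAMPLE_NEEDS):
        print(f"{user}: {msg}")
```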
{: #manage-access-next-steps}
Account owners and admins can invite users and set service policies that correspond to the {{site.data.keyword.keymanagementserviceshort}} actions the users can perform.
- For more information about assigning user roles in the {{site.data.keyword.cloud_notm}} UI, see Managing IAM access {: new_window}.