In this video, we're going to take a look at Identity and Access Management. We'll look at the difference between users and access groups, and between services and resources. We'll also learn how to use an access policy to customize access to cloud resources. Let's go ahead and get started.

In IBM Cloud, IAM consists of four concepts: users, the people who log in and use the account; access groups, a way of grouping users together; resources, provisioned service offerings selected from the catalog; and resource groups, a way of grouping resources together.

At the very highest level of IAM in IBM Cloud, we have an account. An account is made up of many users, and each user has an email address that they use to log in to IBM Cloud. Each account has an account owner. In practice, for most enterprises this is a shared enterprise email that multiple people can access, so that the account is not orphaned should someone leave their job.

Before we talk about resources, let's understand the difference between a service and a resource. A service is an entry in the IBM Cloud catalog, like a virtual machine, object storage, or one of the many other offerings. A resource is an instance of a service. For example, the IBM Cloud catalog has a database service called Cloudant. We can provision two instances of this service and call them DB-dev and DB-prod; these two instances would be our resources.

A user represents an IBMid-enabled account. Users are invited to join accounts, which can be done through the console, the IBM Cloud CLI, or the API. Users can create API keys to use with the CLI as an alternative to passwords for authentication. Users are given a platform role when invited; these roles range from the read-only Viewer role to the Administrator role, which can invite other users and view billing information.

Next, we'll talk about access groups. Access groups are a collection of users.
For instance, you may decide to group your users into access groups such as admins, billing, and basic users. Access groups enable a cleaner separation of control, and it's worth noting that a user can be a member of several access groups at the same time.

As mentioned, a resource is an instance of a service. Resources have an automatically generated identifier, and they can be deployed to specific regions. Resources also have service roles that limit what a user can do with that particular resource. For example, with Cloud Object Storage, a user with the Reader role can list and download objects in buckets; a user with the Writer role can also create and destroy buckets; and a user with the Manager role controls every aspect of the storage, such as adding a retention policy or a bucket firewall.

Next, we'll talk about resource groups. Resource groups are a collection of IBM Cloud resources. By grouping resources together, you can provide access to multiple resources at once. A resource's resource group is chosen at service creation time and cannot be changed afterward. Resource groups have no geographical restrictions, so you can put resources from Dallas and resources from Sydney in the same group.

Bringing it all together is the concept of an access policy. An access policy is the combination of a subject (a user or an access group), a role, and a target (a resource or a resource group).

Next, let's take a hands-on approach and dive deeper into IBM Cloud IAM. Today, I want to show you how to create an API key and how to authenticate yourself in a terminal or command-line interface with that API key. Then I want to show you how to create and invite users to your account, and how to give them specific permissions over services and resource groups. So, let's go ahead and get right into it. From the Manage tab at the top of the IBM Cloud console, click Access (IAM).
Here, we're going to go into the left sidebar and click on API keys. I have a lot of different API keys, but right now I'm just going to create a new one, and I'll call it test. Great, we can see that the API key has been successfully created. We can copy it and download it, which is always a good idea, because the key value is only shown at creation time.

Now that we're in my terminal, we can authenticate to IBM Cloud: run ibmcloud login --apikey, paste in the API key, and in a couple of seconds you should see that you're authenticated. You can then list the resource groups or the service instances as we did in the previous lesson. Great, so again you can see that we've authenticated and listed all the instances in my account.

All right, now that we've seen a little bit about API keys, let's talk about users and access groups. Click on Users in the left-hand sidebar. Here we have all the users on this particular account, and I can click on Invite users. Here we can already see that we can add users to access groups. These have already been set up; we can create access groups to place new users who come into this account into specific buckets. One of the buckets we can group them into is the admin group. You can see the number 129, which is the count of actions for this role: they have a lot of user management actions, so they can add other users and use most of the administrative features within this account. There's also billing, for people working with finance to pay the bills. Pretty much everybody else goes under the basic user group.

Let's talk a little bit about assigning users. Here, depending on your level of access, you can assign that same level of access or less to a new user.
Let's go ahead and click on Classic infrastructure and go to Devices. This is where you can see all the different permissions and actions for a specific device, which could be a VM somewhere. With no access you can't do anything. With View you can see the hardware details and the bandwidth statistics. As a Basic user you can manage device monitoring, view the details, and manage the firewalls, but you cannot upgrade the server. With Super user, of course, you can upgrade the server, view the software passwords, and so on.

Now let's talk about the IAM services. This is really nice because you can give someone access to only one service. For example, if a new person is onboarding onto your team and you want them to get familiar with the database, you can give them customized access to one specific instance of your database: if your account has a bunch of databases and you only want them to work on one, you can give them access to just that one.

Let's see that in action. We can click All IAM services, or we can choose a specific service. We have Cloud Object Storage and Cloudant in our account; we'll choose Cloudant, and we can limit access to one region as well, so we can pick Dallas or Frankfurt. We'll click on Dallas. Then we specify the service instance and give them the Editor platform role and the Writer service role. Let's invite a test Gmail address. Add this, and you can see that for this IAM service we've given them Editor and Writer access. That's a little bit about IAM, and that's how you assign users additional access.
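The access policy the demo builds in the console (subject, roles, and a target narrowed to one Cloudant instance in Dallas) can also be expressed as the JSON document that the IAM Policy Management v1 API accepts. The script below is an added example, not code from the video or from IBM's SDK: it assembles that document, and adds the least-privilege check a reviewer would want, flagging policies whose target is wider than one instance or whose roles let the subject grant access to others. The request-body shape, the role CRNs, the cloudantnosqldb service name and the region codes are taken from the public IAM API as I know it; the account ID, instance GUID and IBMid values are constructed placeholders.

```python
"""Build and review an IBM Cloud IAM access policy document.

Added example, not code from the video or from IBM's SDK. It assembles the
JSON body the IAM Policy Management v1 API takes for POST /v1/policies
(subject + roles + target resource attributes) and flags policies whose
target is wider than one instance. All account, instance and IBMid values
are constructed placeholders.
"""
import json

# Role CRNs used by IBM Cloud IAM. Platform roles (Viewer, Operator, Editor,
# Administrator) and service roles (Reader, Writer, Manager) are distinct.
PLATFORM_ROLE = "crn:v1:bluemix:public:iam::::role:{}"
SERVICE_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:{}"

# Region codes IAM expects; the console shows the city name.
REGIONS = {"Dallas": "us-south", "Frankfurt": "eu-de", "Sydney": "au-syd"}


def user_subject(iam_id):
    """Subject block for a single user, identified by IBMid."""
    return {"attributes": [{"name": "iam_id", "value": iam_id}]}


def access_group_subject(group_id):
    """Subject block for an access group (preferred: one policy, many users)."""
    return {"attributes": [{"name": "access_group_id", "value": group_id}]}


def build_policy(account_id, subject, roles, service_name=None,
                 service_instance=None, region=None):
    """Return the policy document: subject, roles and the target attributes.

    Every attribute that is left out widens the target: no serviceInstance
    means every instance of the service, no serviceName means every service.
    """
    attrs = [{"name": "accountId", "value": account_id}]
    if service_name:
        attrs.append({"name": "serviceName", "value": service_name})
    if service_instance:
        attrs.append({"name": "serviceInstance", "value": service_instance})
    if region:
        attrs.append({"name": "region", "value": region})
    return {
        "type": "access",
        "subjects": [subject],
        "roles": [{"role_id": r} for r in roles],
        "resources": [{"attributes": attrs}],
    }


def target_attributes(policy):
    """Flatten the target attributes of a policy into a dict."""
    return {a["name"]: a["value"] for a in policy["resources"][0]["attributes"]}


def scope_warnings(policy):
    """Least-privilege review: why this policy grants more than one role on one instance."""
    warnings = []
    attrs = target_attributes(policy)
    roles = {r["role_id"].rsplit(":", 1)[-1] for r in policy["roles"]}
    if "serviceName" not in attrs:
        warnings.append("no serviceName: applies to every service in the account")
    elif "serviceInstance" not in attrs:
        warnings.append(f"no serviceInstance: applies to every {attrs['serviceName']} instance")
    if "Administrator" in roles:
        warnings.append("Administrator: subject can assign other users access to the target")
    if "Manager" in roles:
        warnings.append("Manager: subject controls retention, firewall and other data settings")
    return warnings


def cloudant_dallas_policy(account_id, subject, instance_guid):
    """The case from the demo: Editor (platform) plus Writer (service) on one
    Cloudant instance in Dallas. cloudantnosqldb is Cloudant's IAM service name."""
    return build_policy(
        account_id, subject,
        [PLATFORM_ROLE.format("Editor"), SERVICE_ROLE.format("Writer")],
        service_name="cloudantnosqldb",
        service_instance=instance_guid,
        region=REGIONS["Dallas"],
    )


if __name__ == "__main__":
    # Constructed placeholder identifiers.
    narrow = cloudant_dallas_policy("a1b2c3d4e5f6", user_subject("IBMid-1100000TEST"),
                                    "00000000-0000-4000-8000-000000000001")
    print(json.dumps(narrow, indent=2))
    print("warnings:", scope_warnings(narrow) or "none")
    broad = build_policy("a1b2c3d4e5f6", access_group_subject("AccessGroupId-TEST"),
                         [PLATFORM_ROLE.format("Administrator")],
                         service_name="cloudantnosqldb")
    print("warnings:", scope_warnings(broad))
```

The Editor plus Writer policy on a single instance produces no warnings; an Administrator policy on an access group with no serviceInstance produces two, because it covers every Cloudant instance in the account and lets its members grant access to others. For the CLI login in the demo, the ibmcloud CLI also reads the key from the IBMCLOUD_API_KEY environment variable, which keeps the key out of shell history instead of pasting it after --apikey.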
In summary, IAM in IBM Cloud is broken up into users and access groups, which are collections of users; resources and resource groups, which are collections of resources; and roles, which are assigned to a user or access group on a resource or resource group, the three coming together to form an access policy.