Authors: Yanni Zhang, Jose Ortiz
Reviewers: Derek Rutledge, Lesia Cox
The IAM (Identity and Access Management) service is part of the IBM Cloud Pak foundational services. It provides key identity and access management capabilities to all IBM Cloud Paks. Aligning with a common UI framework across the Automation, Data, and Security Cloud Paks was a strategic goal in the first quarter of 2021, and the IAM service made several significant enhancements to provide a common experience for users across Cloud Pak products. This post talks about the key IAM features and user experience enhancements.
With the 2021 first quarter release, you can log on once and have access to multiple IBM Cloud Paks that are running on the same cluster. This feature gives customers seamless access to capabilities from different IBM Cloud Paks by using a single set of credentials. Single sign-on is more than a user experience improvement; it is a strategy to improve work productivity and overall security. The IAM single sign-on capability is based on open standards such as OAuth 2.0, OpenID Connect, and SAML.
The logon page in this release has a few updates. The logon page now uses the dark theme. The "Default authentication" type for logging in to the console is renamed to "IBM Provided credentials (admin only)". After you log on, the home page includes an icon with nine dots in the upper right, where you can select another IBM Cloud Pak from the drop-down list and navigate to it.
User onboarding is one of the critical capabilities on IBM Cloud Paks, where users are added to the IBM Cloud Pak and granted certain access. In this release, we provide an enhanced user onboarding experience.
On the initial deployment, the IBM Cloud Pak is bootstrapped with Red Hat OpenShift Container Platform as the initial identity provider. The default administrator is also an OpenShift user, by default the "kubeadmin" user. You can then log on to the IBM Cloud Pak by using the OpenShift user credentials. This integration is an excellent way to drive Proof of Concept (POC) activities and demos without depending on an LDAP configuration. After you log on, navigate to the "User management" page. Click "Configure identity provider" to configure the LDAP connection. When that is done, you can return to the "User management" page and start onboarding users.
A significant improvement in this release is that you can view and manage all IBM Cloud Pak users and roles in a single place. The "Users" panel on the "User management" page allows you to add users directly and manage the users and their roles. Use the "User groups" panel to create user groups, query users and LDAP groups, and add them to the user groups.
You can search for users by one or more attributes, such as user ID, name, and email. You can also search for LDAP groups. You can then add the users or groups and assign them roles to access the IBM Cloud Pak.
The bridge between the user management interface and the backend user repositories is a new set of APIs introduced in the first quarter release. The APIs are based on the SCIM protocol, a modern standard for managing users across clouds. The new APIs are SCIM 2.0 compliant.
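As an added illustration of what a SCIM 2.0 compliant user search looks like from the client side (this is example code written for this post, not IBM's API implementation), the helper below builds an RFC 7644 filter from the attributes the post names (user ID, name, email), escapes the values so a search term cannot alter the filter logic, and parses a SCIM ListResponse. The base URL, the attribute-to-SCIM-path mapping, and the sample response are all constructed assumptions.

```python
"""SCIM 2.0 user lookup helpers (added example; assumptions are marked)."""
import json
from urllib.parse import urlencode

# Standard SCIM 2.0 schema URNs from RFC 7643 / RFC 7644
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Assumed mapping from the UI's search fields to SCIM attribute paths
ATTR_PATHS = {"user_id": "userName", "name": "displayName", "email": "emails.value"}


def scim_quote(value: str) -> str:
    """RFC 7644 compare values are JSON strings, so JSON-encode them.
    This escapes embedded quotes, which stops a search term from injecting
    extra filter clauses (e.g. ' or userName pr')."""
    return json.dumps(value)


def build_filter(**criteria) -> str:
    """Build a SCIM filter; only whitelisted attributes are accepted."""
    parts = []
    for key, value in criteria.items():
        if key not in ATTR_PATHS:
            raise ValueError(f"unsupported search attribute: {key}")
        op = "co" if key == "name" else "eq"      # substring match on names only
        parts.append(f"{ATTR_PATHS[key]} {op} {scim_quote(value)}")
    return " and ".join(parts)


def search_url(base: str, **criteria) -> str:
    """URL for GET /Users with the filter safely percent-encoded."""
    return f"{base}/Users?" + urlencode({"filter": build_filter(**criteria), "count": 50})


def parse_list_response(body: str) -> list:
    """Validate the ListResponse envelope and extract User resources only."""
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    users = []
    for res in doc.get("Resources", []):
        if USER_SCHEMA not in res.get("schemas", []):
            continue                                # skip Group or other resources
        users.append({"id": res["id"], "userName": res["userName"],
                      "emails": [e["value"] for e in res.get("emails", [])]})
    return users


# Constructed sample response, shaped like a SCIM 2.0 ListResponse
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 1, "startIndex": 1, "itemsPerPage": 50,
    "Resources": [{"schemas": [USER_SCHEMA], "id": "u-0001", "userName": "jdoe",
                   "displayName": "Jane Doe", "emails": [{"value": "jdoe@example.com"}]}],
})
```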
New automation foundation roles
On the "User management" page, the "Roles" panel includes the following automation foundation roles:
- Automation Administrator
- Automation Analyst
- Automation Developer
- Automation Operator
These roles provide you with access to the Kubernetes namespace associated with an IBM Cloud Pak.
You can still use the "Teams" page from older releases to give users additional access. With enhanced IAM roles and access modules that integrate with the new roles, existing IBM Cloud Pak customers have the same user access experience when they upgrade to the new release of an IBM Cloud Pak.
For more information about the IAM service in this release, see the IBM Knowledge Center HERE. You can contact firstname.lastname@example.org or email@example.com for further questions.