Enterprise-managed IAM: An SRE team case study

Enterprise-managed identity and access management (IAM) allows cloud directors to centrally configure entry and safety settings for your entire group. To be taught in regards to the fundamentals, see “How enterprise-managed IAM works.”

The case examine on this weblog publish reveals easy methods to simply and securely implement and handle a site reliability engineering (SRE) workforce’s entry throughout an enterprise.

Case examine

A big banking consumer has a centralized web site reliability engineering (SRE) workforce that manages operations for all sources within the group. The consumer makes use of federation to authenticate customers to IBM Cloud enterprise accounts. All groups use Kubernetes and IBM Cloud Databases sources as a part of their deployment. The SRE workforce wants operational entry to those sources for each workforce in each account underneath the corporate’s IBM Cloud enterprise.

Because the groups introduce new sources, the SRE workforce manages these sources, as properly. Manually managing this entry setup throughout a rising variety of accounts is error-prone, time-consuming and doesn’t meet sure audit controls for the reason that assigned entry may be up to date by the kid account directors.

By utilizing enterprise-managed IAM templates to outline entry for his or her SRE workforce and assign them to the group’s accounts, the consumer’s course of modified from an ongoing effort to a one-time setup exercise. Now, SRE entry is included in each established and newly created accounts. Moreover, this entry can’t be up to date by the kid account administrator.

On this publish, we’ll present step-by-step directions on easy methods to apply this resolution in your group.

Conditions

Be within the root enterprise account.
Ensure that the enterprise person performing this activity has Template Administrator and Template Task Administrator roles on IAM providers and at the least the Viewer function on the Enterprise service. For extra info, see “Assigning access for enterprise management.”
Ensure that baby accounts allow the enterprise-managed IAM setting. For extra info, see “Opting in to enterprise-managed IAM for new and existing accounts.”

Answer

First, create a trusted profile template for the SRE workforce members and add entry coverage templates to handle all IBM Cloud Kubernetes Service clusters and IBM Cloud Databases for MongoDB situations within the baby accounts. Subsequent, assign the trusted profile template to the account group containing the account(s) to handle. Lastly, we’ll grant extra entry coverage templates to the SRE workforce by creating a brand new trusted profile template model with the extra entry required and updating the present task accounts.

To implement this resolution, we’ll full the next steps:

Create a trusted profile template.
Add a belief relationship.
Add entry coverage templates.
Evaluation and commit the trusted profile template.
Assign the trusted profile template.

Then, we’ll replace the task with these steps:

Create a brand new template model.
Add a further entry coverage template.
Evaluation and commit the trusted profile template.
Replace the present task to model 2.

Steps to create and assign a template

1. Go to Handle > Entry (IAM). Within the Enterprise part, click on Templates > Trusted Profiles > Create. Click on Create to create a trusted profile template for the SRE workforce:

2. Add a belief relationship to dynamically add the SRE workforce to the trusted profile based mostly in your Identification supplier (IdP):

This will probably be based mostly on the claims out there by your IdP:

3. Go to the Entry tab to create entry insurance policies:

Administrator function for the IBM Cloud Kubernetes Service:

Administrator function for IBM Cloud Databases for MongoDB:

4. Evaluation and commit the trusted profile and insurance policies templates. Committing templates prevents them from being modified:

5. Assign the trusted profile template to the account group. By deciding on your entire account group, the system will mechanically assign templates to the brand new accounts when they’re added or moved in:

After the task is full, the members of the SRE workforce can log in to the accounts underneath the account group and have the required entry to carry out their duties.

As your groups and cloud workloads develop, you would possibly must allow the SRE workforce to handle different sources. Within the following instance, we’re granting the SRE workforce entry to handle IBM Cloudant along with their current entry.

Steps to replace a template and task

1. First, since we have to replace an assigned template, we have to create a brand new model of the SRE workforce template:

2. Since we wish to broaden the SRE workforce entry, we’ll create a brand new coverage template with entry to Cloudant sources:

3. Commit the trusted profile template and coverage template:

4. Now, we have to replace the task from model 1 to model 2. First, change to template model 1:

Within the Assignments tab, replace the task:

As soon as the task is full, the SRE workforce will now have the ability to handle IBM Cloudant sources along with the present IBM Cloud Kubernetes Service and IBM Cloud Databases for MongoDB entry.

Conclusion

Enterprise-managed identification and entry administration (IAM) is a robust resolution that simplifies and centralizes entry and safety configuration. On this article, we explored how this method is usually a game-changer for managing entry to sources throughout a rising variety of accounts.

The challenges confronted by the banking consumer in managing entry for his or her SRE workforce throughout a number of accounts had been complicated and time-consuming. Nonetheless, by leveraging enterprise-managed IAM templates, they remodeled an ongoing effort right into a one-time setup exercise. This streamlined entry provisioning and enhanced safety by making certain that entry management remained constant and enforced throughout accounts.