Mapping AD Groups to IBM Cloud Access Groups

I wrote a while ago about Identity Federation and the IBM Cloud, which is basically the ability to use your enterprise credentials to log into your IBM Cloud account. This works by IBM Cloud asking the enterprises Identity Provider (e.g. Active Directory / ADFS) and the Identity Provider passing back a SAML token which ‘vouches’ for the identity of the user.

At the time of writing that article, that’s pretty much as far as Identity Federation went but I have just discovered that it now goes further, in the form of Dynamic Rules for Access Groups.

Now, if you’re wondering what an Access Group is, well under IBM Cloud’s Identity Access Management (IAM), rather than grant user’s rights to resources on a user by user basis, you can instead create an Access Group, grant the resource rights to the Access Group and then make users members of the Access Group. It’s quite easy to do and reduces admin headaches as you don’t end up in a situation where working out what access a user has in a large account is like figuring out a mass of tangled wires.

Since the end of Summer ’18, if you use Identity Federation, you can dynamically assign users to these groups via the SAML token that is sent from the Identity Provider. Basically, you simply add an assertion to the token and the rule looks at the value of the assertion and grants access if it meets the criteria of the rule. So, if the user is in the ‘Developer’ AD, this can be transmitted to IBM Cloud through an assertion in the SAML token, at which point the Dynamic Rule on the Access Group will place the user into the Developer’s access group (which you will have pre-created) when they log in. This is really nice, as it means that another step of user admin can be kept with the identity provider, rather than having to be repeated in the cloud console.

For further information, check out the documentation. I’ve already started to talk about this with a number of customers and I think it’s a great feature that eases user administration.

Cheers,

James

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.