Implementing Enterprise-managed IAM: An SRE Team’s Success Story

10:40 pm
October 24, 2023

Enterprise-managed identity and access management (IAM) systems provide cloud administrators with the ability to centrally configure access and security settings for an entire organization. In this case study, we explore how a site reliability engineering (SRE) team successfully implemented and managed their access across an enterprise.

Case Study

A large banking client has a centralized SRE team responsible for managing operations for all resources in the organization. To authenticate users to IBM Cloud enterprise accounts, the client uses federation. Additionally, all teams in the organization use Kubernetes and IBM Cloud Databases resources. The SRE team needs operational access to these resources across all teams and accounts.

Initially, manually managing access for the SRE team across a growing number of accounts was time-consuming and prone to errors. The access setup also did not meet certain audit controls, as child account administrators could update assigned access. To address these challenges, the client adopted enterprise-managed IAM templates.

By defining access for the SRE team using IAM templates and assigning them to the organization’s accounts, the client transformed the access management process from an ongoing effort to a one-time setup activity. This ensured that SRE access was automatically included in both existing and newly created accounts, and it could no longer be modified by child account administrators.

In this article, we will provide step-by-step instructions on how to implement a similar solution in your organization.

Prerequisites

  1. Be in the root enterprise account.
  2. The enterprise user performing this task should have the Template Administrator and Template Assignment Administrator roles on IAM services, as well as at least the Viewer role on the Enterprise service.
  3. Ensure that child accounts have enabled the enterprise-managed IAM setting.

Solution

To implement the enterprise-managed IAM solution for the SRE team, follow these steps:

  1. Create a trusted profile template.
  2. Add a trust relationship.
  3. Add access policy templates.
  4. Review and commit the trusted profile template.
  5. Assign the trusted profile template.

To update the template and assignment, follow these steps:

  1. Create a new template version.
  2. Add an additional access policy template.
  3. Review and commit the trusted profile template.
  4. Update the existing assignment to the new version.

Steps to create and assign a template

Follow the steps below to create and assign a trusted profile template for the SRE team:

  1. Go to Manage > Access (IAM). In the Enterprise section, click Templates > Trusted Profiles > Create. Create a trusted profile template for the SRE team.
  2. Add a trust relationship to dynamically add the SRE team to the trusted profile based on your identity provider (IdP).
  3. Go to the Access tab to create access policies for the IBM Cloud Kubernetes Service and IBM Cloud Databases for MongoDB.
  4. Review and commit the trusted profile and policy templates to prevent changes.
  5. Assign the trusted profile template to the account group.

After completing the assignment, the SRE team members will have the necessary access to perform their duties in the accounts under the assigned group.
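A post-assignment check, as an added example that is not part of the original article or IBM's tooling: it audits an account group for accounts that miss prerequisite 3, have no assignment, or are still on an older template version after the update steps. The `Account` record, its field names, and the sample account IDs are hypothetical; in practice you would populate them from your own enterprise inventory export.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    # Hypothetical inventory record; not an IBM Cloud API schema.
    account_id: str
    group: str                        # account group the account belongs to
    managed_iam_enabled: bool         # prerequisite 3: enterprise-managed IAM setting
    assigned_version: Optional[int]   # SRE template version assigned, None if none

def audit_assignment(accounts, target_group, committed_version):
    """Classify every account in target_group against the committed template version."""
    report = {"ok": [], "setting_disabled": [], "unassigned": [],
              "stale_version": [], "outside_group": []}
    for acct in accounts:
        if acct.group != target_group:
            # SRE access assigned outside the intended group is worth a review.
            if acct.assigned_version is not None:
                report["outside_group"].append(acct.account_id)
            continue
        if not acct.managed_iam_enabled:
            report["setting_disabled"].append(acct.account_id)
        elif acct.assigned_version is None:
            report["unassigned"].append(acct.account_id)
        elif acct.assigned_version < committed_version:
            report["stale_version"].append(acct.account_id)
        else:
            report["ok"].append(acct.account_id)
    return report

def needs_action(report):
    """True when any account in scope deviates from the intended state."""
    return any(ids for key, ids in report.items() if key != "ok")

# Constructed sample data: version 2 is the newly committed template version.
SAMPLE_ACCOUNTS = [
    Account("acct-prod-01", "banking-prod", True, 2),
    Account("acct-prod-02", "banking-prod", True, 1),      # assignment not yet updated
    Account("acct-prod-03", "banking-prod", False, None),  # setting not enabled
    Account("acct-prod-04", "banking-prod", True, None),   # new account, no assignment
    Account("acct-dev-01", "banking-dev", True, 1),        # assigned outside the group
]

if __name__ == "__main__":
    result = audit_assignment(SAMPLE_ACCOUNTS, "banking-prod", committed_version=2)
    for category, ids in result.items():
        print(f"{category:17} {', '.join(ids) or '-'}")
    print("action required:", needs_action(result))
```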

Conclusion

Implementing enterprise-managed IAM can significantly simplify access management for organizations. By using IAM templates and assigning them to accounts, the SRE team at the banking client was able to streamline access provisioning and ensure consistent access control across multiple accounts. This one-time setup activity saved time, reduced errors, and enhanced security.

FAQs

1. What is enterprise-managed IAM?

Enterprise-managed IAM enables cloud administrators to centrally configure access and security settings for their organization. It provides a streamlined approach to access management and ensures consistent control and security across accounts.

2. How does enterprise-managed IAM benefit SRE teams?

Enterprise-managed IAM simplifies access management for SRE teams by allowing them to define access through templates and assign them to relevant accounts. This eliminates the need for manual access setup and ensures that access control remains consistent and enforced.

3. Can the assigned access be updated by child account administrators?

No, with enterprise-managed IAM, the assigned access cannot be updated by child account administrators, ensuring that access control remains consistent and secure.

