Enterprise-managed IAM: An SRE team case study

Enterprise-managed identity and access management (IAM) enables cloud administrators to centrally configure access and security settings for the entire organization. To learn about the basics, see “How enterprise-managed IAM works.”

The case study in this blog post shows how to easily and securely implement and manage a site reliability engineering (SRE) team’s access across an enterprise.

Case study

A large banking client has a centralized site reliability engineering (SRE) team that manages operations for all resources in the organization. The client uses federation to authenticate users to IBM Cloud enterprise accounts. All teams use Kubernetes and IBM Cloud Databases resources as part of their deployment. The SRE team needs operational access to these resources for every team in every account under the company’s IBM Cloud enterprise.

As the teams introduce new resources, the SRE team manages those resources, as well. Manually managing this access setup across a growing number of accounts is error-prone, time-consuming and does not meet certain audit controls since the assigned access can be updated by the child account administrators.

By using enterprise-managed IAM templates to define access for their SRE team and assign them to the organization’s accounts, the client’s process changed from an ongoing effort to a one-time setup activity. Now, SRE access is included in both established and newly created accounts. Additionally, this access cannot be updated by the child account administrator.

In this post, we’ll provide step-by-step instructions on how to apply this solution in your organization.


  1. Be in the root enterprise account.
  2. Make sure that the enterprise user performing this task has Template Administrator and Template Assignment Administrator roles on IAM services and at least the Viewer role on the Enterprise service. For more information, see “Assigning access for enterprise management.
  3. Make sure that child accounts enable the enterprise-managed IAM setting. For more information, see “Opting in to enterprise-managed IAM for new and existing accounts.”


First, create a trusted profile template for the SRE team members and add access policy templates to manage all IBM Cloud Kubernetes Service clusters and IBM Cloud Databases for MongoDB instances in the child accounts. Next, assign the trusted profile template to the account group containing the account(s) to manage. Finally, we’ll grant additional access policy templates to the SRE team by creating a new trusted profile template version with the additional access required and updating the existing assignment accounts.

To implement this solution, we’ll complete the following steps:

  1. Create a trusted profile template.
  2. Add a trust relationship.
  3. Add access policy templates.
  4. Review and commit the trusted profile template.
  5. Assign the trusted profile template.

Then, we’ll update the assignment with these steps:

  1. Create a new template version.
  2. Add an additional access policy template.
  3. Review and commit the trusted profile template.
  4. Update the existing assignment to version 2.

Steps to create and assign a template

1. Go to Manage > Access (IAM). In the Enterprise section, click Templates > Trusted Profiles > Create. Click Create to create a trusted profile template for the SRE team:

2. Add a trust relationship to dynamically add the SRE team to the trusted profile based on your Identity provider (IdP):

This will be based on the claims available by your IdP:

3. Go to the Access tab to create access policies:

Administrator role for the IBM Cloud Kubernetes Service:

Administrator role for IBM Cloud Databases for MongoDB:

4. Review and commit the trusted profile and policies templates. Committing templates prevents them from being changed:

5. Assign the trusted profile template to the account group. By selecting the entire account group, the system will automatically assign templates to the new accounts when they are added or moved in:

After the assignment is complete, the members of the SRE team can log in to the accounts under the account group and have the required access to perform their duties.

As your teams and cloud workloads grow, you might need to enable the SRE team to manage other resources. In the following example, we are granting the SRE team access to manage IBM Cloudant in addition to their existing access.

Steps to update a template and assignment

1. First, since we need to update an assigned template, we need to create a new version of the SRE team template:

2. Since we want to expand the SRE team access, we’ll create a new policy template with access to Cloudant resources:

3. Commit the trusted profile template and policy template:

4. Now, we need to update the assignment from version 1 to version 2. First, switch to template version 1:

In the Assignments tab, update the assignment:

Once the assignment is complete, the SRE team will now be able to manage IBM Cloudant resources in addition to the existing IBM Cloud Kubernetes Service and IBM Cloud Databases for MongoDB access.


Enterprise-managed identity and access management (IAM) is a powerful solution that simplifies and centralizes access and security configuration. In this article, we explored how this approach can be a game-changer for managing access to resources across a growing number of accounts.

The challenges faced by the banking client in managing access for their SRE team across multiple accounts were complex and time-consuming. However, by leveraging enterprise-managed IAM templates, they transformed an ongoing effort into a one-time setup activity. This streamlined access provisioning and enhanced security by ensuring that access control remained consistent and enforced across accounts.

Other interface samples

Included below are the equivalent steps needed to complete this use case using the command line interface and Terraform:

Ready to simplify access management? Learn more about enterprise-managed IAM

The post Enterprise-managed IAM: An SRE team case study appeared first on IBM Blog.