Add BlueXP IAM members and manage their permissions
BlueXP identity and access management (IAM) enables you to add members to your organization and assign them one or more roles across your resource hierarchy. A role contains a set of permissions that enables a member to perform specific actions at a specific level of the resource hierarchy. You can associate new user accounts and service accounts, manage member roles, and more.
To ensure that you don't lose access to your BlueXP organization, it's a best practice to have two members with the Organization admin role.
When a Folder or project admin views the Members page, the page displays all members in the organization. However, a member with this role can only view and manage member permissions for the folders and projects for which they have permissions. Learn more about the actions that a Folder or project admin can complete.
Add members to your organization
You can add two types of members to your organization: a user account and a service account. A service account is typically used by an application to complete specified tasks without human intervention.
To add a user account:
- If the user hasn't already done so, ask them to go to the NetApp BlueXP website and sign up.
  When the user signs up, they should complete the Sign up page, verify their email address, and then log in. When prompted to create an organization, the user should close out of BlueXP and let you know that they've created their user account. You can then add the user to your existing BlueXP organization.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- Select Add a member.
- To add the member, complete the steps in the dialog box:
  - Entity Type: Keep User selected.
  - User's email: Enter the user's email address that is associated with the BlueXP login that they created.
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    Note the following:
    - You can only select from the folders and projects for which you have admin permissions.
    - If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a role: Choose a role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected the organization, you can choose from any role other than Folder or project admin.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization, select Add role, specify another folder or project, and then choose a role.
- Select Add.
BlueXP adds the user to the organization.
The user should receive an email from NetApp BlueXP. The email includes information that the member can use to access BlueXP.
To add a service account:
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- Select Add a member.
- To add the member, complete the steps in the dialog box:
  - Entity Type: Select Service account.
  - Service account name: Enter a name for the service account.
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    Note the following:
    - You can only select from the folders and projects for which you have admin permissions.
    - If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a role: Choose a role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected the organization, you can choose from any role other than Folder or project admin.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization, select Add role, specify another folder or project, and then choose a role.
- Select Add.
- Download or copy the client ID and client secret.
  The client secret is visible only once and is not stored anywhere by BlueXP. Copy or download the secret and store it safely. Note that you can recreate the client ID and client secret later on as needed.
- Select Close.
BlueXP adds the service account to your organization.
View organization members
You can view a list of all members in your BlueXP organization. To understand which resources and permissions are available to a member, you can view the roles assigned to the member at different levels of your organization's resource hierarchy.
The Members page shows details about two types of members: user accounts and service accounts.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
  The members of your organization appear in the Members table.
- From the Members page, navigate to a member in the table, select and then select View details.
  BlueXP displays details about the member, which includes the folders and projects that the member has permissions for across your organization's resource hierarchy.
Here's an example of a member who is assigned the Folder or project admin role for a folder, which provides permissions to the three projects in the folder.
Here's another example that shows a member who has the Organization admin role, which gives the user access to all resources in the organization.
View all of the members associated with a specific folder or project.
Manage a member's permissions
A role defines the permissions assigned to a member at the organization, folder, or project level. Each organization member can have a role assigned at different levels of the organization hierarchy. It can be the same role or a different role. For example, you can assign a member role A for project 1 and role B for project 2.
A member who is assigned the Organization admin role can't be assigned any additional roles. They already have permissions across the entire organization.
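The role rules on this page (permissions flowing down the hierarchy, which roles are valid at which level, and the two-admin best practice) can be checked mechanically during an access review. The following Python sketch is an added example, not NetApp code; the hierarchy, member names, and tuple layout are constructed for illustration and are not a BlueXP export or API format.

```python
ORG_ADMIN = "Organization admin"
FP_ADMIN = "Folder or project admin"
HIERARCHY = {  # constructed sample (hypothetical names): node -> (kind, parent)
    "acme": ("organization", None),
    "finance": ("folder", "acme"),
    "payroll": ("project", "finance"),
    "lab": ("project", "acme"),
}
BINDINGS = [  # constructed (member, node, role) tuples; not a BlueXP export format
    ("alice@example.com", "acme", ORG_ADMIN),
    ("bob@example.com", "finance", FP_ADMIN),
    ("ci-deployer", "lab", FP_ADMIN),          # service account
    ("carol@example.com", "acme", FP_ADMIN),   # not allowed at organization level
    ("alice@example.com", "lab", FP_ADMIN),    # extra role on an Organization admin
]

def descendants(node, hierarchy):
    """Return the node plus everything that resides within it."""
    found = [node]
    for child, (_, parent) in hierarchy.items():
        if parent == node:
            found.extend(descendants(child, hierarchy))
    return found

def effective_access(member, bindings, hierarchy):
    """Map every resource the member can reach to the roles that apply there."""
    access = {}
    for who, node, role in bindings:
        if who == member:
            for reached in descendants(node, hierarchy):
                access.setdefault(reached, set()).add(role)
    return access

def audit(bindings, hierarchy):
    """Check assignments against the role rules stated on this page."""
    org_admins = {who for who, _, role in bindings if role == ORG_ADMIN}
    findings = []
    if len(org_admins) < 2:
        findings.append("fewer than two Organization admin members")
    for who, node, role in bindings:
        kind = hierarchy[node][0]
        if kind == "organization" and role == FP_ADMIN:
            findings.append(f"{who}: {FP_ADMIN} assigned at organization level")
        if kind != "organization" and role == ORG_ADMIN:
            findings.append(f"{who}: {ORG_ADMIN} assigned on {kind} {node}")
        if who in org_admins and role != ORG_ADMIN:
            findings.append(f"{who}: Organization admin holds extra role on {node}")
    return findings
```

Calling `effective_access` for a member shows the full reach of a folder-level role, which is the detail most often overlooked when reviewing least privilege.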
Add a role to a member
Provide a member with additional permissions in your organization by adding roles that apply to the organization, folder, or project level.
- From the Members page, navigate to a member in the table, select and then select Add a role.
- To add a role, complete the steps in the dialog box:
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a role: Choose a role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected the organization, you can choose from any role other than Folder or project admin.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization, select Add role, specify another folder or project, and then choose a role.
- Select Add new roles.
BlueXP adds the roles. The member now has permissions for the resources in the organization, folder, or project that you selected.
Change from one role to another
If you need to modify a member's permissions, you can change the role that's associated with that member at the organization, folder, or project level.
If you need to change the roles for multiple members in your organization, you can use a bulk action to complete the changes all at once.
To change the role for one member:
- From the Members page, navigate to a member in the table, select and then select View details.
- In the table, navigate to the organization, folder, or project and then select a new role.
BlueXP updates the roles associated with that member at the organization, folder, and project level.
To change the role for multiple members:
- From the Organization page, navigate to a project or folder in the table, select and then select Edit organization, Edit folder, or Edit project.
- On the Edit page, select Access.
- Select all members or individually select two or more members.
- Select Define role.
- Select the role that you'd like to assign to the members and then select Define.
BlueXP updates the roles for all of the members that you selected.
Remove permissions for a folder or project
You can remove a member's permissions to a specific folder or project by removing their role.
If a member has permissions in your organization to only one folder or project, you can't remove that role. You have two choices:
- If you want the member to have permissions to another part of the resource hierarchy, you need to add that role first and then delete the existing role.
- If you don't want the member to have permissions to anything, then you can simply remove the member from your organization.

- From the Members page, navigate to a member in the table, select and then select View details.
- In the table, navigate to the folder or project level and then select
BlueXP removes permissions for that member at the folder or project level.
Recreate the credentials for a service account
You can recreate the credentials (client ID and client secret) for a service account at any time. You might recreate the credentials if you lost them or if your business requires that you rotate security credentials after a period of time.
Recreating the credentials deletes the existing credentials for the service account and then creates new credentials. You will not be able to use the previous credentials.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- In the Members table, navigate to a service account, select and then select Recreate secrets.
- Select Recreate.
- Download or copy the client ID and client secret.
  The client secret is visible only once and is not stored anywhere by BlueXP. Copy or download the secret and store it safely.
- Select Close.
A new client ID and client secret are now associated with the service account.
Remove a member from your organization
You might need to remove a member from your organization—for example, if they left your company.
This task doesn't delete the member's BlueXP account or NetApp Support Site account. It simply removes the member and their associated permissions from your organization.
- From the Members page, navigate to a member in the table, select and then select Delete user.
- Confirm that you want to remove the member from your organization.
BlueXP removes the member. If that member logs in to BlueXP again, they no longer have access to your BlueXP organization.