Add BlueXP IAM members and manage their permissions
BlueXP identity and access management (IAM) enables you to add members to your organization and assign them one or more roles across your resource hierarchy. A role contains a set of permissions that enables a member to perform specific actions at a specific level of the resource hierarchy. You can associate new user accounts and service accounts, manage member roles, and more.
To ensure that you don't lose access to your BlueXP organization, it's a best practice to have two members with the Organization admin role.
To manage users and their permissions, you must be assigned one of the following roles:
- Organization admin: Users with this role can manage all members.
- Folder or project admin: Users with this role can manage members only of designated folders or projects.
When a Folder or project admin views the Members page, the page displays all members in the organization. However, a member with this role can only view and manage member permissions for the folders and projects for which they have permissions. Learn more about the actions that a Folder or project admin can complete.
Add members to your organization
You can add two types of members to your organization: a user account and a service account. A service account is typically used by an application to complete specified tasks without human intervention.
You can add a service account directly from BlueXP. However, users must first sign up for a BlueXP account before you can add them to an organization or assign a role.
To manage users and their permissions, you must have the Organization admin role or the Folder or project admin role. Remember that users with the Folder or project admin role can only manage members for the folders or projects for which they have admin permissions.
- If the user hasn't already done so, ask them to go to the NetApp BlueXP website and sign up.
  When the user signs up, they should complete the Sign up page, verify their email address, and then log in. When prompted to create an organization, the user should close out of BlueXP and let you know that they've created their user account. You can then add the user to your existing BlueXP organization.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- Select Add a member.
- To add the member, complete the steps in the dialog box:
  - Entity Type: Keep User selected.
  - User's email: Enter the user's email address that is associated with the BlueXP login that they created.
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    Note the following:
    - You can only select from the folders and projects for which you have admin permissions.
    - If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a category and then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization or grant the user further permissions in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.
- Select Add.
  The user should receive an email from NetApp BlueXP. The email includes information that the member can use to access BlueXP.

- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- Select Add a member.
- To add the member, complete the steps in the dialog box:
  - Entity Type: Select Service account.
  - Service account name: Enter a name for the service account.
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    Note the following:
    - You can only select from the folders and projects for which you have admin permissions.
    - If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a category and then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization or grant the user further permissions in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.
- Download or copy the client ID and client secret.
  The client secret is visible only once and is not stored anywhere by BlueXP. Copy or download the secret and store it safely. Note that you can recreate the client ID and client secret later on as needed.
- Select Close.
View organization members
You can view a list of all members in your BlueXP organization. To understand which resources and permissions are available to a member, you can view the roles assigned to the member at different levels of your organization's resource hierarchy.
Here's an example of a member who is assigned the Folder or project admin role for a folder, which provides permissions to the three projects in the folder.
Here's another example that shows a member who has the Organization admin role, which gives the user access to all resources in the organization.
The Members page shows details about two types of members: user accounts and service accounts.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
  The members of your organization appear in the Members table.
- From the Members page, navigate to a member in the table, select and then select View details.
Remove a member from your organization
You might need to remove a member from your organization—for example, if they left your company.
Removing a member from your organization doesn't delete the member's BlueXP account or NetApp Support Site account. It simply removes the member and their associated permissions from your organization.
- From the Members page, navigate to a member in the table, select and then select Delete user.
- Confirm that you want to remove the member from your organization.
Recreate the credentials for a service account
You can recreate the credentials (client ID and client secret) for a service account at any time. You might recreate the credentials if you lost them or if your business requires that you rotate security credentials after a period of time.
Recreating the credentials deletes the existing credentials for the service account and then creates new credentials. You will not be able to use the previous credentials.
- In the upper right of the BlueXP console, select > Identity & Access Management.
- Select Members.
- In the Members table, navigate to a service account, select and then select Recreate secrets.
- Select Recreate.
- Download or copy the client ID and client secret.
  The client secret is visible only once and is not stored anywhere by BlueXP. Copy or download the secret and store it safely.
View all of the members associated with a specific folder or project.
Manage member roles
Organization members can be assigned roles at each level, and at more than one level, of your resource hierarchy.
You can unassign a role from a member, add a new role, or both. A role defines the permissions assigned to a member at the organization, folder, or project level. You can assign members roles relevant to their responsibilities in your BlueXP organization.
Each organization member can have a role assigned at different levels of the organization hierarchy. It can be the same role or a different role. For example, you can assign a member role A for project 1 and role B for project 2.
A member who is assigned the Organization admin role can't be assigned any additional roles. They already have permissions across the entire organization.
View role(s) assigned to a member
You can view a member to verify which roles they are currently assigned.
- From the Members page, navigate to a member in the table, select and then select View details.
- In the table, expand the respective row for organization, folder, or project where you want to view the member's assigned role and select View in the Role column.
Assign a role
Provide a member with additional permissions in your organization by adding roles that apply to the organization, folder, or project level.
- From the Members page, navigate to a member in the table, select and then select Add a role.
- To add a role, complete the steps in the dialog box:
  - Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
    If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.
  - Select a category: BlueXP separates roles into two categories: platform and data service. Learn about IAM roles.
  - Select a Role: Choose a role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
    - If you selected the organization, you can choose from any role other than Folder or project admin.
    - If you selected a folder or project, you can choose from any role other than Organization admin.
  - Add role: If you want to provide access to additional folders or projects within your organization, select Add role, specify another folder or project or role category, and then select a role category and a corresponding role.
- Select Add new roles.
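The assignment rules stated on this page (two Organization admins, inheritance down the hierarchy, which admin role is allowed at which level, no extra roles for an Organization admin) can be checked mechanically during an access review. The following is an added example, not NetApp code: the hierarchy, member names, the data service role name, and the tuple format are constructed for illustration and do not reflect any BlueXP export format.

```python
# Constructed hierarchy: child -> parent (None marks the organization).
PARENT = {"org": None, "folder-a": "org", "proj-1": "folder-a",
          "proj-2": "folder-a", "proj-3": "org"}

# Constructed assignments: (member, role, resource the role is bound to).
ASSIGNMENTS = [
    ("alice@example.com", "Organization admin", "org"),
    ("bob@example.com", "Folder or project admin", "folder-a"),
    ("carol@example.com", "Organization admin", "proj-1"),       # wrong level
    ("dave@example.com", "Folder or project admin", "org"),      # wrong level
    ("alice@example.com", "Folder or project admin", "proj-3"),  # extra role
    ("svc-backup", "Hypothetical data service role", "proj-2"),
]

def covers(bound_to, resource):
    """True if a role bound to `bound_to` reaches `resource` by inheritance."""
    while resource is not None:
        if resource == bound_to:
            return True
        resource = PARENT[resource]
    return False

def members_with_access(resource):
    """Members holding any role on `resource` or on one of its ancestors."""
    return sorted({m for m, _, r in ASSIGNMENTS if covers(r, resource)})

def audit(assignments):
    """Return (subject, finding) pairs for violations of the page's rules."""
    findings = []
    org_admins = {m for m, role, r in assignments
                  if role == "Organization admin" and PARENT[r] is None}
    if len(org_admins) < 2:
        findings.append(("org", "fewer than two Organization admins"))
    for member, role, res in assignments:
        at_org = PARENT[res] is None
        if role == "Organization admin" and not at_org:
            findings.append((member, "Organization admin below organization level"))
        elif role == "Folder or project admin" and at_org:
            findings.append((member, "Folder or project admin at organization level"))
        elif member in org_admins and role != "Organization admin":
            findings.append((member, "extra role on an Organization admin"))
    return findings

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(finding)
    print(members_with_access("proj-1"))
```
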
Change a member's assigned role
You can change the assigned role for a member at the organization, folder, or project level. Members can have different roles at different levels of your organization.
- From the Members page, navigate to a member in the table, select and then select View details.
- In the table, expand the respective row for organization, folder, or project where you want to change the member's assigned role and select View in the Role column to view the roles assigned to this member.
- To change a member's role, select Change next to the role you want to change. You can only change this role to a role within the same role category. For example, you can change from one data service role to another. You'll be asked to confirm the change.
- To unassign a member's role, select next to the role to unassign it from the member. You'll be asked to confirm the removal.
Unassign a role from a member
You can remove a member's permissions to a specific folder or project by removing their role.
If a member has permissions in your organization to only one folder or project, you can't remove that role. You have two choices:
- If you want the member to have permissions to another part of the resource hierarchy, you need to add that role first and then delete the existing role.
- If you don't want the member to have permissions to anything, then you should remove the member from your organization.

- From the Members page, navigate to a member in the table, select and then select View details.
- In the table, navigate to the folder or project level and then select . You'll be asked to confirm the removal.