How to add access policies


This document provides information on how to add access policies in Cloud IAM. An access policy helps define user permissions and approval workflows.

Add an access policy

To add an access policy in Cloud IAM, follow these steps:

  1. On Segura, in the navigation bar, hover over the Products menu and select Cloud IAM.
  2. In the side menu, select Access control > Access policies.
  3. In the top right corner, click Add.
  4. In the General tab, enter the following information:
    1. In the Access policy name * field, enter a name for the access policy.
    2. In the Status field, enable or disable the access policy.
    3. (Optional): In the Description field, enter a description for the access policy.
  5. (Optional): In the Users tab, click + Add to enter the users of this access policy.
    1. Select the desired users, and click Add.
  6. (Optional): In the Permissions tab, enter information about the access policy permissions:
    1. (Optional): In the Users can create and edit users field, select to allow users to create and edit users. Select the types of users that can be created and/or edited.
    2. (Optional): In the Users can delete users field, select to allow users to delete users. Select the types of users that can be created and/or edited.
    3. (Optional): In the Users can create and edit accounts field, select to allow users to create and edit accounts.
    4. (Optional): In the Users can delete credentials field, select to allow users to delete credentials.
    5. (Optional): In the Users can delete accounts field, select to allow users to delete accounts.
    6. (Optional): In the Users can create credentials field, select to allow users to create credentials.
    7. (Optional): In the Users can start sessions field, select to allow users to start sessions.
    8. (Optional): In the Users can start JIT sessions field, select to allow users to start JIT sessions.
  7. (Optional): In the Criteria tab, enter information about which entities the policy users can interact with:
    1. (Optional): In the Provider section, select the providers for this access policy.
    2. (Optional): In the Accounts view section, enter the following information:
      1. In the Account names (comma-separated) field, enter the names of accounts that policy users can interact with. Enter an * (asterisk) for all names to be displayed. Names must be filled with a tag in the following format: [#USERNAME#].
      2. In the Tags (comma-separated) field, enter the tags of accounts that policy users can interact with. Enter an * (asterisk) for all tags to be displayed.
    3. (Optional): In the Users view section, enter the following information:
      1. In the Names (comma-separated) field, enter the names of users that policy users can interact with. Enter an * (asterisk) for all names to be displayed. Names must be filled with a tag in the following format: [#USERNAME#].
      2. In the Tags (comma-separated) field, enter the tags of users that policy users can interact with. Enter an * (asterisk) for all tags to be displayed.
    4. (Optional): In the Service accounts view section, enter the following information:
      1. In the Usernames (comma-separated) field, enter the names of service accounts that policy users can interact with. Enter an * (asterisk) for all names to be displayed. Names must be filled with a tag in the following format: [#USERNAME#].
      2. In the Tags (comma-separated) field, enter the tags of service accounts that policy users can interact with. Enter an * (asterisk) for all tags to be displayed.
    5. (Optional): In the Credentials view section, enter the following information:
      1. In the Environment (comma-separated) field, enter the environments of credentials that policy users can interact with. Enter an * (asterisk) for all environments to be displayed.
      2. In the Systems (comma-separated) field, enter the systems of credentials that policy users can interact with. Enter an * (asterisk) for all credentials to be displayed.
      3. In the Tags (comma-separated) field, enter the tags of credentials that policy users can interact with. Enter an * (asterisk) for all tags to be displayed.
  8. In the Settings tab, enter information about the user creation configuration template and the approval workflow:
    1. (Optional): In the Template field, select the user creation template. For more information, see How to add templates.
    2. (Optional): In the Approval workflow section, enter information about the access policy approval workflow:
      1. In the Require reason field, select to request a justification when performing an action.
      2. In the Require approval field, select so that approvals are necessary to perform an action.
      3. In the Approvals required field, specify the number of approvals needed for the action to be performed. This field is only available if the Require approval field is selected.
      4. In the Disapprovals required to cancel field, specify the number of rejections needed to prevent the action. This field is only available if the Require approval field is selected.
      5. In the Approval in levels field, select to enable approval in levels, meaning that after approval from a lower-level member, a higher-level member can approve or deny the request.
    3. In the Advanced options section, enter the following information:
      1. In the Governance ID required when justifying * field, select to request the governance code when justifying an action.
      2. In the Always add user manager to approvers? * field, select to always add the user's manager to the list of approvers.
  9. In the Approvers tab, click + Add to enter the approving users of this access policy.
    1. Select the desired users, and click Add. Approvers must have the PAM Operator profile to have access to the approval workflow.
    2. In the Governance ID required when justifying * field, select to request the governance code when justifying an action.
    3. In the Always add user manager to approvers? * field, select to always add the user's manager to the list of approvers.
  10. (Optional): In the Access limitation tab, enter information about access limitations for the access policy:
    1. In the Access permission days section, select the days on which users who are part of this access policy can access.
    2. In the Access permission times section, select the times at which users who are part of this access policy can access.
    3. In the Access permission period section, enter the start and end of the access period for users who are part of this access policy.
  11. In the Review tab, verify all information entered in the previous tabs, and click Save to confirm the changes.
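The following is an added example, not Segura's code: a small Python model of how the fields configured in the Criteria, Settings and Access limitation tabs combine into one access decision. The semantics of the comma-separated lists, the `*` wildcard, the `[#USERNAME#]` tag, and the order in which the approval and cancel thresholds are evaluated are assumptions for illustration; the names `matches`, `ApprovalWorkflow`, `AccessLimitation` and `can_start_session` are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime

def parse_list(value: str) -> list[str]:
    # Split a comma-separated field value, dropping blanks.
    return [item.strip() for item in value.split(",") if item.strip()]

def matches(allowed: str, candidate: str, username: str) -> bool:
    """True if candidate is covered by a comma-separated criteria field; assumed
    semantics: '*' matches everything, [#USERNAME#] expands to the caller's name."""
    for entry in parse_list(allowed):
        if entry == "*" or entry.replace("[#USERNAME#]", username) == candidate:
            return True
    return False

@dataclass
class ApprovalWorkflow:
    require_approval: bool = False
    approvals_required: int = 1        # "Approvals required" field
    disapprovals_to_cancel: int = 1    # "Disapprovals required to cancel" field

    def decide(self, votes: list[bool]) -> str:
        """Fold approver votes (True = approve) into 'approved', 'cancelled' or 'pending'."""
        if not self.require_approval:
            return "approved"
        approvals = sum(votes)
        if len(votes) - approvals >= self.disapprovals_to_cancel:  # assumed: cancel wins
            return "cancelled"
        return "approved" if approvals >= self.approvals_required else "pending"

@dataclass
class AccessLimitation:
    days: set[int]          # Access permission days, 0 = Monday ... 6 = Sunday
    start_hour: int         # Access permission times: start hour (inclusive)
    end_hour: int           # Access permission times: end hour (exclusive)
    period: tuple[date, date] | None = None  # Access permission period, inclusive

    def allows(self, when: datetime) -> bool:
        if self.period and not (self.period[0] <= when.date() <= self.period[1]):
            return False
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

# Constructed sample policy: own service account plus a shared one, weekdays 08-18, two approvals.
SAMPLE_LIMITS = AccessLimitation(days={0, 1, 2, 3, 4}, start_hour=8, end_hour=18)
SAMPLE_WORKFLOW = ApprovalWorkflow(require_approval=True, approvals_required=2)

def can_start_session(username: str, account: str, when: datetime, votes: list[bool]) -> bool:
    return (matches("svc-[#USERNAME#], shared-readonly", account, username)
            and SAMPLE_LIMITS.allows(when) and SAMPLE_WORKFLOW.decide(votes) == "approved")
```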