Merge pull request #393 from cloud-docs/view-dynamic-members
view dynamic members
addison-martin1 authored and GitHub Enterprise committed Mar 25, 2022
2 parents d4bba50 + 163d794 commit 112f31e
Showing 2 changed files with 39 additions and 20 deletions.
10 changes: 9 additions & 1 deletion faqs-iam.md
Expand Up @@ -5,7 +5,8 @@
copyright:

years: 2018, 2022
lastupdated: "2022-03-22"
lastupdated: "2022-03-25"


keywords: frequently asked questions for iam, iam faq, iam questions, identity and access management questions

Expand Down Expand Up @@ -348,3 +349,10 @@ In Kubernetes, a service account provides an identity for processes that run in
When you establish trust with the Kubernetes service in a trusted profile, you are required to enter information in the `namespace` and `service account` fields. You can enter `default` for both.

For more information, see [Using Trusted Profiles in your Kubernetes and OpenShift Clusters](https://www.ibm.com/cloud/blog/using-trusted-profiles-in-your-kubernetes-and-openshift-clusters) and [Kubernetes namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/){: external}.

## How can I view dynamic members of access groups?
{: #dynamic-members}
{: faq}

To view a list of dynamic members in an access group, go to **Manage** > **Access (IAM)** > **Access groups** in the {{site.data.keyword.cloud_notm}} console. Select an access group and click **Users**. Dynamically added users are indicated by the type `Dynamic`. For more information, see [Viewing dynamic members of access groups](/docs/account?topic=account-rules&interface=ui#view-dynamic-users)
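Review bot: the added FAQ answer's final sentence is missing its terminating period after the `[Viewing dynamic members of access groups](/docs/account?topic=account-rules&interface=ui#view-dynamic-users)` link. It would also help to carry over the caveat from the new section in iam-accessgroup_rules.md that dynamically added users who haven't logged in yet, or whose session expired, don't appear in the **Users** table; without it, an administrator who sees an empty list will conclude the rule is misconfigured rather than that nobody matching it has signed in yet.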

49 changes: 30 additions & 19 deletions iam-accessgroup_rules.md
Expand Up @@ -3,8 +3,8 @@
copyright:

years: 2018, 2022
lastupdated: "2022-03-13"

lastupdated: "2022-03-25"

keywords: dynamic rules,access groups,specific identity attributes,identity provider,federated ID,

Expand Down Expand Up @@ -34,19 +34,16 @@ Dynamic rules are created by setting conditions that must be matched by the data
To create a rule, follow these steps:

1. In the {{site.data.keyword.cloud_notm}} console, click **Manage** > **Access (IAM)**, and select **Access Groups**.
2. Select the name of the access group that you want to create a rule for to open the group details page.
2. Select the name of the access group that you want to create a rule for. This action opens the group **Details** page.
3. Select **Dynamic rules**.
4. Click **Add rule**.
5. Enter the information from your IdP that is dynamically provided for you on the Add rule page. The following list provides details for each required field.

You can think of an access group rule as a key:value pair. The key is what you add in the **`**Add users when** field, and the value is what you enter in the **Values** field.
You can think of an access group rule as a key:value pair. The key is what you add in the `Add users when` field, and the value is what you enter in the `Values` field.
{: tip}

For more information about the fields that are used to create dynamic rules, see [IAM condition properties](/docs/account?topic=account-iam-condition-properties).

Users added to access groups by using dynamic rules don't display as group members on the users list for the access group. To check a specific user's membership to an access group, you can select that user's name from the account **Users** page, and then click **Access groups**.
{: note}

## Setting up rules by using Terraform
{: #setup_rules_terraform}
{: terraform}
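Review bot: the rewritten tip replaces the broken `**`**Add users when**` markup with code font, but every other UI label in these steps (**Add rule**, **Dynamic rules**, **Details**) is bold, so `Add users when` and `Values` should become **Add users when** and **Values** for consistency. Dropping the note that dynamic users don't display as group members is right given the new section stating that they now show with type `Dynamic`, but the procedure loses its only pointer to how an administrator verifies that a rule actually matched anyone; a one-line cross-reference to the new Viewing dynamic members section after step 5 would keep that check discoverable.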
Expand Down Expand Up @@ -98,17 +95,31 @@ To create a rule by using Terraform, follow these steps:
```
{: pre}

## Example rule
{: #example}
For more information about the fields that are used to create dynamic rules, see [IAM condition properties](/docs/account?topic=account-iam-condition-properties).


## Viewing dynamic members of access groups
{: #view-dynamic-users}
{: ui}

You can view the users that are added to an access group by using dynamic rules. To view dynamic members of access groups, go to **Manage** > **Access (IAM)** > **Access groups** in the {{site.data.keyword.cloud_notm}} console. Select an access group and click **Users**. Dynamically added users are indicated by the type `Dynamic`.

The following users will not appear in the table:
- Dynamically added users who are not logged in yet
- Dynamically added users whose session expired

Dynamic users that are logged out but whose sessions are still valid continue to appear in the table until their sessions expire.

You can't remove a dynamic user manually. To remove a dynamic user, adjust your dynamic rules.
{: note}

### Viewing a user's dynamic membership
{: #view-dynamic-ag}

You can also view a list of access groups that a user is added to based on dynamic rules by completing the following steps:

The following example includes values for each of the fields on the **Add rule** page. In this rule, users who are identified as managers within the federated IdP are mapped to an {{site.data.keyword.Bluemix_notm}} access group that has specific access set for only managers.
1. Go to **Manage** > **Access (IAM)** > **Users** in the {{site.data.keyword.cloud_notm}} console.
1. Click on a user.
1. Click **Access groups**.
1. The access groups that a user is a dynamic member of is indicated by the type `Dynamic`.

| Field | Value |
|---------------------------------|---------------------------------|
| Name | Manager group rule |
| Identity provider | `https://idp.example.org/SAML2` |
| Expiration (in hours) | 12 |
| Add users when (attribute name) | isManager |
| Comparator | Equals |
| Value | true |
{: caption="Table 1. Example dynamic rule for access groups" caption-side="top"}
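Review bot: as laid out in this hunk, the new `## Viewing dynamic members of access groups` section and its `### Viewing a user's dynamic membership` subsection are inserted below the existing `## Example rule` heading, and the existing intro sentence "The following example includes values for each of the fields on the **Add rule** page" now sits between "by completing the following steps:" and the numbered steps, so the example table is cut off from both its heading and its introduction; move `## Example rule` and `{: #example}` down so they sit directly above that sentence and the table. The added line "For more information about the fields that are used to create dynamic rules, see [IAM condition properties](/docs/account?topic=account-iam-condition-properties)." duplicates the identical sentence already present after the create-a-rule steps above. Smaller points: "The access groups that a user is a dynamic member of is indicated" should read "are indicated", step 4 describes a result rather than an action and could be folded into step 3, and "will not appear" reads better as "don't appear" alongside the present-tense "continue to appear" two lines later.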
