Table: ibm_iam_user - Query IBM Cloud IAM Users using SQL
IBM Cloud Identity and Access Management (IAM) is a service that helps secure access to IBM Cloud resources. It enables the management of identities and access, allowing users to control who has access to their IBM Cloud resources and what actions they can perform. With IAM, you can manage access to your resources by creating policies and assigning them to IAM identities (users, groups, and service IDs).
Table Usage Guide
The ibm_iam_user
table provides insights into users within IBM Cloud Identity and Access Management (IAM). As a security officer or administrator, you can explore user-specific details through this table, including user ID, email, account ID, and created at timestamp. Utilize it to uncover information about users, such as their access levels, assigned roles, and other related metadata.
Examples
Basic info
Explore the basic user information from an IBM IAM user list to gain insights into user details and their associated account IDs. This can be useful for user management and account audits.
select first_name, last_name, user_id, email, account_idfrom ibm_iam_user;
select first_name, last_name, user_id, email, account_idfrom ibm_iam_user;
List inactive users
This query helps identify users who are not currently active within the IBM IAM system. It is useful in auditing user activity and assessing the need for potential clean-up of inactive accounts.
select first_name, last_name, user_id, email, statefrom ibm_iam_userwhere state <> 'ACTIVE';
select first_name, last_name, user_id, email, statefrom ibm_iam_userwhere state <> 'ACTIVE';
List users with no primary contact phone number
Discover the users who lack a primary contact phone number, allowing you to identify gaps in your contact information and reach out for updates. This can be particularly useful in maintaining effective communication channels with all users.
select first_name, last_name, user_id, phonenumberfrom ibm_iam_userwhere phonenumber is null;
select first_name, last_name, user_id, phonenumberfrom ibm_iam_userwhere phonenumber is null;
Control examples
- CIS v1.0.0 > 1 IAM > 1.10 Ensure contact email is valid
- CIS v1.0.0 > 1 IAM > 1.11 Ensure contact phone number is valid
- CIS v1.0.0 > 1 IAM > 1.12 Ensure IAM users are members of access groups and IAM policies are assigned only to access groups
- CIS v1.0.0 > 1 IAM > 1.3 Ensure API keys are rotated every 90 days
Schema for ibm_iam_user
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The ID fof the account. |
alt_phonenumber | text | The alternative phone number of the user. | |
text | The email of the user. | ||
first_name | text | The first name of the user. | |
iam_id | text | An alphanumeric value identifying the user's IAM ID. | |
id | text | = | An alphanumeric value identifying the user profile. |
last_name | text | The last name of the user. | |
phonenumber | text | The phone number of the user. | |
photo | text | A link to a photo of the user. | |
realm | text | The realm of the user. The value is either IBMid or SL. | |
settings | jsonb | User settings. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
state | text | The state of the user. Possible values are PROCESSING, PENDING, ACTIVE, DISABLED_CLASSIC_INFRASTRUCTURE, and VPN_ONLY. | |
user_id | text | The user ID used for login. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm
You can pass the configuration to the command with the --config
argument:
steampipe_export_ibm --config '<your_config>' ibm_iam_user