FAQ about Context-based restrictions
FAQs for IBM Cloud® Context-based restrictions might include questions about access restrictions for IBM Cloud resources.
To find all FAQs for IBM Cloud®, see our FAQ library.
What are IBM Cloud Context-based restrictions?
As an account owner or administrator, you can define and enforce access restrictions for IBM Cloud® resources based on the network location of access requests by enabling context-based restrictions. For more information, see What are context-based restrictions?.
How do you use Context-based restrictions and IAM policies together?
These restrictions work with traditional IAM policies, which are based on identity, to provide another layer of protection. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials.
Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure.
What's the difference between Context-based restrictions and allowed IP addresses?
Context-based restrictions enforce access restrictions at the individual service level, and access is evaluated when a user attempts to access a resource. Allowed IP addresses restrict access at the account level, which is evaluated at login.
How can I make sure that my rule doesn't break an access flow?
As an administrator, you manage users, applications, and workflows that depend on having the correct access when they need it. To make sure that your context-based restrictions rules don't break an access flow, set the rule to report-only mode for at least 30 days before you enable the rule. This way, you can monitor the impact of the rule on your access flows, such as when access is denied or allowed and for which identities. For more information, see Monitoring context-based restrictions.
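The following added example is a simplified Python model of the behaviour this FAQ describes; it is not IBM Cloud code and does not call any IBM API. It shows IAM and the context check acting as two separate layers, and how report-only results can be tallied per identity before a rule is enabled. The mode names, zone CIDRs, identities and requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges); not real zones or identities.
ALLOWED_ZONE = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.16/28")]

# Each request: (identity, source_ip, iam_allows)
REQUESTS = [
    ("user:alice", "203.0.113.10", True),
    ("svc:ci-pipeline", "192.0.2.44", True),
    ("svc:ci-pipeline", "192.0.2.45", True),
    ("user:bob", "198.51.100.20", True),
    ("user:mallory", "203.0.113.99", False),  # allowed network, but no IAM access
    ("user:carol", "192.0.2.200", True),
]

def in_zone(source_ip, zone=ALLOWED_ZONE):
    """True when the request's source address falls inside the allowed context."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in zone)

def evaluate(source_ip, iam_allows, mode):
    """Return (granted, context_ok). mode: 'enabled' or 'report' (names assumed for this model)."""
    context_ok = in_zone(source_ip)
    if mode == "enabled":
        granted = iam_allows and context_ok  # both layers must pass
    else:
        granted = iam_allows                 # report-only: context result is recorded, not enforced
    # The context check never assigns access: granted is False whenever IAM denies.
    return granted, context_ok

def would_break(requests):
    """Per identity, count requests that succeed in report-only mode but fail once enabled."""
    hits = Counter()
    for identity, ip, iam_allows in requests:
        granted_now, _ = evaluate(ip, iam_allows, "report")
        granted_later, _ = evaluate(ip, iam_allows, "enabled")
        if granted_now and not granted_later:
            hits[identity] += 1
    return dict(hits)

if __name__ == "__main__":
    for identity, count in would_break(REQUESTS).items():
        print(f"{identity}: {count} request(s) would be denied after enabling the rule")
```

Identities that appear in the tally are the access flows to fix, or the network zones to extend, before switching the rule from report-only to enabled.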