Protecting context-based restrictions resources with context-based restrictions

Context-based restrictions can define and enforce access restrictions for its own IBM Cloud® resources, that is, its rules and network zones. You can define these restrictions based on contexts, such as network zones and endpoint types. For more information, see What are context-based restrictions.

The context-based restrictions service manages rules and network zones, so a rule that targets the service itself can lock you out of managing those resources if you cannot satisfy it. For that reason, attempts to create or update such a rule are permitted only if the context of the request satisfies the new or modified rule.

If you can no longer satisfy a rule that targets the Context-based restrictions service, open a support case and provide a context that you can satisfy to restore your access.

Restricting the ability to manage rules and network zones

To configure this rule, target the Context-based restrictions service. For more information about the steps to set up a rule, see Creating rules.

A rule scoped to All resources is applicable to all current and future resources that are managed by the service. If you want to restrict operations for a specific resource, scope the rule to Specific resources > Resource type.

To complete any rule or network zone management operation, a user must be assigned the correct role with an IAM access policy and they must satisfy the context-based restrictions rule.

Restricting the ability to manage rules and network zones by using the API

The following example shows a rule in JSON format that protects rule and network zone management operations:

{
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "my-AccountID"
        },
        {
          "name": "serviceName",
          "value": "context-based-restrictions"
        }
      ]
    }
  ],
  "description": "",
  "contexts": [
    {
      "attributes": [
        {
          "name": "networkZoneId",
          "value": "my-zoneID"
        }
      ]
    }
  ],
  "enforcement_mode": "report"
}

A rule that specifies only the accountId and serviceName resource attributes is applicable to all current and future resources that are managed by the service. If you want to restrict operations for a specific resource, include the corresponding resourceType resource attribute. Valid resourceType values for the Context-based restrictions service are rule and zone.

To complete any rule or network zone management operation, a user must be assigned the correct role with an IAM access policy and they must satisfy the context-based restrictions rule.
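The self-lockout check described at the top of this page and the resourceType rule above, as an added preflight script that is not IBM's code: ZONES, sample_rule and preflight are constructed for this illustration, a network zone is modelled as a list of CIDRs, and the script reports why a rule that targets the context-based restrictions service should not be submitted from the caller's source address. It also flags report mode, in which the rule only logs requests that would have been denied.

```python
import ipaddress

# Constructed sample zone table, networkZoneId -> CIDRs, standing in for the zones the
# API manages. This checker is an added illustration, not IBM's code.
ZONES = {"my-zoneID": ["192.0.2.0/24"]}
CBR_SERVICE = "context-based-restrictions"
VALID_RESOURCE_TYPES = {"rule", "zone"}  # the two resourceType values the page lists

def _attrs(entry):
    """Flatten a resources/contexts entry's attribute list into a dict."""
    return {a["name"]: a["value"] for a in entry["attributes"]}

def rule_targets_cbr(rule):
    """True if any resource entry names the CBR service itself."""
    return any(_attrs(r).get("serviceName") == CBR_SERVICE for r in rule["resources"])

def request_satisfies_rule(rule, source_ip):
    """True if source_ip lies inside a network zone named by one of the rule's contexts."""
    ip = ipaddress.ip_address(source_ip)
    zones = (_attrs(c).get("networkZoneId") for c in rule["contexts"])
    return any(ip in ipaddress.ip_network(cidr) for z in zones for cidr in ZONES.get(z, []))

def preflight(rule, source_ip):
    """Return findings for a rule about to be submitted; an empty list means safe to submit."""
    findings = []
    if rule.get("enforcement_mode") == "report":
        findings.append("report mode only logs would-be denials; set 'enabled' to enforce")
    for r in rule["resources"]:
        a = _attrs(r)
        rt = a.get("resourceType")
        if a.get("serviceName") == CBR_SERVICE and rt and rt not in VALID_RESOURCE_TYPES:
            findings.append(f"resourceType {rt!r} is not valid for CBR (use rule or zone)")
    if rule_targets_cbr(rule) and not request_satisfies_rule(rule, source_ip):
        findings.append(f"lockout risk: {source_ip} is outside every zone in the rule's contexts")
    return findings

def sample_rule(mode="enabled", resource_type=None):
    """Build the page's example rule, optionally scoped to one resourceType."""
    attrs = [{"name": "accountId", "value": "my-AccountID"},
             {"name": "serviceName", "value": CBR_SERVICE}]
    if resource_type:
        attrs.append({"name": "resourceType", "value": resource_type})
    return {"resources": [{"attributes": attrs}], "description": "",
            "contexts": [{"attributes": [{"name": "networkZoneId", "value": "my-zoneID"}]}],
            "enforcement_mode": mode}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.9"):
        print(ip, preflight(sample_rule("report"), ip))
```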