Managing access with IAM
IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud. Access to IBM Cloud Activity Tracker service instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by Activity Tracker as operations that are allowed to be performed on the service. An action is mapped to an IAM platform or service role that you can assign to a user.
If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted; however, only the highest-level permission that you have for the target service, that is, viewer, is assigned.
For more information about the steps to assign IAM access, see Managing access to resources.
- Use `logdnaat` for Activity Tracker hosted event search offerings.
- When you assign policies to users, use IBM Cloud Activity Tracker for the service name in the UI for Activity Tracker hosted event search offerings.
To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID.
Managing access by using access groups
To manage access or assign new access for users by using access groups, you must be the account owner, administrator, or editor on all Identity and Access enabled services in the account, or the assigned administrator or editor for the IAM Access Groups Service.
Choose any of the following actions to manage access groups in the IBM Cloud:
Managing access by assigning policies directly to users
To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.
Choose any of the following actions to manage IAM policies in the IBM Cloud:
- To grant permissions to a user, see Assigning access.
- To revoke permissions, see Removing access.
- To review a user's permissions, see Reviewing your assigned access.
Managing access through trusted profiles
Trusted profiles are supported.
IBM Cloud platform roles
The following tables detail actions that are mapped to platform roles.
Platform roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.
Use the following table to identify the platform role for the Activity Tracker hosted event search offerings that you can grant a user in the IBM Cloud to run any of the following platform actions:
Platform actions | Administrator | Editor | Operator | Viewer |
---|---|---|---|---|
Grant other account members access to work with the service | | | | |
View the ingestion key in the IBM Cloud console | | | | |
Provision a service instance | | | | |
Delete a service instance | | | | |
Update a service instance | | | | |
Create a service ID | | | | |
View details of a service instance | | | | |
View service instances in the Observability Activity Tracker dashboard | | | | |
IBM Cloud service roles
Use the following table to identify the service roles that you can grant a user to run any of the following service actions when you use Activity Tracker hosted event search offerings:
Actions | Manager | Standard-Member | Reader |
---|---|---|---|
Create and delete ingestion keys | | | |
Create and delete service keys | | | |
Configure account settings | | | |
Manage groups | | | |
Configure archiving | | | |
Define exclusion rules | | | |
Create and delete categories | | | |
Manage how views and dashboards are grouped in categories | | | |
Export data | | | |
View ingestion keys | | | |
View service keys | | | |
Configure alerts | | | |
View usage | | | |
Create views | | | |
Create dashboards | | | |
Create screens | | | |
Configure user preferences in the UI | | | |
Filter and search data | | | |
Use views to monitor events | | | |
Use dashboards to monitor events | | | |
Use screens to monitor events | | | |
The manager service role maps directly to the service admin role.
How do I know which access policies are set for me?
You can see which access policies are set for you in the IBM Cloud UI console.
- Go to Access IAM users.
- Click your name in the user table.
- Click the Access policies tab to see your access policies.
- Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.
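The same review can be done across a whole account from an export of its policies. The following is an added example, not IBM code: it resolves direct and access-group policies into each identity's effective roles on `logdnaat` and lists the Administrator and Manager holders. The policy field names, the sample identities, the group membership map, and the rule that a policy without a service name applies to all services are assumptions to check against your own export.

```python
from collections import defaultdict

SERVICE = "logdnaat"                      # service name given on this page
HIGH_PRIV = {"Administrator", "Manager"}  # assumption: roles flagged for review

def _policy(subject, roles, service=None):
    """Build one constructed policy record (field names are an assumption)."""
    res = [{"name": "accountId", "value": "constructed-account"}]
    if service:
        res.append({"name": "serviceName", "value": service})
    return {"subjects": [{"attributes": [subject]}],
            "roles": [{"display_name": r} for r in roles],
            "resources": [{"attributes": res}]}

# Constructed sample data, not taken from any real account.
POLICIES = [
    _policy({"name": "iam_id", "value": "IBMid-alice"}, ["Viewer", "Reader"], SERVICE),
    _policy({"name": "access_group_id", "value": "AccessGroupId-secops"},
            ["Administrator", "Manager"], SERVICE),
    _policy({"name": "iam_id", "value": "IBMid-bob"}, ["Manager"], "other-service"),
    _policy({"name": "iam_id", "value": "IBMid-dave"}, ["Administrator"]),  # all services
]
GROUP_MEMBERS = {"AccessGroupId-secops": ["IBMid-alice", "IBMid-bob"]}

def attrs(entries):
    """Flatten [{'attributes': [{'name': n, 'value': v}]}] into {n: v}."""
    return {a["name"]: a["value"] for e in entries for a in e["attributes"]}

def effective_access(policies, group_members, service=SERVICE):
    """Return iam_id -> {role: {sources}} for policies that cover `service`."""
    access = defaultdict(lambda: defaultdict(set))
    for p in policies:
        scoped = attrs(p["resources"]).get("serviceName")
        if scoped not in (None, service):  # policy is for a different service
            continue
        subj = attrs(p["subjects"])
        if "access_group_id" in subj:      # expand the group to its members
            gid = subj["access_group_id"]
            targets = [(m, f"group:{gid}") for m in group_members.get(gid, [])]
        else:
            targets = [(subj["iam_id"], "direct")]
        for role in p["roles"]:
            for iam_id, source in targets:
                access[iam_id][role["display_name"]].add(source)
    return access

def high_privilege(access):
    """List (iam_id, role) pairs that hold a role in HIGH_PRIV, sorted."""
    return sorted((i, r) for i, roles in access.items() for r in roles if r in HIGH_PRIV)
```

Each role keeps its source (`direct` or `group:<id>`), so the output shows which policy or access group to change when a flagged role should be removed.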