Getting started with IAM
IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud. Access to IBM Cloud Logs instances for users in your account is controlled by IBM Cloud Identity and Access Management (IAM).
The access policy that you assign users in your account determines what actions a user can perform within the context of the service or specific instance that you select. The allowable actions are customized and defined by IBM Cloud Logs as operations that are allowed to be performed on the service. An action is mapped to an IAM platform or service role that you can assign to a user.
If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted; however, only the highest level of permission that you have for the target service (viewer, in this example) is assigned.
IBM Cloud platform roles
The following tables detail the actions that are mapped to platform roles.
Platform roles enable users to perform tasks on service resources at the platform level, for example, assign user access for the service, create or delete instances, and bind instances to applications.
Review the following tables, which outline the types of tasks each role allows when you're configuring IBM Cloud Logs in your account.
Use the following table to identify the account management and IBM Cloud Logs platform roles that you can grant a user in the IBM Cloud to run any of the following platform actions:
Platform role | Description of actions |
---|---|
Viewer | As a viewer, you can view service instances, but you cannot modify them. |
Operator | As an operator, you can perform platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
Administrator | As an administrator, you can perform all platform actions based on the resource where the role is being assigned, including assigning access policies to other users. |
Service Configuration Reader | As a service configuration reader, you can read the service configuration for governance management. |
Key Manager | As a key manager, you can manage resource keys, for example, creating a new resource key for a resource instance. |
IBM Cloud service roles
The following table lists the service roles available in IBM Cloud.
Service role | Description |
---|---|
Manager | As a manager, you have permissions beyond the writer role to complete privileged actions such as managing data usage metrics, data access rules, TCO policies, enrichments, events to metrics, and version benchmark tags. |
Writer | As a writer, you have permissions beyond the reader role such as the ability to manage actions, alerts and incidents, dashboards and views, enrichments, parsing rules, and webhooks or the ability to view analytics, data access rules, and TCO policies. |
Reader | As a reader, you can perform read-only actions on the data such as querying logs and viewing dashboards. |
Sender | As a sender, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs. |
Data Access Reader | With data access reader permissions, you can access log data that is defined by specific rules. These rules are set using the Data Access Rule attribute. |
IBM Cloud resource attributes with dynamic values
The following table lists the available IBM Cloud resource attributes with dynamic values.
Resource attribute | Value |
---|---|
Data Access Rule | Specify which rule to use to restrict access to logs. This attribute must be associated with the Data Access Reader service role. |
IAM platform actions
You can assign access for the following platform actions.
Action | Description |
---|---|
cbr.rule.create | Create context-based restriction rules. |
cbr.rule.delete | Delete context-based restriction rules. |
cbr.rule.read | View context-based restriction rules. |
cbr.rule.update | Update context-based restriction rules. |
global-search-tagging.resource.read | Find resources using the global search and tagging search API. |
global-search-tagging.tag.attach-user-tag | Attach a user tag to a resource. |
global-search-tagging.tag.detach-user-tag | Detach a user tag from a resource. |
global-search-tagging.tag.attach-access-tag | Attach access management tags to a resource. |
global-search-tagging.tag.detach-access-tag | Detach access management tags from a resource. |
iam.delegationPolicy.create | Create a policy that can be delegated to another service. |
iam.delegationPolicy.update | Update a policy that can be delegated to another service. |
iam.policy.create | Create policies. |
iam.policy.delete | Delete policies. |
iam.policy.read | View policies. |
iam.policy.update | Update policies. |
iam.service.read | View services. |
iam.role.assign | Assign roles to policies. |
iam.role.read | View roles. |
IAM service actions
For information about IBM Cloud Logs actions by role, see IAM actions by role.
Assigning access to IBM Cloud Logs
For details on assigning access, see Granting access to IBM Cloud Logs.
How do I know which access policies are set for me?
You can see which access policies are set for you in the IBM Cloud UI console.
- Go to Access IAM users.
- Click your name in the user table.
- Click the Access > Access policies tab to see your access policies.
- Click the Access > Access groups tab to see the access groups where you are a member. Check the policies for each group.