Managing access with context-based restrictions

After you set up your Event Notifications service instance, you can manage access by using context-based restrictions (CBR).

Managing CBR settings

With context-based restrictions, you can define and enforce user and service access restrictions to Event Notifications resources based on specified criteria. Those criteria include the Internet Protocol (IP) addresses from which requests to your Event Notifications instance originate.

To restrict access, you must be the account owner or have an access policy with the administrator role on all account management services.

Overview

To restrict access, you must create zones and rules.

First, create a zone with the appropriate details for network or resource definitions. Then, attach that zone to the specified resource through a rule to restrict access. You can create zones and rules by using the RESTful API or the context-based restrictions UI. After you create or update a zone or a rule, it might take a few minutes for the change to take effect.

CBR rules do not apply to provisioning or deprovisioning processes.

Understanding network zones

By creating network zones, you can define an allowlist of network locations where access requests originate, to determine when a rule can be applied. The list of network locations can be specified by using IP addresses, such as individual addresses, ranges or subnets, and Virtual Private Cloud (VPC) IDs.

After you create a network zone, you can add it to a rule.

Creating network zones by using the CBR API

The API is reachable on a public endpoint (for example, cbr.cloud.ibm.com) and on a private endpoint (for example, private.cbr.cloud.ibm.com); zones can be defined through either.

Use GET /v1/zones to list the zones. By using POST /v1/zones, you can create a new zone with the appropriate information. For more information, including a request body example, see Creating network zones by using the API.

You can determine which services can be referenced in a zone by checking for reference targets.

After you create zones, you can update or delete them.

Creating network zones by using the CBR UI

After you set the prerequisites and requirements, you can create zones in the UI. For more information about the steps to follow, see Creating context-based restrictions.

Instead of creating a zone by using UI inputs, you can use the JSON code form to create a zone by clicking Enter as JSON code.

After you create zones, you can also update and delete them.

Understanding network rules

After you create your zones, you can attach the zones to your network resources by creating rules. When you add resources to a rule, you can choose from the available types of endpoints that are specific to your network topology.

Creating network rules by using the CBR API

You can define network rules with the API by using the information that you collected from creating network zones.

By using GET /v1/rules with the endpoints that you chose, you can view a list of current rules. Use POST /v1/rules to create new rules. For more information, including a request body example, see Creating rules by using the API.
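As an added example (not IBM's code), the helper below builds the zone and rule bodies for the POST /v1/zones and POST /v1/rules calls described in the two API sections above, and pre-checks which source addresses a zone would admit before the rule is enabled. The request-body field names are not shown on this page and are assumed from the CBR API (address types ipAddress, ipRange, subnet, vpc; rule attributes networkZoneId, endpointType, accountId, serviceName; enforcement_mode), as is the service name event-notifications.

```python
import ipaddress

def build_zone(name, account_id, addresses, excluded=()):
    """Translate entries (single IP, "lo-hi" range, CIDR, VPC CRN) into the
    zone body shape assumed for POST /v1/zones, validating each IP entry."""
    def classify(entry):
        if entry.startswith("crn:"):
            return {"type": "vpc", "value": entry}
        if "/" in entry:
            ipaddress.ip_network(entry, strict=False)
            return {"type": "subnet", "value": entry}
        if "-" in entry:
            [ipaddress.ip_address(x.strip()) for x in entry.split("-")]
            return {"type": "ipRange", "value": entry}
        ipaddress.ip_address(entry)
        return {"type": "ipAddress", "value": entry}
    return {"name": name, "account_id": account_id,
            "addresses": [classify(a) for a in addresses],
            "excluded": [classify(a) for a in excluded]}

def _matches(entry, ip):
    # VPC entries match on VPC identity, not source IP, so they never match here.
    kind, value = entry["type"], entry["value"]
    if kind == "ipAddress":
        return ip == ipaddress.ip_address(value)
    if kind == "subnet":
        return ip in ipaddress.ip_network(value, strict=False)
    if kind == "ipRange":
        lo, hi = (ipaddress.ip_address(x.strip()) for x in value.split("-"))
        return lo.version == ip.version and lo <= ip <= hi
    return False

def in_zone(zone, source_ip):
    """Allowlist semantics: any matching excluded entry wins over address entries."""
    ip = ipaddress.ip_address(source_ip)
    if any(_matches(e, ip) for e in zone.get("excluded", [])):
        return False
    return any(_matches(e, ip) for e in zone["addresses"])

def build_rule(zone_id, account_id, service_name="event-notifications",
               endpoint_type="public", enforcement_mode="report"):
    """Rule body shape assumed for POST /v1/rules; "report" mode (assumed) logs
    denials without enforcing them, which suits the testing step before "enabled"."""
    return {"description": f"Allow {service_name} only from zone {zone_id}",
            "contexts": [{"attributes": [{"name": "networkZoneId", "value": zone_id},
                                         {"name": "endpointType", "value": endpoint_type}]}],
            "resources": [{"attributes": [{"name": "accountId", "value": account_id},
                                          {"name": "serviceName", "value": service_name}]}],
            "enforcement_mode": enforcement_mode}
```

Serialize the returned dicts with json.dumps as the request bodies; the account ID and the zone ID returned by the zone creation call are the only values you must supply from your own account.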

After you create rules, you can update and delete them.

Creating network rules by using the CBR UI

After you set the prerequisites and requirements, you can create rules in the UI. For more information about the steps to follow, see Creating context-based restrictions.

You can use the CBR UI to add resources and contexts to your network rules. Keep in mind the following limitations.

For example, when you create context-based restrictions for the IAM Access Groups service, users who don't satisfy the rule can't view any groups in the account, including the public access group.

Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Also, the rules might not take effect immediately due to synchronization and resource availability.

After you create rules, you can update and delete them.

Next steps

After you create or modify zones or rules, test them adequately to confirm that legitimate access still works and that the service remains available.

Users who attempt to access your resources from outside the defined zones receive HTTP error 403 when no applicable rule permits the request.