IBM Cloud Docs
Access control with context-based restrictions

After you set up your IBM® Key Protect service instance, you can restrict who can reach it, and from where, by using context-based restrictions (CBR), which Key Protect supports.

Managing CBR settings

CBR lets you restrict user and service access to your Key Protect resources based on the network context of the request, such as the Virtual Private Cloud (VPC) or the Internet Protocol (IP) addresses that the request originates from.

For more information about the services integrated with CBR, check out Services integrated with context-based restrictions.

Overview

Restricting access has two parts, creating zones and creating rules, each with multiple steps. First, create a network zone that describes the allowed origins (IP addresses, subnets, or VPC references). Then, create a rule that attaches that zone to the Key Protect resources you want to restrict. Both parts can be done either through the CBR RESTful API or through the CBR UI in the IBM Cloud console. After you create or update a zone or a rule, it can take a few minutes for the change to take effect.

CBR rules do not apply to provisioning or deprovisioning of Key Protect instances.

About Network Zones

A network zone is an allowlist of locations from which an access request may originate. A zone can contain one or more network locations, specified as IP addresses (individual addresses, ranges, or subnets in CIDR notation) and VPC IDs. After you create a network zone, you can reference it from a rule.

Create Network Zones using the CBR API

The API supports defining network zones through both the public (https://cbr.cloud.ibm.com) and the private (https://private.cbr.cloud.ibm.com) endpoints.

A GET request to the path "/v1/zones" lists the zones in your account. A POST request to the same path creates a new zone; use the following request body as a guide for your own:

{
  "name": "an example of a zone",
  "description": "this is an example of a zone",
  "account_id": "12ab34cd56ef78ab90cd12ef34ab56cd",
  "addresses": [
    {
      "type": "ipAddress",
      "value": "169.23.56.234"
    },
    {
      "type": "ipRange",
      "value": "169.23.22.0-169.23.22.255"
    },
    {
      "type": "subnet",
      "value": "192.0.2.0/24"
    },
    {
      "type": "vpc",
      "value": "crn:v1:bluemix:public:is:us-south:a/12ab34cd56ef78ab90cd12ef34ab56cd::vpc:r134-d98a1702-b39a-449a-86d4-ef8dbacf281e"
    }
  ],
  "excluded": [
    {
      "type": "ipAddress",
      "value": "169.23.22.127"
    }
  ]
}

Besides IP addresses and VPCs, a zone can reference other IBM Cloud services as origins; check the CBR reference targets to determine which services can be referenced this way.

After creating zones, you can also update and delete them.
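Because a zone is an allowlist, a mistyped entry either opens the zone wider than intended (a subnet with the wrong prefix) or silently does nothing (an `excluded` address that lies outside every allowed address). The following pre-flight check is an added example, not IBM's code; it validates a zone request body locally before it is sent to `/v1/zones`. The sample body is constructed to mirror the one above, and the VPC CRN pattern is an assumption derived from that example.

```python
"""Pre-flight validation of a CBR network-zone request body (added example)."""
import ipaddress
import re

# Assumed shape of a VPC CRN, derived from the example body on this page.
VPC_CRN_RE = re.compile(
    r"^crn:v1:bluemix:(public|private):is:[a-z0-9-]+:a/[0-9a-f]{32}::vpc:[A-Za-z0-9-]+$"
)
ACCOUNT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
IP_TYPES = ("ipAddress", "ipRange", "subnet")

# Constructed sample body, mirroring the example on this page.
EXAMPLE_ZONE = {
    "name": "an example of a zone",
    "description": "this is an example of a zone",
    "account_id": "12ab34cd56ef78ab90cd12ef34ab56cd",
    "addresses": [
        {"type": "ipAddress", "value": "169.23.56.234"},
        {"type": "ipRange", "value": "169.23.22.0-169.23.22.255"},
        {"type": "subnet", "value": "192.0.2.0/24"},
        {"type": "vpc", "value": "crn:v1:bluemix:public:is:us-south:a/"
                                 "12ab34cd56ef78ab90cd12ef34ab56cd::vpc:"
                                 "r134-d98a1702-b39a-449a-86d4-ef8dbacf281e"},
    ],
    "excluded": [{"type": "ipAddress", "value": "169.23.22.127"}],
}


def parse_entry(entry):
    """Turn one zone entry into an ip_network, an (lo, hi) tuple, or a CRN string.

    Raises ValueError for anything CBR would reject or that is clearly a typo.
    """
    kind, value = entry.get("type"), str(entry.get("value") or "")
    if kind == "ipAddress":
        return ipaddress.ip_network(value)               # single host: /32 or /128
    if kind == "ipRange":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"ipRange {value!r} is not an ascending range")
        return (lo, hi)
    if kind == "subnet":
        return ipaddress.ip_network(value, strict=True)  # host bits set -> error
    if kind == "vpc":
        if not VPC_CRN_RE.match(value):
            raise ValueError(f"vpc value {value!r} is not a VPC CRN")
        return value
    raise ValueError(f"unsupported address type {kind!r}")


def covers(allowed, ip):
    """True if a parsed allowed entry contains the single address ip."""
    if isinstance(allowed, tuple):
        lo, hi = allowed
        return lo.version == ip.version and lo <= ip <= hi
    if isinstance(allowed, str):      # a VPC reference carries no addresses
        return False
    return ip in allowed


def endpoints(parsed):
    """First and last address of a parsed IP entry."""
    return parsed if isinstance(parsed, tuple) else (parsed[0], parsed[-1])


def validate_zone(body):
    """Return a list of problems; an empty list means the body is safe to send."""
    problems = []
    if not body.get("name"):
        problems.append("name is required")
    if not ACCOUNT_ID_RE.match(body.get("account_id", "")):
        problems.append("account_id must be the 32-hex-digit account ID")
    if not body.get("addresses"):
        problems.append("addresses must contain at least one entry")
    allowed = []
    for entry in body.get("addresses", []):
        try:
            allowed.append(parse_entry(entry))
        except ValueError as exc:
            problems.append(f"addresses: {exc}")
    for entry in body.get("excluded", []):
        if entry.get("type") not in IP_TYPES:
            problems.append(f"excluded: only {IP_TYPES} may be excluded")
            continue
        try:
            lo, hi = endpoints(parse_entry(entry))
        except ValueError as exc:
            problems.append(f"excluded: {exc}")
            continue
        # An exclusion that is not inside any allowed address has no effect.
        if not all(any(covers(a, ip) for a in allowed) for ip in (lo, hi)):
            problems.append(f"excluded: {entry['value']} is outside every "
                            "allowed address, so it has no effect")
    return problems


if __name__ == "__main__":
    print(validate_zone(EXAMPLE_ZONE) or "zone body is valid")
```

Run `validate_zone` on the body you intend to POST and refuse to send if it returns anything; the checks are local, so they do not need an IAM token or network access.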

Create Network Zones using the CBR UI

With the prerequisites and requirements in place, you can follow the steps to create zones in the UI.

Instead of creating a zone by using UI inputs, you can use the JSON code form to directly enter JSON to create a zone by clicking Enter as JSON code.

After creating zones, you can also update and delete them.

About Network Rules

After you have created your zones, you can attach the zones to your networked resources by creating rules.

When you add a context to a rule, you can also limit it to the endpoint types (for example, public or private) that fit your network topology, in addition to the network zone.

Create Network Rules using the CBR API

The API also supports defining network rules. For the next steps, you need the ID of the zone you created, which is returned in the response to the zone creation request.

Using the path "/v1/rules" on the same endpoint as above, a GET request lists the current rules. A POST request to the same path creates a new rule; use the following example as a guide for your own payload:

{
  "description": "this is an example of a rule",
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "12ab34cd56ef78ab90cd12ef34ab56cd"
        },
        {
          "name": "serviceName",
          "value": "kms"
        }
      ]
    }
  ],
  "contexts": [
    {
      "attributes": [
        {
          "name": "networkZoneId",
          "value": "65810ac762004f22ac19f8f8edf70a34"
        }
      ]
    }
  ]
}

After creating rules, you can also update and delete them.
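The following is an added example, not IBM's code, of building the rule body shown above and sending it with an IAM bearer token over the public or private CBR endpoint. `build_rule` produces the `/v1/rules` body for Key Protect (`serviceName` `kms`) in one account, tied to one zone; it can optionally narrow the rule to a single instance with the `serviceInstance` resource attribute and to one endpoint type with the `endpointType` context attribute. Those two attribute names are standard CBR attributes that this page does not show and are assumptions here, as is the IAM token exchange at `https://iam.cloud.ibm.com/identity/token`. Nothing is sent unless `IBMCLOUD_API_KEY` is set in the environment.

```python
"""Create a CBR rule that ties Key Protect resources to a network zone (added example)."""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
CBR_ENDPOINTS = {
    "public": "https://cbr.cloud.ibm.com",
    "private": "https://private.cbr.cloud.ibm.com",
}
ZONE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def build_rule(account_id, zone_id, service_name="kms", instance_id=None,
               endpoint_type=None, description="restrict Key Protect to zone"):
    """Return the request body for POST /v1/rules.

    The rule covers every resource of `service_name` in the account (or one
    instance if `instance_id` is given) and allows requests only from
    `zone_id`, optionally only over the given endpoint type.
    """
    if not ZONE_ID_RE.match(zone_id):
        raise ValueError(f"{zone_id!r} is not a zone ID "
                         "(expect the 32-hex-digit id returned by POST /v1/zones)")
    resource_attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": service_name},
    ]
    if instance_id:
        # Assumed CBR attribute name; narrows the rule to one Key Protect instance.
        resource_attrs.append({"name": "serviceInstance", "value": instance_id})
    context_attrs = [{"name": "networkZoneId", "value": zone_id}]
    if endpoint_type:
        # Assumed CBR attribute name; allows only this endpoint type ("public"/"private").
        context_attrs.append({"name": "endpointType", "value": endpoint_type})
    return {
        "description": description,
        "resources": [{"attributes": resource_attrs}],
        "contexts": [{"attributes": context_attrs}],
    }


def iam_token(api_key):
    """Exchange an IBM Cloud API key for a short-lived IAM bearer token (assumed flow)."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    }).encode()
    req = urllib.request.Request(IAM_TOKEN_URL, data=data, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def cbr_request(method, path, token, body=None, endpoint="public"):
    """Call the CBR API on the chosen endpoint; return (status, parsed JSON)."""
    url = CBR_ENDPOINTS[endpoint] + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # surface the CBR error body, not a traceback
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    # Placeholder IDs match the example bodies on this page; override via environment.
    rule = build_rule(os.environ.get("ACCOUNT_ID", "12ab34cd56ef78ab90cd12ef34ab56cd"),
                      os.environ.get("ZONE_ID", "65810ac762004f22ac19f8f8edf70a34"),
                      endpoint_type="private")
    print(json.dumps(rule, indent=2))
    api_key = os.environ.get("IBMCLOUD_API_KEY")
    if api_key:
        status, created = cbr_request("POST", "/v1/rules", iam_token(api_key), rule)
        print(status, created.get("id") or created)
```

Use the same `cbr_request` helper with `"GET"` and `"/v1/rules"` to confirm the rule exists, and remember that the rule may take a few minutes to take effect after the POST returns.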

Create Network Rules using the CBR UI

Follow the steps to add resources and contexts to your network rule(s), but keep in mind some limitations.

When you create context-based restriction for the IAM Access Groups service, users who don't satisfy the rule will not be able to view any groups in the account, including the public access group.

Unlike IAM policies, context-based restrictions don't grant access. A request must still be authorized by IAM; context-based restrictions additionally check that it originates from an allowed context that you configure. Also, rules may not take effect immediately because of synchronization and resource availability.

After creating rules, you can also update and delete them.

Next steps

After the appropriate rules are in place, requests to your Key Protect resources that originate outside the defined zones are rejected with HTTP error 401.

After you create or modify any zone or rule, test from both inside and outside the zone to confirm that legitimate clients keep their access and that requests from outside the zones are rejected, so that a misconfigured rule does not lock your own applications out of their keys.