Using groups to control data access

You can configure, control, and manage data that is available to users in your IBM Cloud® account by configuring groups in the logging instance.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

A group consists of users who are authorized to access a specific subset of the data.

Before you begin

Before configuring and using groups, you need to understand the following requirements and limitations.

Users require specific IBM Cloud® Identity and Access Management permissions to work with groups and group members.

Table 1. Roles required for groups

Role                                                           Permissions
-------------------------------------------------------------  ------------------------------------------------------------
Account management role                                        Required to invite users, access groups, and define policies
Administrator platform role                                    Required to manage the service
Manager service role                                           Required to manage groups
Platform role viewer, service role reader, or standard member  Required to launch the logging instance

User roles defining permissions and access to manage auditing events are defined in IBM Cloud® Identity and Access Management.

You can map Cloud Identity and Access Management access groups to service groups. Consider the following information:

  • You must name your service groups with the same name as your access groups. Users who belong to an access group are granted access to manage data in the service group of the same name.
  • You must define a policy per service group, where the group that you specify matches the access group name.
  • You must define the scope of the data that each service group can manage when you define the service group through the web UI.

Configuring default access settings

Complete the following steps to define the default settings for viewing data:

  1. Log in to your IBM Cloud account.

    Click Log in to IBM Cloud to sign in.

    After you log in with your user ID and password, the IBM Cloud console opens.

  2. Select your account.

  3. Click the Menu icon > Observability.

  4. Click Logging.

  5. For your instance, click Open dashboard. The web UI opens.

  6. Click the Settings icon > Organization > Security.

  7. Set Access Control to your desired default setting:

    • ON allows all users to see the auditing data even if they are not part of a group.
    • OFF requires users to be a member of a service group that is associated with the logging instance to see events.

    Setting Access Control to OFF prevents users who are not defined to a service group from seeing auditing events.

Defining service groups

You can define one or more groups, also known as teams, to limit the set of data that the users in each group can view and analyze. You configure the scope of data visible to users in a service group by using an access scope. Remember, user permissions to manage data are defined in IBM Cloud® Identity and Access Management; the access scope only restricts which data is visible.

You can edit a group to change the access scope as needed.

  1. Log in to your IBM Cloud account.

    Click Log in to IBM Cloud to sign in.

    After you log in with your user ID and password, the IBM Cloud console opens.

  2. Select your account.

  3. Click the Menu icon > Observability.

  4. Select Logging.

  5. For your instance, click Open dashboard. The web UI opens.

  6. Click Settings > Organization > Groups.

  7. Click Add Group.

  8. Enter a Group Name for your group.

    Consider a naming convention similar to your Cloud Identity and Access Management access groups for ease of management.

  9. Specify the Access Scope.

    The access scope is defined as a search query on a field of the log line. The following table shows the supported query forms and how each one matches.

Table 2. Example access scope search queries

Example Query             Behavior                            Example Matches
------------------------  ----------------------------------  ------------------------------------------------
level:error               Case-insensitive prefix match       Error, error, errors
level:=error              Case-sensitive prefix match         error, errors
level:==error             Case-insensitive exact term match   error, Error
level:===error            Case-sensitive exact term match     error
level:[warning,error]     Case-insensitive list of prefixes   warning, Warning, Warnings, error, ERROR, errors
level:===[warning,error]  Case-sensitive list of prefixes     warning, error
level:*                   Matches if the field exists         All lines containing the field level

For example, if you have two apps (myapp and myapp1), then a service group with an access scope of app:myapp will allow access to data from both apps. If the access scope is app:===myapp, then users in the group will only be able to access data from the myapp app.

If you want to create a group of administrators with access to all data, specify host:* for the Access Scope.
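The following added example models the access-scope matching rules from Table 2 in Python so that you can check, before saving a group, which records a given scope would expose. It is not IBM's implementation; the matcher is an approximation of the documented semantics, and the sample records are constructed for illustration.

```python
import re

# Constructed sample log records (not real IBM Cloud data).
SAMPLE_RECORDS = [
    {"app": "myapp",  "level": "error",   "host": "web-1"},
    {"app": "myapp1", "level": "Errors",  "host": "web-2"},
    {"app": "other",  "level": "warning", "host": "db-1"},
    {"app": "myapp",  "host": "web-3"},            # record without a "level" field
]

# field, then zero to three '=' characters, then the value or [list] or *
_SCOPE_RE = re.compile(r"^(\w+):(={0,3})(.+)$")


def parse_scope(scope: str):
    """Split 'field:OPvalue' into (field, operator, [values])."""
    m = _SCOPE_RE.match(scope.strip())
    if not m:
        raise ValueError(f"unsupported access scope: {scope!r}")
    field, op, raw = m.groups()
    if raw.startswith("[") and raw.endswith("]"):
        values = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
    else:
        values = [raw.strip()]
    return field, op, values


def matches(scope: str, record: dict) -> bool:
    """Model of the documented rules (an assumption, not IBM's code):
    ':' case-insensitive prefix, ':=' case-sensitive prefix,
    ':==' case-insensitive exact term, ':===' case-sensitive exact term,
    and '*' matches whenever the field exists."""
    field, op, values = parse_scope(scope)
    if field not in record:
        return False                     # missing field never matches
    if values == ["*"]:
        return True
    case_sensitive = op in ("=", "===")
    exact = op in ("==", "===")
    actual = str(record[field])
    a = actual if case_sensitive else actual.lower()
    for v in values:
        v = v if case_sensitive else v.lower()
        if (a == v) if exact else a.startswith(v):
            return True
    return False


def visible_apps(scope: str, records=SAMPLE_RECORDS) -> list:
    """Apps whose records a group with this access scope could see."""
    return sorted({r["app"] for r in records if matches(scope, r)})
```

Running `visible_apps("app:myapp")` shows the prefix form exposing both myapp and myapp1, while `visible_apps("app:===myapp")` returns only myapp, which is the difference the text above describes.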

Editing or deleting service groups

Complete the following steps to edit or delete a service group:

  1. Log in to your IBM Cloud account.

    Click Log in to IBM Cloud to sign in.

    After you log in with your user ID and password, the IBM Cloud console opens.

  2. Select your account.

  3. Click the Menu icon > Observability.

  4. Click Logging.

  5. For your instance, click Open dashboard. The web UI opens.

  6. Click Settings > Organization > Groups.

  7. Click Edit or Delete to change or remove the group.