Using groups to control data access
You can configure, control, and manage data that is available to users in your IBM Cloud® account by configuring groups in the logging instance.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
A group consists of users who are authorized to access a specific set of data.
Before you begin
Before configuring and using groups, you need to understand the following requirements and limitations.
Users require specific IBM Cloud® Identity and Access Management permissions to work with groups and group members.
| Role | Permissions |
|---|---|
| Account management role | Required to invite users, access groups, and define policies |
| Administrator platform role | Required to manage the service |
| Manager service role | Required to manage groups |
| Platform role viewer, service role reader, or standard member | Required to launch the logging instance |
The user roles that define permissions and access for managing auditing events are defined in IBM Cloud® Identity and Access Management.
You can map Cloud Identity and Access Management access groups to service groups. Consider the following information:
- You must name your service groups with the same name as your access groups. Users that belong to an access group are granted access to manage data in the service group.
- You must define a policy per service group, where the group that you specify matches the access group name.
- You must define the scope of the data that each service group can manage when you define the service group through the web UI.
Configuring default access settings
Complete the following steps to define the default settings for viewing data:
- Log in to your IBM Cloud account. Click Log in to IBM Cloud to sign in to the IBM Cloud. After you log in with your user ID and password, the IBM Cloud console opens.
- Select your account.
- Click the Menu icon > Observability.
- Click Logging.
- For your instance, click Open dashboard. The UI will be displayed.
- Click the Settings icon > TEAM > Settings.
- Set Access Control to your desired default setting:
  - ON allows all users to see the auditing data even if they are not part of a group.
  - OFF requires users to be a member of a service group that is associated with the logging instance to see events.
Setting Access Control to OFF prevents users who are not defined to a service group from seeing auditing events.
Defining service groups
You can define one or more groups, also known as teams, to limit the set of data that the users in each group can view and analyze. You configure the scope of data visible to users in a service group by using an access scope. Remember, user permissions to manage data are defined in IBM Cloud® Identity and Access Management.
You can edit a group to change the access scope as needed.
- Log in to your IBM Cloud account. Click Log in to IBM Cloud to sign in to the IBM Cloud. After you log in with your user ID and password, the IBM Cloud console opens.
- Select your account.
- Click the Menu icon > Observability.
- Select Logging.
- For your instance, click Open dashboard. The UI will be displayed.
- Click the Settings icon > TEAM > Groups.
- Click Add Group.
- Enter a Group Name for your group. Consider a naming convention similar to your Cloud Identity and Access Management access groups for ease of management.
- Specify the Access Scope. The access scope is defined as a search query. The query uses one of the following formats:
| Example Query | Behavior | Example Matches |
|---|---|---|
| level:error | Case-insensitive prefix match | Error, error, errors |
| level:=error | Case-sensitive prefix match | error, errors |
| level:==error | Case-insensitive exact term match | error, Error |
| level:===error | Case-sensitive exact term match | error |
| level:[warning,error] | Case-insensitive list of prefixes | warning, Warning, Warnings, error, ERROR, errors |
| level:===[warning,error] | Case-sensitive list of prefixes | warning, error |
| level:* | Matches if the field exists | All lines containing the field level |
For example, if you have two apps (myapp and myapp1), then a service group with an access scope of app:myapp will allow access to data from both apps, because the default operator is a prefix match. If the access scope is app:===myapp, then users in the group will only be able to access data from the myapp app.

If you want to create a group of administrators with access to all data, specify host:* for the Access Scope.
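The access-scope operators in the table above, modelled in Python as an added example (this is not IBM code and does not claim to be how the service evaluates scopes internally): a parser for the `field:<operator>value` form, a matcher that applies a parsed scope to log records, and a check of the myapp / myapp1 case. The record layout, the sample records, and the reading of "prefix match" as a string prefix on the whole field value are assumptions made for the example.

```python
"""Model of IBM Log Analysis access-scope matching (example only, not IBM code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# operator -> (exact match?, case sensitive?) as documented in the scope table
_OPERATORS = {
    "===": (True, True),
    "==": (True, False),
    "=": (False, True),
    "": (False, False),
}


@dataclass(frozen=True)
class AccessScope:
    field: str
    values: Tuple[str, ...]   # empty when wildcard is set
    exact: bool
    case_sensitive: bool
    wildcard: bool = False    # field:* -> visible whenever the field exists


def parse_scope(query: str) -> AccessScope:
    """Parse 'field:<op>term', 'field:<op>[a,b]' or 'field:*' into an AccessScope."""
    field, sep, rest = query.partition(":")
    if not sep or not field or not rest:
        raise ValueError(f"malformed access scope: {query!r}")
    op = ""
    for candidate in ("===", "==", "="):   # longest operator first
        if rest.startswith(candidate):
            op = candidate
            rest = rest[len(candidate):]
            break
    exact, case_sensitive = _OPERATORS[op]
    if rest == "*":
        return AccessScope(field, (), exact, case_sensitive, wildcard=True)
    if rest.startswith("[") and rest.endswith("]"):
        values = tuple(v.strip() for v in rest[1:-1].split(",") if v.strip())
    else:
        values = (rest,)
    if not values:
        raise ValueError(f"access scope has no terms: {query!r}")
    return AccessScope(field, values, exact, case_sensitive)


def _term_matches(actual: str, term: str, exact: bool, case_sensitive: bool) -> bool:
    a, t = (actual, term) if case_sensitive else (actual.lower(), term.lower())
    return a == t if exact else a.startswith(t)


def record_visible(scope: AccessScope, record: Dict[str, str]) -> bool:
    """A record without the scoped field is never visible (assumption)."""
    if scope.field not in record:
        return False
    if scope.wildcard:
        return True
    actual = str(record[scope.field])
    return any(_term_matches(actual, t, scope.exact, scope.case_sensitive)
               for t in scope.values)


def visible_records(query: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    scope = parse_scope(query)
    return [r for r in records if record_visible(scope, r)]


# Constructed sample records; the field names are assumptions for this example.
SAMPLE_RECORDS = [
    {"host": "web-1", "app": "myapp", "level": "error", "line": "db timeout"},
    {"host": "web-2", "app": "myapp1", "level": "Error", "line": "cache miss"},
    {"host": "web-3", "app": "billing", "level": "warning", "line": "retrying"},
    {"host": "web-4", "app": "billing", "level": "info", "line": "ok"},
    {"host": "batch-1", "level": "errors", "line": "record without an app field"},
]


def apps_visible(query: str) -> List[str]:
    """App names a group with this scope can see, in record order."""
    return [r.get("app", "<none>") for r in visible_records(query, SAMPLE_RECORDS)]


if __name__ == "__main__":
    for q in ("app:myapp", "app:===myapp", "host:*", "level:[warning,error]"):
        print(f"{q:24} -> {apps_visible(q)}")
```

Running the block prints that `app:myapp` exposes both myapp and myapp1, while `app:===myapp` exposes only myapp; when a scope is meant to fence one application, the `===` operator is the one to use.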
Editing or deleting service groups
Complete the following steps to edit or delete a service group:
- Log in to your IBM Cloud account. Click Log in to IBM Cloud to sign in to the IBM Cloud. After you log in with your user ID and password, the IBM Cloud console opens.
- Select your account.
- Click the Menu icon > Observability.
- Click Logging.
- For your instance, click Open dashboard. The UI will be displayed.
- Click the Settings icon > TEAM > Groups.
- Click Edit or Delete to change or remove the group.