IBM Cloud Docs
Managing access with IAM

Managing access with IAM

IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

Every user that accesses the IBM Log Analysis service in your account must be assigned an access policy with an IAM user role defined. The policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels. Some of the options include the following:

  • Access to all IAM-enabled services in your account
  • Access across all instances of the service in a single region in your account
  • Access to an individual service instance in your account
  • Access to all instances of the service within the context of a resource group
  • Access to all instances of the service in a single region within the context of a resource group
  • Access to all IAM-enabled services within the context of a resource group

Roles define the actions that a user or serviceID can run. There are different types of roles in the IBM Cloud:

  • Platform management roles enable users to perform tasks on service resources at the platform level, for example assign user access for the service, create or delete service IDs, create instances, assign policies for your service to other users, and bind instances to applications.
  • Service access roles enable users to be assigned varying levels of permission for calling the service's API.

To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID.

Managing access by using access groups

To manage access or assign new access for users by using access groups, you must be the account owner, administrator or editor on all Identity and Access enabled services in the account, or the assigned administrator or editor for the IAM Access Groups Service.

Choose any of the following actions to manage access groups in the IBM Cloud:

Managing access by assigning policies directly to users

To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.

Choose any of the following actions to manage IAM policies in the IBM Cloud:

Managing access through trusted profiles

Trusted profiles are supported.

IBM Cloud platform roles

Use the following table to identify the platform role that you can grant a user in the IBM Cloud to run any of the following platform actions:

Table 1. IAM user platform roles and actions
Platform actions Administrator Editor Operator Viewer
Grant other account members access to work with the service Check mark icon
View the ingestion key in the IBM Cloud console Check mark icon Check mark icon
Provision a service instance Check mark icon Check mark icon
Delete a service instance Check mark icon Check mark icon
Update a service instance Check mark icon Check mark icon
Create a service ID Check mark icon Check mark icon
View details of a service instance Check mark icon Check mark icon Check mark icon Check mark icon
View service instances in the Observability Logging dashboard Check mark icon Check mark icon Check mark icon Check mark icon

IBM Cloud service roles

Use the following table to identify the service roles that you can grant a user to run any of the following service actions:

Table 2. IAM service roles and actions
Actions Manager Standard-Member Reader
Configure global settings Check mark icon
Manage groups Check mark icon
Create and delete ingestion keys Check mark icon
Create and delete service keys Check mark icon
Add logging log sources Check mark icon
Configure archiving Check mark icon
Manage parsing Check mark icon
Define exclusion rules Check mark icon
Create and delete categories Check mark icon
Manage how views and dashboards are grouped in categories Check mark icon
Export the configuration of views, alerts, dashboards, and templates Check mark icon
Export log data Check mark icon Check mark icon
View ingestion keys Check mark icon
View service keys Check mark icon Check mark icon
Configure alerts Check mark icon Check mark icon
View usage Check mark icon Check mark icon
Create views Check mark icon Check mark icon
Create dashboards Check mark icon Check mark icon
Create screens Check mark icon Check mark icon
Configure user preferences in the logging web UI Check mark icon Check mark icon Check mark icon
Filter and search data Check mark icon Check mark icon Check mark icon
Use views to monitor logs Check mark icon Check mark icon Check mark icon
Use dashboards to monitor logs Check mark icon Check mark icon Check mark icon
Use screens to monitor logs Check mark icon Check mark icon Check mark icon

The manager service role maps directly to the logging admin role.

IAM actions

The following table identifies the IAM actions that are assigned to the platform and service roles for the IBM Log Analysis service:

Table 3. IAM actions assigned to platform and service roles
Role type Role IAM actions
Platform administrator logdna.dashboard.view
logdna.dashboard.manage
Service manager logdna.dashboard.view
logdna.dashboard.manage
Service writer logdna.dashboard.view
logdna.dashboard.member
Service reader logdna.dashboard.view
logdna.dashboard.read

How do I know which access policies are set for me?

You can see which access policies are set for you in the IBM Cloud UI console.

  1. Go to Access IAM users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.
  4. Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.