IBM Cloud Docs
Managing access for flow logs

Access to IBM Cloud® Flow Logs service instances for users in your account is controlled by IBM Cloud® Identity and Access Management (IAM). Every user who accesses the Flow Logs service in your account must be assigned an access policy that defines an IAM role. The policy determines the actions that a user can take within the context of the service or instance that you select. The allowable actions are defined by the IBM Cloud service as the operations that can be run on the service, and those actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels. The following are some of the included options:

  • Access across all instances of the service in your account
  • Access to an individual service instance in your account

After you define the scope of the access policy, you assign a role, which determines the user's level of access. Review the following tables that outline the actions that each role allows within the Flow Logs service.

The following table details actions that are mapped to platform management roles. Platform management roles enable users to complete tasks on service resources at the platform level, for example, assign user access for the service and create or delete instances.

For more information about IAM roles, see Getting Started with IAM.

Table 1. IAM user roles and actions

| Platform management role | Description of actions |
|---|---|
| Administrator | Read, operate, update, create, delete, and list flow log collectors |
| Editor | Read, operate, update, create, delete, and list flow log collectors |
| Operator | Operate and list flow log collectors |
| Viewer | Read flow log collectors |

For more information about assigning user roles in the console, see Managing access to resources.

Only one operator role is needed, as determined by the scope of your flow log collector.

In addition, you require the following roles on resources that are not specific to IBM Cloud Flow Logs.

Table 2. Additional IAM user roles and actions

| Role | Description of actions |
|---|---|
| Writer on Object Storage bucket | Create flow log collector |
| Operator on Subnet | Create flow log collector with Subnet scope |
| Operator on VPC | Create flow log collector with VPC scope |
| Operator on virtual server instance | Create flow log collector with Instance or Interface scope |

The roles in the following table are required only when the collector's target scope or Object Storage bucket is being changed.

Table 3. IAM roles needed only if the target scope is being changed

| Role | When needed |
|---|---|
| Writer on Object Storage bucket | Change Object Storage bucket |
| Operator on Subnet | Change to Subnet scope |
| Operator on VPC | Change to VPC scope |
| Operator on virtual server instance | Change to Instance or Interface scope |
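
As an added example (not part of this documentation or of any IBM tooling), the following pre-flight check encodes Tables 1 to 3 so that you can confirm a principal holds exactly the roles a create or re-target operation needs before granting anything broader. The `Policy` record, the resource-type names, and the sample policy set are constructed for illustration and are not IAM's own representation.

```python
from dataclasses import dataclass

# Table 1: platform management role on the Flow Logs service -> allowed actions
FLOW_LOG_ROLE_ACTIONS = {
    "Administrator": {"read", "operate", "update", "create", "delete", "list"},
    "Editor": {"read", "operate", "update", "create", "delete", "list"},
    "Operator": {"operate", "list"},
    "Viewer": {"read"},
}
# Tables 2 and 3: collector scope -> (resource type, role needed on that resource)
SCOPE_ROLE = {
    "subnet": ("subnet", "Operator"),
    "vpc": ("vpc", "Operator"),
    "instance": ("virtual-server-instance", "Operator"),
    "interface": ("virtual-server-instance", "Operator"),
}

@dataclass(frozen=True)
class Policy:  # constructed representation, not IAM's own policy format
    role: str
    resource_type: str  # "flow-logs", "bucket", "subnet", "vpc", "virtual-server-instance"
    resource: str = "*"  # "*" = all resources of that type in the account

def _has(policies, role, rtype, resource):
    return any(p.role == role and p.resource_type == rtype
               and p.resource in ("*", resource) for p in policies)

def _flow_logs_action_allowed(policies, action):
    return any(p.resource_type == "flow-logs"
               and action in FLOW_LOG_ROLE_ACTIONS.get(p.role, set()) for p in policies)

def missing_roles_to_create(policies, scope, target, bucket):
    """Roles still missing to create a collector with the given scope (Tables 1 and 2)."""
    missing = []
    if not _flow_logs_action_allowed(policies, "create"):
        missing.append("Administrator or Editor on Flow Logs")
    if not _has(policies, "Writer", "bucket", bucket):
        missing.append(f"Writer on bucket {bucket}")
    rtype, role = SCOPE_ROLE[scope]
    if not _has(policies, role, rtype, target):
        missing.append(f"{role} on {rtype} {target}")
    return missing

def missing_roles_to_retarget(policies, new_scope=None, new_target=None, new_bucket=None):
    """Roles missing to change a collector's target or bucket (Table 3); only the part being changed needs one."""
    missing = []
    if new_bucket is not None and not _has(policies, "Writer", "bucket", new_bucket):
        missing.append(f"Writer on bucket {new_bucket}")
    if new_scope is not None:
        rtype, role = SCOPE_ROLE[new_scope]
        if not _has(policies, role, rtype, new_target):
            missing.append(f"{role} on {rtype} {new_target}")
    return missing

# Constructed sample: a least-privilege set for one VPC-scoped collector
SAMPLE = (Policy("Editor", "flow-logs"), Policy("Writer", "bucket", "flowlogs-bucket"),
          Policy("Operator", "vpc", "vpc-1"))
```

Running `missing_roles_to_create(SAMPLE, "subnet", "subnet-1", "flowlogs-bucket")` shows why a VPC-scoped grant does not carry over to a Subnet-scoped collector: only the Operator role on that subnet is reported as missing.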

Each aggregator creates a separate stream of data to Object Storage. Since you can create a flow log collector that associates data that is captured from multiple interface IDs with a single Object Storage bucket, each bucket needs a folder structure for holding data.