Controlling Access
Controlling Access with IBM Cloud IAM: configuring user, group and application permissions for Event Logs
Granting Access
IBM Cloud Identity and Access Management (IAM) lets you securely authenticate users and consistently control their access to all IBM Cloud resources.
Maintaining an audit trail of event log activity helps identify configuration errors and supports analysis of compromises that may have occurred. Event logs may disclose sensitive information, or be open to tampering, if the proper permissions are not applied. Controlling access to event log data is therefore critical to protecting the evidence of a breach or compromise.
- How to create an Access Group
- Creating an Access Group using CLI
- Setting up Access Group Permissions
- Adding users to the access group
- Adding a Service Account to the access group
- Granting permissions for event logs
How to create an Access Group
The first step is to create an access group. Perform the following steps to complete this task:
- On the IBM Cloud dashboard, click Manage at the top, choose Access (IAM), and select Access Groups, as shown below
- Click Create
- Enter a name and optional description for your group, and click Create.
The new IAM access group has now been created, as in the view below.
Creating an Access Group using CLI
To create an access group by using the CLI, you can use the ibmcloud iam access-group-create command.
ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]
To create an access group policy by using the CLI, you can use the ibmcloud iam access-group-policy-create command.
ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}
Setting up Access Group Permissions
Now that we have set up a new access group, let's add permissions for viewing event logs. You can assign the policy by using the UI or the command line.
When you define the policy, you need to select a platform role and a service role.
For users to manage Activity Tracker with LogDNA, the following roles must be assigned: Platform role: Viewer and Service role: Reader. For more on managing access for IBM Cloud Activity Tracker with LogDNA, see Learn More.
To assign a policy to an access group through the UI, complete the following:
- Select the access group, as shown below.
- Click the Assign access tab, shown in the screenshot below.
- The Assign your Access group additional permissions page opens, as seen in the screenshot below.
- Grant permissions (we need to provide permissions to our access group).
Option one: grant permission on the service
- Select Assign access to resources.
- Select IBM Cloud Activity Tracker with LogDNA.
- Select Resource Group
- Select All current regions.
- Select All current service instances.
- Select the platform role Viewer.
- Select the service role Reader.
Screenshot of assigning permissions to the access group shown below.
Review your Access summary choices, shown to the right in the screenshot below.
Click Assign.
Screenshot below shows the assigned roles granted.
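The commands from the Creating an Access Group using CLI section above and the Viewer/Reader permissions assigned in this section, combined into one script as an added example (not part of the original page and not IBM's own tooling): it creates the group, writes the policy file that the -f form of access-group-policy-create accepts, refuses a viewer policy that carries any write role, and adds the members. The service names logdnaat (Activity Tracker with LogDNA) and logdna (Log Analysis with LogDNA), the role CRN forms, the policy-file layout and the access-group-service-id-add subcommand are assumptions to verify against the CLI reference and `ibmcloud iam roles`; the group name, resource group ID and user in the sample invocation are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: provision an IAM access group for
# event-log access with the ibmcloud CLI, using the -f (policy file) form of
# access-group-policy-create instead of the UI.
# Assumptions to verify in your account before use:
#   - service names "logdnaat" (Activity Tracker with LogDNA) and
#     "logdna" (Log Analysis with LogDNA);
#   - the role CRN forms below (check `ibmcloud iam roles --service logdnaat`);
#   - the policy-file layout accepted by -f (check the CLI reference).
# Set DRY_RUN=1 to print the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1, so a change can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write a policy file: one platform role and one service role, scoped to a
# service and a resource group. No region or instance attribute is added, which
# matches the page's "all current regions / all current service instances" choice.
write_policy() {
    file="$1"; service="$2"; platform_role="$3"; service_role="$4"; rg_id="$5"
    cat > "$file" <<EOF
{
  "type": "access",
  "roles": [
    {"role_id": "crn:v1:bluemix:public:iam::::role:$platform_role"},
    {"role_id": "crn:v1:bluemix:public:$service::::serviceRole:$service_role"}
  ],
  "resources": [{"attributes": [
    {"name": "serviceName", "value": "$service"},
    {"name": "resourceGroupId", "value": "$rg_id"}
  ]}]
}
EOF
}

# Guard for log-viewer groups: succeed only if the policy file grants no role
# that could change or delete log configuration or data.
policy_is_read_only() {
    ! grep -Eq 'role:(Editor|Operator|Administrator)|serviceRole:(Manager|Writer)' "$1"
}

# Create the group, attach the policy from a temporary file, then add users.
# Usage: create_group_with_policy GROUP DESCRIPTION SERVICE PLATFORM_ROLE SERVICE_ROLE RG_ID [USER...]
create_group_with_policy() {
    group="$1"; desc="$2"; service="$3"; prole="$4"; srole="$5"; rg_id="$6"; shift 6
    policy=$(mktemp)
    write_policy "$policy" "$service" "$prole" "$srole" "$rg_id"
    run ibmcloud iam access-group-create "$group" -d "$desc"
    run ibmcloud iam access-group-policy-create "$group" -f "@$policy"
    for user in "$@"; do
        run ibmcloud iam access-group-user-add "$group" "$user"
    done
    rm -f "$policy"
}

# Read-only viewers of Activity Tracker events: platform Viewer + service Reader,
# as on the page. Stops if the generated policy is not read-only.
create_log_viewer_group() {
    group="$1"; rg_id="$2"; shift 2
    check=$(mktemp)
    write_policy "$check" logdnaat Viewer Reader "$rg_id"
    if ! policy_is_read_only "$check"; then
        rm -f "$check"; echo "refusing: viewer policy grants write access" >&2; return 1
    fi
    rm -f "$check"
    create_group_with_policy "$group" "Read-only access to event logs" logdnaat Viewer Reader "$rg_id" "$@"
}

# Service IDs join a group with a separate subcommand (assumed name; see `ibmcloud iam help`).
add_service_id() {
    run ibmcloud iam access-group-service-id-add "$1" "$2"
}

# Sample invocation with constructed placeholders; review with DRY_RUN=1 first:
# DRY_RUN=1 create_log_viewer_group log-viewers RESOURCE_GROUP_ID_PLACEHOLDER analyst@example.com
```

Run it once with DRY_RUN=1 and keep the printed commands with the change request; the read-only guard is the point of the script, since a group that exists only to view event logs should never end up with Manager or Editor, which would let a member alter or delete the very evidence the logs are meant to preserve.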
Adding users to the access group
Perform the following actions:
- From the menu bar, click Manage > Access (IAM), and select Access Groups.
- Select the name of the group that you want to assign access to.
- Click Add users on the Users tab.
Select the Add users tab, shown below.
A list of users appears; select the user(s) you want to add from the list, and click Add users.
The user was successfully added to the access group, as shown below.
Adding a Service Account to the access group
Follow the steps below.
- From the menu bar, click Manage > Access (IAM), and select Access Groups.
- Select the name of the group that you want to assign access to.
- Click the Service IDs tab, and click Add service ID.
Service IDs tab, shown in the screenshot below.
A list of Service IDs appears; select the IDs you want to add and click Add service ID.
Screenshot below showing a Service ID successfully added to the access group.
Granting permissions for event logs
Granting permissions to manage logs and configure alerts
As an admin user in LogDNA, you must have permissions to run the following actions:
- Add LogDNA log sources
- View logs
- Search logs
- Filter logs
- Configure alerts
For more information, see Granting permissions to manage logs and configure alerts
From the IBM Cloud menu bar, click Manage > Access (IAM), select Users, and click the user account you want to manage, similar to the screen shown below.
Next, choose the Access policies tab, similar to the screenshot below.
Click on the Assign access button, similar to the page shown below.
You’re then taken to the Assign access page for the user, similar to the screen shown below.
In the drop-down menu for What type of access do you want to assign, choose IBM Log Analysis with LogDNA. Next, choose your resource group or All resource groups (depending on your requirements). Select the platform role Editor, select the service role Manager, and click Add, similar to the screen shown below.
Notice the Access Summary on the right; when you're satisfied with the access configured, click Assign, similar to the screen shown below.
The user has now been granted the Editor and Manager roles for IBM Cloud Log Analysis with LogDNA, similar to the screen shown below.
Repeat the steps above to assign other roles for IBM Cloud Log Analysis with LogDNA to have access to Event logs.