January 20, 2020 By Josh Mintz 3 min read

IBM Cloudant now supports deeper visibility and control for auditing events and access control in the IBM Cloud. 

These features will allow customers to more easily set up fine-grained access policies to their database across their organization. You will also be able to alert on, or retrospectively review, users’ access to their Cloudant instances. These features and capabilities are only available to Cloudant instances using the Resource Group organizational framework. If you are still using Cloud Foundry Organizations and Spaces, follow these directions to upgrade.

Advancements in Identity and Access Management roles (IAM)

Cloudant now supports Reader, Writer, Monitor, and Checkpointer roles (alongside Manager). These roles are useful for organizations that need to restrict access to the Cloudant database amongst team members or microservices. The information below describes the various roles and provides an example of how they might be employed. 

Manager

  • Description: Includes the ability to access all endpoints and perform all administrative functions on an instance, such as creating databases, changing capacity, reading and writing data and indexes, and accessing the Dashboard.
  • Example use: A database administrator or full stack engineer may use this role to have full control during normal operations to respond to increased load, manage performance, or tune indexes.

Writer

  • Description: Includes the ability to read and write to all databases and documents, but does not allow the user to create indexes.
  • Example use: An application developer might use this role to work with documents and databases, but they will not be able to create or update indexes.

Reader

  • Description: Includes the ability to read all databases and documents, but does not allow the user to write new documents or create indexes.
  • Example use: A data scientist may use this role to query data but ensure that they can’t write any data to the database.

Monitor

  • Description: Includes the ability to read monitoring endpoints, such as _active_tasks and replication _scheduler endpoints.
  • Example use: A service integration like Datadog or New Relic may be given this role to ensure that it only has access to a relevant subset of the database’s performance/consumption data.

Checkpointer

  • Description: Includes the ability to write replication checkpointer _local documents. Required on source databases during replication.
  • Example use: An automated process or user may be given access to this role alongside Reader on a source database when initiating a replication to another Cloudant database. 

Other benefits of IBM IAM

  • Manage access for many services by using one interface
  • Revoke access to a user globally
  • Account-level API keys via service IDs
  • Easy-to-rotate credentials
  • IBM Cloud Activity Tracker with LogDNA logs capture individual humans and services
  • IAM federates with other identity systems, such as enterprise LDAP repositories

You can check out Cloudant’s handy guide to using IAM for more information.

Advancements in data emitted to Activity Tracker with LogDNA

There are two types of events that Cloudant sends to Activity Tracker: 

  • Management Events are administrative events that impact the state of an IBM Cloudant instance, such as creating or deleting a database, updating security settings, creating a replication job, or creating an index.
  • Data Events are all the other events involved with interacting with IBM Cloudant, such as reading or writing JSON documents, reading a list of databases, viewing monitoring endpoints, or authenticating against the service.

You can see the full list of events here. 

To control which events you receive, use the Cloudant instance controller dashboard.

Note: With Data Events, you will start to see events labeled with an initiator id of “adm-machineX”. Those are just Administrator events for billing of your Cloudant instance.
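As an added illustration (not code from the original post or from IBM), the following script shows how an auditor might process exported Activity Tracker records for Cloudant: it separates Management Events from Data Events, drops the “adm-machineX” billing traffic, and summarises activity per initiator. The record layout and the action names are assumptions constructed for the example, not the official event list.

```python
import json
from collections import defaultdict

# Constructed sample records in a JSON-lines shape resembling Activity
# Tracker events. Field names and action strings are assumptions.
SAMPLE_LOG = """\
{"action": "cloudantnosqldb.database.create", "initiator": {"id": "IBMid-a1", "name": "alice@example.com"}, "outcome": "success", "target": {"name": "orders"}}
{"action": "cloudantnosqldb.document.read", "initiator": {"id": "IBMid-b2", "name": "bob@example.com"}, "outcome": "success", "target": {"name": "orders"}}
{"action": "cloudantnosqldb.security.update", "initiator": {"id": "IBMid-a1", "name": "alice@example.com"}, "outcome": "success", "target": {"name": "orders"}}
{"action": "cloudantnosqldb.document.write", "initiator": {"id": "adm-machine3", "name": "adm-machine3"}, "outcome": "success", "target": {"name": "_metering"}}
{"action": "cloudantnosqldb.document.write", "initiator": {"id": "IBMid-c3", "name": "carol@example.com"}, "outcome": "failure", "target": {"name": "orders"}}
"""

# Management events change instance state (database create/delete, security
# settings, replication jobs, indexes); every other event is a data event.
MANAGEMENT_PREFIXES = ("cloudantnosqldb.database.", "cloudantnosqldb.security.",
                       "cloudantnosqldb.replication.", "cloudantnosqldb.index.")


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    return "management" if event["action"].startswith(MANAGEMENT_PREFIXES) else "data"


def is_billing_admin(event):
    # Platform billing activity appears with initiator ids like "adm-machineX".
    return event["initiator"]["id"].startswith("adm-machine")


def audit(events):
    """Per-initiator counts plus a list of security-setting changes, billing noise excluded."""
    summary = defaultdict(lambda: {"management": 0, "data": 0, "failures": 0, "security_changes": []})
    for ev in events:
        if is_billing_admin(ev):
            continue
        who = ev["initiator"]["name"]
        summary[who][classify(ev)] += 1
        if ev["outcome"] != "success":
            summary[who]["failures"] += 1
        if ev["action"].startswith("cloudantnosqldb.security."):
            summary[who]["security_changes"].append(ev["target"]["name"])
    return dict(summary)


if __name__ == "__main__":
    print(json.dumps(audit(parse_log(SAMPLE_LOG)), indent=2))
```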

Don’t forget, LogDNA has a useful feature that lets you automatically archive your logs into IBM Cloud Object Storage. From there, you can use IBM Cloud SQL Query to perform SQL analytics or report on data in Cloud Object Storage. This is particularly useful if you want to retain your deluge of logs, but quickly be able to ask questions of the data for auditing purposes or do some retroactive analytics on your applications. The SQL Query team published a wonderful blog and Watson Studio notebook on how to get that going. 

Learn more about IBM Cloudant.
