Context-based restrictions (CBRs) in IBM Cloud can be used to enhance security and protect sensitive data.

By leveraging these features, organizations can ensure that their cloud resources are accessed only by authorized users and comply with various security and regulatory requirements.

What are context-based restrictions?

IBM Cloud context-based restrictions (CBRs) help to ensure that only authorized users can access sensitive resources. They grant access based on the user’s role, location or other contextual factors. This helps to protect customer data and minimize the risk of unauthorized access or breaches. See the IBM Cloud documentation to learn more about how context-based restrictions work. 

When to use context-based restrictions

The following are some specific scenarios where IBM Cloud context-based restrictions can be used:

  • Role-based access control (RBAC): With RBAC in IBM Cloud, the organization can grant different levels of access and permissions to users based on their roles and responsibilities. For example, developers may have access to development resources, while operations personnel may have access to production resources. RBAC can help ensure that only authorized personnel have access to the resources they need to do their jobs.
  • IP address allow-listing: An organization wants to restrict access to its cloud resources to specific IP addresses. With IP address allow-listing in IBM Cloud, the organization can specify which IP addresses are allowed to access its resources. For example, the organization may whitelist the IP addresses of its headquarters and branch offices, while blocking access from other locations.
  • Geolocation restrictions: An organization needs to comply with local data privacy regulations that require data to be stored within a specific region. With geolocation restrictions, the organization can restrict access to resources in a specific region to users located within that region. This can help ensure that sensitive data is protected and only accessible to authorized personnel within the specified region.
  • Resource-based access control (ReBAC): An organization wants to restrict access to its most sensitive data and resources. With ReBAC, access can be granted to specific resources based on the user’s role and permissions. For example, the organization may restrict access to its financial data to only authorized personnel with specific roles and permissions. Additionally, IBM Cloud can audit access to these resources to ensure that only authorized users are accessing them.

Context-based restriction use cases

Here are few use cases for context-based restrictions:

  • Regulatory compliance: Many industries—including finance, healthcare and government—have strict regulatory requirements around data protection and access control. IBM Cloud’s context-based restrictions can help organizations comply with these regulations by ensuring that only authorized personnel have access to sensitive data. For example, an organization in the healthcare industry may use geolocation restrictions to ensure that patient data is only accessible to healthcare professionals within a specific region.
  • Application development and testing: In application development and testing environments, context-based restrictions can help ensure that developers and testers have access to the resources they need without exposing sensitive data or resources to unauthorized users.
  • Disaster recovery and business continuity: In disaster recovery and business continuity scenarios, IBM Cloud’s context-based restrictions can help ensure that critical resources and data are protected and available to authorized personnel. IBM Cloud can use geolocation restrictions to ensure that backup and recovery resources are only accessible from authorized locations.

Rule implementations

1. Enforce a rule

Context-based restriction rules can be enforced upon creation and updated at any time. Rule enforcement can be of three types:

  • Enabled: Enforces the rule and restricts the access to services based on the rule definition.
  • Disabled: No restrictions are applied to the resources. 
  • Report-only: Allows you to monitor how the rule affects you without enforcing it. All access attempts are logged in Activity Tracker. It is recommended to enable a rule in Report-only mode for 30 days before enforcing the rule. Some of the services do not support this mode (e.g., IBM Cloud Databases resources).

Rules created in report-only mode can be listed using the CLI with the following command:

ic cbr rules --enforcement-mode report

2. Scope a rule

You can narrow the scope of the rule to specific APIs as part of the restrictions to achieve fine-grained security in your system. Only some services support the ability to scope a rule by API. To know the API scopes for specific service, first get to know the list of services supported by using the CLI:

For example, you can use the CLI to view the possible scopes of the IBM Cloud Kubernetes Service:

To create rules with a restricted scope, use the API-types attribute:

3. Restrict access using tags

You can create rules to restrict access to specific instance(s) based on access tags. IBM Cloud resources can be created and accessed with IAM access tags, and these tags can be used to restrict access using context-based restrictions.  To restrict specific VPCs to access IBM Cloud Object Storage service instances that are assigned with tag “env:test”, you can create the rules rule-create command:

ibmcloud cbr rule-create --context-attributes  "networkZoneId=ca1c2bb48b40ed7c595a6ff3ed49f055" --service-name cloud-object-storage --enforcement-mode report --tags "env=test"

Note: You must create the zone before you can create the rules. To create the zone, refer to Creating network zone from the CLI.

4. Restrict using IP addresses

Restrict IP addresses of authorized personnel to access the IBM Cloud resources using context-based restrictions. Create zones for the IP address and create a rule with that zone:

Additionally, you can allow different IP addresses for public and private endpoints of a service. 

5. Create specific geolocation-based restrictions

Access to a service can be restricted in specific locations to impose data residency requirements: 

6. Monitor the rules

To monitor the rules behavior in enabled or report-only mode, refer to Monitoring context-based restrictions.


IBM Cloud’s context-based restrictions can help organizations ensure that their cloud resources are protected, compliant and accessible only to authorized personnel. By leveraging these features, organizations can mitigate security risks, enhance compliance and improve operational efficiency.



More from Cloud

IBM Tech Now: October 2, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 86 On this episode, we're covering the following topics: AI on IBM Z IBM Maximo Application Suite 8.11 IBM NS1 Connect Stay plugged in You can check out the IBM Blog Announcements for a…

IBM Cloud inactive identities: Ideas for automated processing

4 min read - Regular cleanup is part of all account administration and security best practices, not just for cloud environments. In our blog post on identifying inactive identities, we looked at the APIs offered by IBM Cloud Identity and Access Management (IAM) and how to utilize them to obtain details on IAM identities and API keys. Some readers provided feedback and asked on how to proceed and act on identified inactive identities. In response, we are going lay out possible steps to take.…

IBM Cloud VMware as a Service introduces multitenant as a new, cost-efficient consumption model

4 min read - Businesses often struggle with ongoing operational needs like monitoring, patching and maintenance of their VMware infrastructure or the added concerns over capacity management. At the same time, cost efficiency and control are very important. Not all workloads have identical needs and different business applications have variable requirements. For example, production applications and regulated workloads may require strong isolation, but development/testing, training environments, disaster recovery sites or other applications may have lower availability requirements or they can be ephemeral in nature,…

IBM accelerates enterprise AI for clients with new capabilities on IBM Z

5 min read - Today, we are excited to unveil a new suite of AI offerings for IBM Z that are designed to help clients improve business outcomes by speeding the implementation of enterprise AI on IBM Z across a wide variety of use cases and industries. We are bringing artificial intelligence (AI) to emerging use cases that our clients (like Swiss insurance provider La Mobilière) have begun exploring, such as enhancing the accuracy of insurance policy recommendations, increasing the accuracy and timeliness of…