March 15, 2023 By Josephine Justin
Norton Samuel Stanley
5 min read

Context-based restrictions (CBRs) in IBM Cloud can be used to enhance security and protect sensitive data.

By leveraging these features, organizations can ensure that their cloud resources are accessed only by authorized users and comply with various security and regulatory requirements.

What are context-based restrictions?

IBM Cloud context-based restrictions (CBRs) help to ensure that only authorized users can access sensitive resources. They grant access based on the user’s role, location or other contextual factors. This helps to protect customer data and minimize the risk of unauthorized access or breaches. See the IBM Cloud documentation to learn more about how context-based restrictions work. 

When to use context-based restrictions

The following are some specific scenarios where IBM Cloud context-based restrictions can be used:

  • Role-based access control (RBAC): With RBAC in IBM Cloud, the organization can grant different levels of access and permissions to users based on their roles and responsibilities. For example, developers may have access to development resources, while operations personnel may have access to production resources. RBAC can help ensure that only authorized personnel have access to the resources they need to do their jobs.
  • IP address allow-listing: An organization wants to restrict access to its cloud resources to specific IP addresses. With IP address allow-listing in IBM Cloud, the organization can specify which IP addresses are allowed to access its resources. For example, the organization may whitelist the IP addresses of its headquarters and branch offices, while blocking access from other locations.
  • Geolocation restrictions: An organization needs to comply with local data privacy regulations that require data to be stored within a specific region. With geolocation restrictions, the organization can restrict access to resources in a specific region to users located within that region. This can help ensure that sensitive data is protected and only accessible to authorized personnel within the specified region.
  • Resource-based access control (ReBAC): An organization wants to restrict access to its most sensitive data and resources. With ReBAC, access can be granted to specific resources based on the user’s role and permissions. For example, the organization may restrict access to its financial data to only authorized personnel with specific roles and permissions. Additionally, IBM Cloud can audit access to these resources to ensure that only authorized users are accessing them.

Context-based restriction use cases

Here are few use cases for context-based restrictions:

  • Regulatory compliance: Many industries—including finance, healthcare and government—have strict regulatory requirements around data protection and access control. IBM Cloud’s context-based restrictions can help organizations comply with these regulations by ensuring that only authorized personnel have access to sensitive data. For example, an organization in the healthcare industry may use geolocation restrictions to ensure that patient data is only accessible to healthcare professionals within a specific region.
  • Application development and testing: In application development and testing environments, context-based restrictions can help ensure that developers and testers have access to the resources they need without exposing sensitive data or resources to unauthorized users.
  • Disaster recovery and business continuity: In disaster recovery and business continuity scenarios, IBM Cloud’s context-based restrictions can help ensure that critical resources and data are protected and available to authorized personnel. IBM Cloud can use geolocation restrictions to ensure that backup and recovery resources are only accessible from authorized locations.

Rule implementations

1. Enforce a rule

Context-based restriction rules can be enforced upon creation and updated at any time. Rule enforcement can be of three types:

  • Enabled: Enforces the rule and restricts the access to services based on the rule definition.
  • Disabled: No restrictions are applied to the resources. 
  • Report-only: Allows you to monitor how the rule affects you without enforcing it. All access attempts are logged in Activity Tracker. It is recommended to enable a rule in Report-only mode for 30 days before enforcing the rule. Some of the services do not support this mode (e.g., IBM Cloud Databases resources).

Rules created in report-only mode can be listed using the CLI with the following command:

ic cbr rules --enforcement-mode report

2. Scope a rule

You can narrow the scope of the rule to specific APIs as part of the restrictions to achieve fine-grained security in your system. Only some services support the ability to scope a rule by API. To know the API scopes for specific service, first get to know the list of services supported by using the CLI:

For example, you can use the CLI to view the possible scopes of the IBM Cloud Kubernetes Service:

To create rules with a restricted scope, use the API-types attribute:

3. Restrict access using tags

You can create rules to restrict access to specific instance(s) based on access tags. IBM Cloud resources can be created and accessed with IAM access tags, and these tags can be used to restrict access using context-based restrictions.  To restrict specific VPCs to access IBM Cloud Object Storage service instances that are assigned with tag “env:test”, you can create the rules rule-create command:

ibmcloud cbr rule-create --context-attributes  "networkZoneId=ca1c2bb48b40ed7c595a6ff3ed49f055" --service-name cloud-object-storage --enforcement-mode report --tags "env=test"

Note: You must create the zone before you can create the rules. To create the zone, refer to Creating network zone from the CLI.

4. Restrict using IP addresses

Restrict IP addresses of authorized personnel to access the IBM Cloud resources using context-based restrictions. Create zones for the IP address and create a rule with that zone:

Additionally, you can allow different IP addresses for public and private endpoints of a service. 

5. Create specific geolocation-based restrictions

Access to a service can be restricted in specific locations to impose data residency requirements: 

6. Monitor the rules

To monitor the rules behavior in enabled or report-only mode, refer to Monitoring context-based restrictions.


IBM Cloud’s context-based restrictions can help organizations ensure that their cloud resources are protected, compliant and accessible only to authorized personnel. By leveraging these features, organizations can mitigate security risks, enhance compliance and improve operational efficiency.


Was this article helpful?

More from Cloud

IBM Cloud Reference Architectures unleashed

2 min read - The ability to onboard workloads to cloud quickly and seamlessly is paramount to accelerate enterprises digital transformation journey. At IBM Cloud, we're thrilled to introduce the IBM Cloud® Reference Architectures designed to empower clients, technical architects, strategists and partners to revolutionize the way businesses harness the power of the cloud. VPC resiliency: Strengthening your foundation Explore the resilience of IBM Cloud Virtual Private Cloud through our comprehensive resources. Dive into our VPC Resiliency white paper, a blueprint for building robust…

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters