Increased IAM Control of Log Analysis and Activity Tracker Services in IBM Cloud

2 min read

Effectively immediately, our IBM Log Analysis and IBM Cloud Activity Tracker services are enabled to perform IAM-based access control of the services.

This feature makes it easier for teams to more effectively manage who has access to data offered through the services. The new IAM-level control offers you the ability to configure role-based access control to individual operators with granularity at the log-line level.

This new feature helps solve several common scenarios:

  1. Business desire to access sections of log and event data for specific insights by larger audiences and audiences outside your normal team.
  2. Security and privacy desire to isolate data access to individuals with a need to know.
  3. Solutions architecture desire to set up application logs and cloud activity tracking events to meet DevOps organizational needs.

A greater ability to control who has access to specific log and event data allows you to more accurately define who has access to specific insights and extend the value of your log and cloud activity event data.

Details on this new feature are documented and available in the services’ respective doc area:

Defining access – an example

In this scenario, the admin has an IBM Log Analysis account named "LA 2" with logs from many applications. Each application may contain sensitive data and there is business desire to keep user access isolated for need to know. Developer A is assigned to an application called tiny-app. The logs of tiny-app are also mingled with all the other logs, which Developer A should not see. 

The logs of tiny-app are also mingled with all the other logs, which Developer A should not see. 

The Admin wants to restrict Developer A to the tiny-app logs only. The is exemplified in the yellow box above.

The Admin first clicks the gear on the left, then Team > Groups, and creates a new group called "tiny-app." Users in the group are only able to see logs that match the query "app:tiny-app" (under Access Scope). 

The Admin first clicks the gear on the left, then Team > Groups, and creates a new group called "tiny-app." Users in the group are only able to see logs that match the query "app:tiny-app" (under Access Scope). 

Next, the Admin creates an IAM access group to define which users are in this group. The Admin clicks Manage > Access (IAM) > Access Groups > Create, and creates an access group with two policies:

  1. The first one gives access to the service instance: Viewer for "LA 2."
  2. The second one selects the Log Group: Viewer and Reader for "LA 2" / "tiny-app."
In the Users tab, the Admin chooses "Developer A."

In the Users tab, the Admin chooses "Developer A."

Now, when Developer A opens the "LA 2" instance, only the tiny-app lines are visible.

Now, when Developer A opens the "LA 2" instance, only the tiny-app lines are visible.

This scenario can be further extended to security teams and other teams with need for access to specific logs and events. Both IBM Log Analysis and IBM Cloud Activity Tracker support this new feature. You could even use the same IAM groups for access rights across multiple IBM Log Analysis and IBM Cloud Activity Tracker instances.

Get started today

Both the Log Analysis and Activity Tracker services are found in the IBM Cloud catalog. Alternatively, you may access both services within Observability. Learn more about each service:

Be the first to hear about news, product updates, and innovation from IBM Cloud