IBM Cloudant now supports deeper visibility and control for auditing events and access control in the IBM Cloud.
These features will allow customers to more easily set up fine-grained access policies to their database across their organization. You will also be able to alert or retrospectively review users' access to their Cloudant instances. These features and capabilities are only available to Cloudant instances using the Resource Group organizational framework. If you are still using Cloud Foundry Organizations and Spaces, follow these directions to upgrade.
Advancements in Identity and Access Management roles (IAM)
Cloudant now supports Reader, Writer, Monitor, and Checkpointer roles (alongside Manager). These roles are useful for organizations that need to restrict access to the Cloudant database amongst team members or microservices. The information below describes the various roles and provides an example of how they might be employed.
- Description: Includes the ability to access all endpoints and perform all administrative functions on an instance, such as creating databases, changing capacity, reading and writing data and indexes, and accessing the Dashboard.
- Example use: A database administrator or full stack engineer may use this role to have full control during normal operations to respond to increased load, manage performance, or tune indexes.
- Description: Includes the ability to read and write to all databases and documents, but does not allow the user to create indexes.
- Example use: A application developer might use this role to work with documents and databases, but they will not be able to create or update indexes.
- Description: Includes the ability to read all databases and documents, but does not allow the user to write new documents or create indexes.
- Example use: A data scientist may use this role to query data but ensure that they can't write any data to the database.
- Description: Includes the ability to read monitoring endpoints, such as _active_tasks and replication _scheduler endpoints.
- Example use: A service integration like Datadog or New Relic may be given this role to ensure that it only has access to a relevant subset of the database's performance/consumption data.
- Description: Includes the ability to write replication checkpointer _local documents. Required on source databases during replication.
- Example use: An automated process or user may be given access to this role alongside Reader on a source database when initiating a replication to another Cloudant database.
Other benefits of IBM IAM
- Manage access for many services by using one interface
- Revoke access to a user globally
- Account-level API keys via service IDs
- Easy-to-rotate credentials
- IBM Cloud Activity Tracker with LogDNA logs capture individual humans and services
- IAM federates with other identity systems, such as enterprise LDAP repositories
You can check out Cloudant's handy guide to using the IAM for more information.
Advancements in data emitted to Activity Tracker with LogDNA
There are two types of events that Cloudant sends to Activity Tracker:
- Management Events are administrative events that impact the state of an IBM Cloudant instance, such as creating or deleting a database, updating security settings, creating a replication job, or creating an index.
- Data Events are all the other events involved with interacting with IBM Cloudant, such as reading or writing JSON documents, reading a list of databases, viewing monitoring endpoints, or authenticating against the service.
To control the events you receive, you can enter the Cloudant instance controller dashboard:
Note: With Data Events, you will start to see events labeled with initiator id of "adm-machineX" Those are just Administrator events for billing of your Cloudant instance.
Don't forget, LogDNA has a useful feature that lets you automatically archive your logs into IBM Cloud Object Storage. From there, you can use IBM Cloud SQL Query to perform SQL analytics or report on data in Cloud Object Storage. This is particularly useful if you want to retain your deluge of logs, but quickly be able to ask questions of the data for auditing purposes or do some retroactive analytics on your applications. The SQL Query team published a wonderful blog and Watson Studio notebook on how to get that going.