Operations

The IBM Object Lock feature operates primarily on a per-object-version basis. Object Lock protection is applied to the object when the operation is performed. As such, users interested in monitoring the Object Lock feature on the system can find Object Lock information for both buckets and objects in the access logs.

When Object Lock configuration is added to a bucket, or Object Lock protection is applied to an object during or after upload, the access log entry associated with the operation contains specific information that is helpful in confirming:

  • That Object Lock was enabled on a container.
  • That Object Lock default configuration was configured on the bucket.
  • That Object Lock protection is applied to an object (during object write or afterward).
  • That a protected object deletion attempt was denied when the object version has active protection on it.
  • That an object that was formerly protected was successfully deleted.
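The five confirmations above can be checked with one stateful pass over the access log. The sketch below is an added example, not IBM code. The page does not document the access log schema, so every field name and operation value in it (`op`, `status`, `retain_until`, `legal_hold`, `default_retention_days`, and so on) is a hypothetical stand-in to be mapped to the real fields, and the log entries are constructed.

```python
import json

# Constructed sample entries. Every field name and operation value below is a
# hypothetical stand-in; the page does not document the access log schema.
SAMPLE_LOG = """\
{"ts":"2024-01-01T00:00:00Z","op":"PUT_BUCKET_OBJECT_LOCK","bucket":"b1","status":200}
{"ts":"2024-01-01T00:01:00Z","op":"PUT_BUCKET_OBJECT_LOCK","bucket":"b1","status":200,"default_retention_days":30}
{"ts":"2024-01-01T00:02:00Z","op":"PUT_OBJECT","bucket":"b1","key":"a.txt","version":"v1","status":200,"retain_until":"2024-01-31T00:02:00Z"}
{"ts":"2024-01-02T00:00:00Z","op":"PUT_OBJECT_LEGAL_HOLD","bucket":"b1","key":"b.txt","version":"v7","status":200,"legal_hold":"ON"}
{"ts":"2024-01-03T00:00:00Z","op":"DELETE_OBJECT","bucket":"b1","key":"a.txt","version":"v1","status":403}
{"ts":"2024-02-05T00:00:00Z","op":"DELETE_OBJECT","bucket":"b1","key":"a.txt","version":"v1","status":204}
{"ts":"2024-02-05T00:01:00Z","op":"DELETE_OBJECT","bucket":"b1","key":"c.txt","version":"v2","status":204}
"""

def audit(lines):
    """Return (timestamp, event, target) for each Object Lock relevant entry."""
    protected = set()  # object versions seen receiving protection in this log
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        ok = 200 <= e["status"] < 300
        target = (e["bucket"], e.get("key"), e.get("version"))
        event = None
        if e["op"] == "PUT_BUCKET_OBJECT_LOCK" and ok:
            # Bucket-level change: plain enablement vs. a default configuration.
            event = "default_config_set" if "default_retention_days" in e else "lock_enabled"
        elif ok and (e.get("retain_until") or e.get("legal_hold") == "ON"):
            # Protection applied at write time or afterwards.
            protected.add(target)
            event = "protection_applied"
        elif e["op"] == "DELETE_OBJECT" and target in protected:
            if e["status"] == 403:  # assumed status for a denied delete
                event = "protected_delete_denied"
            elif ok:
                protected.discard(target)
                event = "formerly_protected_deleted"
        if event:
            events.append((e["ts"], event, target))
    return events

if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG.splitlines()):
        print(ev)
```

Because the pass only knows about protection it has seen applied, it has to start from logs that reach back to when the objects were written; a delete of a version protected before the log window is not classified.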

Audit of transactions and retrieval of access logs

IBM COS provides an access log that can be used for auditing the transactions that take place on the system. This includes changes to the container Object Lock Configuration Rule, changes to Retain Until Dates for object versions, and the application of object Legal Holds.

Both the management vault and access log updates to the management vault must be enabled before Object Lock support can be enabled on the system.

Access logs are uploaded to the management vault periodically. These logs include detailed object protection information that can be used for auditing. The management vault should be deployed to an appropriate access pool to allow a service user to download log files from the management vault.

System administrators should carefully consider the access log rotation and Object Lock storage policies that best meet the need to retain logs for audits of protection activity.

Further information on configuration and retrieval of access logs can be found in the IBM Manager Administration Guide.