Managing access with IAM

IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

Every user who accesses the IBM Log Analysis service in your account must be assigned an access policy that defines an IAM user role. The policy determines which actions the user can perform within the context of the service or instance you select. The allowable actions are defined as operations that may be performed on the service, and those actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels. Some of the options include the following:

  • Access to all IAM-enabled services in your account
  • Access across all instances of the service in a single region in your account
  • Access to an individual service instance in your account
  • Access to all instances of the service within the context of a resource group
  • Access to all instances of the service in a single region within the context of a resource group
  • Access to all IAM-enabled services within the context of a resource group

Roles define the actions that a user or service ID can run. There are different types of roles in the IBM Cloud:

  • Platform management roles enable users to perform tasks on service resources at the platform level, for example assign user access for the service, create or delete service IDs, create instances, assign policies for your service to other users, and bind instances to applications.
  • Service access roles enable users to be assigned varying levels of permission for calling the service's API.

To organize a set of users and service IDs into a single entity that makes it easy for you to manage IAM permissions, use access groups. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID.

Managing access by using access groups

To manage access or assign new access for users by using access groups, you must be the account owner, administrator or editor on all Identity and Access enabled services in the account, or the assigned administrator or editor for the IAM Access Groups Service.

Choose any of the following actions to manage access groups in the IBM Cloud:

Managing access by assigning policies directly to users

To manage access or assign new access for users by using IAM policies, you must be the account owner, administrator on all services in the account, or an administrator for the particular service or service instance.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you yourself have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that the permission is granted; however, only the highest level of permission you hold for the target service (viewer, in this example) is actually assigned.
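As an added example (not IBM's own code), the following Python assembles access-policy bodies for each of the policy scopes listed earlier on this page and applies the grant cap just described; the account ID, the instance ID and the role CRN format are assumptions.

```python
# Added example (not IBM's code): assemble IAM access-policy bodies for the
# policy scopes listed above, and cap a requested role at the grantor's own role.
import json

ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"  # constructed placeholder, not a real account ID
SERVICE_NAME = "logdna"                # IBM Log Analysis service name (see the IAM actions table)

# Role ladders, most privileged first. Assumption: the IAM service role "Writer" is
# the role the service-roles table calls Standard-Member.
PLATFORM_ROLES = ["Administrator", "Editor", "Operator", "Viewer"]
SERVICE_ROLES = ["Manager", "Writer", "Reader"]


def resource_attributes(scope, **kw):
    """Resource attributes for one of the six scopes: 'account' (all IAM-enabled
    services), 'region', 'instance', 'resource_group', 'resource_group_region',
    'resource_group_all_services'. kw supplies region / instance_id / resource_group_id."""
    attrs = [{"name": "accountId", "value": ACCOUNT_ID}]
    if scope.startswith("resource_group"):
        attrs.append({"name": "resourceGroupId", "value": kw["resource_group_id"]})
    if scope not in ("account", "resource_group_all_services"):
        attrs.append({"name": "serviceName", "value": SERVICE_NAME})
    if scope in ("region", "resource_group_region"):
        attrs.append({"name": "region", "value": kw["region"]})
    if scope == "instance":
        attrs.append({"name": "serviceInstance", "value": kw["instance_id"]})
    return attrs


def build_policy(iam_id, roles, scope, **kw):
    """Policy body in the shape used by the IAM Policy Management API (v1). Assumed
    role CRN format: platform roles use 'role:', service roles use 'serviceRole:'."""
    role_ids = [{"role_id": "crn:v1:bluemix:public:iam::::%s:%s"
                 % ("role" if r in PLATFORM_ROLES else "serviceRole", r)} for r in roles]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": role_ids,
        "resources": [{"attributes": resource_attributes(scope, **kw)}],
    }


def effective_role(requested, grantor_role):
    """What actually gets assigned: the requested role, capped at the grantor's own
    role on the target service (a Viewer granting Administrator yields Viewer)."""
    ladder = PLATFORM_ROLES if requested in PLATFORM_ROLES else SERVICE_ROLES
    return ladder[max(ladder.index(requested), ladder.index(grantor_role))]


if __name__ == "__main__":
    policy = build_policy("IBMid-EXAMPLE", ["Viewer", "Reader"], "instance",
                          instance_id="INSTANCE_ID_PLACEHOLDER")
    print(json.dumps(policy, indent=2))
    print(effective_role("Administrator", "Viewer"))  # Viewer
```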

Choose any of the following actions to manage IAM policies in the IBM Cloud:

Managing access through trusted profiles

Trusted profiles are supported.

IBM Cloud platform roles

Use the following table to identify the platform role that you can grant a user in the IBM Cloud to run any of the following platform actions:

IAM user platform roles and actions

| Platform actions | Administrator | Editor | Operator | Viewer |
|---|---|---|---|---|
| Grant other account members access to work with the service | ✓ | | | |
| View the ingestion key in the IBM Cloud console | ✓ | ✓ | | |
| Provision a service instance | ✓ | ✓ | | |
| Delete a service instance | ✓ | ✓ | | |
| Update a service instance | ✓ | ✓ | | |
| Create a service ID | ✓ | ✓ | | |
| View details of a service instance | ✓ | ✓ | ✓ | ✓ |
| View service instances in the Observability Logging dashboard | ✓ | ✓ | ✓ | ✓ |

IBM Cloud service roles

Use the following table to identify the service roles that you can grant a user to run any of the following service actions:

IAM service roles and actions

| Actions | Manager | Standard-Member | Reader |
|---|---|---|---|
| Configure global settings | ✓ | | |
| Manage groups | ✓ | | |
| Create and delete ingestion keys | ✓ | | |
| Create and delete service keys | ✓ | | |
| Add logging log sources | ✓ | | |
| Configure archiving | ✓ | | |
| Manage parsing | ✓ | | |
| Define exclusion rules | ✓ | | |
| Create and delete categories | ✓ | | |
| Manage how views and dashboards are grouped in categories | ✓ | | |
| Export the configuration of views, alerts, dashboards, and templates | ✓ | | |
| Export log data | ✓ | ✓ | |
| View ingestion keys | ✓ | | |
| View service keys | ✓ | ✓ | |
| Configure alerts | ✓ | ✓ | |
| View usage | ✓ | ✓ | |
| Create views | ✓ | ✓ | |
| Create dashboards | ✓ | ✓ | |
| Create screens | ✓ | ✓ | |
| Configure user preferences in the logging web UI | ✓ | ✓ | ✓ |
| Filter and search data | ✓ | ✓ | ✓ |
| Use views to monitor logs | ✓ | ✓ | ✓ |
| Use dashboards to monitor logs | ✓ | ✓ | ✓ |
| Use screens to monitor logs | ✓ | ✓ | ✓ |

The manager service role maps directly to the logging admin role.

IAM actions

The following table identifies the IAM actions that are assigned to the platform and service roles for the IBM Log Analysis service:

IAM actions assigned to platform and service roles

| Role type | Role | IAM actions |
|---|---|---|
| Platform | Administrator | logdna.dashboard.view, logdna.dashboard.manage |
| Service | Manager | logdna.dashboard.view, logdna.dashboard.manage |
| Service | Writer | logdna.dashboard.view, logdna.dashboard.member |
| Service | Reader | logdna.dashboard.view, logdna.dashboard.read |

How do I know which access policies are set for me?

You can see which access policies are set for you in the IBM Cloud UI console.

  1. Go to Access (IAM) > Users.
  2. Click your name in the user table.
  3. Click the Access policies tab to see your access policies.
  4. Click the Access groups tab to see the access groups where you are a member. Check the policies for each group.