IBM Cloud Docs
Granting administration permissions to a user or service ID

Granting administration permissions to a user or service ID

IBM Cloud® Identity and Access Management (IAM) enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud. Complete the following steps to grant a user or service ID administration permissions to work with the IBM Log Analysis service:

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

For example, as an administrator of the service, you can provison and remove instances of the service, grant other users permissions to work with the service, archive logs to an IBM Cloud Object Storage (COS) instance, and more. Learn more.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you have as a user of the target service. For example, if you have viewer access for the target service, you can assign only the viewer role for the authorization. If you attempt to assign a higher permission such as administrator, it might appear that permission is granted, however, only the highest level permission you have for the target service, that is viewer, will be assigned.

Prerequisites

Your user ID needs administrator platform permissions to manage the IBM Log Analysis service. Contact the account administrator. The account owner can grant another user access to the account for the purposes of managing user access, and managing account resources. Learn more.

Step 1. Create an access group

Complete the following steps to create an access group:

  1. From the menu bar, click Manage > Access (IAM), and select Access Groups.
  2. Click Create.
  3. Enter a name and optional description for your group, and click Create.

You can delete a group by selecting the Remove group option. When you remove a group from the account, you are removing all users and service IDs from the group and all access that is assigned to the group.

To create an access group by using the CLI, you can use the ibmcloud iam access-group-create command.

ibmcloud iam access-group-create GROUP_NAME [-d, --description DESCRIPTION]

Step 2. Add permissions to manage events

After you set up your group, you can assign a common access policy to the group.

Any policy that you set for an access group applies to all entities, users and service IDs, within the group.

You can assign the policy by using the UI or through the command line.

To create an access group policy by using the CLI, you can use the ibmcloud iam access-group-policy-create command.

ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}

When you define the policy, you need to select a platform role and a service role:

  • Platform management roles cover a range of actions, including the ability to create and delete instances, manage aliases, bindings, and credentials, and manage access. The platform roles are administrator, editor, operator, viewer. Platform management roles also apply to account management services that enable users to invite users, manage service IDs, access policies, catalog entries, and track billing and usage depending on their assigned role on an account management service.
  • Service access roles define a user or service’s ability to perform actions on a service instance. The service access roles are manager, writer, and reader.

To manage the IBM Log Analysis service, a user needs the following roles:

  • Platform role: Administrator.
  • Service role: Manager.

Learn more.

Complete the following steps to assign a policy to an access group through the UI:

  1. From the menu bar, click Manage > Access (IAM), and select Access Groups.
  2. Select the name of the group that you want to assign access to.
  3. Click Access policies.
  4. Click Assign access.
  5. Choose to assign access by resources within a resource group, or by individual resources available within the account. For example, you can choose any of the following options to grant a user an administrator role to manage IBM Log Analysis:

Option 1. Grant permissions on the service

Complete the following steps to assign a user administrator role to the IBM Log Analysis service in the account:

  1. Select Assign access to resources.
  2. Select IBM Log Analysis.
  3. Select All current regions.
  4. Select All current service instances.
  5. Select the platform role Administrator.
  6. Select the service role Manager.
  7. Click Assign.

Option 2. Grant permissions within the context of a resource group

Complete the following steps to assign a user administrator role to the IBM Log Analysis service within the context of a resource group:

  1. Select Assign access within a resource group.

  2. Select a resource group.

  3. If the user does not have a role that is already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access, if you want the user to have access only to the IBM Log Analysis service in the resource group.

  4. Select IBM Log Analysis.

  5. Select the platform role Administrator.

  6. Select the service role Manager.

  7. Click Assign.

Option 3. Grant permissions in a location

You can only provision 1 instance of the IBM Log Analysis service per location. Therefore, when you grant permissions by using this option, you are controlling access per location.

Complete the following steps to assign a user administrator role on one instance of the IBM Log Analysis service:

  1. Select Assign access to resources.
  2. Select IBM Log Analysis.
  3. Select the instance.
  4. Select the platform role Administrator.
  5. Select the service role Manager.
  6. Click Assign.

Step 3. Add a user or service ID to the access group

Continue to set up your group by adding users or service IDs.

Add a user to the access group

Complete the following steps to add a user:

  1. From the menu bar, click Manage > Access (IAM), and select Access Groups.
  2. Select the name of the group that you want to assign access to.
  3. Click Add users on the Users tab.
  4. Select the users that you want to add from the list, and click Add to group.

Add a service ID to the access group

Complete the following steps to add a service ID:

  1. From the menu bar, click Manage > Access (IAM), and select Access Groups.
  2. Select the name of the group that you want to assign access to.
  3. Click the Service IDs tab, and click Add service ID.
  4. Select the IDs that you want to add from the list, and click Add to group.