Managing IAM policies and access groups

You can use IBM Cloud® Identity and Access Management (IAM) to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

For more information, see Managing IAM policies and access groups.

Granting permissions to a user to become an administrator of the service in the IBM Cloud account

As the account owner or as an IBM Log Analysis service administrator, you must have permissions to run the following actions:

  • Grant other account members access to work with the service
  • Provision a service instance
  • Delete a service instance
  • View details of a service instance
  • Create a service ID

Therefore, to grant a user the administrator role to manage the service in the account, the user must have an IAM policy for the IBM Log Analysis service with the platform role Administrator. You must assign this user access to an individual resource in the account.

If you have the IAM permission to create policies and authorizations, you can grant only the level of access that you yourself have as a user of the target service. For example, if you have Viewer access for the target service, you can assign only the Viewer role for the authorization. If you attempt to assign a higher permission such as Administrator, the assignment might appear to succeed; however, only the highest level of permission that you hold for the target service (Viewer, in this example) is actually assigned.

Complete the following steps to assign a user the administrator role for the IBM Log Analysis service in the account:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.
  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.
  3. Select Assign access to resources.
  4. Select IBM Log Analysis.
  5. Select All current regions.
  6. Select All current service instances.
  7. Select the platform role Administrator.
  8. Click Assign.
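As an added example (not IBM's code or API), the following Python models the rule described above: a policy assignment is silently capped at the role the granter already holds on the target service, so a grant can look successful while assigning less than intended. The scoping model (account, then resource group, then instance) and the role ladders are assumptions; only the roles named on this page are modelled.

```python
# Added example (not IBM code): models the IAM rule above, where the role you
# assign is silently capped at the role you yourself hold on the target.
from dataclasses import dataclass
from typing import List, Optional

# Ascending privilege; only the roles named on this page are modelled.
PLATFORM_ROLES = ["Viewer", "Editor", "Administrator"]
SERVICE_ROLES = ["Reader", "Manager"]

@dataclass(frozen=True)
class Policy:
    service: str                          # e.g. "IBM Log Analysis"
    resource_group: Optional[str] = None  # None = every resource group in the account
    instance: Optional[str] = None        # None = every instance in the scope
    platform_role: Optional[str] = None
    service_role: Optional[str] = None

def covers(held: Policy, target: Policy) -> bool:
    """True when the held policy's scope includes the target scope (assumed scoping)."""
    if held.service != target.service:
        return False
    if held.resource_group is not None and held.resource_group != target.resource_group:
        return False
    return held.instance is None or held.instance == target.instance

def effective_grant(granter: List[Policy], requested: Policy) -> Policy:
    """What is actually assigned when `granter` tries to assign `requested`."""
    scope = [p for p in granter if covers(p, requested)]

    def cap(ladder: List[str], attr: str) -> Optional[str]:
        held = [getattr(p, attr) for p in scope if getattr(p, attr) in ladder]
        want = getattr(requested, attr)
        if want is None or not held:
            return None  # nothing requested, or granter holds no such role here
        return ladder[min(max(ladder.index(r) for r in held), ladder.index(want))]

    return Policy(requested.service, requested.resource_group, requested.instance,
                  cap(PLATFORM_ROLES, "platform_role"), cap(SERVICE_ROLES, "service_role"))

def silent_downgrades(granter: List[Policy], requested: Policy) -> List[str]:
    """Roles that would look granted in the UI but end up reduced or missing."""
    got = effective_grant(granter, requested)
    pairs = (("platform", requested.platform_role, got.platform_role),
             ("service", requested.service_role, got.service_role))
    return [f"{k} role {want} -> {have}" for k, want, have in pairs
            if want is not None and have != want]
```

Running `silent_downgrades` before handing a grant to a user is a cheap way to catch the case the page warns about, where an assignment appears to succeed but leaves the user with less than intended.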

Granting permissions to a user to become an administrator of the service within a resource group

As an IBM Log Analysis service administrator, you must have permissions to run the following actions:

  • Grant other account members access to work with the service
  • Provision a service instance
  • Delete a service instance
  • View details of a service instance
  • Create a service ID

Therefore, to grant a user the administrator role to manage instances within a resource group in the account, the user must have an IAM policy for the IBM Log Analysis service with the platform role Administrator within the context of that resource group.

Complete the following steps to assign a user the administrator role for the IBM Log Analysis service within the context of a resource group:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role that is already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access if you want the user to have access only to the IBM Log Analysis service in the resource group.

  6. Select IBM Log Analysis.

  7. Select the platform role Administrator.

  8. Click Assign.

Granting permissions to a DevOps user to manage the service in the IBM Cloud account

As a DevOps user, you must have permissions to run the following actions:

  • Provision a service instance
  • Delete a service instance
  • View details of a service instance
  • Create a service ID

Therefore, you need to have an IAM policy for the IBM Log Analysis service with the platform role Editor.

Complete the following steps to assign a user the editor role for the IBM Log Analysis service in the account:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.
  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.
  3. Select Assign access to resources.
  4. Select IBM Log Analysis.
  5. Select All service instances.
  6. Select the platform role Editor.
  7. Click Assign.

Granting permissions to a DevOps user to manage an instance in the IBM Cloud account

Complete the following steps to assign a user the editor role on one instance of the IBM Log Analysis service in the account:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.
  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.
  3. Select Assign access to resources.
  4. Select IBM Log Analysis.
  5. Select the instance.
  6. Select the platform role Editor.
  7. Click Assign.

Granting permissions to a DevOps user to manage the service within a resource group

As a DevOps user, you must have permissions to run the following actions:

  • Provision a service instance
  • Delete a service instance
  • View details of a service instance
  • Create a service ID

Therefore, you need an IAM policy for the IBM Log Analysis service with the platform role Editor.

Complete the following steps to assign a user the editor role for the IBM Log Analysis service within the context of a resource group:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role that is already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access if you want the user to have access only to the IBM Log Analysis service in the resource group.

  6. Select IBM Log Analysis.

  7. Select the platform role Editor.

  8. Click Assign.

Granting permissions to manage logs and configure alerts

As an IBM Log Analysis admin user, you must have permissions to run the following actions:

  • Add logging log sources
  • View logs
  • Search logs
  • Filter logs
  • Configure alerts

Therefore, you need the following policies:

  • An IAM policy for the IBM Log Analysis service with the platform role Editor. This policy grants permissions to view the service instance details through the command line and in the IBM Cloud dashboard.
  • An IAM policy for the IBM Log Analysis service with the service role Manager. This policy grants permissions to monitor, filter, and search logs, and to define alerts through the logging web UI.

Note: As an administrator of the service, when you grant a user these policies, consider doing it within the context of a resource group. An IBM Log Analysis instance is provisioned within the context of a resource group. Therefore, grant access permissions within the context of the resource group.

Complete the following steps to assign a user both policies for the IBM Log Analysis service within the context of a resource group:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access if you want the user to have access only to the IBM Log Analysis service in the resource group.

  6. Select IBM Log Analysis.

  7. Select the platform role Editor.

  8. Select the service role Manager.

  9. Click Assign.

Granting permissions to a user to view logs

As a user, auditor, or developer, you might need permissions to run the following actions:

  • View logs
  • Search logs
  • Filter logs

Therefore, you need the following policies:

  • An IAM policy for the IBM Log Analysis service with the platform role Viewer. This policy grants permissions to view the service instance details through the command line and in the IBM Cloud dashboard.
  • An IAM policy for the IBM Log Analysis service with the service role Reader. This policy grants permissions to view, filter, and search logs through the logging web UI.

Note: As an administrator of the service, when you grant a user these policies, consider doing it within the context of a resource group. An IBM Log Analysis instance is provisioned within the context of a resource group. Therefore, grant access permissions to users within the context of the resource group.

Complete the following steps to assign a user both policies for the IBM Log Analysis service within the context of a resource group:

  1. From the menu bar, click Manage > Access (IAM), and then select Users.

  2. From the row for the user that you want to assign access, select the Actions menu, and then click Assign access.

  3. Select Assign access within a resource group.

  4. Select a resource group.

  5. If the user does not have a role already granted for the selected resource group, choose a role for the Assign access to a resource group field.

    Depending on the role that you select, the user can view the resource group on their dashboard, edit the resource group name, or manage user access to the group.

    You can select No access if you want the user to have access only to the IBM Log Analysis service in the resource group.

  6. Select IBM Log Analysis.

  7. Select the platform role Viewer.

  8. Select the service role Reader.

  9. Click Assign.