| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2025-04-03 |
code engine, context-based restrictions, access, protect resources, cbr |
codeengine |
{{site.data.keyword.attribute-definition-list}}
{: #cbr}
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for {{site.data.keyword.cloud}} resources based on the context of access requests. Access to {{site.data.keyword.codeenginefull}} resources can be controlled with context-based restrictions and identity and access management policies. {: shortdesc}
These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Because both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see What are context-based restrictions.
You must have the Administrator role on a service to create, update, or delete rules. Additionally, you must have either the Editor or Administrator role to create, update, or delete network zones.
When you secure {{site.data.keyword.codeengineshort}} resources with context-based restrictions with private endpoints, in addition to restricting who can manage your {{site.data.keyword.codeengineshort}} resource, such as deploying or updating applications and secrets, you can restrict the inbound traffic that connects to your application or functions. {: tip}
Any {{site.data.keyword.cloudaccesstraillong_notm}} or audit log events generated comes from the context-based restrictions service and not {{site.data.keyword.codeengineshort}}. For more information, see Monitoring context-based restrictions.
To get started protecting your {{site.data.keyword.codeengineshort}} resources with context-based restrictions, see Creating context-based restrictions.
Context-based restrictions for {{site.data.keyword.codeengineshort}} can be scoped to a location (region), project, or resource group. You can also limit which of your services can be accessed from {{site.data.keyword.codeengineshort}}.