Protecting Qiskit Runtime Service resources with context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to Qiskit Runtime Service resources can be controlled with context-based restrictions and identity and access management (IAM) policies.

These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Since both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. For more information, see the What are context-based restrictions topic.

A user must have the Administrator role on the Qiskit Runtime Service service to create, update, or delete rules. A user must also have either the Editor or Administrator role on the Context-based restrictions service to create, update, or delete network zones. A user with the Viewer role on the Context-based restrictions service can only add network zones to a rule.

Any Activity Tracker or audit log events generated come from the context-based restrictions service, not Qiskit Runtime Service. For more information, see the Monitoring context-based restrictions page.

To get started protecting your Qiskit Runtime Service resources with context-based restrictions, see the Leveraging context-based restrictions to secure your resources tutorial.