IAM-Service-Security-Model.md

File metadata and controls

47 lines (38 loc) · 2.72 KB

IAM-Service Security Model

If the internal data model of iam-service is not populated, a default data model is created automatically at iam-service startup. The default data model always contains one organization, iam-admins, and one project, iam-admins, with a single admin user, as described below. This single identity is the entry point for using iam-service: with it you create your own organization(s) and project(s). Each project should then have its own local admin user that is able to manage only that project, so that the global admin identity is not used for day-to-day administration.

1. Global ADMIN - SuperUser(s)

Global admin users are the most privileged identities in the system, because they can:

  • Create organizations, projects and project admin users.
  • Delete organizations and projects, recursively (including everything they contain).

This is how the default data model with a single global admin user looks:

  • iam-admins - organization containing admin project
    • iam-admins - project containing admin user(s)
      • admin-client - client for admin user
      • admin - user with global admin permissions

(diagram: iam-admins default data model)

At least one global admin user must exist in order to use the IAM admin functions listed above. Each global admin user must have the following minimal set of permissions:

  • iam-admin-service.organization.all
  • iam-admin-service.project.all
  • iam-admin-service.users.all
  • iam-admin-service.clients.all

2. Organizations / Project Admin(s)

Each organization and project requires its own admin user. The organization and project structure shown below is created as described here, using an access_token obtained from iam-admin as described here.

(diagram: project-model)

At least one admin user must exist per organization in order to use the Organization/Project admin functions. Each Organization/Project admin user must have the following minimal set of permissions, scoped to its own organization and project:

  • <organization-id>-<project-id>.organization.all
  • <organization-id>-<project-id>.iam-admin-service.project.all
  • <organization-id>-<project-id>.iam-admin-service.users.all
  • <organization-id>-<project-id>.iam-admin-service.clients.all
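The two permission lists above describe a scoping rule: a global admin permission is prefixed with `iam-admin-service` and applies everywhere, while a project admin permission is prefixed with `<organization-id>-<project-id>` and applies only to that project. The following Python is an added illustration of how a resource server or the IAM service itself could evaluate that rule; it is not code from the iam-service project. It copies the permission strings literally from the lists above (including the organization form, which has no `iam-admin-service` segment). Treating the trailing `all` as a wildcard over concrete actions, the concrete action names such as `create`, and the sample organization and project ids are assumptions made for the example.

```python
"""Added example: evaluating iam-service style permissions.

Assumptions (not stated on the page): 'all' is a wildcard over concrete
actions, concrete action names such as 'create' or 'read' exist, and the
organization/project ids used below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

GLOBAL_SCOPE = "iam-admin-service"     # prefix of global admin permissions
SCOPED_SERVICE = "iam-admin-service"   # segment inside project-scoped project/users/clients permissions


@dataclass(frozen=True)
class Permission:
    scope: str      # everything before the last two dot-separated segments
    resource: str   # organization | project | users | clients
    action: str     # concrete action, or "all"


def parse(permission: str) -> Permission:
    """Split '<scope>.<resource>.<action>'; the scope may itself contain dots."""
    parts = permission.split(".")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"malformed permission: {permission!r}")
    return Permission(".".join(parts[:-2]), parts[-2], parts[-1])


def grants(held: Permission, needed: Permission) -> bool:
    """Scope and resource must match exactly; only the action 'all' is a wildcard."""
    if held.scope != needed.scope or held.resource != needed.resource:
        return False
    return held.action == "all" or held.action == needed.action


def acceptable(org: Optional[str], project: Optional[str],
               resource: str, action: str) -> List[Permission]:
    """Permissions that authorise `action` on `resource`.

    The global form is always acceptable. The project-scoped form is only
    acceptable when the request targets a specific organization/project, which
    is exactly what keeps a project admin inside its own project. Organization
    permissions use '<org>-<project>.organization.<action>' (no service
    segment); project/users/clients permissions use
    '<org>-<project>.iam-admin-service.<resource>.<action>', as listed above.
    """
    needed = [Permission(GLOBAL_SCOPE, resource, action)]
    if org and project:
        prefix = f"{org}-{project}"
        if resource != "organization":
            prefix = f"{prefix}.{SCOPED_SERVICE}"
        needed.append(Permission(prefix, resource, action))
    return needed


def is_allowed(token_permissions: Iterable[str], org: Optional[str],
               project: Optional[str], resource: str, action: str) -> bool:
    """True if any permission in the token satisfies any acceptable permission."""
    held = [parse(p) for p in token_permissions]   # raises on malformed input
    return any(grants(h, n)
               for n in acceptable(org, project, resource, action)
               for h in held)


# Constructed sample tokens: the minimal global admin set from section 1 and a
# minimal project admin set for (hypothetical) organization o1 / project p1.
GLOBAL_ADMIN = [
    "iam-admin-service.organization.all",
    "iam-admin-service.project.all",
    "iam-admin-service.users.all",
    "iam-admin-service.clients.all",
]
PROJECT_ADMIN_O1_P1 = [
    "o1-p1.organization.all",
    "o1-p1.iam-admin-service.project.all",
    "o1-p1.iam-admin-service.users.all",
    "o1-p1.iam-admin-service.clients.all",
]

if __name__ == "__main__":
    print("global admin creates organization:",
          is_allowed(GLOBAL_ADMIN, None, None, "organization", "create"))
    print("project admin creates organization:",
          is_allowed(PROJECT_ADMIN_O1_P1, None, None, "organization", "create"))
    print("project admin creates user in own project:",
          is_allowed(PROJECT_ADMIN_O1_P1, "o1", "p1", "users", "create"))
    print("project admin creates user in another project:",
          is_allowed(PROJECT_ADMIN_O1_P1, "o2", "p2", "users", "create"))
```

The check is deliberately strict: scope and resource must match exactly, and `all` is the only wildcard, so a project admin holding `o1-p1.iam-admin-service.users.all` can manage users in `o1/p1` but cannot create organizations or touch `o2/p2`, while the global admin set passes every check. Malformed permission strings are rejected rather than silently ignored, so a token with a truncated or empty permission fails closed.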

3. Common Users and Clients

Each project hosts its own users and clients. These are ordinary users and clients, not suitable for organization or project admin tasks; they are intended to be used with resource servers. The set of roles and permissions assigned to them is entirely up to the project and the application that requires them, and should not include any of the admin permissions listed above.

See also: