IAM overview
IAM overview
IAM allows you to manage out-of-the-box role based access controls, custom roles, access groups, access policies, and attribute based access controls.
Identity Access Management (IAM) authorization model improves the user experience by increasingly converging all authorization and access management in one single place to better govern the capabilities of all your tenants. This is a simple and secure way to manage the right permission scopes to the right resources by intuitively assign permissions to the right group of users, and assign the right users to the right groups with the new Access Groups.
IAM authorization model implements an effective and consistent Attribute-Based Access Control (ABAC) strategy for resources in the different cloud providers or any other technologies connected to the platform; you can easily group permissions for the specific needs of the organization by enabling the brand new custom roles, making it easy to group resources in a secure manner.
Access Management concept comparison
The following table shows a comparison of the terminology used by each of the most common cloud providers in the industry. See how Kyndryl has integrated industry standards and adopted access management concepts.
Authorization model | Concept description | IBM Cloud | Amazon Web Services | Azure | Google Cloud Platform |
|---|---|---|---|---|---|
Users, Access Groups, Service IDs | Subjects added to the platform | Identities | Users, groups, and roles | User, group, service principal, managed identity | User accounts and service accounts. Supported identity types: Google Account, Service account, Google group, G Suite domain, Cloud Identity domain |
Service IDs | ID for a service or application | Service IDs | Roles assigned to an app | User-assigned identity | Service accounts |
API key | Credential used for a user or service ID | API key | Access Key | api-key | API key |
Access Groups | Way to organize users and service IDs where all members of the group are assigned the same access | Access groups | Groups, roles | Active Directory groups | Google Groups |
Policy | Access assignment made up of a subject, target, and role | Policy | Policy | Role assignment | Policy |
User ID, Access Group ID, Service ID | A user, service ID, or access group | Policy subject | An IAM user, group, or a role | Security principal | A resource |
Roles | Collection of actions for a specific resource that are used as a building block to make an access policy | Roles | AWS-managed policy | Role definition | Predefined roles |
Custom Roles | Customer-defined and named role, including only the actions chosen by the user | Custom roles | Customer-managed policies | Custom roles | Custom roles |
Permissions | What is allowed to be completed within the context of the platform or service | Actions | Actions | Permissions | Permissions |
Resources | Target of an access policy | Resources | Resources | Resources | Resources |
Resource Groups | Logical organization container for IAM-enabled services | Resource groups | Tags | Resource groups | Projects |
Administration Audit Service | Audit with Activity Tracker | Auditing | Audit with AWS CloudTrail | Azure Logging and Auditing Activity logs | Audit with Audit logging |
Do you have two minutes for a quick survey?
Take Survey
