IAM Overview


EnOS Identity and Access Management (IAM) helps you manage user identities and control access to your resources in EnOS. IAM allows you to manage user account lifecycles, authenticate user identities, and control the access rights to the resources in EnOS. When multiple users exist in an organization unit (OU), the minimum permission principle can be enforced to reduce risks to your enterprise information security.


EnOS applies the IAM scheme to achieve multi-tenancy. In EnOS, each tenant is managed as an OU. Data that belongs to different organizations are securely segregated and can only be accessed by users that are registered to the organization.


IAM also ensures that a user can access only the resources that the user is authorized to. This is achieved through the grouping of users and assigning appropriate access permissions.


The built-in IAM schemes of EnOS provide capabilities of identity management, authentication, and authorization.

Identity Management


With IAM, a hierarchy structure is introduced to represent the relationship that exists within an organization. Each tenant is identified as an OU.


EnOS offers the following types of identities:

  • User accounts are usually created for EnOS Management Console users and operation staff.

  • Service accounts (a.k.a. application tokens) are assigned to applications for accessing EnOS service APIs.

  • Device identities are assigned to all devices (including edge devices) that connect to EnOS.


All identities are created under organizations. Among the types of user identities, EnOS provides several types of user accounts. For more information, see IAM Concepts.

Authentication


IAM provides different authentication methods for different account types.

  • User accounts are authenticated through valid credentials (username and password). Strong passwords with the required complexity is enforced by the security policy managed by the OU administrators. Multi-factor authentication is available as a configurable security option.

  • Service accounts use access keys (i.e. digital signatures) for EnOS authentication.

  • Devices and edges use X.509 certifications to establish the secure data communication tunnels with EnOS. For more information, see Best Practice for Securing Communications between Edge Gateways and EnOS with X.509 Certificates.

Authorization


EnOS adopts Role-Based-Access-Control (RBAC), which is a policy neutral access control mechanism defined around roles and privileges. The access control rule is defined as a 3-tuples in the form of role-permission-resource. The resource includes the following:

  • Applications: applications that a role has access to

  • User Interface: menu items or buttons that a role can see

  • API: APIs that a role can invoke

  • Data: data that a role can read or write

  • Reports: reports that a role can read

  • Events: events from an application that a role can view or handle


IAM allows the OU administrator to define access control rules to grant privileges/permissions of resources to other accounts through EnOS Management Console GUI or through the APIs.


Accounts with the appropriate privileges granted may access the corresponding resources via EnOS service APIs or EnOS Management Console. Access control validation is performed by IAM service for each access attempt.