IAM Overview
EnOS Identity and Access Management (IAM) helps you manage user identities and control access to your resources in EnOS. IAM allows you to manage the lifecycle of user accounts, authenticate user identities, and control access rights to the resources in EnOS. When multiple users exist in an organization unit (OU), the principle of least privilege can be enforced so that each user holds only the permissions needed for their role, reducing the risk to your enterprise information security.
EnOS applies the IAM scheme to achieve multi-tenancy. In EnOS, each tenant is managed as an OU. Data that belongs to different organizations is securely segregated and can only be accessed by users that are registered to that organization.
IAM also ensures that a user can access only the resources that the user is authorized to. This is achieved by grouping users and assigning each group the appropriate access permissions.
The built-in IAM schemes of EnOS provide capabilities of identity management, authentication, and authorization.
Identity Management
With IAM, a hierarchical structure is introduced to represent the relationships that exist within an organization. Each tenant is identified as an OU.
EnOS offers the following types of identities:
User accounts are usually created for EnOS Management Console users and operation staff.
Service accounts (a.k.a. application tokens) are assigned to applications for accessing EnOS service APIs.
Device identities are assigned to all devices (including edge devices) that connect to EnOS.
All identities are created under organizations. Among the types of user identities, EnOS provides several types of user accounts. For more information, see IAM Concepts.
Authentication
IAM provides different authentication methods for different account types.
User accounts are authenticated through valid credentials (username and password). Strong passwords with the required complexity are enforced by the security policy managed by the OU administrators. Multi-factor authentication is available as a configurable security option.
Service accounts use access keys for EnOS authentication: an access key identifies the application, and the associated secret key is used to compute a signature over each API request, so the secret itself is not transmitted.
Devices and edge gateways use X.509 certificates to establish secure, authenticated data communication tunnels with EnOS. For more information, see Best Practice for Securing Communications between Edge Gateways and EnOS with X.509 Certificates.
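The access-key pattern for service accounts is worth seeing end to end: the client signs a request with a secret it never sends, and the server looks up the same secret by access key, recomputes the signature, and rejects anything stale or tampered. The following is an added, generic illustration of that pattern, not EnOS's own signing algorithm or SDK; the header names, canonical-string layout, credential store and 300-second replay window are assumptions chosen for the example.

```python
"""
Generic illustration of access-key request signing for service accounts.

Added example; NOT EnOS's signing algorithm. Header names, canonical string
layout, the credential store and the replay window are assumptions.
"""
import hashlib
import hmac
import time

# Constructed sample credentials: the access key identifies the service
# account; the secret key stays in client and server storage only.
ACCESS_KEY = "app-demo-key"
SECRET_KEY = "s3cr3t-demo-secret"

# Server-side credential store keyed by access key (constructed sample).
SERVER_KEYS = {ACCESS_KEY: SECRET_KEY}

MAX_SKEW_SECONDS = 300  # assumed replay window


def canonical_string(method, path, body, timestamp):
    """Bind the signature to exactly what the server will execute."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(method, path, body, access_key, secret_key, timestamp=None):
    """Client side: return headers carrying the key id, timestamp and HMAC.

    The secret key is used to compute the HMAC but never placed in a header.
    """
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, body, timestamp).encode()
    sig = hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()
    return {
        "X-Access-Key": access_key,
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(method, path, body, headers, now=None):
    """Server side: look up the secret by access key and recompute the HMAC.

    Returns (ok, reason) so callers can log why a request was rejected.
    """
    if now is None:
        now = int(time.time())
    access_key = headers.get("X-Access-Key")
    secret_key = SERVER_KEYS.get(access_key)
    if secret_key is None:
        return False, "unknown access key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    # Reject requests whose timestamp is outside the replay window.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    msg = canonical_string(method, path, body, ts).encode()
    expected = hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"assetId": "demo-asset"}'
    hdrs = sign_request("POST", "/demo/api/v1/assets", body,
                        ACCESS_KEY, SECRET_KEY, timestamp=1_700_000_000)
    print(verify_request("POST", "/demo/api/v1/assets", body, hdrs,
                         now=1_700_000_010))
    # Tampered body: the recomputed HMAC no longer matches the header.
    print(verify_request("POST", "/demo/api/v1/assets",
                         b'{"assetId": "other"}', hdrs, now=1_700_000_010))
```

Two properties make this scheme suitable for application credentials: the secret key is never on the wire, so a captured request cannot be turned into a reusable credential, and the timestamp inside the signed string bounds how long a captured request stays replayable.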