Functional Definition

The evroc IAM service allows a customer to organize resources, manage identities, and define authorization policies that secure access to those resources.

The service features are described below.

Organizations

An Organization is the top-level entity in your cloud account that represents your company or team. It provides a unified way to manage access, billing, policies and compliance across your entire environment.

ResourceGroups

ResourceGroups are isolated groups of resources that allow you to logically organize your cloud resources. Key features include:

  • Flexible Organization: Organize resources by project, department, environment, or any other organizational model.
  • Granular Access Control: Apply specific permissions at each ResourceGroup level.

IMPORTANT: ResourceGroups cannot be nested.

Permission Management

There are currently two objects to manage permissions within your environment, each one with a distinct scope:

OrgPermissionSets

OrgPermissionSets define organization-wide access permissions.
OrgPermissionSets MUST be created at the top level of the Organization (outside of any specific ResourceGroup).

  • Scope: Applied across the entire organization.
  • Use Case: Grant users consistent access across all ResourceGroups.
  • Management: Created and managed by Organization administrators.

PermissionSets

PermissionSets define ResourceGroup-scoped access permissions. PermissionSets MUST be created in a ResourceGroup.

  • Scope: Limited to the ResourceGroup where they are created.
  • Use Case: Grant users access to a specific ResourceGroup.
  • Management: Created and managed by ResourceGroup administrators or Organization administrators.

Limitations

Currently, the access control service only supports adding users as admins.

  • OrgPermissionSets: Grant your user Organization-wide admin permissions.
  • PermissionSets: Grant your user admin permissions in a specific ResourceGroup.
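To make the scoping rules above concrete, here is a small model written for this page. It is an added illustration, not evroc's own code or API: the names Organization, ResourceGroup, OrgPermissionSet, PermissionSet and the methods on them are assumptions made for the example, and the users and group names are constructed sample data. The model encodes the three constraints stated above (ResourceGroups cannot be nested, OrgPermissionSets exist only at the Organization level, PermissionSets exist only inside a ResourceGroup) and shows how an admin check resolves: an org-wide grant applies to every ResourceGroup, a PermissionSet grant applies only to the ResourceGroup that owns it, and an unknown ResourceGroup is denied by default.

```python
"""Toy model of the evroc IAM scoping rules described on this page.

Added example, not evroc's code or API. All class and method names here are
assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class OrgPermissionSet:
    name: str
    members: frozenset  # user ids granted Organization-wide admin


@dataclass(frozen=True)
class PermissionSet:
    name: str
    members: frozenset  # user ids granted admin in the owning ResourceGroup only


@dataclass
class ResourceGroup:
    name: str
    permission_sets: list = field(default_factory=list)


@dataclass
class Organization:
    name: str
    resource_groups: dict = field(default_factory=dict)  # name -> ResourceGroup
    org_permission_sets: list = field(default_factory=list)

    def add_resource_group(self, rg: ResourceGroup, parent: str | None = None) -> None:
        # ResourceGroups cannot be nested: the only valid parent is the Organization.
        if parent is not None:
            raise ValueError("ResourceGroups cannot be nested")
        if rg.name in self.resource_groups:
            raise ValueError(f"duplicate ResourceGroup {rg.name!r}")
        self.resource_groups[rg.name] = rg

    def add_org_permission_set(self, ops: OrgPermissionSet) -> None:
        # OrgPermissionSets are created at the top level of the Organization only.
        self.org_permission_sets.append(ops)

    def add_permission_set(self, rg_name: str, ps: PermissionSet) -> None:
        # PermissionSets MUST be created inside an existing ResourceGroup.
        rg = self.resource_groups.get(rg_name)
        if rg is None:
            raise ValueError(f"PermissionSet {ps.name!r} requires an existing ResourceGroup")
        rg.permission_sets.append(ps)

    def is_admin(self, user: str, rg_name: str) -> bool:
        """True if user is admin on rg_name via an org-wide or a ResourceGroup-scoped grant."""
        # Org-wide grants apply to every ResourceGroup.
        if any(user in ops.members for ops in self.org_permission_sets):
            return True
        rg = self.resource_groups.get(rg_name)
        if rg is None:
            return False  # unknown ResourceGroup: deny by default
        # ResourceGroup-scoped grants apply only to the owning ResourceGroup.
        return any(user in ps.members for ps in rg.permission_sets)

    def admin_scope(self, user: str) -> set:
        """Every ResourceGroup on which user holds admin; handy for an access review."""
        return {name for name in self.resource_groups if self.is_admin(user, name)}


def is_rejected(action) -> bool:
    """True when the model refuses an action that violates a stated constraint."""
    try:
        action()
    except ValueError:
        return True
    return False


def build_example() -> Organization:
    # Constructed sample data for the illustration, not real accounts.
    org = Organization("example-org")
    org.add_resource_group(ResourceGroup("prod"))
    org.add_resource_group(ResourceGroup("dev"))
    org.add_org_permission_set(OrgPermissionSet("org-admins", frozenset({"alice"})))
    org.add_permission_set("dev", PermissionSet("dev-admins", frozenset({"bob"})))
    return org


if __name__ == "__main__":
    org = build_example()
    print("alice admin scope:", sorted(org.admin_scope("alice")))  # both ResourceGroups
    print("bob admin scope:", sorted(org.admin_scope("bob")))      # dev only
```

The deny-by-default branch for an unknown ResourceGroup and the rejection of a nested ResourceGroup are the two places a real implementation is most likely to drift from the documented model, so they are the checks worth asserting in a test suite.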