Overview

The evroc Identity and Access Management (IAM) service provides a way to organize your cloud resources and to control who can access what within your organization.
It lets you create user accounts, define permissions and enforce security policies, ensuring that only authorized people have the right level of access to your resources.

User identities

IAM allows you to create user identities in your organization. Each identity represents a person and acts as a digital account with its own credentials; a user is uniquely identified by their email address. IAM enforces secure authentication methods such as passwords and multi-factor authentication (MFA).

Organizing your cloud resources

You can organize your cloud resources by creating ResourceGroups within your Organization and provisioning your resources inside them.
It is mandatory to define at least one ResourceGroup to create cloud resources.
ResourceGroups offer a logical way to group and isolate cloud resources based on your Organization’s structure or project needs. They also enable more fine-grained access control, allowing you to define who can access or manage specific sets of resources.

Administrators can create ResourceGroups to organize resources, such as:

Organization
├── ResourceGroup A
├── ResourceGroup B
└── ResourceGroup C

Understanding permission management

The evroc IAM service allows you to control who can access what within your Organization. It enables you to define access rules by assigning permissions to users to access resources within your Organization.
The IAM service currently only supports adding users as an admin of an Organization or a ResourceGroup. A user can hold admin rights on multiple ResourceGroups.
A user must be part of an Organization to be granted access rights.

Access Control Model

Inheritance

As ResourceGroups create a hierarchical structure, permissions are also automatically inherited:

  • OrgPermissionSets apply globally across all ResourceGroups.
  • PermissionSets apply to their specific ResourceGroup and also to all ResourceGroups nested under the ResourceGroup that they were created in.

IMPORTANT: Nested ResourceGroups beyond a single level, along with resources (excluding ResourceGroups and OrgPermissionSets) created directly in the Organization root ResourceGroup, are a legacy feature that will soon be removed and should already be considered unsupported.

Best Practices

  1. Global permissions with OrgPermissionSets: Use OrgPermissionSets for permissions that should apply consistently across the Organization.
  2. ResourceGroup permissions with PermissionSets: Use ResourceGroup-specific PermissionSets for specialized access requirements.
  3. Regular Reviews: Periodically review and audit permissions to ensure they remain appropriate.
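As an added illustration of the inheritance rules and the access review above (a constructed model written for this page, not the evroc IAM API or its code), the snippet below resolves the effective admins of a ResourceGroup, enforces the Organization-membership requirement, and flags nested ResourceGroups that the page marks as legacy; the names ResourceGroup.parent, Organization.grant, effective_admins, access_review and legacy_nesting are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the hierarchy described on this page; not the evroc IAM API.
# Admin is the only role, as in the current service: a PermissionSet on a
# ResourceGroup and an OrgPermissionSet on the Organization both grant admin.

@dataclass
class ResourceGroup:
    name: str
    parent: "ResourceGroup | None" = None     # None: created directly in the Organization
    admins: set = field(default_factory=set)  # users granted admin via a PermissionSet here

@dataclass
class Organization:
    members: set = field(default_factory=set)     # users who belong to the Organization
    org_admins: set = field(default_factory=set)  # OrgPermissionSet admins, apply to every ResourceGroup
    groups: dict = field(default_factory=dict)    # name -> ResourceGroup

    def add_group(self, name: str, parent: str = None) -> ResourceGroup:
        rg = ResourceGroup(name, self.groups[parent] if parent else None)
        self.groups[name] = rg
        return rg

    def grant(self, user: str, group: str = None) -> None:
        """Admin on one ResourceGroup (PermissionSet) or, with group=None, on the Organization."""
        if user not in self.members:  # access rights require Organization membership
            raise ValueError(f"{user} is not a member of the Organization")
        (self.groups[group].admins if group else self.org_admins).add(user)

def effective_admins(org: Organization, group: str) -> set:
    """OrgPermissionSet admins plus PermissionSets on the group and on every ancestor."""
    admins = set(org.org_admins)
    rg = org.groups[group]
    while rg is not None:  # walk up the tree: permissions inherit downwards
        admins |= rg.admins
        rg = rg.parent
    return admins

def access_review(org: Organization) -> dict:
    """Sorted effective admin list per ResourceGroup, the input for a periodic review."""
    return {name: sorted(effective_admins(org, name)) for name in org.groups}

def legacy_nesting(org: Organization) -> list:
    """ResourceGroups nested inside another one (assumed reading of 'beyond a single level')."""
    return sorted(n for n, rg in org.groups.items() if rg.parent is not None)
```

Build an Organization with a few ResourceGroups, call grant() for each admin, and run access_review() to list who effectively administers each ResourceGroup before a review.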

Example Scenarios

Multi-Department Organization

Organization
├── Frontend Engineering
├── Backend Engineering
├── Marketing
└── Finance

Project-Based Structure

Organization
├── Alpha Development
├── Alpha Staging
├── Alpha Production
├── Beta Development
├── Beta Staging
└── Beta Production