
Manage Identities

PLATFORMA's identity and access management (IAM) system provides fine-grained control over who can access what resources. This guide covers setting up roles, permissions, and multi-tenant access.

Core Concepts

  • Users — Individual accounts that can log in and access the platform
  • Roles — Collections of permissions (e.g., Admin, Operator, Viewer)
  • Policies — Rules that grant or deny access to specific resources
  • Groups — Collections of users that share the same permissions

1. Create roles

Define custom roles for your organization:

const operatorRole = await client.iam.roles.create({
  name: "Infrastructure Operator",
  slug: "infra-operator",
  permissions: [
    "infrastructure:read",
    "infrastructure:manage",
    "monitoring:read",
    "orders:read",
  ],
});

2. Set up user groups

Organize users into groups for easier management:

const opsGroup = await client.iam.groups.create({
  name: "Operations Team",
  roles: [operatorRole.id],
});
 
// Add users to the group
await client.iam.groups.addMembers(opsGroup.id, {
  user_ids: ["usr_alice", "usr_bob", "usr_charlie"],
});

3. Configure resource policies

Create policies that restrict access to specific resources:

await client.iam.policies.create({
  name: "EU-only infrastructure access",
  effect: "allow",
  principals: [{ group: opsGroup.id }],
  actions: ["infrastructure:*"],
  resources: ["cluster:cls_eu*"], // Only EU clusters
  conditions: {
    ip_range: ["10.0.0.0/8", "192.168.0.0/16"], // Internal network only
  },
});
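To make the interaction between roles, groups and policies concrete, here is an added, self-contained evaluator that models the objects created in the steps above. It is illustrative code written for this page, not PLATFORMA's own authorization engine, and it assumes the semantics a practitioner would expect from such a system: a request is denied by default, it needs both a permission on one of the user's roles and a matching `allow` policy, a matching `deny` policy overrides any allow, `*` in an action or resource pattern matches any run of characters, and `ip_range` is checked as IPv4 CIDR containment. All users, group ids and policies below are constructed sample data.

```javascript
// Added illustrative policy evaluator (not PLATFORMA's own code).
// Roles carry permissions, groups carry roles and members, policies grant or
// deny actions on resources to principals under conditions. Sample data only.
const roles = {
  "infra-operator": {
    permissions: ["infrastructure:read", "infrastructure:manage", "monitoring:read", "orders:read"],
  },
  viewer: { permissions: ["infrastructure:read", "monitoring:read"] },
};

const groups = {
  grp_ops: { roles: ["infra-operator"], members: ["usr_alice", "usr_bob"] }, // constructed ids
};

const policies = [
  {
    name: "EU-only infrastructure access",
    effect: "allow",
    principals: [{ group: "grp_ops" }],
    actions: ["infrastructure:*"],
    resources: ["cluster:cls_eu*"],
    conditions: { ip_range: ["10.0.0.0/8", "192.168.0.0/16"] },
  },
  {
    // Assumed deny policy: explicit denies win over allows in this model.
    name: "No manage on EU production",
    effect: "deny",
    principals: [{ group: "grp_ops" }],
    actions: ["infrastructure:manage"],
    resources: ["cluster:cls_eu-prod*"],
  },
];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// "*" matches any run of characters; everything else is literal.
function globMatch(pattern, value) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$");
  return re.test(value);
}

// IPv4 helpers: dotted quad -> unsigned 32-bit integer, and CIDR containment.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Union of permissions over the roles of every group the user belongs to.
function effectivePermissions(userId) {
  const perms = new Set();
  for (const g of Object.values(groups)) {
    if (!g.members.includes(userId)) continue;
    for (const r of g.roles) roles[r].permissions.forEach(p => perms.add(p));
  }
  return perms;
}

function principalMatches(principal, userId) {
  if (principal.user) return principal.user === userId;
  if (principal.group) return groups[principal.group]?.members.includes(userId) ?? false;
  return false;
}

function conditionsMatch(conditions, ctx) {
  if (!conditions) return true;
  if (conditions.ip_range) {
    if (!ctx.sourceIp) return false; // unknown origin never satisfies a network condition
    if (!conditions.ip_range.some(c => inCidr(ctx.sourceIp, c))) return false;
  }
  return true;
}

// Deny by default. The user must hold the permission through a role, and a
// matching allow policy must exist; any matching deny policy wins outright.
function isAllowed({ userId, action, resource, sourceIp }) {
  if (!effectivePermissions(userId).has(action)) return false;
  let allowed = false;
  for (const p of policies) {
    const matches =
      p.principals.some(pr => principalMatches(pr, userId)) &&
      p.actions.some(a => globMatch(a, action)) &&
      p.resources.some(r => globMatch(r, resource)) &&
      conditionsMatch(p.conditions, { sourceIp });
    if (!matches) continue;
    if (p.effect === "deny") return false;
    allowed = true;
  }
  return allowed;
}
```

The cases worth running against it are the ones that catch misconfigurations in practice: the same user and resource from an address outside the internal ranges, a non-EU cluster id, and an action the role grants but no policy covers (`orders:read` here), all of which come back denied. If your real platform evaluates conflicting allow and deny policies differently, adjust the loop in `isAllowed` to match its documented precedence rather than assuming this model.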

4. Enable SSO

Configure single sign-on with your identity provider:

await client.iam.sso.configure({
  provider: "saml",
  metadata_url: "https://idp.example.com/metadata.xml",
  attribute_mapping: {
    email: "urn:oid:0.9.2342.19200300.100.1.3",
    name: "urn:oid:2.5.4.3",
    groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
  },
  default_role: "viewer",
  group_role_mapping: {
    "Platform Admins": "admin",
    "Operations": "infra-operator",
  },
});
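The part of this configuration that most often goes wrong is the translation from the IdP's group attribute to platform roles. The following added example, written for this page and not part of PLATFORMA's SDK, shows that translation applied to a decoded assertion. It assumes the assertion arrives as a map from attribute name to an array of values, which is how SAML libraries typically expose attributes; the assertion contents are constructed sample data.

```javascript
// Added illustrative role resolution for an incoming SAML assertion
// (not PLATFORMA's own code). Applies attribute_mapping and
// group_role_mapping from the SSO configuration to decoded attributes.
const ssoConfig = {
  attribute_mapping: {
    email: "urn:oid:0.9.2342.19200300.100.1.3",
    name: "urn:oid:2.5.4.3",
    groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
  },
  default_role: "viewer",
  group_role_mapping: {
    "Platform Admins": "admin",
    "Operations": "infra-operator",
  },
};

// Assumed input shape: { attributes: { "<attribute name>": [values...] } }.
// Returns the identity fields and the sorted list of roles for the session.
function resolveSession(config, assertion) {
  const attrs = assertion.attributes ?? {};
  const get = key => attrs[config.attribute_mapping[key]] ?? [];

  const [email] = get("email");
  if (!email) throw new Error("assertion lacks the mapped email attribute");

  const roles = new Set();
  for (const group of get("groups")) {
    // Own-property lookup only: an IdP group named "constructor" or
    // "__proto__" must not resolve to a value inherited from Object.prototype.
    if (Object.prototype.hasOwnProperty.call(config.group_role_mapping, group)) {
      roles.add(config.group_role_mapping[group]);
    }
  }

  // Users in no mapped group receive only the default role. Mapped users do
  // not also get it, so the least-privileged role is never a hidden add-on.
  if (roles.size === 0) roles.add(config.default_role);

  return { email, name: get("name")[0] ?? email, roles: [...roles].sort() };
}

// Constructed sample assertion for a user in one mapped and one unmapped group.
const sampleAssertion = {
  attributes: {
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@example.com"],
    "urn:oid:2.5.4.3": ["Alice Example"],
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": ["Operations", "Finance"],
  },
};
```

Running `resolveSession(ssoConfig, sampleAssertion)` yields roles `["infra-operator"]`: the unmapped "Finance" group contributes nothing, and a user who is in no mapped group at all gets `["viewer"]`. Membership in several mapped groups accumulates roles, which is the place to look first when the audit log shows an account with broader access than its job requires.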

Follow the principle of least privilege: start with minimal permissions and add more as needed. Use the audit log to review access patterns and identify over-provisioned accounts.