IAM

Identity and Access Management (IAM) is used to manage users and systems that are allowed to access your ContentGrid applications.

Realms

An IAM realm is an isolated authentication environment. Every organization has access to its own IAM realms, which can be configured from the IAM management page in the ContentGrid Console.

An IAM realm for your organization will automatically be created when the first application is created.

Multiple applications within the same organization can be connected to the same IAM realm, even across different projects.

The IAM realm authentication is fully separated from the ContentGrid Console authentication mechanisms. To access an application, you will need to create a User in the IAM realm. You cannot use your ContentGrid Console user to access any application.

Attributes

ContentGrid Permission policies make use of attributes to define access rules.

The IAM Attributes for a realm can be configured in the “Attributes” tab. Once an attribute is added, it becomes available for usage in permission policies and can be defined on groups.

To promote reuse and transparency of permissions, attributes are configured on groups, and not directly on users.

An attribute has a name, a data type and can be single- or multi-valued.

Admin permission

If you want to write a permission that allows access to admins, you could define a single-valued attribute named admin of type boolean. You can then create a group that sets this attribute to true and add all your admin users to this group.

Department access

If you want to write a permission that only allows people to see documents belonging to their departments, you can define a multi-valued attribute named departments of type string. You can then create separate groups for every department and set the departments attribute for each group. Afterwards, add users to their correct department group(s).

Users

Users are the people that are allowed to log in and interact with Applications.

A user is identified by their email address (which is also used as the username).

When creating a user, an email address and a first and last name must be provided. Unless disabled, an automatic email is sent to the user to set up their password.

To maintain traceability of all actions that are performed on ContentGrid applications, it is not possible to delete a user account. Instead, a user account can be deactivated so they can no longer log in.

After creation, a user can be made a member of one or more groups, so that they inherit the attributes defined on those groups.

Groups

Groups allow you to organize Users and Service accounts based on shared characteristics.

Groups themselves do not participate directly in permissions. The attributes defined on a group are inherited by all users and service accounts that are members of the group.

Service accounts

A service account is a non-human principal that is used to allow programmatic integrations with the Application REST API.

A service account is a type of OAuth2 Client; service accounts can be configured in the “Clients” tab.

Note that the secret for a client is only shown once during creation, or when rotating a secret.

Instead of using a username and password, a service account uses OAuth2 Client Credentials to obtain an access token for the application API.
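The Client Credentials exchange described above, as an added example that is not ContentGrid's own code: the token endpoint URL, client id and client secret are assumed placeholders read from the environment, and the token response shape follows RFC 6749 rather than any ContentGrid-specific format.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

def basic_auth_header(client_id, client_secret):
    """client_secret_basic: id and secret travel in the Authorization header, never in the URL."""
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def build_token_request(token_url, client_id, client_secret, scope=None):
    """Build an RFC 6749 section 4.4 client-credentials POST to the realm's token endpoint."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(),
                                  headers=headers, method="POST")

def parse_token_response(body, now=None):
    """Return (access_token, expires_at) from a token response; raise on an error response."""
    doc = json.loads(body)
    if "error" in doc:
        raise RuntimeError(f"token endpoint refused: {doc['error']} {doc.get('error_description', '')}".strip())
    if doc.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {doc.get('token_type')!r}")
    now = time.time() if now is None else now
    # Keep the expiry so the token is reused until then instead of re-issued on every API call.
    return doc["access_token"], now + int(doc.get("expires_in", 0))

def fetch_access_token(token_url, client_id, client_secret, scope=None):
    """Perform the exchange against the token endpoint (network call, not exercised offline)."""
    with urllib.request.urlopen(build_token_request(token_url, client_id, client_secret, scope)) as resp:
        return parse_token_response(resp.read().decode())

if __name__ == "__main__":
    # Assumed placeholder variable names: the secret is shown only once at creation, so it belongs
    # in a secret store injected into the environment, never in source code or a URL.
    token, expires_at = fetch_access_token(os.environ["CG_TOKEN_URL"], os.environ["CG_CLIENT_ID"],
                                           os.environ["CG_CLIENT_SECRET"])
    print("obtained access token, expires at", expires_at)
```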