...
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Networks, Entities, Advertisers or Partners are resources.
In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated users. An IAM policy defines and enforces what roles are granted to which users, and this policy is attached to a resource. When an authenticated user attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
...