Understanding the basics of Access

Owned by Siamak Haschemi (Deactivated)
Last updated: Jan 02, 2021
3 min read

Overview

This page describes the basic concepts of the Ingenious Access Management (IAM).

IAM lets you grant granular access to specific resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.

How IAM works

With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Networks, Entities, Advertisers or Partners are resources.

In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated users. An IAM policy defines and enforces what roles are granted to which users, and this policy is attached to a resource. When an authenticated user attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.

The following diagram illustrates permission management in IAM.

 

This model for access management has three main parts:

  • User. A user can be a Partner Account (for employees of partner companies) or a admin account (for employees of the company owning the platform, or employees of an advertiser) that can access a resource. The identity of a user is an email address associated with a user.

  • Role. A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a user, you grant all the permissions that the role contains.

  • Policy. The IAM policy binds one user to a role. When you want to define who (user) has what type of access (role) on a resource, you create a policy and attach it to the resource.

In the preceding diagram, for example, the IAM policy binds users, such as admin1@acme.com, to roles, such as the Finance Admin role. If the policy is attached to an entity, the users gain the specified roles within the entity.

The rest of this page describes these concepts in greater detail.

In IAM, you grant access to users. users can be of the following types:

  • Partner Account

  • Admin Account

Partner Account

A Partner Account represents an employee of a partner company who interacts with the Ingenious Platform. The email address that's associated with a Partner Account is the identity. A Partner Account is created automatically for each new Partner you create.

Admin Account

An Admin Account represents an employee of the company owning the platform, or an employee of an advertiser within the platform. The email address that's associated with a Admin Account is the identity. An Admin Account can be created by other users.

When a user attempts to access a resource, IAM checks the resource's IAM policy to determine whether the action is allowed.

This section describes the entities and concepts involved in the authorization process.

Resource

If a user needs access to a specific Ingenious Platform resource, you can grant the user a role for that resource. Some examples of resources are Networks, Entities, Partner, and Advertisers.

You can grant IAM permissions at the entity level, which then includes all Partners and Advertisers below the Entity. This way you can avoid granting access to each individual Partner or Advertiser.

You can also grant IAM permissions at granularity finer than the entity level. For example, you can grant a user the Admin role only to a particular Advertiser within an Entity.

Permissions

Permissions determine what operations are allowed on a resource. In the IAM world, permissions are represented in the form of service.resource.verb, for example, partnerships.advertiser.view.

You don't grant permissions to users directly. Instead, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Roles

A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.

There are two kinds of roles in IAM:

  • Predefined roles: These Roles are predefined by Ingenious for common use cases.

  • Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs.

To learn how to grant a role to user, or creating and managing custom roles, see Managing rights and roles.

IAM policy

You can grant roles to users by creating an IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.