Introduction
==============

Policy-Based Access Control (PBAC) is a mechanism for managing user access to one or more systems, in which the permissions granted depend on the user's business responsibilities as expressed through predefined or custom policies. In contrast to the conventional method of auditing and modifying roles organization-wide, PBAC provides the agility to adjust access privileges quickly in response to evolving requirements. This ensures that assets remain safeguarded through the enforcement of established rules and policies. PBAC is a versatile authorization solution, capable of accommodating various access points by automating security controls within applications and data.

IAM (Identity and Access Management)
``````````````````````````````````````

**IAM Model Overview:**

IAM, which stands for Identity and Access Management, is a structured system for managing user identities and their access privileges within an account. The IAM model comprises various user roles and their corresponding permissions.

**Key Concepts:**

1. **IAM Entry:** Each IAM entry maps a primary customer to their associated secondary users. Instead of referencing a contact person table, information about secondary users is stored within the IAM table.

2. **IAM User Types:**

   * **Owner:** Represents the primary account holder.
   * **Primary:** Users with existing sign-ups on the platform who can access other accounts using the Primary IAM feature, also known as Multi-CRN view.

     **Multi CRN**

     A Multi-CRN view lets users toggle between multiple CRNs (Customer Reference Numbers). This occurs when a customer (Customer A) who is already registered grants access to some of their projects to another customer (Customer B) who is also registered. As a result, Customer B can access Customer A's projects by switching between their respective CRNs.

     .. image:: image/multi_crn.png
        :class: bordered-image

   * **Contact:** Users without existing sign-ups on the platform.

3. **IAM User Roles:**

   * **Admin:** Possesses comprehensive access rights, including resource and project management, billing dashboard access, invoice handling, and the ability to add or remove other IAM users. Admins are akin to co-owners of the account.
   * **Project Lead:** Responsible for resource allocation, project management, user administration, and policy modifications. Project Leads have limited access to the billing dashboard and are categorized as technical users.
   * **Billing User:** Authorized to manage billing functionalities, including viewing and paying outstanding amounts, accessing invoices, and configuring auto-pay settings. Billing Users have access to virtual account information.
   * **Member:** Users with limited access to the account. They can use the services selected for them, subject to the established policies that restrict their view within those services. Unauthorized attempts to access restricted services or perform restricted actions redirect them to an unauthorized page.
   * **Billing+Member:** Users with restricted service access but unrestricted access to the billing dashboard. They can perform any action within the billing dashboard without restrictions.

The IAM model provides a structured approach to managing user identities, access privileges, and permissions within an account, ensuring effective security and access control.

.. Note::
   **To use IAM, you have to follow these steps:**

   * Add an IAM user.
   * Create a project.
   * Create custom policies, or use predefined policies.
   * Assign the project and policies to the user.

Add User
^^^^^^^^^

To add users, follow these steps.

Navigate to the IAM section on the Dashboard.

.. image:: image/pbac1.png
   :class: bordered-image

By default, the Owner's details are displayed in the list.

To add a new user to the project, click on the 'Add User' option.

.. image:: image/pbac2.png
   :class: bordered-image

After selecting "Add User," a new page labeled "Add New User" will open. On this page, enter the user's email and choose a role from the dropdown menu. The available roles include Member, Billing, Project Manager, Admin, and Billing+Member.

.. image:: image/pbac3.png
   :class: bordered-image

If you choose the role of Admin, Project Manager, or Billing, predefined policies will be applied to the user based on their role.

.. image:: image/Admin.png
   :class: bordered-image

After selecting all the parameters, click on Add User.

.. image:: image/member1.png
   :class: bordered-image

.. Note::
   If no policy is available in the project, you must first add a custom policy to the project.

If you choose the role of "Member," all available projects will be displayed below. After selecting a specific project, you can then assign one or more policies to that user.

.. image:: image/members2.png
   :class: bordered-image

.. image:: image/pbac6.png
   :class: bordered-image

Upon selecting "Add User," the user will appear on the IAM page under the "All Users" section with the status set as 'Invited.' Subsequently, an invitation link will be sent to the user's email address. Upon clicking the link, a registration form will be presented for completion.

.. image:: image/pbac7.png
   :class: bordered-image

.. image:: image/pbac8.png
   :class: bordered-image

Upon completing all the required details in the registration form, the user will be successfully registered. Following registration, the customer must log in using their provided credentials.

.. Note::
   If the customer is an existing user on the E2E platform, they will find the invitation in the Invitation section on the Dashboard.

.. image:: image/existing_customer1.png
   :class: bordered-image

Upon selecting the Invitation button, the Invitation page will be displayed.

.. image:: image/existing_customer2.png
   :class: bordered-image

On the Manage Invitations page, you can view the invitations received and accept or decline them as you prefer. Upon accepting the invitation, the user will appear in the All User list with their assigned role.

Actions
^^^^^^^^

Reset Password:
^^^^^^^^^^^^^^^^

Click on the "Reset Password" action to reset a member's password.

.. image:: image/pbac9.png
   :class: bordered-image

Edit Roles and Policies:
^^^^^^^^^^^^^^^^^^^^^^^^^

To modify the roles and policies of a member, click on the Edit action.

.. image:: image/pbac10.png
   :class: bordered-image

.. image:: image/pbac11.png
   :class: bordered-image

Once you have made the necessary changes, click on the "Update User" button to save the modifications.

.. image:: image/pbac12.png
   :class: bordered-image

.. image:: image/pbac13.png
   :class: bordered-image

Delete User:
^^^^^^^^^^^^

To remove a user, click on the Delete action.

.. image:: image/pbac14.png
   :class: bordered-image

Upon selecting the delete action button, a confirmation pop-up will appear on the page. Click on the delete button within the pop-up to confirm the deletion, and the user will be removed from the user list.

Manage Project
^^^^^^^^^^^^^^^

Project Management
^^^^^^^^^^^^^^^^^^^

To manage projects, navigate to the IAM page and click on the Manage Project tab.

.. image:: image/pbac15.png
   :class: bordered-image

By default, a Default Project will be displayed in the list. To create a new project, provide a name for the project and click on the Create button. Once a project is created, it will be visible in the Recent tab.

.. image:: image/pbac16.png
   :class: bordered-image

To switch from one project to another, select the desired project by clicking on the radio button. A pop-up will appear, prompting you to click on "Switch Project." Upon doing so, the switch will be completed, and you'll be in the selected project.

.. image:: image/pbac17.png
   :class: bordered-image

To designate a project as a starred project, click on the star button located in the Starred section.

.. image:: image/pbac18.png
   :class: bordered-image

To view all projects, click on the "All" section, where you can see a comprehensive list of all projects associated with that user.

.. image:: image/pbac19.png
   :class: bordered-image

Member Management
^^^^^^^^^^^^^^^^^^

Add Member:
^^^^^^^^^^^^

To modify a project and add members, click on the edit button associated with that project.

.. image:: image/pbac20.png
   :class: bordered-image

Upon clicking the edit button, you will find the option to add members to the project. Click on it to proceed.

.. image:: image/pbac21.png
   :class: bordered-image

After you select "Add Member," the Add Member page will open. After entering all the necessary information, such as the new member's details and policies, click on "Save Changes" to confirm.

.. image:: image/pbac22.png
   :class: bordered-image

Modify User's Policy:
^^^^^^^^^^^^^^^^^^^^^

.. image:: image/pbac23.png
   :class: bordered-image

To modify a user's policy, click on the edit button and then select the appropriate option using the button on the right.

Remove Member:
^^^^^^^^^^^^^^

.. image:: image/pbac24.png
   :class: bordered-image

To remove a member from the project, click on the delete button. A pop-up will appear, and upon confirmation by clicking the Delete button within the pop-up, the member will be successfully deleted from the project.

.. image:: image/pbac25.png
   :class: bordered-image

To access established policies, go to the IAM page and select the Policy Set section. If you wish to create a new policy, click on the "Add Policy" button.

.. image:: image/pbac26.png
   :class: bordered-image

After you click on Add Policy, the Add New Policy page will appear. On that page, enter a policy set name and description, select the services this policy should grant access to, and then click on the Save button.

.. image:: image/pbac27.png
   :class: bordered-image

Upon saving the policy, it will be displayed in the Policy Set section on the IAM page.

.. image:: image/pbac28.png
   :class: bordered-image

To execute actions on a policy set, click on the three dots, and a menu of actions will appear. To view the policy services, select the "View" action.

.. image:: image/pbac29.png
   :class: bordered-image

Upon selecting the "View" action, the Services page will open, allowing you to see all the services associated with that policy.

.. image:: image/pbac30.png
   :class: bordered-image

To modify the policy set, click on the "Edit" action.

.. image:: image/pbac31.png
   :class: bordered-image

Upon choosing the "Edit" action, the Edit Policy Set Details page will open. On this page, you can add or remove services from the policy set by ticking or unticking the respective options. After making the desired changes, click on the Save button.

.. image:: image/pbac32.png
   :class: bordered-image

To remove a policy set, click on the "Delete" action.

.. image:: image/pbac33.png
   :class: bordered-image

Upon selecting the "Delete" action, a pop-up will appear. Click on "Delete" within the pop-up, and the policy set will be removed from the policy set list.
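
The role, project and policy-set model described on this page can be read as a default-deny check. The sketch below is an added example, not the E2E platform's code or API. Its class, project, policy and service names are hypothetical, it models only the Admin, Member and Billing+Member roles, and it assumes that several policy sets assigned on one project combine additively.

```python
from dataclasses import dataclass, field

BILLING = "billing-dashboard"  # hypothetical name for the billing dashboard
POLICY_DRIVEN = ("Member", "Billing+Member")


@dataclass(frozen=True)
class PolicySet:
    name: str
    services: frozenset  # services ticked when the policy set was saved


@dataclass
class IamUser:
    email: str
    role: str
    # project name -> policy sets assigned to this user on that project
    assignments: dict = field(default_factory=dict)


def effective_services(user, project):
    """Union of the services granted by the user's policy sets on one project
    (additive combination is an assumption of this sketch)."""
    granted = set()
    for policy in user.assignments.get(project, []):
        granted |= policy.services
    return granted


def is_allowed(user, project, service):
    """Default-deny decision; False stands for the 'unauthorized page'."""
    if user.role == "Admin":
        return True  # comprehensive access
    if service == BILLING:
        return user.role == "Billing+Member"
    if user.role in POLICY_DRIVEN:
        return service in effective_services(user, project)
    return False  # roles this sketch does not model are denied


def members_without_policy(users):
    """Policy-driven users whose assignments grant no service at all."""
    return [u.email for u in users if u.role in POLICY_DRIVEN
            and not any(p.services for ps in u.assignments.values() for p in ps)]


# Constructed sample data: project, policy and service names are made up.
node_ops = PolicySet("node-ops", frozenset({"nodes", "volumes"}))
db_ops = PolicySet("db-ops", frozenset({"dbaas"}))
alice = IamUser("alice@example.com", "Member", {"project-a": [node_ops, db_ops]})
bob = IamUser("bob@example.com", "Billing+Member", {"project-b": [db_ops]})
carol = IamUser("carol@example.com", "Member", {"project-a": []})
```

A review of an account's assignments can use `members_without_policy` to find invited users who were given a project but no policy set, and `effective_services` to confirm that each Member's reach on a project matches what was intended.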