IAM manages access control by defining who (identity) has what access (role) for which resource. For instance, the workspace, the catalogue, and the Analytics Engine APIs are all D4Science resources. Additionally, since each VRE/VLab defines a context in which access is provided to a (sub)set of services and data, contexts (VREs) are also modelled as resources.
Within D4Science IAM, permissions to access a resource are grouped into roles, and roles are granted to principals.
- A principal can be a D4Science Account (for users) or a service account (for applications).
- A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.
An IAM policy defines and enforces what roles are granted to which principals, and this policy is attached to a resource. When an authenticated principal tries to access a resource, IAM checks the policy of the resource to see if the action is allowed. In other words, a policy, attached to a resource, defines who (principal) has what type of access (role) on a resource.
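As an added illustration of the model above (not D4Science's own code), the following Python sketch models principals, roles as permission sets, and a policy attached to each resource, with a deny-by-default check evaluated against the policy of the resource being accessed; the role, permission, principal and resource names are constructed for the example.

```python
from dataclasses import dataclass, field

# Added illustration (not D4Science code); role/permission/resource names are constructed.
@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "user" = D4Science Account, "service" = service account

@dataclass(frozen=True)
class Role:  # a role is a named collection of permissions
    name: str
    permissions: frozenset

@dataclass
class Policy:  # attached to one resource: role name -> principals granted that role
    bindings: dict = field(default_factory=dict)

    def grant(self, role_name: str, principal: Principal) -> None:
        self.bindings.setdefault(role_name, set()).add(principal.name)

@dataclass
class Resource:  # workspace, catalogue, an API, or a VRE context
    name: str
    policy: Policy = field(default_factory=Policy)

ROLES = {
    "Member": Role("Member", frozenset({"read"})),
    "Manager": Role("Manager", frozenset({"read", "write", "manage-policy"})),
}

def effective_permissions(principal: Principal, resource: Resource) -> frozenset:
    """Union of the permissions of every role the resource's policy grants to the principal."""
    perms = set()
    for role_name, members in resource.policy.bindings.items():
        if principal.name in members and role_name in ROLES:
            perms |= ROLES[role_name].permissions
    return frozenset(perms)

def is_allowed(principal: Principal, action: str, resource: Resource,
               authenticated: bool = True) -> bool:
    """Deny by default: the check is made against the policy of this resource only."""
    return authenticated and action in effective_permissions(principal, resource)

# Constructed sample: a VRE context and the workspace are both resources.
alice = Principal("alice", "user")
ingest_bot = Principal("ingest-bot", "service")
vre = Resource("vre:demo-lab")
workspace = Resource("workspace")
vre.policy.grant("Manager", alice)
vre.policy.grant("Member", ingest_bot)
workspace.policy.grant("Member", alice)
```

Because each policy is bound to a single resource, a role granted on the VRE context gives no access on the workspace unless the workspace's own policy grants it too.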