IAM Overview¶
The EnOS Identity and Access Management (IAM) helps you manage user identities and control access to your resources in EnOS. The IAM allows you to manage user account lifecycles, authenticate user identities, and control the access rights to the resources in EnOS. When multiple users exist in an organization unit, the minimum permission principle can be enforced to reduce risks to your enterprise information security.
EnOS applies the identity and access management (IAM) scheme to achieve multi-tenancy. In EnOS, each tenant is managed as an organizational unit. Data that belongs to different organizations are securely segregated and can only be accessed by users that are registered to the organization.
IAM also ensures that a user can access only the resources that the user is authorized to. This is achieved through the grouping of users and assigning appropriate access permissions.
The built-in IAM schemes of EnOS provide capabilities of identity management, authentication, and authorization.
Identity Management¶
With IAM, a hierarchy structure is introduced to represent the relationship that exists within an organization. Each tenant is identified as an organizational unit (OU).
EnOS offers the following types of identities:
User accounts are usually created for EnOS Management Console users and operation staff.
Service accounts (a.k.a. application tokens) are assigned to applications for accessing the EnOS service APIs.
Device identities are assigned to all devices (including edge devices) that connect to the EnOS Cloud.
All identities are created under organizations. Among the types of user identities, EnOS provides several types of user accounts. For more information, see IAM Concepts.
Authentication¶
IAM provides different authentication methods for different account types.
User accounts are authenticated through valid credentials (username and password). Strong passwords with the required complexity is enforced by the security policy managed by the OU administrators. Multi-factor authentication is available as a configurable security option.
Service accounts use access keys (i.e. digital signatures) for EnOS authentication. For more information, see Application Development Overview.
Devices and edges use X.509 certifications to establish the secure data communication tunnels with EnOS Cloud. For more information, see Best Practice for Securing Communications between Edge Gateways and EnOS IoT Hub with X.509 Certificates.