IAM Basics for System Design

Identity and Access Management (IAM) is a framework that governs how users and systems interact with digital resources within an organization. It encompasses policies, processes, and technologies that control who can access what data and services, ensuring the right individuals have the right level of access at the right time.

IAM Basics for System Design

At its core, IAM involves the following key components:

  1. Identification: This is the process of uniquely identifying users or systems. Identifiers like usernames, email addresses, or unique IDs are used to distinguish individual entities.
  2. Authentication: Authentication verifies the identity of a user or system attempting to access a resource. It typically involves providing credentials like passwords, biometrics, or security tokens.
  3. Authorization: After a user or system is authenticated, authorization determines what actions they are allowed to perform on specific resources. This involves defining permissions, roles, and policies that govern access rights.
  4. Account Management: IAM systems provide mechanisms for managing user accounts, including creating, modifying, and deleting accounts. They also handle password resets, account recovery, and other account-related tasks.
  5. Access Governance: This encompasses the policies, procedures, and processes that define how access is granted, reviewed, and revoked. It ensures that access rights are aligned with business needs and security requirements.

IAM Models

There are various IAM models, each with its strengths and weaknesses. Some common models include:

  • Role-Based Access Control (RBAC): This is the most widely used model, where permissions are grouped into roles, and users are assigned roles based on their job functions or responsibilities.
  • Attribute-Based Access Control (ABAC): ABAC defines access based on attributes associated with users, resources, or the environment. For example, you might allow access to a resource only during specific hours or from certain IP addresses.
  • Policy-Based Access Control (PBAC): PBAC uses policies to evaluate various factors, such as user attributes, resource attributes, and environmental conditions, to determine access rights.