Skip to content

Authorization in IAM

Every API in IAM is controlled by authorization. It serves as a gateway to perform any operation on the datastore. Authorization in IAM always operates within an account context. For example, if a caller (either a user or an application) calls an API to create a user, the authorization layer validates whether the caller has the permission to create a user in the calling account.

Permissions are defined based on IAM business needs. These permissions are grouped into subsets within roles (e.g., owner, secondary owner, admin, end user) based on their access level. Refer this link for standardized roles and permissions.

By default, new users in an account receive the iam-limited role, providing read-only access to account details and associated entities (devices, groups, users) without modification rights.

IAM internally uses Access Management extension layer to evaluate authorization decisions. When an authorization request is made, the authorization layer collects all the roles related to the calling account and evaluates whether the requested permission is applicable to the caller.