Conceptual Diagram of Identity and Access Management

Organization
- At the top level, an organization can have multiple accounts.
- An organization may also include several sub-organizations.
- An organization must have at least one account.
Account
- An account can contain various identities such as users, devices, and applications.
- Each account is associated with a single organization, but this association is not mandatory.
- Users should be part of at least one account, and each account should include at least one user.
- Applications and devices should each be associated with only one account.
Group
- An account can have multiple groups.
- A group is a collection of one or more identities, which can include users, devices, and applications.
- Identities may belong to zero or more groups.
- Identities can assume multiple roles against an account or a group.
- Roles are essentially a collection of permissions.