Identity and Access Management
Identity and Access Management (IAM) is the security subsystem
that governs who can do what in ORE Studio. It is realised by the
ores.iam.* components — domain logic in ores.iam.core, wire
protocol in ores.iam.api, service-side enforcement in
ores.iam.service, and the client-side helpers in
ores.iam.client. The companion concept doc is Role-Based Access
Control.
Core Responsibilities
- Identity Lifecycle Management: Manages the digital identity of all entities (users, systems, applications), including their creation, provisioning, maintenance, and decommissioning.
- Authentication: Verifies the identity of an entity attempting to access the system — passwords, certificates, protocols.
- Authorisation: Controls what actions an authenticated identity is permitted to perform on specific resources, based on assigned roles and policies.
- Access Control Enforcement: Technically enforces authorisation decisions across the ecosystem, ensuring access rights are adhered to during operation. See RBAC for how the role and permission model fits together.
Operational Scope
The IAM subsystem operates across two primary phases:
- Configuration Phase: The definition and registration of identities, their roles, and their authorised access rights.
- Operation Phase: The real-time execution of identification, authentication, and access control checks based on the configured policies.
In essence, IAM centralises the policy framework and technical mechanisms that secure the system by guaranteeing the principle of least privilege: the right access for the right entity to the right resource.
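The two phases and the default-deny enforcement they lead to, as an added example that is not code from ORE Studio or the ores.iam.* components; the iam_demo namespace, its types and its sample data are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>

// Added illustration of the two IAM phases described above: a configuration
// phase registering identities, roles and permissions, and an operation phase
// enforcing them. Names are hypothetical, not ores.iam.core types.
namespace iam_demo {
// Lifecycle state travels with the identity: decommissioned ones stay on
// record (for audit) but lose all access.
struct Identity { std::set<std::string> roles; bool active = true; };

class Registry {
    std::map<std::string, Identity> identities_;
    std::map<std::string, std::set<std::string>> role_permissions_;  // role -> "action:resource"
public:
    // ---- configuration phase ----
    void register_identity(const std::string& name) { identities_[name] = Identity{}; }
    void grant(const std::string& role, const std::string& action, const std::string& resource) {
        role_permissions_[role].insert(action + ":" + resource);
    }
    void assign_role(const std::string& name, const std::string& role) {
        if (identities_.count(name)) identities_[name].roles.insert(role);
    }
    // Decommissioning revokes access without deleting the record.
    void decommission(const std::string& name) {
        if (identities_.count(name)) identities_[name].active = false;
    }
    // ---- operation phase ----
    // Default deny: unknown or decommissioned identities, and any action/resource
    // pair that no assigned role grants, are refused.
    bool authorised(const std::string& name, const std::string& action,
                    const std::string& resource) const {
        auto it = identities_.find(name);
        if (it == identities_.end() || !it->second.active) return false;
        const std::string wanted = action + ":" + resource;
        for (const auto& role : it->second.roles) {
            auto rp = role_permissions_.find(role);
            if (rp != role_permissions_.end() && rp->second.count(wanted)) return true;
        }
        return false;
    }
};

// Constructed sample configuration: a reader role limited to viewing trades.
inline Registry sample_registry() {
    Registry r;
    r.grant("trade_reader", "read", "trades");
    r.register_identity("alice");
    r.assign_role("alice", "trade_reader");
    return r;
}
}  // namespace iam_demo
```

Every operation-phase check consults only what the configuration phase registered, so least privilege is the natural outcome: an identity holds exactly the permissions its assigned roles were granted and nothing else.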
See also
- ores.iam.core — domain types and business logic.
- Role-Based Access Control — the role/permission model that backs authorisation.