Introduction to IAM (Identity and Access Management)
aws-basics


IAM (Identity and Access Management) is a foundational service in cloud computing that lets you securely control access to AWS services and resources. It plays a critical role in managing who is authenticated (identity) and what they are authorized (access) to do within your AWS environment.

Published on August 9, 2025
Updated on August 9, 2025



Identity and Access Management (IAM) is a security framework that controls who or what has access to specific resources within an organization's IT environment. It ensures that only authorized users, devices, and applications can access sensitive data and systems, minimizing the risk of data breaches and unauthorized activity. IAM encompasses authentication (verifying identity) and authorization (granting appropriate access levels).


What does IAM do?

IAM systems typically provide the following core functionality:

Identity management - The process of creating, storing, and managing identity information. Identity providers (IdPs) are software solutions used to track and manage user identities, as well as the permissions and access levels associated with those identities.

Identity federation - You can allow users who already have passwords elsewhere (for example, in your enterprise network or with an internet or social identity provider) to get access to your system.

Provisioning and deprovisioning of users - The process of creating and managing user accounts, which includes specifying which users have access to which resources, and assigning permissions and access levels.

Authentication of users - Authenticate a user, machine, or software component by confirming that they are who or what they claim to be. You can add multifactor authentication (MFA) for individual users for extra security, or single sign-on (SSO) so that users authenticate once through a single portal instead of separately to each resource.

Authorization of users - Authorization ensures a user is granted exactly the level and type of access to a tool that they are entitled to. Users can also be grouped into groups or roles so that large cohorts of users can be granted the same privileges.

Access control - The process of determining who or what has access to which resources. This includes defining user roles and permissions, as well as setting up authentication and authorization mechanisms. Access controls regulate access to systems and data.

Reports and monitoring - Generate reports on actions taken on the platform (such as sign-in time, systems accessed, and type of authentication) to ensure compliance and assess security risks. Gain insights into the security and usage patterns of your environment.


How IAM works

Authenticating, authorizing, and accessing resources

Let's say you have an application that signs in a user and then accesses a protected resource.

The user (resource owner) initiates an authentication request with the identity provider/authorization server from the client application.

If the credentials are valid, the identity provider/authorization server first sends an ID token containing information about the user back to the client application.

The identity provider/authorization server also obtains end-user consent and grants the client application authorization to access the protected resource. Authorization is provided in an access token, which is also sent back to the client application.

The access token is attached to subsequent requests made to the protected resource server from the client application.

The identity provider/authorization server validates the access token. If validation succeeds, the request for the protected resource is granted, and a response is sent back to the client application.
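The exchange described above, as an added example that is not part of the original post: a small Python simulation in which a hypothetical identity provider issues an ID token and an access token, the client attaches the access token to a request, and the protected resource validates it (algorithm, signature, issuer, audience, expiry) before granting access. The key, issuer URL, audience and user names are all constructed for the example; the signing uses HS256 with a shared key purely to keep the example self-contained.

```python
import base64, hashlib, hmac, json

# Constructed demo values: HS256 with a key shared between IdP and resource
# server; real deployments verify RS256/ES256 signatures against the IdP's JWKS.
IDP_KEY = b"constructed-demo-key-not-for-real-use"
ISSUER = "https://idp.example"          # hypothetical identity provider
AUDIENCE = "orders-api"                 # hypothetical protected resource

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """IdP side: mint a compact HS256 JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authenticate(username: str, now: int) -> tuple:
    """Steps 2-3: after valid credentials, return (id_token, access_token)."""
    base = {"iss": ISSUER, "sub": username, "iat": now, "exp": now + 300}
    id_token = issue_token({**base, "aud": "client-app", "name": username})
    access_token = issue_token({**base, "aud": AUDIENCE, "scope": "orders:read"})
    return id_token, access_token

def validate_access_token(token: str, now: int, key: bytes = IDP_KEY) -> dict:
    """Step 5: check alg, signature, issuer, audience, expiry; ValueError on failure."""
    header, payload, sig = token.split(".")      # ValueError if malformed
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # rejects alg=none and friends
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not meant for this resource")  # e.g. an ID token
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def get_orders(access_token: str, now: int) -> str:
    """Steps 4-5: the client attaches the token; the resource grants only if it validates."""
    try:
        return f"200 OK: orders for {validate_access_token(access_token, now)['sub']}"
    except ValueError as e:
        return f"401 Unauthorized: {e}"
```

Note that the ID token, although correctly signed by the same issuer, is rejected by the resource because its audience is the client application, not the API; that audience check is what keeps the two token types from being interchangeable.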

