IAM
Identity and Access Management (IAM) is the practice and tooling for defining who can do what on which resources within an organization or platform. It covers user and machine identities, group and role memberships, permission policies, and the audit trail of every authorization decision.
Core concepts
- Identity (principal): a user, group, service account, or workload that can be authorized.
- Resource: the thing being acted on (an S3 bucket, a Kubernetes namespace, a customer record).
- Action: the operation being performed (read, write, delete).
- Policy: a rule that grants or denies (principal, action, resource) combinations, sometimes conditional.
- Role: a named bundle of permissions (or policies) that is assigned to, or assumed by, a principal. In RBAC a role is assigned to users; in cloud platforms such as AWS a role is itself an assumable principal with its own policies and temporary credentials.
Common policy models
- RBAC (Role-Based Access Control): users are assigned roles; roles carry permissions. Simple, widely used.
- ABAC (Attribute-Based Access Control): decisions consider attributes of principal, resource, and context. More expressive, harder to reason about.
- ReBAC (Relationship-Based Access Control): permissions follow relationships (Zanzibar-style). Models complex hierarchies like "owners of an org can read its documents".
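The core concepts and the three policy models above, as an added, self-contained illustration (not code from this page or from any product listed below): principals hold roles, roles carry allow/deny statements over actions and resources, statements may be conditional on request context (ABAC), and a small relation graph answers "owners of an org can view its documents" (ReBAC). Evaluation order mirrors cloud IAM policy documents: an explicit Deny beats any Allow, and no matching Allow means deny. All role, principal, bucket and relation names are made up for the example; a conditional Deny whose context attribute is missing is treated as matching, so an incomplete context fails closed rather than open.

```python
"""Minimal policy evaluator: RBAC roles carrying conditional (ABAC-style)
statements with explicit-deny precedence, plus a ReBAC relation check.
Added illustration; role, principal, resource and relation names are made up."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    """One (effect, action, resource) rule, optionally conditional on context."""
    effect: str                      # "Allow" or "Deny"
    actions: tuple                   # glob patterns, e.g. "s3:Get*"
    resources: tuple                 # glob patterns over resource names
    condition: dict = field(default_factory=dict)  # context attr -> required value


# Roles are bundles of statements; principals are assigned roles (RBAC).
ROLE_POLICIES = {
    "analyst": [
        Statement("Allow", ("s3:GetObject", "s3:ListBucket"),
                  ("bucket:reports", "bucket:reports/*")),
    ],
    "admin": [
        Statement("Allow", ("s3:*",), ("bucket:*",)),
        # Guardrail: destructive actions are denied off the corporate network,
        # whatever other statements allow (explicit deny wins).
        Statement("Deny", ("s3:DeleteBucket", "s3:DeleteObject"), ("bucket:*",),
                  condition={"corp_network": False}),
    ],
}

PRINCIPAL_ROLES = {"user:alice": ("admin",), "user:bob": ("analyst",)}


def _matches(stmt, action, resource, context):
    """Does this statement apply to the request? Conditions consult the context."""
    if not any(fnmatchcase(action, a) for a in stmt.actions):
        return False
    if not any(fnmatchcase(resource, r) for r in stmt.resources):
        return False
    for key, required in stmt.condition.items():
        if key not in context:
            # Unknown context attribute: a conditional Deny still applies
            # (fail closed); a conditional Allow does not.
            return stmt.effect == "Deny"
        if context[key] != required:
            return False
    return True


def authorize(principal, action, resource, context=None):
    """True only if some Allow matches and no Deny matches (default deny)."""
    context = context or {}
    statements = [s for role in PRINCIPAL_ROLES.get(principal, ())
                  for s in ROLE_POLICIES.get(role, ())]
    matched = [s for s in statements if _matches(s, action, resource, context)]
    if any(s.effect == "Deny" for s in matched):
        return False
    return any(s.effect == "Allow" for s in matched)


# ReBAC: relation tuples (object, relation, subject), Zanzibar style.
RELATION_TUPLES = {
    ("org:acme", "owner", "user:carol"),
    ("doc:roadmap", "parent", "org:acme"),
    ("doc:roadmap", "viewer", "user:bob"),
}


def rebac_check(obj, relation, subject, tuples=RELATION_TUPLES):
    """Is `subject` related to `obj` by `relation`, either directly or via the
    rule 'a document's viewers include the owners of its parent org'?"""
    if (obj, relation, subject) in tuples:
        return True
    if obj.startswith("doc:") and relation == "viewer":
        parents = [s for (o, r, s) in tuples if o == obj and r == "parent"]
        return any(rebac_check(p, "owner", subject, tuples) for p in parents)
    return False


if __name__ == "__main__":
    print(authorize("user:bob", "s3:GetObject", "bucket:reports/q3.csv"))
    print(authorize("user:alice", "s3:DeleteBucket", "bucket:reports",
                    {"corp_network": True}))
    print(authorize("user:alice", "s3:DeleteBucket", "bucket:reports"))
    print(rebac_check("doc:roadmap", "viewer", "user:carol"))
```

The `_matches` branch for a missing context key is the point a practitioner should check in any real engine: if a conditional Deny silently fails to apply when the caller forgets to pass an attribute, the guardrail evaporates. The ReBAC rule is hard-coded for one relation; real Zanzibar-style systems express such rewrites in a schema and evaluate them generically.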
Common products
- Cloud: AWS IAM, Google Cloud IAM, Azure RBAC
- SaaS: Auth0 (with FGA), Okta, Stytch, Clerk
- Authorization-as-a-service: SpiceDB, OpenFGA, Oso, Permit.io, Cerbos
Further Reading
How Cybersecurity Will Evolve in 2026