#Understanding IAM in Vidos

Identity and Access Management (IAM) in Vidos establishes the foundation of security and access control throughout the platform. It defines who can access your resources, what actions they can perform, and under what conditions access is granted.

#What is IAM in Vidos?

IAM in Vidos is a comprehensive security framework that governs how identities interact with services and resources. It brings together several essential concepts:

• Identities and authentication — Who or what is making the request?
• Permissions and authorization — What are they allowed to do?
• Secure access patterns — How do they connect to resources?
• Controlled resource boundaries — What can they access?

Through these integrated components, IAM creates a cohesive security model that spans all Vidos services while enforcing the principle of least privilege.

#Core IAM Components

IAM in Vidos is built on several interconnected components that work together to create a comprehensive security framework:

#IAM Scopes

IAM scopes establish distinct operational contexts that separate administrative operations from service functionality:

• Management scope — Used for creating, configuring, and managing service instances
• Service scope — Used for accessing the core functionality of service instances

This dual-scope architecture creates clear security boundaries and operational clarity while enforcing separation of concerns.

#Policy Documents

IAM policy documents define permissions through structured JSON objects with explicit statements about:

• Who can access specific resources
• What actions they can perform
• Under what conditions access is granted or denied

These documents form the backbone of the permission system in Vidos, creating precise, auditable access rules.

#API Keys

API keys provide secure, credential-based access to Vidos services:

• Each key has a unique identifier and secret
• Keys operate within specific scopes (management or service)
• Permissions are defined through attached policies
• Keys establish identity for authentication and auditing

API keys represent the primary method for programmatic access to Vidos services.

#Service Roles

Service roles enable secure service-to-service communication:

• Define permissions for one service to access another
• Support both account-managed and Vidos-managed roles
• Create clear security boundaries between services
• Enable principle-of-least-privilege for service interactions

Service roles form the foundation of secure service composition in Vidos.

#Service Instance References

Service instance references connect services together:

• Point to specific service instances
• Include service role references for authentication
• Enable flexible service composition
• Support explicit instance selection or managed references

These references enable secure, controlled communication between services.

#How IAM Components Work Together

The IAM components in Vidos create an integrated security model where:

1. Identity establishment:

   • API keys identify and authenticate API calls
   • Service roles establish identity for service-to-service communication

2. Permission definition:

   • Policy documents define explicit permission statements
   • Permissions specify allowed actions on resources
   • Effects (allow/deny) determine access decisions

3. Scope separation:

   • Management scope governs administrative operations
   • Service scope enables functional access
   • Each scope maintains distinct permission contexts

4. Authentication flow:

   • Requests present credentials (API key, service role token)
   • Vidos validates the credential
   • The system establishes the request identity
   • Associated policies determine permissions

5. Authorization evaluation:

   • Policies attached to the identity are retrieved
   • Explicit deny statements are checked first
   • Explicit allow statements are evaluated next
   • Default deny applies if no matching statements exist

6. Service connection:

   • Service instance references establish connections
   • Service roles provide the security context
   • Scope determines available operations
   • Policies control permitted actions

This integrated approach creates security-by-design throughout the Vidos platform.

#IAM Architecture in Vidos

The IAM architecture in Vidos implements several fundamental security principles:

#Defense in Depth

IAM implements multiple layers of security controls:

• Network isolation between services
• Authentication for all requests
• Authorization for all operations
• Scope separation for distinct contexts
• Explicit allow/deny evaluation

#Principle of Least Privilege

IAM enforces minimal necessary access through:

• Explicit permission statements
• Deny-by-default for all resources
• Scope-limited operations
• Fine-grained action control
• Precise resource targeting

#Separation of Duties

IAM enables separation of responsibilities:

• Management/service scope division
• Distinct roles for different operations
• Customizable policy documents
• Purpose-specific API keys
• Role-based access control

#Secure Service Composition

IAM enables secure interactions between services:

• Service roles with precise permissions
• Instance references with explicit targeting
• Clear security boundaries between services
• Controlled authentication context
• Auditable service connections

#IAM Access Patterns

IAM in Vidos supports several essential access patterns:

#Human Access

For human operators managing Vidos:

• Account login with strong authentication
• Console access through web interfaces
• CLI commands with appropriate credentials
• Session-based security and timeouts

#Application Access

For applications using Vidos services:

• API key-based authentication
• Request signing for secure transmission
• Scoped permissions for specific operations
• Rate limiting and quota enforcement

#Service-to-Service Access

For interactions between Vidos services:

• Service role-based permissions
• Instance references with security context
• Managed or account-controlled roles
• Automatic credential management

#Best Practices for IAM in Vidos

To maximize security and manageability with IAM:

#Identity Management

• Create purpose-specific API keys
• Implement regular key rotation
• Document key ownership and purpose
• Secure key distribution and storage
• Revoke unused or compromised credentials

#Permission Design

• Start with minimal permissions
• Group related actions in policy statements
• Use explicit resource identifiers
• Avoid wildcards except when necessary
• Regularly review and update policies

#Scope Utilization

• Keep management and service operations separate
• Use management scope only for administrative actions
• Design applications for service scope operations
• Enforce scope boundaries in architecture
• Document scope expectations clearly

#Security Monitoring

• Audit IAM changes
• Monitor for anomalous access patterns
• Implement alerts for unusual operations
• Review IAM configurations regularly
• Test access controls in non-production environments

#Related Concepts

IAM connects with several other key Vidos concepts:

• Regions — Geographic boundaries that affect resource access and data locality
• Instances — Service instances that IAM controls access to
• Configurations — Service settings that include IAM references

By understanding the interconnected components of IAM in Vidos, you establish the foundation for building secure, well-structured systems that enforce appropriate access controls while enabling the flexibility and composition that modern applications require.