Understanding IAM Scopes in Vidos

IAM scopes in Vidos establish distinct operational contexts that determine how services are accessed and managed. These scopes create a clear separation between management operations and service functionality, enhancing both security and architectural clarity.

What are IAM Scopes?

An IAM scope defines the operational context of a request in Vidos. Each scope provides different capabilities and access patterns:

  • Management scope: Used for creating, configuring, and managing service instances
  • Service scope: Used for accessing the core functionality of service instances

This separation creates a clear boundary between administrative actions and day-to-day service operations.

Design Rationale

The dual-scope architecture in Vidos addresses several key challenges in modern service management:

Separation of Concerns

Vidos implements distinct management and service scopes to enforce a clear separation of concerns. This design:

  • Prevents administrative operations from interfering with service operations
  • Reduces the risk of accidental changes to production services
  • Allows different permission models for administrative versus functional access
  • Enables independent scaling of management and service components

Security by Design

The scope separation follows the principle of least privilege and defense in depth:

  • Management functions are isolated from service functions at the architectural level
  • Administrative access is explicitly separated from day-to-day service access
  • Security boundaries are enforced through both network paths and authentication contexts
  • Compromise of service credentials doesn't grant management capabilities

Operational Clarity

Having two distinct scopes creates operational benefits:

  • Clear visibility into whether a request targets management or service functionality
  • Simplified auditing and access control policies
  • Explicit contexts for monitoring and observability
  • Reduced cognitive load when configuring permission boundaries

Core IAM Scopes

Management Scope

The management scope provides administrative access to Vidos services. When operating in this scope, you:

  • Create and configure service instances
  • Monitor service health and performance
  • Manage credentials and access policies
  • Control the lifecycle of service instances

Management scope is typically used by system administrators, DevOps teams, and automation tools that need to configure the Vidos environment.

Service Scope

The service scope enables access to the functional capabilities of Vidos services. When operating in this scope, you:

  • Interact with specific service instances
  • Perform operations like authorization, verification, and validation
  • Process data according to configured rules
  • Access the core capabilities of service instances

Service scope is typically used by applications, services, and users that need to use Vidos functionality.

Integration with Other Concepts

IAM scopes work in concert with other key Vidos concepts:

Relation to Instances

  • Management scope interacts with the management services that create and configure instances
  • Service scope interacts with the specific instances that provide functionality
  • Each instance is accessible through its own unique service-scoped endpoint

Relation to Regions

  • Scopes operate within regional boundaries
  • Regional isolation applies to both management and service scopes
  • Cross-region operations respect scope boundaries

Best Practices

When working with IAM scopes in Vidos:

  • Use management scope only for administrative operations
  • Design applications to primarily interact with service scope
  • Keep management credentials separate from service credentials
  • Implement different access controls for each scope
  • Consider scope boundaries when designing system architecture
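The scope separation described above (Security by Design, the per-instance service endpoints under Relation to Instances, regional isolation under Relation to Regions, and the best practices just listed) can be modelled as a small authorization policy. The following is an added illustration, not Vidos code and not Vidos's IAM API: the operation names, credential fields and region identifiers are hypothetical, and the scenarios are constructed. It shows the three checks such a policy enforces in order (credential scope matches the operation's scope, credential region matches the request region, a service credential is bound to exactly one instance) and emits an audit record that names both the credential's scope and the scope the request targeted.

```python
"""Illustrative model of scope-separated authorization (hypothetical, not Vidos's API)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Scope(Enum):
    """The two operational contexts: administrative versus functional access."""
    MANAGEMENT = "management"
    SERVICE = "service"


@dataclass(frozen=True)
class Credential:
    """A credential is issued for exactly one scope and one region.

    Service-scoped credentials are additionally bound to a single instance,
    mirroring the idea that each instance has its own service-scoped endpoint.
    """
    subject: str
    scope: Scope
    region: str
    instance_id: Optional[str] = None


@dataclass(frozen=True)
class Request:
    """An incoming call: operation name, target region and, for service calls, target instance."""
    operation: str
    region: str
    instance_id: Optional[str] = None


# Hypothetical operation names, chosen to mirror the page's bullet lists.
MANAGEMENT_OPERATIONS = frozenset({
    "instance.create", "instance.configure", "instance.delete",
    "policy.update", "credential.rotate",
})
SERVICE_OPERATIONS = frozenset({"verify", "validate", "authorize"})


def required_scope(operation: str) -> Optional[Scope]:
    """Classify an operation by the scope it belongs to (None if unknown)."""
    if operation in MANAGEMENT_OPERATIONS:
        return Scope.MANAGEMENT
    if operation in SERVICE_OPERATIONS:
        return Scope.SERVICE
    return None


def authorize(cred: Credential, req: Request) -> Tuple[bool, str]:
    """Decide whether `cred` may perform `req`; returns (allowed, reason).

    The broadest boundary (scope) is checked first, then region, then the
    per-instance binding that only applies to service-scope calls.
    """
    needed = required_scope(req.operation)
    if needed is None:
        return False, f"unknown operation {req.operation!r}"
    if cred.scope is not needed:
        # A service credential can never reach a management operation, so a
        # leaked service credential does not grant management capabilities.
        return False, (f"{cred.scope.value}-scoped credential cannot perform "
                       f"{needed.value}-scope operation {req.operation!r}")
    if cred.region != req.region:
        return False, f"credential issued for region {cred.region!r}, request sent to {req.region!r}"
    if needed is Scope.SERVICE:
        if req.instance_id is None:
            return False, "service operations must target an instance"
        if cred.instance_id != req.instance_id:
            return False, f"credential bound to {cred.instance_id!r}, not {req.instance_id!r}"
    return True, "allowed"


def audit_record(cred: Credential, req: Request, allowed: bool, reason: str) -> dict:
    """Structured audit entry that makes the targeted scope explicit for monitoring."""
    needed = required_scope(req.operation)
    return {
        "subject": cred.subject,
        "credential_scope": cred.scope.value,
        "target_scope": needed.value if needed else "unknown",
        "operation": req.operation,
        "region": req.region,
        "instance_id": req.instance_id,
        "allowed": allowed,
        "reason": reason,
    }


def run_scenarios() -> list:
    """Evaluate a constructed set of requests and return their audit records."""
    admin = Credential("ops-automation", Scope.MANAGEMENT, "eu-west")          # constructed
    app = Credential("payments-app", Scope.SERVICE, "eu-west", "inst-001")     # constructed
    scenarios = [
        (admin, Request("instance.create", "eu-west")),           # admin does admin work
        (app, Request("verify", "eu-west", "inst-001")),          # app uses its own instance
        (app, Request("instance.delete", "eu-west", "inst-001")), # service cred, admin op
        (admin, Request("verify", "eu-west", "inst-001")),        # admin cred, service op
        (app, Request("verify", "eu-west", "inst-002")),          # wrong instance
        (app, Request("verify", "us-east", "inst-001")),          # wrong region
    ]
    records = []
    for cred, req in scenarios:
        allowed, reason = authorize(cred, req)
        records.append(audit_record(cred, req, allowed, reason))
    return records


if __name__ == "__main__":
    for r in run_scenarios():
        verdict = "ALLOW" if r["allowed"] else "DENY"
        print(f"{verdict:5} {r['credential_scope']:>10} -> {r['target_scope']:<10} "
              f"{r['operation']:<18} {r['reason']}")
```

Only the first two scenarios are allowed; every other request is denied at the boundary that the page's design is meant to enforce. Note that the management credential is also refused for a plain service call: keeping the two credential sets disjoint in both directions is what makes the audit trail unambiguous about whether a request was administrative or functional.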

By understanding and properly using IAM scopes, you create a more secure, maintainable, and clearly structured Vidos environment.