Understanding IAM Scopes in Vidos
IAM scopes in Vidos establish distinct operational contexts that determine how services are accessed and managed. These scopes create a clear separation between management operations and service functionality, enhancing both security and architectural clarity.
What are IAM Scopes?
An IAM scope defines the operational context of a request in Vidos. Each scope provides different capabilities and access patterns:
- Management scope: Used for creating, configuring, and managing service instances
- Service scope: Used for accessing the core functionality of service instances
This separation creates a clear boundary between administrative actions and day-to-day service operations.
Design Rationale
The dual-scope architecture in Vidos addresses several key challenges in modern service management:
Separation of Concerns
Vidos implements distinct management and service scopes to enforce a clear separation of concerns. This design:
- Prevents administrative operations from interfering with service operations
- Reduces the risk of accidental changes to production services
- Allows different permission models for administrative versus functional access
- Enables independent scaling of management and service components
Security by Design
The scope separation follows the principle of least privilege and defense in depth:
- Management functions are isolated from service functions at the architectural level
- Administrative access is explicitly separated from day-to-day service access
- Security boundaries are enforced through both network paths and authentication contexts
- Compromise of service credentials doesn't grant management capabilities
Operational Clarity
Having two distinct scopes creates operational benefits:
- Clear visibility into whether a request targets management or service functionality
- Simplified auditing and access control policies
- Explicit contexts for monitoring and observability
- Reduced cognitive load when configuring permission boundaries
Core IAM Scopes
Management Scope
The management scope provides administrative access to Vidos services. When operating in this scope, you:
- Create and configure service instances
- Monitor service health and performance
- Manage credentials and access policies
- Control the lifecycle of service instances
Management scope is typically used by system administrators, DevOps teams, and automation tools that need to configure the Vidos environment.
Service Scope
The service scope enables access to the functional capabilities of Vidos services. When operating in this scope, you:
- Interact with specific service instances
- Perform operations like authorization, verification, and validation
- Process data according to configured rules
- Access the core capabilities of service instances
Service scope is typically used by applications, services, and users that need to utilize Vidos functionality.
Integration with Other Concepts
IAM scopes work in concert with other key Vidos concepts:
Relation to Instances
- Management scope interacts with the management services that create and configure instances
- Service scope interacts with the specific instances that provide functionality
- Each instance is accessible through its own unique service-scoped endpoint
Relation to Regions
- Scopes operate within regional boundaries
- Regional isolation applies to both management and service scopes
- Cross-region operations respect scope boundaries
Best Practices
When working with IAM scopes in Vidos:
- Use management scope only for administrative operations
- Design applications to primarily interact with service scope
- Keep management credentials separate from service credentials
- Implement different access controls for each scope
- Consider scope boundaries when designing system architecture
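To make the security properties above concrete (a service credential never reaching management operations, regional isolation applying to both scopes, and audit records that show which scope a request targeted), the following is an added Python example written for this page; it is not Vidos's own code or API. The operation names, region labels, and the Credential, Request and Decision types are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Scope(Enum):
    """The two IAM scopes described on this page."""
    MANAGEMENT = "management"
    SERVICE = "service"


# Constructed table mapping each operation name to the scope it belongs to.
# The operation names are assumptions for this example, not Vidos identifiers.
OPERATION_SCOPE: Dict[str, Scope] = {
    "instance.create": Scope.MANAGEMENT,
    "instance.configure": Scope.MANAGEMENT,
    "instance.delete": Scope.MANAGEMENT,
    "credential.rotate": Scope.MANAGEMENT,
    "authorize": Scope.SERVICE,
    "verify": Scope.SERVICE,
    "validate": Scope.SERVICE,
}


@dataclass(frozen=True)
class Credential:
    """A credential issued for exactly one scope in one region (assumed shape)."""
    subject: str
    scope: Scope
    region: str


@dataclass(frozen=True)
class Request:
    """An incoming request: what it wants to do, where, and on which instance."""
    operation: str
    region: str
    instance_id: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(cred: Credential, req: Request) -> Decision:
    """Deny-by-default check enforcing the scope and region boundaries.

    A credential may only perform operations in its own scope, so a leaked
    service credential cannot reach management operations and vice versa.
    """
    required = OPERATION_SCOPE.get(req.operation)
    if required is None:
        # Unknown operations are refused rather than guessed at.
        return Decision(False, f"unknown operation {req.operation!r}")
    if cred.scope is not required:
        return Decision(
            False,
            f"{cred.scope.value}-scoped credential cannot perform "
            f"{required.value} operation {req.operation!r}",
        )
    if cred.region != req.region:
        # Regional isolation applies to both scopes.
        return Decision(False, f"credential for {cred.region} used in {req.region}")
    if required is Scope.SERVICE and req.instance_id is None:
        # Service-scoped calls always target one specific instance endpoint.
        return Decision(False, "service operation must name an instance")
    return Decision(True, "scope and region match")


def audit_record(cred: Credential, req: Request, decision: Decision) -> Dict[str, str]:
    """Flat record for an audit log; the scope field makes it obvious whether
    a request targeted management or service functionality."""
    return {
        "subject": cred.subject,
        "scope": cred.scope.value,
        "operation": req.operation,
        "region": req.region,
        "instance": req.instance_id or "-",
        "result": "allow" if decision.allowed else "deny",
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed sample credentials and requests.
    admin = Credential("ops-automation", Scope.MANAGEMENT, "eu-west")
    app = Credential("checkout-app", Scope.SERVICE, "eu-west")
    for cred, req in [
        (admin, Request("instance.create", "eu-west")),
        (app, Request("verify", "eu-west", instance_id="inst-123")),
        (app, Request("instance.delete", "eu-west")),
        (admin, Request("instance.configure", "us-east", instance_id="inst-123")),
    ]:
        print(audit_record(cred, req, authorize(cred, req)))
```

The check is deliberately deny-by-default: an operation that is not classified into a scope is refused rather than assumed to be harmless, and the scope comparison happens before any instance or region logic so that a cross-scope attempt is rejected with a reason that names the boundary it crossed.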
By understanding and properly utilizing IAM scopes, you create a more secure, maintainable, and clearly structured Vidos environment.