Identity & Access Management (IAM) of Users

Identity and Access Management (IAM)

The Identity and Access Management (IAM) service provides granular access control for Open Telekom Cloud services. It is an essential service for cloud environments to identify and authorize cloud users.

IAM helps you securely control access to resources by centrally managing user data and authorizations, making it one of the cornerstones for secure working in the cloud.

With IAM, you can define which users are allowed to access which services and resources under which conditions to ensure the least privilege principle.

One hand types on a laptop with a security lock hovering above it, the other hand holds a smartphone

Reasons for IAM in the Open Telekom Cloud

Light green icon with a security lock behind it a gray cloud with server icon

Security & Compliance

IAM helps you restrict cloud resource access to authorized users and services only. It enables control and monitoring of user access and supports adherence to security policies and compliance regulations.

A gray bordered icon with several users in blue in the center and a gray key behind it

Scalability

Cloud environments are dynamic and scalable, which means that the number of users and resources can change quickly. IAM makes it possible to quickly add new users or change access rights to support the scalability and agility of the cloud infrastructure.

Turquoise icon of an open application, behind it a gray euro symbol on a sheet of paper

Cost optimization

IAM is integrated into the Open Telekom Cloud and is free of charge. The management of user and resource access rights prevents costs, e.g., due to excessive authorizations or underutilization of resources. In addition, companies achieve their compliance and security goals, avoiding high costs for security breaches or non-compliance.

Key features of IAM

Access control

Create IAM users and groups and use policies to grant or deny access to specific services and resources. IAM also provides an additional isolation layer: projects. This layer controls user access to different projects and grants permissions within the same project.

Light blue icon with a user symbol and a check mark above it

Integration

Establish a position of trust between your existing identity system by creating a SAML-based or OpenID Connect-based identity provider. This way, users in your organization can log in to the Open Telekom Cloud via Single Sign-On (SSO).

Green icon with shield symbol and a check mark

Delegation

Delegate a trusted Open Telekom Cloud account or cloud service to access your resources based on assigned permissions.

Light green icon with shield symbol, inside a gear wheel

Account Security

With IAM, you can configure security settings, including logon authentication policies, password policies, and access control lists.

Structure and function

IAM manages users and permissions for cloud resources in the Open Telekom Cloud. Cloud resources are services or objects, such as the Key Management Service (KMS) or Object Storage Service (OBS) and associated actions on objects, such as creating a key in KMS or deleting a bucket in OBS.

For the management of authorizations, IAM supports three user types:

Agency users are users from other Open Telekom Cloud clients who have been granted access to this client.
IAM users are users created and managed in the client's IAM system by the administrators. This is the default user type.
Federate users are from third-party IAM systems that can log on to the Open Telekom Cloud via a federation, for example from a federated Active Directory or LDAP.

Symbolic representation of access rights management with IAM

With the IAM service, you can define who is allowed to access what. For each access request, the set permissions are evaluated and denied by default. Only an explicit "allow" grants access.

Users are assigned to groups which are in turn assigned permissions. Based on the sum of all assigned permission sets / policies, access is evaluated and granted or denied to the users of that user group.

IAM policies include actions, resources, and conditions. You can either use the system default policies or create new custom policies using JSON or the graphical editor.

Access can be set up through the Management Console or the API.

Symbolic representation user group authorization

IAM in der Open Telekom Cloud fügt eine zusätzliche Isolationsebene namens Projekte hinzu. Projekte können auf Regionsebene aufgespannt werden (Region-based Authorization) und dienen als Isolation zu verschiedenen Umgebungen im gleichen Tenant.

Die Kosten der einzelnen Projekte werden auf dem Tenant aufsummiert, so dass sich hieraus auch optimierte Preise ergeben können (z.B. durch gemeinsames Erreichen höherer Skalen für Objektspeicher).

IAM in the Open Telekom Cloud adds an additional isolation layer called projects. Projects can be spanned at the region level (region-based authorization) and serve as isolation to different environments in the same tenant.

The costs of the individual projects are added up on the tenant, so that this can also result in optimized prices (e.g., by jointly achieving higher scales for object storage).

Symbolische Darstellung von Projektbereich- und Benutzergruppenzugriff

Symbolic representation of project area and user group access

Frequently asked questions about IAM

Does IAM manage all access in the Open Telekom cloud landscape?

IAM is an integral part of the cloud landscape and is used to control access to services. However, it is used to control the management of products via the management console or API. For example, IAM does not manage access to the operating system of an ECS instance or the root account of an RDS instance.

What standard IAM permissions are available?

Permissions are described in the Help Center.

How can I create custom IAM policies according to my needs?

This is described in the Help Center. In addition, this blog article gives an overview of the supported actions per service.

Do you have any questions?

Are you interested in IAM or do you have any questions regarding IAM? I will be happy to answer your questions in a free consultation!
T-Systems International GmbH
Tino Fehnle

New Features

02/28/2023Cloud Backup & Recovery (CBR) supports IAMs policies in EU-NLView Details

04/04/2023SFS Turbo supports IAM fine-grained policiesView Details

04/12/2023OBS supports IAM granular access permissions in NLView Details

COMING SOONQ2/2023 - IAM upgrade to version 2.6

Bekijk alle Release Notes

Find out more

Bestel nu en ontvang starttegoed ter waarde van € 250* (code: 4UOTC250)

Book now

Profiteer van ons adviesaanbod!
Gratis en deskundig.

Wij beantwoorden je vragen over de testmogelijkheid, boeking en het gebruik – gratis en persoonlijk. Probeer het uit!

088 447777(tijdens kantooruren)

+800 33044770internationale hotline (24/7)

Stuur een e-mail

* Voucher is inwisselbaar tot 31.12.2023. Neem contact met ons op voor het bedrag van de voucher bij de boeking. Het kortingsvolume is alleen geldig voor klanten met een factuuradres in Duitsland en vervalt 2 maanden na het afsluiten van het contract. Het tegoed wordt verrekend met de geldige catalogusprijzen volgens de servicebeschrijving. Een uitbetaling is uitgesloten.