You appear to be using an unsupported browser, and it may not be able to display this site properly. You may wish to upgrade your browser.

We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Identity and access management

Identity and access management (IAM) is how we give out identities and manage role-based access.

We manage your IAM through Okta. This then lets you prove who you are and control access to resources.

You and your teams’ identities are managed by the identity team.

What we set up for you

Groups

We set up Okta groups for you when you join the platform. Your groups will be associated with a role that has not been used before.

We do role-based access control (RBAC) assignments to groups, not individual users.

We’ll assign each group a role, based on the information you gave us in your landing zone document. You must have at least one ‘administrators’ group.

You’ll then be able to manage the users in your group through Okta.

You can request a new group through our Service Desk.

Once we set up your group, you’re responsible for managing the permission levels of them and who can access them.

Permissions

We set up permissions for you. This is a set of policies given to accounts, subscriptions, users and groups. They are mostly assigned to your groups.

You can read about these permissions for Azure on the Microsoft Learn website.

You can read about these permissions for AWS on the AWS website.

Information we need from you

Although we take some information from your landing zone configuration document, there might be more you need to tell us when we're setting up new groups for you.

We need to know:

  • the account or subscription name that the group is for
  • who will manage these groups
  • what permissions to assign
  • what ‘AWS managed policy’ you want
  • the Azure equivalent policy
  • your customer managed policy (you have to have a verified J-SON file) 
  • user roles (job function)

What you manage yourself

You’ll manage the users from your groups through Okta.

Users with owner roles can do RBAC assignments to your groups. This will allow you to add or take away members in your groups.

You’ll have to use multi-factor authentication when managing your users.

You must follow our naming conventions when creating new users for groups.

Back to top