Identity and access management
Identity and access management (IAM) is how we issue identities and manage role-based access.
We manage your IAM through Okta. This lets you prove who you are and controls who can access which resources.
The identities of you and your teams are managed by the identity team.
What we set up for you
Groups
We set up Okta groups for you when you join the platform. We make role-based access control (RBAC) assignments to these groups, not to individual users.
We assign each group a role. To get you started, we set up groups with these roles:
AWS
- Administrators - users have full administrative access to accounts and services
- PowerUsers - users have full administrative access to accounts and services but cannot manage users and groups
- ReadOnly - users have read-only access
- BillingAccess - users have read-only access to billing and cost management information, such as account usage and payment methods
- SecurityAudit - users have read-only access to audit and security information
Azure
- Owners - users have full access to manage accounts and services
- Contributors - users have full access to manage accounts and services but cannot manage roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries
- Readers - users have read-only access
- CostManagementReaders - users have read-only access to billing and cost management information, such as account usage and payment methods
We also use the information you gave us in your landing zone document to set up further groups.
You can then manage the users in your groups through Okta.
You can request a new group through our Service Desk.
Once we've set up a group, you're responsible for managing its permission levels and who can access it.
Permissions
We set up permissions for you. Permissions are sets of policies attached to accounts, subscriptions, users and groups. We mostly assign them to your groups.
You can read about these permissions for Azure on the Microsoft Learn website.
You can read about these permissions for AWS on the AWS website.
Information we need from you
Although we take some information from your landing zone configuration document, there may be more you need to tell us when we set up new groups for you.
We need to know:
- the account or subscription name that the group is for
- who will manage these groups
- what permissions to assign
- what ‘AWS managed policy’ you want
- the Azure equivalent policy
- your customer managed policy (you must provide a verified JSON file)
- user roles (job function)
What you manage yourself
You manage the users in your groups through Okta.
Users with owner roles can make RBAC assignments to your groups. This lets you add members to, or remove members from, your groups.
You must use multi-factor authentication when managing your users.
You must follow our naming conventions when creating new users for groups.