Identity and access management (IAM)

IAM is how we give out identities and manage role-based access. We manage your IAM through Okta. This then lets you prove who you are and control access to resources.

Your identity and your teams’ identities are managed by the Scottish Government's identity team.

Okta group roles

We set up groups with these roles to get you started.

AWS 

  • Administrators - users have full administrative access to accounts and services
  • PowerUsers - users have full administrative access to accounts and services but cannot manage users and groups
  • ReadOnly - users have read-only access
  • BillingAccess - users have read-only access to billing and cost management information like account usage and payment methods
  • SecurityAudit - users have read-only access to audit and security information

Azure 

  • Owners - users have full access to manage accounts and services
  • Contributors - users have full access to manage accounts and services but cannot manage roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries
  • Readers - users have read-only access
  • CostManagementReaders - users have read-only access to billing and cost management information like account usage and payment methods

We also use the information you give us in your landing zone document to set up your groups and roles.

Who can use IAM

All users on the platform.

To join the platform, you must be able to meet your responsibilities for IAM.

How to get IAM

You'll start to use IAM as soon as you join the platform.

If you’re a current customer, you can ask for new roles through our service desk.

When you ask for a new role, you need to tell us:

  • the user role type (job function)
  • the name of the account or subscription the role is for
  • who'll manage these roles
  • what permissions to assign
  • which ‘AWS managed policy’ you want, or the equivalent Azure policy
  • your custom managed policy (you need a verified JSON file)

How much IAM costs

The price is included in your overall platform cost.
