Administering IAM Policies
Provides an overview of IAM policies in Data Fabric.
Identity Access Management Policy
An identity access management (IAM) policy is a security mechanism that states which actions identities such as SSO users or groups can or cannot perform on one or more resources belonging to one or more fabrics in a global namespace. An IAM policy defines allowable and disallowable actions on volumes, objects, and tables across more than one fabric in a global namespace.
A fabric manager can create, modify, view, and delete IAM policies, and can assign IAM policies to roles and vice versa. A fabric manager can manage IAM policies from the Data Fabric UI regardless of whether the fabric manager is logged on to the Data Fabric UI from the primary fabric or a non-primary fabric.
Use IAM policies when you want to associate a common set of allowable/disallowable actions with multiple disparate fabric resources (volumes, objects, and tables in a global namespace) at one go, for one or more SSO users and/or SSO groups.
- A security policy can be configured only for volumes belonging to a single fabric.
- A bucket policy can be applied only to buckets on an object store from a fabric.
- A security policy or a bucket policy is associated with resources, whereas an IAM policy is associated with identities such as SSO users/groups and roles. Because they apply to separate entities, security policies, bucket policies, and IAM policies can coexist.