.png){kind=small}
Platform components
Identity and access management (IAM)
Nexorra Private Cloud's Identity and Access Management (IAM) component is a crucial part of the overall cloud infrastructure. It offers seamless integration with Active Directory, which is widely used in enterprises, or can be integrated with other LDAP systems as needed. In cases where corporate LDAP is unavailable, IAM can manage users within the cloud environment. The primary goal is to allow users to log in to the Nexorra Private Cloud Portal using their standard corporate credentials while maintaining a consistent RBAC model across the enterprise.
The built-in IAM functionality enables flexible user RBAC based on user groups (roles) with a defined set of user rights. There are three types of access groups utilized:
Global:
These groups define access rights at the platform level, typically for administrators, information security specialists, customer success managers, and similar roles.
Billing:
These groups define access rights at the billing account level, ensuring appropriate access to financial-related activities such as balance top-ups, adjustments, and financial monitoring of cloud usage.
Project:
These groups define access rights at the project level, enabling control over resources and services within specific projects.
Rights within IAM encompass a range of privilege levels, from "no access" to "delete." These rights are assigned to specific cloud services and functionalities. When creating billing accounts and projects, default access groups are automatically generated, simplifying the organization of user access within the project.
An additional feature of IAM is the ability to differentiate access rights when connecting to virtual machines in the Virtual Machines cloud service, such as granting sudo privileges. This differentiation occurs automatically.
IAM provides several use case examples:
Granting access to all projects and resources exclusively to cloud platform DevOps engineers from the cloud platform operations team to address user-related issues within their projects.
Providing access to a limited number of specialists for all billing accounts to perform tasks such as checking balances, making balance adjustments, and monitoring cloud usage financially.
Enabling full access to cloud services for the DevOps/SRE team engineers within a project, while restricting developers to limited access (usage only, without modification or deletion).
Allowing a specific group of employees access only to Kubernetes (k8s) cloud services and the network within a project.