Home > Storage > ObjectScale and ECS > Product Documentation > ECS IAM Introduction > Identities
Namespace root user is an admin user in the namespace who can also access ECS UI by specifying a password during namespace creation or later. All S3 resources in a namespace are owned by the NS IAM root entity. The ECS UI access is not enabled by default with the accesskey/secretkey of root user.
IAM user represents a person or application in the namespace that can interact with ECS resources. It should consist of names, id, tags, and credentials. An IAM user can belong to one or more IAM groups. You can create, view, modify, delete, and list IAM users in ECS using both API and UI. IAM and Account Root user access S3 and IAM APIs using access keys. These are long-term credentials that consist of an access key ID and secret access key.
IAM group is a collection of IAM users. IAM groups do not nest, hence groups can contain only users. Groups let you specify permissions for all the users in the group, which makes management easier. Tagging on groups is not supported. Groups have a name, ID, and a list of users. You can create and manage groups from both UI and API.
IAM role is an identity that is assumable by anyone who needs it. It is typical to associate policies with a role that determines the access to ECS resources. A role does not have any credentials associated with it. Instead, an entity can assume a role by calling the appropriate API that provides it with temporary credentials to access a resource. A role can be assumed by a federated user who signs in using an external identity provider instead of IAM. It is also possible for a role to be assumed by an IAM user in the same or different account (cross-account access).