ECS Identity and Access Management (IAM) enables you to control and secure access to ECS S3 resources. This functionality ensures that each access request to an ECS resource is identified, authenticated, and authorized. ECS IAM allows administrators to add users, roles, and groups. Administrators can also restrict access by attaching policies to the ECS IAM entities.
Note: ECS IAM is for use with S3 only. It is not enabled for CAS or filesystem enabled buckets.
ECS IAM consists of the following components:
By using IAM, you can control who is authenticated and authorized to use ECS resources by creating and managing:
Each ECS system is allotted an ECS IAM account. This account supports multiple namespaces, and the related IAM entities are defined within their namespace.
See the latest ECS Security Guide for more information about ECS IAM.
Today more customers are moving to Azure AD, and more applications use OIDC (OpenID Connect), yet they need to talk to a service provider such as ECS that supports SAML (Security Assertion Markup Language). Applications in this environment use the Azure AD On-Behalf-Of (OBO) workflow to exchange their OIDC token for a SAML assertion. With support for this workflow, customers can integrate their S3 applications with ECS for identity authentication.
The “OAuth 2.0 On-Behalf-Of” flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
ECS IAM features for S3 work with SAML identity providers to handle authentication and SAML Assertion generation. It provides the following for applications:
Note: In the SAML model there are two main roles for a participant: Identity Provider and Service Provider. In the ECS IAM SAML design, ECS acts as the Service Provider and Azure AD acts as the Identity Provider, generating the SAML assertions.
The “on-behalf-of (OBO)” flow describes the scenario of a web API using an identity other than its own to call another web API. Referred to as delegation in OAuth, the intent is to pass a user's identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform.
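The OBO exchange described in this and the earlier OBO paragraph, as an added Python example that is not code from this page or from Dell: the middle tier builds the Azure AD OBO token request that asks for a SAML 2.0 assertion scoped to ECS, decodes the assertion from the token response, and checks its audience and expiry before forwarding it to ECS. The client id, the ECS SP entity ID, the constructed sample response and the token endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/token are assumptions.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
# Assumed values (not from the page): placeholder client id and the SP entity ID
# under which ECS is registered in Azure AD as the SAML audience.
CLIENT_ID = "<middle-tier-app-client-id>"
ECS_SP_ENTITY_ID = "urn:example:ecs:saml:sp"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_obo_saml_request(incoming_oidc_token, client_secret):
    """Form body: present the caller's OIDC token as the JWT-bearer assertion and
    ask for a SAML 2.0 assertion for the ECS service provider, on the user's behalf."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "assertion": incoming_oidc_token,
        "resource": ECS_SP_ENTITY_ID,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": SAML2_TOKEN_TYPE,
    })

def extract_assertion(token_response_json):
    """Decode the base64 SAML assertion; refuse any other issued token type."""
    body = json.loads(token_response_json)
    if body.get("issued_token_type") != SAML2_TOKEN_TYPE:
        raise ValueError("unexpected token type: %r" % body.get("issued_token_type"))
    return base64.b64decode(body["access_token"])

def assertion_is_usable(assertion_xml, now=None):
    """Pre-flight before forwarding to ECS: audience must be ECS and it must not have
    expired. ECS still verifies the signature itself; this only avoids dead tokens."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    conditions = root.find("saml:Conditions", SAML_NS)
    if ECS_SP_ENTITY_ID not in audiences or conditions is None:
        return False
    expiry = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    return now < expiry

# Constructed sample of an Azure AD response (unsigned, for illustration only).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Conditions NotOnOrAfter="2030-01-01T01:00:00Z"><saml:AudienceRestriction>'
    '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion>' % ECS_SP_ENTITY_ID)
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "issued_token_type": SAML2_TOKEN_TYPE,
                              "access_token": base64.b64encode(SAMPLE_ASSERTION.encode()).decode()})
```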