Introduction

Summary

Astran AlwaysReady® provides a cohesive framework for managing authentication and authorization. In the following sections, you'll learn how these components interact to provide seamless security and how to manage them effectively. This document provides an overview of the access control concepts in our platform. It explains the core components like Partitions, Root account, Identity Provider (IdPs), Users, Groups, Policies, and API Keys, which are essential for managing authentication and authorization. Inspired by AWS IAM, our platform leverages these concepts to ensure fine-grained, secure control over user permissions and resource access.

Conceptual Diagram

The diagram above illustrates how these core components interact within the platform:

Partitions serve as the overarching containers for all resources associated with a customer.
Within each Partition, a Root account has all privileges on the system
Groups allow to aggregate users and assign them permissions through the Policies
Users authenticate in Astran through the built in Identity Provider
API Keys are used for programmatic access, allowing machine-based systems to interact with the platform directly, while Users represent individuals interacting with the solution.

Built-in Resources

Before diving into the key concepts, it's important to understand that Astran AlwaysReady® distinguishes between built-in resources and customer-defined resources:

Built-in Resources: These are pre-configured, standardized components provided by Astran AlwaysReady®. They include default groups, policies that simplify initial setup and ensure consistent security practices across all customer accounts. Built-in resources cannot be modified but can be utilized and assigned to users, groups, and applications.
Customer-Defined Resources: Customers can create and manage their own groups, policies, and configurations to tailor access controls to their specific needs. These resources offer flexibility for organizations to define custom permissions, groups, and integration setups.

Key Concepts

Partition

A Partition is a boundary within the platform, ensuring that customer resources are isolated from one another. Partitions contain all resources, accounts, and configurations specific to a customer, providing secure separation.

Root Account

A Root Account exists within a partition and allows to be the super admin of the system. Its privileges cannot be restricted. As much as possible, it should not be used for day to day activities.

Identity Providers (IdP)

Identity Providers (IdPs) handle user authentication and authorization. They determine who can log in and what permissions they have. Each customer is assigned two main IdPs:

Root Identity Provider: Provided to managing root users with full administrative privileges.
User Identity Provider: Dedicated to managing regular users in the customer's partition.

Users

Users are individuals who authenticate into the platform. They are assigned to up to 10 Groups that define their permissions.

Programmatic Access (API Keys)

API Keys provide long-term credentials for automated systems and services, bypassing the need for user-based authentication. API Keys are directly linked to Users within an account, inheriting their permissions.

Independent of IdPs: API Keys authenticate without relying on IdPs. They sign programmatic requests to the platform’s CLI, SDKs, or APIs, ideal for automated workflows.
Key Management: When an API Key is created, an access key ID and secret access key are generated. Ensure to store the secret securely, as it will not be retrievable once created.

Policies

Policies define permissions for accessing resources. Inspired by AWS IAM policies, they allow for precise control over what actions can be performed on which resources. Policies are attached to Groups, and there are two types:

Customer defined Policies: Created by users and customized to specific needs.
Built-in Policies: Predefined, read-only policies

Groups

Groups facilitate the management of user permissions. Users within a group inherit the group’s assigned Policies, streamlining access control. This setup is ideal for managing permissions across multiple users with similar access needs.

One user can belong to up to 10 groups. All the policies associated with the various groups the user belongs to apply. Since policies are evaluated on a deny first principle, in case a user belongs to 2 groups which define contradictory policies, the least privileges will be granted.

S3-Compatible Resources

The platform also supports S3-compatible resources, managing versions, objects, and buckets for storage. Groups and Policies can be configured to define who can access or modify these resources, ensuring secure data management.

How It All Comes Together

The strength of Astran AlwaysReady®’s access control lies in its flexible integration of these components:

Partitions ensure security and separation of customer data (kits, buckets, objects, etc...)
IdPs simplify the management of Users identities, and enforce security rules for user authentication like MFA (multi-factor authentication) and password policies.
Groups and Policies provide fine-tuned permissions, RBAC (Role-based access control) can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions.

These elements collectively create a robust access control system, allowing you a very fine tuning to tailor the platform to your exact and most exigent requirements.

Next Steps

Now that you have an understanding of the core concepts, explore the following sections for in-depth details on each resource:

Summary​

Conceptual Diagram​

Built-in Resources​

Key Concepts​

Partition​

Root Account​

Identity Providers (IdP)​

Users​

Programmatic Access (API Keys)​

Policies​

Groups​

S3-Compatible Resources​

How It All Comes Together​

Next Steps​