The IAM system is designed to provide secure, scalable, and user-friendly access management for modern applications. It includes a comprehensive set of features such as user and group management, multi-factor authentication, session control, and protocol support for seamless integrations. Additional capabilities like multi-tenancy, LDAP/AD connectivity, SCIM provisioning, and notification services ensure flexibility and compliance across diverse environments. With a focus on automation, security, and customization, our IAM solution empowers developers to build secure, user-centric applications with ease.
User Profile Management
  • View and update user profile details (name, email, phone number, etc.)
  • Manage privacy and communication preferences
Account Settings
  • Password change and reset functionalities
  • OTP management
  • Access history and activity logs
Role and Group Management
  • Assign roles to users
  • View group memberships
  • Manage user groups and permissions
Access Tokens
  • View active sessions and associated tokens
  • Revoke specific or all active tokens
Refresh Tokens
  • Manage refresh token lifetimes and policies
Token Details
  • Provide token metadata
  • Support for JWT and opaque tokens
  • Token introspection and validation
Authentication Methods
  • Email-based OTP
MFA Enrollment
  • User-friendly MFA setup wizard and APIs
  • Management of multiple MFA devices
LDAP Support
  • Integrate with on-premise LDAP directories
  • Support for LDAP authentication and user synchronization
Active Directory (AD) Integration
  • Seamless integration with Microsoft AD for user and group synchronization
  • Support for single sign-on (SSO) via AD
  • Periodic or event-driven user and group sync
User Federation
  • Allow authentication using LDAP/AD credentials
  • Map LDAP/AD groups to IAM roles
Standard Authentication Protocols
  • OAuth 2.0 for authorization
  • OpenID Connect (OIDC) for authentication
  • SAML 2.0 for federated identity and SSO
Token Support
  • Support for JWT (JSON Web Tokens)
  • Token revocation endpoints
Federation
  • Support for third-party identity providers (e.g., Google, Azure AD, Okta)
  • Enable SSO via SAML or OIDC with external identity providers
Multi-Tenancy Support
  • Manage multiple tenants within the same IAM system
  • Separate user data, roles, and permissions for each tenant
  • Support for both “shared” and “isolated” tenant data models
Per-Tenant Customization
  • Allow custom branding, themes, and domain configurations for each tenant
  • Tenant-specific authentication methods or identity provider configurations
Tenant Isolation
  • Ensure strict isolation of user data, logs, and permissions between tenants
  • Enforce security policies specific to individual tenants
Tenant-Level Administrators
  • Allow specific users to act as administrators for their respective tenants
  • Provide scoped administrative capabilities (e.g., user management, group assignments) limited to their tenant
Scoped Policies
  • Enable policy-based access control at the tenant level
  • Allow each tenant to define its own roles and permissions
Tenant-Specific User Pools
  • Maintain separate user directories for each tenant
  • Support user federation within a tenant’s boundaries (e.g., LDAP/AD for one tenant)
Group and Role Management
  • Assign roles and permissions that are valid only within the scope of a specific tenant
Disable Inactive Users
  • Automatically disable user accounts after a defined period of inactivity
  • Configurable inactivity threshold (e.g., 30, 60, or 90 days)
  • Send reminder notifications to users before deactivation, encouraging them to log in
  • Provide admins with a dashboard to view and manage inactive accounts
  • Allow reactivation of disabled accounts through admin approval or user self-service

Restrict Multi-Sessions
  • Limit the number of concurrent sessions per user (e.g., one session per device or user)
  • Configurable policies for multi-session restrictions:
    • Allow specific roles or users to bypass restrictions
    • Define session limits per user, group, or role
    • Automatically terminate previous sessions when a new session is created (optional)
  • Admin interface to monitor and revoke active sessions for any user
  • Prevent simultaneous logins from different devices for sensitive roles or actions
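As an added example (not the product's own code), the multi-session policy options above enforced in Node.js-style JavaScript; the policy shape, the in-memory session store and the role names are assumptions for illustration:

```javascript
// Added example (not the IAM product's own code): enforcing the concurrent-session
// policy options listed above. The policy shape and the in-memory store are
// assumptions for illustration.

// Constructed policy: limits per role and per user, bypass roles, and the
// optional "terminate previous sessions" behaviour.
const sessionPolicy = {
  defaultLimit: 2,
  limitsByRole: { finance_admin: 1 }, // sensitive role: one session only
  limitsByUser: { 'u-42': 3 },
  bypassRoles: new Set(['service_account']),
  terminateOldestOnLimit: true,
};

// In-memory session store keyed by user id (constructed for the example).
const sessions = new Map();

function effectiveLimit(user, policy) {
  if (user.roles.some((r) => policy.bypassRoles.has(r))) return Infinity;
  if (policy.limitsByUser[user.id] !== undefined) return policy.limitsByUser[user.id];
  // The most restrictive role limit wins for users holding several roles.
  const roleLimits = user.roles
    .map((r) => policy.limitsByRole[r])
    .filter((l) => l !== undefined);
  return roleLimits.length ? Math.min(...roleLimits) : policy.defaultLimit;
}

// Returns { allowed, session, revoked }; revoked lists session ids terminated
// to make room, which a real deployment would write to the audit log.
function createSession(user, device, now, policy = sessionPolicy) {
  const limit = effectiveLimit(user, policy);
  const active = sessions.get(user.id) || [];
  const revoked = [];
  if (active.length >= limit) {
    if (!policy.terminateOldestOnLimit) return { allowed: false, revoked };
    // Oldest first; drop enough sessions to leave room for the new one.
    active.sort((a, b) => a.createdAt - b.createdAt);
    while (active.length >= limit) revoked.push(active.shift().id);
  }
  const session = { id: `s-${user.id}-${now}`, device, createdAt: now };
  sessions.set(user.id, [...active, session]);
  return { allowed: true, session, revoked };
}

function activeSessions(userId) {
  return (sessions.get(userId) || []).map((s) => s.id);
}
```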
Organization Groups

Organization Groups is a feature designed to enhance the structure and management of users within an organization or tenant. Organization Groups allow users to be categorized into different sections, each referred to as a group. Each group can have its own custom roles, permissions, and designated Group Admin(s). This feature introduces the concept of sub-organizations, enabling organizations to assign members to specific groups and define tailored permissions for each group, ensuring a more granular and flexible access control system.

    Functional Details

    Feature Workflow

    The IAM service provides robust functionality for creating and managing organizations or tenants. These organizations serve as central entities where users can be invited to join and participate. Once part of an organization, users are assigned specific roles and permissions, which determine their level of access to the organization’s resources. These roles and permissions are integral to maintaining a secure and well-structured access control system, ensuring that users can only interact with the resources relevant to their responsibilities.

    Furthermore, Organization Groups support the assignment of Group Admins, who are entrusted with the responsibility of managing the group’s members and their respective roles. This decentralization of administrative tasks empowers organizations to distribute responsibilities effectively, particularly in larger, more complex environments. By allowing distinct groups to operate independently while still adhering to the broader organization’s governance, this feature provides a scalable solution for managing diverse teams and their unique needs.

    Hierarchy Flow

    Hierarchy Diagram

    • Super Admin is at the top level.
    • Organizations under the Super Admin, each with its own Organization Admin.
    • Groups within each organization.
    • Group Admins managing individual group members.
    • Group Members at the final level, managed by Group Admins, Org Admins, and Super Admin.

    Technical Details

    Architecture

    The architecture of Organization Groups is built on a modular design, leveraging the core IAM service for user and role management. The Group Management Module acts as an extension, allowing organizations to define and manage sub-entities (groups) with their own custom roles and permissions.

    Key Components
    • IAM Service: Handles the creation and management of organizations, users, roles, and permissions.
    • Group Management Module: Responsible for creating and managing Organization Groups, assigning roles, and defining group-specific permissions.
    • Group Admin Interface: Provides tools for Group Admins to manage members and permissions within their group.
    • Database Layer: Stores information about organizations, groups, members, roles, and permissions.
    • API Layer: Exposes endpoints for creating and managing groups, assigning roles, and retrieving group details.

    Data Flow

    1. Group creation.
    2. Setting and enforcing group-specific roles and permissions.
    3. Assigning users to groups.
    4. Administering group members via the Group Admin interface.
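As an added example (not the product's own code), the Super Admin > Organization Admin > Group Admin > Group Member hierarchy and the four data-flow steps above as scope checks in Node.js-style JavaScript; the directory shape, the level names and the action names are assumptions for illustration:

```javascript
// Added example (not the product's own code): scope checks for the Super Admin >
// Organization Admin > Group Admin > Group Member hierarchy and the data-flow steps.
// Constructed directory: each group belongs to exactly one organization.
const directory = {
  superAdmins: ['root'],
  orgs: { 'org-a': { admins: ['alice'] }, 'org-b': { admins: ['bob'] } },
  groups: {
    'g-a-dev': { org: 'org-a', admins: ['carol'], members: ['carol', 'dave'] },
    'g-b-ops': { org: 'org-b', admins: ['erin'], members: ['frank'] },
  },
};
// Highest management level an actor holds over (orgId, groupId), or null.
function levelOver(actor, orgId, groupId, dir = directory) {
  if (dir.superAdmins.includes(actor)) return 'super_admin';
  const org = dir.orgs[orgId];
  if (!org) return null;
  if (org.admins.includes(actor)) return 'org_admin';
  const group = groupId ? dir.groups[groupId] : undefined;
  // A Group Admin's authority stops at their group and never crosses an org boundary.
  if (group && group.org === orgId && group.admins.includes(actor)) return 'group_admin';
  return null;
}
// Data-flow steps 1-4: Group Admins only administer members; creating groups
// and defining group roles stay with Organization Admins and the Super Admin.
const allowedLevels = {
  create_group: ['super_admin', 'org_admin'],
  set_group_roles: ['super_admin', 'org_admin'],
  assign_member: ['super_admin', 'org_admin', 'group_admin'],
  remove_member: ['super_admin', 'org_admin', 'group_admin'],
};

function authorize(actor, action, orgId, groupId, dir = directory) {
  const level = levelOver(actor, orgId, groupId, dir);
  return level !== null && (allowedLevels[action] || []).includes(level);
}
// Steps 1 and 3 with the check applied; both return false when denied.
function createGroup(actor, orgId, groupId, dir = directory) {
  if (dir.groups[groupId] || !authorize(actor, 'create_group', orgId, null, dir)) return false;
  dir.groups[groupId] = { org: orgId, admins: [], members: [] };
  return true;
}

function assignMember(actor, orgId, groupId, userId, dir = directory) {
  const group = dir.groups[groupId];
  if (!group || group.org !== orgId) return false;
  if (!authorize(actor, 'assign_member', orgId, groupId, dir)) return false;
  if (!group.members.includes(userId)) group.members.push(userId);
  return true;
}
```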
    Group Management

    Group Admin Flow
Email Notifications
  • Send email alerts to users for key events, including:
    • Account creation and activation
    • Password reset requests
    • Successful password changes
    • Failed or suspicious login attempts
    • Session expiration warnings
    • Multi-Factor Authentication (MFA) setup and confirmation
    • Role or permission changes
Customizable Email Templates
  • Provide prebuilt templates for common notifications
  • Allow admins to customize email content and branding (e.g., logo, colors, and footer)
Localized Emails
  • Support for multilingual email notifications based on user preferences
Delivery Status Tracking
  • Track email delivery, open rates, and failures
  • Provide error logs for failed email deliveries
Per-Tenant Email Configuration (for multi-tenancy)
  • Allow tenants to configure their own email sender details (e.g., sender name, domain)
  • Provide support for tenant-specific email templates
Event-Driven Notifications
  • Configure notifications for various user lifecycle events (e.g., role assignment, account deactivation)
  • Enable/disable specific notifications at the admin level
Encryption
  • Data encryption at rest and in transit, supporting both symmetric and asymmetric encryption
Audit and Logging
  • Record login attempts, token usage, and administrative actions
  • Real-time monitoring and alerts for suspicious activities
Access Policies
  • Granular policy-based access control (Cerbos)
Password Recovery
  • Secure password reset flow (via email)
Account Management
  • Self-service account deactivation
  • User-initiated session termination
APIs
  • Comprehensive REST APIs for managing IAM functionalities
SDKs
  • SDKs for popular languages (Node.js)
  • Prebuilt UI components for embedding IAM features
Documentation
  • Detailed developer documentation and guides
  • Example integrations and tutorials
Delegated Administration
  • Allow specific users to manage subgroups or tenants
Tenant Management
  • Multi-tenancy support for SaaS applications
Custom Branding
  • Customizable login and profile pages
  • Support for custom domain names