IAM
Identity and Access Management

What is IAM?
IAM stands for "Identity and Access Management". The goal of this feature is to let you define precisely who can access what on OVHcloud products.
It relies on two main functions:
- Enable SSO across OVHcloud products, and let you use the Identity Provider of your choice (Active Directory, Okta, etc.) to log in to the OVHcloud Control Panel through a federation protocol (SAMLv2).
- Manage fine-grained access policies, by giving specific and different rights to every user to match their needs and enforce a Zero Trust policy.
So as an IT admin or a CISO, you will be able to fully define and apply the rights available to every user who needs access to your OVHcloud products, and:
- Save time by removing the hassle of managing multiple accounts.
- Improve your security. No more shared accounts. No shadow IT, as a result of having exhaustive control of credential management.
- Find a single pane of glass for credential management, aligned with market standards.
How does it work?
OVHcloud's access management is based on a policy management system. You can write different policies that give your users access to the specific features attached to the products linked to your OVHcloud account.
These policies contain:
- One or more identities concerned by this policy.
  - These can be users or groups from your own directory.
- One or more resources impacted by this policy.
  - A resource is an OVHcloud product that will be impacted by this policy (such as a domain name, a Nutanix server, a load balancer, etc.).
- One or more actions allowed by this policy.
  - Actions are the specific rights assigned by this policy (rebooting the server, creating an email address, terminating a product, etc.).
For instance, you can create a policy that gives your "Intern" user group the right to reboot the VPS in the testing environment.

You can check the user guides already available:
- To set up a federation on the OVHcloud Manager: https://docs.ovh.com/gb/en/customer/connect-saml-sso/
- To set up a policy: https://docs.ovh.com/gb/en/customer/iam-policies-api/
How to discuss the Beta?
A Discord channel is available on the OVH Discord: https://discord.gg/ovhcloud
You will find our channel #iam under the Automation & Security section.
Limitations for the Beta
- Policies can only be managed through the API during the Beta.
- Policies only cover access through the OVHcloud API (api.ovh.com, ca.api.ovh.com) or the OVHcloud customer panel (www.ovh.com/manager). They do not cover OpenStack, VMware, etc. yet.
- A few routes of the public API can't be delegated through IAM for now: /ip, /order, /services, /service, /email/exchange
- Contact changes for any product can't be delegated through IAM for now.
- Delegation to another account ID is not supported.
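
The policy model from "How does it work?" (identities, resources, actions) and the non-delegable routes listed above can be combined into a default-deny check. This is an added example, not OVHcloud code and not the OVHcloud API's policy schema: the Policy class, the function names, the resource name and the use of route-like strings as actions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Routes the page lists as not delegable through IAM during the Beta.
NON_DELEGABLE = ("/ip", "/order", "/services", "/service", "/email/exchange")

@dataclass(frozen=True)
class Policy:
    # Hypothetical in-memory model; not the OVHcloud API's policy schema.
    identities: frozenset  # user or group names
    resources: frozenset   # product identifiers
    actions: frozenset     # allowed actions, written here as route-like strings

def is_delegable(route: str) -> bool:
    """Segment-aware prefix match against the Beta's non-delegable routes."""
    parts = [p for p in route.split("/") if p]
    for blocked in NON_DELEGABLE:
        b = [p for p in blocked.split("/") if p]
        if parts[:len(b)] == b:
            return False
    return True

def is_allowed(policies, user, groups, resource, action):
    """Default deny: allow only if one policy matches identity, resource and action."""
    if not is_delegable(action):
        return False  # cannot be granted by a policy during the Beta
    principals = {user, *groups}
    return any(
        principals & p.identities and resource in p.resources and action in p.actions
        for p in policies
    )

def undelegable_actions(policy):
    """Lint: actions in a policy that the Beta cannot delegate."""
    return sorted(a for a in policy.actions if not is_delegable(a))

# Constructed sample data mirroring the page's "Intern" example.
INTERN_POLICY = Policy(
    identities=frozenset({"Intern"}),
    resources=frozenset({"vps-testing-1"}),
    actions=frozenset({"/vps/reboot", "/ip/move"}),
)

if __name__ == "__main__":
    print(is_allowed([INTERN_POLICY], "alice", ["Intern"], "vps-testing-1", "/vps/reboot"))
    print(undelegable_actions(INTERN_POLICY))
```

Matching on whole path segments keeps /services from also blocking an unrelated route that merely starts with the same characters, while /email/exchange blocks only that subtree and not the rest of /email.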
Register here!
To be part of this Beta, please request access by filling in the survey.
FAQ
Will customers be charged for OVHcloud IAM?
No, OVHcloud IAM will be free of charge for every customer.
Does the activation of IAM bring a breaking change to the current access?
No, the current access will keep working until you change it using the policies.
Please note that this Closed Beta changes the authorisation system of your OVHcloud account, and might introduce problems accessing some of your resources in case our new system has bugs.
Is it possible to define the policy through the OVHcloud Control Panel?
Not yet, but our team is working to add a GUI for it in the coming weeks.
What is the protocol used for the federation?
We support SAMLv2.