SysEleven IAM

SysEleven IAM (Identity and Access Management) is a free product for all SysEleven Cloud users. It enables flexible, fine-grained management of users, teams, organizations, projects, and resources.

Our IAM system is based on Relationship-Based Access Control (ReBAC), organizing permissions based on relationships between users and cloud resources. This modern approach extends classic paradigms like role-based access control (RBAC), suiting dynamic cloud environments.

SysEleven IAM is built on OpenFGA, a CNCF project providing a declarative authorization language and runtime.

Free Product

SysEleven IAM is available at no cost to all SysEleven Cloud users.

Key Concepts

Organizations, Projects & Resources

SysEleven uses a three-tiered hierarchical model:

  • Organizations

    Top-level entity

    • Container for all cloud assets
    • Represents a business organization or major division
    • Users can be owners, admins or members of multiple organizations
    • Defines overarching cloud policies and permissions
    • Billed as a single entity
  • Projects

    Middle Management Layer

    • Sub-containers within organizations
    • Represent units like dev or stage environments
    • Enable fine-grained access control and resource isolation
  • Resources

    Operational Core

    • Tangible elements: VMs, networks, storage, Kubernetes clusters, databases, etc.
    • Allocated to specific projects
    • Where cloud infrastructure management occurs
    • Authorization based on project permissions

Users

Users in SysEleven IAM authenticate using a username and password. They can then manage resources they have access to, across organizations and projects.

  • Exist exactly once on the platform, irrespective of the organization(s) they are members of
  • Access controlled through fine-grained permissions

Teams

Teams are organization-scoped groups of users. They are used to simplify management of access to projects and resources.

For more information, visit the Teams section.

Service Accounts

Service Accounts are organization-scoped machine identities. Service Accounts authenticate against the SysEleven APIs to access and manage resources.

  • Scoped to a specific organization
  • Can be created and managed by users or another Service Account
  • Flexible configuration of organization and project permissions
  • Support multiple credentials

For details, see the Service Accounts section.

(deprecated) API Keys

API keys enable programmatic access to SysEleven Cloud:

  • Scoped to a specific project
  • Can be created and managed by users (possibly via a team)
  • Receive project permissions once, at creation time, and carry a single credential
  • Revocable at any time

For details, see the API Keys section.

Advanced Topics

Connecting External IdPs

SysEleven supports connecting external identity providers (IdPs), allowing users to authenticate with existing credentials. For more information, head to Connect Your IdP.

Understanding ReBAC and Fine-Grained Permissions

Note: The terms permissions and relations are used interchangeably.

This diagram shows a simplified representation of user-organization relationships:

Concept - Organizations

Key points:

  • UserA has direct relations to OrgA
  • UserB has direct relations to both OrgA and OrgB
  • UserC has direct relations only in OrgB

This shows explicit permissions. Users can also inherit permissions, e.g., an organization Owner has implicit full access to all projects within that organization.

Fine-grained Permissions in Detail

This diagram illustrates permission evaluation in SysEleven IAM:

Concept - Permissions

Key points:

  • UserA, as owner of OrgA, has full access to all OrgA resources
  • Exemplified by the implied can_assign_permissions relation in ProjectA.1
  • UserA assigned can_administrate_project to UserB in ProjectA.2
  • UserB has can_read_project for ProjectA.2 via two paths: OrgA membership and direct can_administrate_project relation
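To make the evaluation above concrete, here is a small ReBAC evaluator added as an illustration; it is not SysEleven's or OpenFGA's code. The relation names follow this page, the rewrite rules (a computed userset such as "admin implies member" and a tuple-to-userset such as "owner of the parent organization") mirror the kinds of rules an OpenFGA model expresses, and the tuples for UserA, UserB, OrgA, ProjectA.1 and ProjectA.2 are constructed sample data.

```python
from typing import List, Set, Tuple

# Direct relation tuples (subject, relation, object). Constructed sample data
# reproducing the page's diagram: UserA owns OrgA, UserB is a member of OrgA
# and was granted can_administrate_project on ProjectA.2 directly.
TUPLES: Set[Tuple[str, str, str]] = {
    ("UserA", "owner", "org:OrgA"),
    ("UserB", "member", "org:OrgA"),
    ("UserB", "can_administrate_project", "project:ProjectA.2"),
    ("org:OrgA", "organization", "project:ProjectA.1"),
    ("org:OrgA", "organization", "project:ProjectA.2"),
}

# Rewrite rules per object type: how a relation can be satisfied besides a
# direct tuple. ("rel", r): holding r on the same object (computed userset).
# ("from", r, p): holding r on the object reached via relation p
# (tuple-to-userset), here the project's parent organization.
MODEL = {
    "org": {
        "owner": [],
        "admin": [("rel", "owner")],
        "member": [("rel", "admin")],
    },
    "project": {
        "organization": [],
        "can_assign_permissions": [("from", "owner", "organization")],
        "can_administrate_project": [("from", "owner", "organization")],
        "can_read_project": [("from", "member", "organization"),
                             ("rel", "can_administrate_project")],
    },
}


def paths(user: str, relation: str, obj: str, prefix=()) -> List[tuple]:
    """Return every derivation path by which user holds relation on obj."""
    step = prefix + (f"{relation}@{obj}",)
    found = [step] if (user, relation, obj) in TUPLES else []
    for rule in MODEL[obj.split(":")[0]].get(relation, []):
        if rule[0] == "rel":  # computed userset on the same object
            found += paths(user, rule[1], obj, step)
        else:  # tuple-to-userset: follow the parent relation, then check there
            for subj, rel, o in TUPLES:
                if rel == rule[2] and o == obj:
                    found += paths(user, rule[1], subj, step)
    return found


def check(user: str, relation: str, obj: str) -> bool:
    """Authorization decision: true if at least one derivation path exists."""
    return bool(paths(user, relation, obj))
```

Running `paths("UserB", "can_read_project", "project:ProjectA.2")` returns the two derivations named above (organization membership and the direct can_administrate_project grant), which is useful when auditing why an access decision came out the way it did.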