10.3. Identity and Access Management for administrators (IAM)¶
The operations available to administrators are defined based on a list of allowed actions targeting the managed SFTPPlus components.
The Identity and Access Management (IAM) configuration is implemented in SFTPPlus using the following configuration elements:
administrators - defines the authentication and the identity of administrators
roles - defines the allowed access for administrators.
As a best practice, it is recommended to create an administrator configuration for each person interacting with SFTPPlus as an administrator.
When configuring an administrator, you define a name/username and a password.
Having multiple persons sharing the same administrator name and password is not recommended because it makes it harder to audit the actions of each administrator.
The configuration of an administrator also includes the associated role.
All the access permissions for the administrators are configured via the associated role.
When configuring a role, you define its name and a list of permissions.
By defining multiple roles, you can implement a separation of duties and have different levels of administrative access.
Each permission definition consists of:
an expression matching the permission target
a list of permission actions.
You can define a single permission-matching expression to target multiple configuration options or a class of configuration options.
To only allow updating the name of users and groups while denying updating any other option and creating or deleting groups, the following configuration can be used:
[roles/70c0-4e1d-8480] name = allow-name-updates permissions = configuration, read configuration/accounts/*/name, update configuration/groups/*/name, update
To only allow creating, deleting, and updating users and groups the following configuration can be used:
[roles/70c0-4e1d-8480] name = user-group-administrators permissions = configuration, read configuration/accounts/*, all configuration/groups/*, all
Below is a list of the target groups that can be targeted based on member UUIDs, with or without an option name:
* configuration/accounts * configuration/groups * configuration/roles * configuration/administrators * configuration/authentications * configuration/locations * configuration/resources * configuration/services * configuration/transfers * authentications * locations * resources * services * transfers * node_variables * status
You can target a class of configurations, or any configuration of a certain type. The following examples are valid:
configuration/services/* - target the configuration of any service
configuration/services/FTPS-server-UUID/* - target any configuration for the service with UUID
configuration/services/*/name/ - target all the name options for any service
configuration/services/FTPS-server-UUID/* - target only the name option for the service with UUID
services/* - target the status of any service
services/FTPS-service-UUID/* - target the status of the service with UUID
The following configurations do not have a member UUID, so they can only be targeted using the option name:
There is a special permission target named sync used to configure synchronization between the cluster controller and the cluster nodes. Administrative roles assigned to real persons should not use this target.