IAM in BlueXP
IAM is a framework, a discipline, and a set of technologies that ensures the right individuals can access the right resources at the right times for the right reasons.
The BlueXP graphical user interface has a dedicated area for identity and access administration. From there, you manage who has access to the downstream features and services.
What is Identity Federation, and how does it work for BlueXP?
Identity Federation lets users access one application from another using the same credentials. The setup establishes a trust relationship between BlueXP's authentication service provider (auth0) and your own identity provider.
The following image depicts how identity federation works with BlueXP:
- A user enters their email address on the BlueXP login page.
- BlueXP identifies that the email domain is part of a federated connection and sends the authentication request to the identity provider using the trusted connection.
When you set up a federated connection, BlueXP always uses that federated connection for authentication.
- The user authenticates by using credentials from your corporate directory.
- Your identity provider authenticates the user’s identity, and the user is logged in to BlueXP.
BlueXP supports three types of user accounts:
- Local User account: Users who register with BlueXP directly and access BlueXP.
- NSS Account: Users who are NetApp customers and access BlueXP with their NetApp Support Site account.
- External IDP Federated Account: Users who belong to an external IDP and access BlueXP via federation.
While using BlueXP IAM, you'll manage the following components:
- Organization: Your organization consists of folders, projects, members, roles, and resources.
- Folders: A folder enables you to group related projects together and separate them from other projects in your organization.
- Projects: A project represents a workspace in BlueXP that organization members access from the BlueXP canvas to manage resources.
- Resources: A resource is a working environment that you created or discovered in BlueXP.
- Members: Members of your organization are user accounts or service accounts.
- Roles and permissions: A role contains a set of permissions that enables a member to perform specific actions at a specific level of the resource hierarchy.
- Connectors: BlueXP Connectors enable secure communication between your storage, services, hyperscalers, and BlueXP itself.
IAM Model in BlueXP
Once enterprise administrators have structured their resources, they can use RBAC to implement fine-grained controls on who can access which resources.
The resource hierarchy organizes NetApp resources such as CVO, ONTAP, FSXn, GCNV, and others into a tree-like structure. By using the constructs of folders and projects, customers can rapidly create the hierarchy using the BlueXP UI or the API.
When resources are organized in a hierarchy, it's easy for BlueXP Org admins to set permissions for BlueXP users at the folder or project level.
At the top of the hierarchy is the organization. By arranging resources in folders, customers can organize them more effectively within the organization. A folder can represent a business unit or group (marketing vs. sales, etc.) or a location (e.g., us-east, us-west, EU, or APAC). Each customer may have up to eight different kinds of folders. A folder is an optional structure for grouping NetApp resources together. The standard way users organize their ONTAP resources is the project structure, which BlueXP supports beneath a folder; a company may be working on several projects at once.
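To make the folder- and project-level scoping concrete, here is an added Python model (not BlueXP's own code or API) of an organization tree with role bindings at the organization, folder and project level. The role names, the permission strings and the assumption that a grant applies to everything beneath the level it is bound at are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed BlueXP-style hierarchy (organization > folder > project > resource); illustrative, not BlueXP code.

@dataclass
class Node:
    name: str
    kind: str                      # "organization", "folder", "project", "resource"
    parent: "Node | None" = None
    bindings: dict = field(default_factory=dict)   # member -> set of roles

    def child(self, name, kind):
        return Node(name, kind, parent=self)

# Hypothetical role names and permission strings, constructed for this example.
ROLE_PERMISSIONS = {
    "org-admin":    {"iam.manage", "resource.view", "resource.modify"},
    "folder-admin": {"resource.view", "resource.modify"},
    "viewer":       {"resource.view"},
}

def grant(node, member, role):
    """Bind a role to a member at one level of the hierarchy."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    node.bindings.setdefault(member, set()).add(role)

def effective_permissions(member, node):
    """Union the roles bound at this node and every ancestor (assumption: grants apply downward)."""
    perms, current = set(), node
    while current is not None:
        for role in current.bindings.get(member, ()):
            perms |= ROLE_PERMISSIONS[role]
        current = current.parent
    return perms

def is_allowed(member, node, permission):
    return permission in effective_permissions(member, node)

def build_example():
    """Two location folders; roles bound at org, folder and project level."""
    org = Node("acme", "organization")
    us_east, eu = org.child("us-east", "folder"), org.child("eu", "folder")
    cvo = us_east.child("payroll", "project").child("cvo-prod", "resource")
    fsx = eu.child("analytics", "project").child("fsxn-01", "resource")
    grant(org, "alice", "org-admin")        # sees everything in the organization
    grant(us_east, "bob", "folder-admin")   # scoped to the us-east subtree only
    grant(cvo.parent, "carol", "viewer")    # scoped to the payroll project only
    return cvo, fsx
```

Bob's folder-level grant reaches the us-east resource but not the EU one, which is the separation the folder structure is meant to give you.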
IAM at a Glance in BlueXP
Click the gear button on the right side of the BlueXP GUI to find the IAM (Identity and Access Management) tile:
The resource structure can be set up with folders and projects like the following, each with a name that can be changed to fit the needs of the organization:
For more information, see:
https://docs.netapp.com/us-en/bluexp-setup-admin/concept-identity-and-access-management.html