IAM stands for Identity and Access Management. But is more than handling user accounts: it encompass authentication, authorization and privacy, making this perimeter quite complex. It is an essential pillar of the cloud stack, where users, products and security meets. The other pillar being billing & payments 💰.

This knowledge base expose all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.



In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described as in the right diagram →

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.


Security is one of the most central pillar of IAM foundations. Here are some broad concepts.

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.


The whole authentication stack is based on cryptography primitives. This can't be overlooked.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.


Protocols and technologies to verify that you are who you pretend to be.



Security Key



TL;DR: don't. For details, see articles below.

Public-Key Infrastructure (PKI)

Certificate-based authentication.


JSON Web Token is a bearer's token.

OAuth2 & OpenID

OAuth 2.0 is an authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.


Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.

Typical SAML identity provider is an institution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.


Now that we know you are you, are you allowed to perform what you want to do?

Policy specification is the science, enforcement is the art.

Policy models

As a concept, access control policies can be designed to follow very different archetypes, from classic Access Control Lists to Role Based Access Control. In this section we explore lots of different patterns and architectures.

Open-source policy frameworks

Collection of open-source projects if you're looking to roll your own policy implementation.

AWS policy tools

Tools and resources exclusively targetting the AWS IAM policies ecosystem.


A clever curiosity to distribute and delegate authorization.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing security of secret management at the hardware level.

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.

A critical intermediation complex driven by a policy and constraint by local laws, the Trust & Safety department is likely embodied by a cross-functional team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extension of customer support services, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harassment, handling of warrants and copyright claims, data sequestration and other credit card disputes.

User Identity

Most businesses do not collect customer's identity to create user profiles to sell to third party, no. But you still have to: local laws require to keep track of contract relationships under the large Know You Customer (KYC) banner.


As an online service provider, you're exposed to fraud, crime and abuses. You'll be surprised by how much people gets clever when it comes to money. Expect any bug or discrepancies in your workflow to be exploited for financial gain.


Any online communities, not only those related to gaming and social networks, requires their operator to invest a lot of resource and energy to moderate it.

Threat Intelligence

How to detect, unmask and classify offensive online activities. Most of the time these are monitored by security, networking and/or infrastructure engineering teams. Still, these are good resources for T&S and IAM people, who might be called upon for additional expertise for analysis and handling of threats.


Another line of defense against spammers.


The first mechanical line of defense against abuses consist in plain and simple deny-listing. This is the low-hanging fruit of fraud fighting, but you'll be surprised how they're still effective.

Hostnames and Subdomains

Useful to identified clients, catch and block swarms of bots, and limit effects of dDOS.


Reserved IDs



As the guardian of user's data, the IAM stack is deeply bounded by the respect of privacy.


As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business and customer data. To allow for internal analytics, anonymization is required.


The well-known European privacy framework


As stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives required to build-up the sign-up tunnel and user onboarding. This is the first impression customers will get from your product, and can't be overlooked: you'll have to carefully design it with front-end experts. Here is a couple of guides to help you polish that experience.

Competitive Analysis

A bunch of resources to keep track of the current status and progress of all companies operating in the domain.



Your contributions are always welcome! Please take a look at the contribution guidelines first.


The header image is based on a modified photo by Ben Sweet.

[1]: Poison Study (Mira, 2007). [↑]