Identity Plane — Who and What Has Access

Purpose

The Identity Plane answers three questions: who are you (authentication), what can you do (authorization), and where do you belong (tenancy). It is modeled after AWS IAM and Organizations — accounts, policies, cross-account access — adapted for a robotics APaaS context.

Services

Service              Responsibility                                  Detail
-------------------  ----------------------------------------------  -------------------------------------------------------
DotID                Identity and access management umbrella         Built on Keycloak, the single OIDC issuer
Org Service          Account hierarchy and organization structure    Multi-tenant relationships, three-tier model
IAM Identity Center  Cross-account access and SSO                    Visibility and permission sharing across org boundaries
StarGate             Internal admin web application                  Administers the Identity Plane

Subsystem Relationship

DotID (umbrella)
├── Keycloak (OIDC provider, user federation, SSO)
├── Authorization Service (fine-grained ABAC/RBAC evaluation)
├── Org Service (who belongs where)
├── IAM Identity Center (who can access what, across accounts)
└── StarGate (admin UI for managing it all)

DotID is not a single service — it is the umbrella name for the entire Identity Plane. Keycloak handles authentication. The Authorization Service evaluates fine-grained policies. Org Service manages the tenant hierarchy. IAM Identity Center enables cross-tenant access. StarGate is the admin UI.
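The split between Org Service (which account sits under which OU and organization) and the Authorization Service (which policy statements apply) is easiest to see in code. The block below is an added illustration, not the project's own code: the node ids, the policy shape, the attribute names and the evaluation order (an explicit Deny beats any Allow, and no match is an implicit deny, as in AWS IAM) are assumptions made for this example. The hierarchy and policies are constructed.

```python
"""Evaluating an ABAC/RBAC request against policies attached along the
three-tier hierarchy (organization > OU > account).

Added example; not the project's code. Node ids, policy shape, attribute
names and the evaluation order are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed hierarchy: each node maps to its parent; the organization root has none.
PARENT = {
    "org-flexgalaxy": None,
    "ou-eu-fleets": "org-flexgalaxy",
    "ou-us-fleets": "org-flexgalaxy",
    "acct-berlin-warehouse": "ou-eu-fleets",
    "acct-austin-lab": "ou-us-fleets",
}


def ancestry(node: str) -> list:
    """Path from a node up to the organization root: account -> OU -> org."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


@dataclass
class Statement:
    effect: str                                    # "Allow" or "Deny"
    actions: list                                  # glob patterns, e.g. "robots:*"
    resources: list                                # glob patterns over resource ids
    condition: dict = field(default_factory=dict)  # ABAC: principal attribute == value

    def matches(self, principal: dict, action: str, resource: str) -> bool:
        return (
            any(fnmatchcase(action, a) for a in self.actions)
            and any(fnmatchcase(resource, r) for r in self.resources)
            and all(principal.get(k) == v for k, v in self.condition.items())
        )


# Constructed policies attached at each tier, keyed by node id.
POLICIES = {
    # Org-wide guardrail: operators can never decommission robots, anywhere.
    "org-flexgalaxy": [
        Statement("Deny", ["robots:Decommission"], ["*"], {"role": "operator"}),
    ],
    # Every account under the EU OU may manage EU robots.
    "ou-eu-fleets": [
        Statement("Allow", ["robots:*"], ["robot:eu:*"]),
    ],
    # Account-local grant.
    "acct-berlin-warehouse": [
        Statement("Allow", ["telemetry:Read"], ["*"]),
    ],
}


def evaluate(principal: dict, action: str, resource: str, account: str) -> str:
    """IAM-style decision: any matching Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for node in ancestry(account):
        for stmt in POLICIES.get(node, []):
            if not stmt.matches(principal, action, resource):
                continue
            if stmt.effect == "Deny":
                return "Deny"  # deny-overrides: stop at the first explicit Deny
            decision = "Allow"
    return decision
```

The point of walking the whole ancestry is that a guardrail attached at the organization root applies to every account beneath it, so an account-level Allow can never widen what the organization has denied.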

Interaction Model

  • Every other plane depends on the Identity Plane for authentication and authorization. All API calls carry JWT access tokens issued by DotID/Keycloak; the receiving plane validates each token itself (signature against the issuer's published keys, issuer, audience, expiry) rather than trusting the bearer string.

  • The Governance Plane collaborates closely: the Policy Service may consult the Identity Plane to resolve “who is this actor” and “what policies apply to this account.”

  • Applications interact with DotID via standard OIDC flows (authorization code with PKCE for SPAs, client credentials grant for machine-to-machine callers).

Endpoints

Endpoint                        Service                              Purpose
------------------------------  -----------------------------------  --------------------------
auth.flexgalaxy.com             DotID / Keycloak                     OAuth2 / OIDC issuer
api.flexgalaxy.com/iam/v1/...   Authorization, Org, Identity Center  Identity APIs via gateway

Data Ownership

Data                                Owner                  Consumers
----------------------------------  ---------------------  --------------------
Users, credentials, sessions        DotID (Keycloak)       All planes
Organizations, accounts, OUs        Org Service            All planes (tenancy)
Cross-account permissions, SSO      IAM Identity Center    Applications
Authorization policies (ABAC/RBAC)  Authorization Service  All planes