IAM Identity Center

Plane: Identity Plane (part of DotID)

Purpose

Cross-account access and SSO delegation. IAM Identity Center enables visibility and permission sharing across organizational boundaries. For example, a leasing company can get read-only visibility into device status across all its contractors’ accounts.

Responsibilities

  • Manage cross-account access grants

  • Federate SSO sessions across account boundaries

  • Enforce permission boundaries on cross-account access

  • Provide audit trail for cross-account actions

Key Scenarios

Asset Owner Visibility

Leasing Company (Account A)
    │ read-only access to device status
    ▼
Contractor (Account B)        Contractor (Account C)
    │ full operational access      │ full operational access
    ▼                              ▼
  Devices                        Devices

The leasing company doesn’t operate the devices, but needs visibility into asset health, utilization, and location across all contractors.

Shared Service Access

Platform Service Account
    │ scoped access via permission set
    ▼
Customer Account A    Customer Account B

Platform services that need to act across accounts (e.g., aggregated analytics) use Identity Center to obtain scoped, auditable access.

Key Entities

Entity                Description
Access Grant          A cross-account permission delegation
Permission Set        The set of actions allowed in the target account
Trust Relationship    Bidirectional agreement between accounts
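To make the responsibilities and entities above concrete, here is an added, constructed model (not the platform's own code) that evaluates a cross-account action the way this component is described: trust relationship first, then the permission boundary, then the access grant's permission set, with every decision written to an audit trail. Account ids such as acct-A and action names such as device:DescribeStatus are assumed for the leasing-company scenario.

```python
from dataclasses import dataclass, field
# Entity classes, account ids and action names are constructed for illustration, not the platform's own.

@dataclass(frozen=True)
class PermissionSet:
    name: str
    actions: frozenset                  # actions allowed in the target account

@dataclass(frozen=True)
class AccessGrant:
    grantor: str                        # target account delegating access
    grantee: str                        # account receiving the delegation
    permission_set: PermissionSet

@dataclass
class IdentityCenter:
    trusts: list = field(default_factory=list)   # bidirectional pairs: frozenset({a, b})
    grants: list = field(default_factory=list)
    boundary: frozenset = frozenset()            # ceiling on any cross-account action
    audit_log: list = field(default_factory=list)

    def authorize(self, caller, target, action):
        """Evaluate a cross-account action and record the decision for audit."""
        allowed, reason = self._evaluate(caller, target, action)
        self.audit_log.append({"caller": caller, "target": target, "action": action,
                               "allowed": allowed, "reason": reason})
        return allowed

    def _evaluate(self, caller, target, action):
        # A trust relationship is bidirectional, so compare as an unordered pair
        if frozenset({caller, target}) not in self.trusts:
            return False, "no trust relationship between accounts"
        # The permission boundary caps every grant, so it is checked before any grant
        if action not in self.boundary:
            return False, "action outside permission boundary"
        for g in self.grants:
            if g.grantor == target and g.grantee == caller and action in g.permission_set.actions:
                return True, f"allowed by grant '{g.permission_set.name}'"
        return False, "no matching access grant"

def leasing_scenario():
    """Account A (leasing company) gets read-only device status in accounts B and C."""
    read_only = PermissionSet("device-status-readonly",
                              frozenset({"device:DescribeStatus", "device:GetLocation"}))
    return IdentityCenter(
        trusts=[frozenset({"acct-A", "acct-B"}), frozenset({"acct-A", "acct-C"})],
        grants=[AccessGrant("acct-B", "acct-A", read_only), AccessGrant("acct-C", "acct-A", read_only)],
        boundary=frozenset({"device:DescribeStatus", "device:GetLocation", "device:GetUtilization"}),
    )
```

Note that a grant never widens what the boundary allows, and a trust relationship alone grants nothing: the contractor account is trusted by acct-A but has no grant into it, so its calls are denied and logged.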

Dependencies

Service                  Relationship
Org Service              Resolves org hierarchy and account relationships
Authorization Service    Evaluates whether cross-account actions are permitted
DotID (Keycloak)         SSO session federation

Consumed By

Consumer        Usage
StarGate        Admin UI for managing cross-account grants
ClearJanitor    Leasing company cross-account visibility
Applications    Any multi-tenant scenario requiring cross-account access