IAM Service

The IAM Service writes OpenFGA tuples for user role assignments. It does not manage stores or authorization models. It exposes a GraphQL API that assigns roles to users and persists those relationships in OpenFGA.

Overview

The IAM Service handles two responsibilities:

  1. Role assignments - Write and delete role tuples for users
  2. Invites - Create Invite resources when a user does not yet exist

Note

Role assignments are not managed by a CRD. They are created directly through the IAM Service GraphQL API.

Entry Points

Action        API                         Behavior
------------  --------------------------  ------------------------------------------
Assign roles  GraphQL assignRolesToUsers  Writes role assignment tuples to OpenFGA
Remove role   GraphQL removeRole          Deletes the corresponding tuple in OpenFGA

Store Resolution

The IAM Service resolves the target OpenFGA store using the organization name from the request context:

  • storeId = GetStoreID(ctx, organizationName)

This ensures all role assignment tuples are written to the org's store.

Tuple Format (Role Assignment)

When a role is assigned, the IAM Service writes two tuples:

  1. User is assigned to a role
  2. Role grants permissions on the target object

Example tuple pair:

user:<user-email>               assignee  role:<type>/<cluster>/<resource>/<role>
role:<type>/<cluster>/<resource>/<role>#assignee  <role>  <type>:<cluster>/<resource>

Example (Placeholders)

Assume a user is assigned the owner role on an Account.

user:<user-email> assignee role:core_platform-mesh_io_account/<cluster-id>/<account-name>/owner
role:core_platform-mesh_io_account/<cluster-id>/<account-name>/owner#assignee owner core_platform-mesh_io_account:<cluster-id>/<account-name>

Invite Behavior

If a user does not exist in the IDM system, the IAM Service creates an Invite resource in the account workspace:

  • Invite.spec.email = <user-email>
  • No tuples are written by the Invite itself

The IAM Service still writes role tuples even if the invite creation fails.

Deletions

The removeRole mutation deletes the user-to-role tuple using OpenFGA's Write API with deletes.
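The tuple pair from the Tuple Format section and the delete-only Write body from the Deletions section, as an added example in Go (not code from the IAM Service itself). It builds the OpenFGA Write API body directly rather than through an SDK; the identifier-segment check is an assumed policy for this example, not something the page specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TupleKey is the user/relation/object triple OpenFGA stores for one tuple;
// the JSON tags match the body of POST /stores/{store_id}/write.
type TupleKey struct {
	User     string `json:"user"`
	Relation string `json:"relation"`
	Object   string `json:"object"`
}

// TupleKeys wraps a list of tuples as the Write API expects under "writes"/"deletes".
type TupleKeys struct {
	TupleKeys []TupleKey `json:"tuple_keys"`
}

// WriteRequest is one Write call: tuples to add and tuples to delete.
type WriteRequest struct {
	Writes  *TupleKeys `json:"writes,omitempty"`
	Deletes *TupleKeys `json:"deletes,omitempty"`
}

// checkSegment rejects values that would corrupt a tuple identifier. Assumed
// policy for this example: no empty segments and no '#', ':' or whitespace.
func checkSegment(s string) error {
	if s == "" || strings.ContainsAny(s, "#: \t\n") {
		return fmt.Errorf("invalid identifier segment %q", s)
	}
	return nil
}

// AssignmentTuples returns the pair written for one assignment:
// user -> role (assignee) and role#assignee -> target object (<role>).
func AssignmentTuples(email, typ, cluster, resource, role string) ([]TupleKey, error) {
	for _, s := range []string{email, typ, cluster, resource, role} {
		if err := checkSegment(s); err != nil {
			return nil, err
		}
	}
	roleObj := fmt.Sprintf("role:%s/%s/%s/%s", typ, cluster, resource, role)
	return []TupleKey{
		{User: "user:" + email, Relation: "assignee", Object: roleObj},
		{User: roleObj + "#assignee", Relation: role, Object: fmt.Sprintf("%s:%s/%s", typ, cluster, resource)},
	}, nil
}

// RemoveRequest is the Write body for removeRole: only the user-to-role tuple goes
// into "deletes"; the role-to-object tuple is not user-specific and is left in place.
func RemoveRequest(email, typ, cluster, resource, role string) (*WriteRequest, error) {
	t, err := AssignmentTuples(email, typ, cluster, resource, role)
	if err != nil {
		return nil, err
	}
	return &WriteRequest{Deletes: &TupleKeys{TupleKeys: t[:1]}}, nil
}

func main() {
	// Constructed sample values; the page uses placeholders for these.
	t, _ := AssignmentTuples("alice@example.com", "core_platform-mesh_io_account", "cluster-1", "acme", "owner")
	b, _ := json.MarshalIndent(WriteRequest{Writes: &TupleKeys{TupleKeys: t}}, "", "  ")
	fmt.Println(string(b))
}
```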

Component Interaction

graph TB
    subgraph "IAM Service"
        IAM[assignRolesToUsers]
        INV[Create Invite]
    end

    subgraph "OpenFGA"
        Store[(Store)]
        Tuples[(Tuples)]
    end

    IAM --> Tuples
    INV -->|CRD| Invite[Invite Resource]