Overview

“Principal” is an overloaded term. In this documentation it means any identity that can be granted permissions through policies. (Note that “Identity” is also the name of one specific principal type, described below.)

The Control Plane Platform supports four principal types.

Each principal type is scoped to an org and can be granted permissions to certain resources or whole resource types through policies.

  1. Users

    A user represents a distinct human being and is associated with an email address. A user may be a member of one or more orgs. An authorized principal can invite users to an org by providing their email address.

  2. Service Accounts

    A service account is a non-human principal, typically an application that consumes the API.

  3. Groups

    A group is a named collection of users and service accounts. When inviting users to an org, a group can optionally be assigned to the invited users.

  4. Identity

    An identity is short for workload identity. It is a named, reusable principal (one identity can be assigned to multiple workloads) that is only used by workloads. An identity encapsulates a set of Cloud Access rules, which define least-privilege policies governing access to resources in the org’s configured cloud accounts. In addition to Cloud Access rules, an identity also defines a set of Network Resources.

Examples

  • To allow a user or group to perform actions within the console, an administrator creates a policy that binds the user or group to the resource (or resource type) with the necessary permissions.

  • To allow a workload to access secured resources within Control Plane (e.g., a secret used as an environment variable), an administrator creates a policy that assigns the necessary permissions to the workload’s identity for the specified resource.
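A worked example of both bullets above, added here and not taken from the Control Plane documentation or product. The manifest shape (kind, targetKind, targetLinks, target, bindings, permissions, principalLinks) follows the Control Plane policy manifest as the editor recalls it; the group, user, GVC, identity and secret names, and the exact principal link formats, are assumptions for illustration.

```yaml
# Added example, not from the Control Plane docs. Names and link formats
# below are assumptions for illustration.

# 1. Console access for a group: every member of the "developers" group
#    (and one individual user) may view all workloads in the org.
#    "target: all" binds the principals to the whole resource type.
kind: policy
name: developers-view-workloads
description: Developers can view every workload in the org
targetKind: workload
target: all
bindings:
  - permissions:
      - view
    principalLinks:
      - //group/developers
      - //user/alice@example.com   # an individual user bound alongside the group
---
# 2. Workload access to a secret: only the identity "api-identity" in the
#    GVC "prod" may reveal the single secret "db-password", which is what a
#    workload needs to inject that secret as an environment variable.
#    targetLinks names one secret instead of "target: all".
kind: policy
name: api-reveal-db-password
description: Let the api identity read the db-password secret
targetKind: secret
targetLinks:
  - //secret/db-password
bindings:
  - permissions:
      - reveal
    principalLinks:
      - //gvc/prod/identity/api-identity
```

Both manifests can be applied with the CLI (assuming the standard `cpln apply -f policies.yaml` form). The least-privilege check a practitioner should make on the second policy is the target: a `reveal` binding with `target: all` on `targetKind: secret` would let the workload read every secret in the org, whereas naming the single secret in `targetLinks` limits the blast radius of a compromised workload to that one value.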