IAM
The Identity and Access Management (IAM) system allows the SafeCDx platform to provide itself and any clients the capabilities to securely control access to any resources and services that are part of the platform. IAM is a core system that provides the foundation for all access control within the platform. At a high level, organizations can use IAM to control who is able to log in to the platform and what data and tools they are allowed to view or use. In other words, entities can use IAM to control who is authenticated (i.e., signed in) to the platform, as well as who is authorized (i.e., has the appropriate permissions) to access resources. The system follows the principle of least privilege: every account is denied all permissions by default.
The IAM product offers a robust set of APIs and other tooling that facilitate the creation and management of user accounts and roles. This system caters to individual users, service (non-human) accounts, and groups, allowing organizations to efficiently handle diverse user types and access paradigms within their ecosystem. With the IAM System, organizations can seamlessly define granular permissions for different roles, allowing for fine-grained access control. This capability empowers organizations to establish and enforce proper authorization levels, ensuring data security and compliance with regulatory requirements. The IAM System serves as a critical component in managing user identities, roles, and permissions, providing a solid foundation for effective access control and user management within the organization’s ecosystem.
In addition to ensuring that the correct users within an organization have appropriate access to technology and data resources, our IAM system enables broader SafeCDx ecosystem-wide permissions and identity binding for use cases such as evaluating OTC diagnostics performed in non-clinical settings or providing dynamic permissions for one-off provider interactions with a patient. SafeCDx is agnostic to geographic location, political jurisdiction, provider network, member, organization, or group; and the IAM service has been designed to be a best-in-industry security solution that supports all existing and not-yet-launched CDx use cases.
Features
A Principal is an IAM entity that is allowed to interact with SafeCDx resources. Principals include Users, Service Accounts, and User Groups.
Authentication
Authentication refers to the processes, logic, and systems that are used to verify the identity of any entity trying to interact with SafeCDx systems. The platform authenticates the user or service account by matching provided credentials (whether a username/password, token, or third-party identity provider) to the identity. Only authenticated entities should be able to access SafeCDx, and our overall monitoring capabilities provide full audit trails for any successful or failed authentication request.
Authorization
The SafeCDx Authorization systems and features ensure that any Principals attempting to take actions on the platform have access only to the data and resources that have been explicitly identified as allowed. The platform utilizes role-based access control, and any authorization decisions are made based on defined Policies, which associate the specific Permissions included in a Role with the relevant Principals.
Certificate
Certificates are digital documents that contain keys and other relevant metadata, and they are used to identify a Principal in the platform. Certificates primarily serve as an authentication method for Service Accounts (i.e., non-human entities) when SafeCDx systems need to verify the identity of devices or external services that are attempting to take actions on the platform.
Configuration Group
Description missing
Connection
A connection represents an “authenticating body” that can attest to a user’s identity when trying to log in to the system. While SafeCDx provides its own native connection in the form of email/username and password combinations for users, the platform overall provides extensive functionality for organizations to bring their own sign-in credentials or use a third-party Identity Provider, such as Google Workspace. Once a connection has been onboarded to SafeCDx by an organization, then the platform can fully use the connection for any authentication decisions.
Dynamic Group
Groups are a form of Principal identity in the SafeCDx platform and represent sets of multiple Users, Service Accounts, and/or groups. All of the Principals that are part of a specific group receive all permissions and access that have been bound to the group. The SafeCDx platform supports multiple ways to specify group membership in order to best fit any client workflows – we include static membership management for explicitly adding/removing users and other accounts, as well as dynamic membership rules in which the platform itself can automatically adjust members in a group based on predefined conditions.
Permission
Permissions represent the base layer of the SafeCDx role-based access control mechanism by defining which operations are allowed at a resource level (such as create, read, update, and delete).
Policy
A policy represents the full binding (or linking) of a Principal with a Role or set of Permissions and the end resource that is impacted. Policies are required to associate defined Permissions in a Role with the end User, Service Account, or Group who needs the access.
Role
Roles are defined collections of Permissions that can be attached to Users, Service Accounts, and other Principals in the system in order to define what actions they are able to take on the platform. SafeCDx provides and maintains predefined (or “built-in”) roles that can be used to manage access based on common out-of-the-box use cases, as well as custom roles that are organization-specified lists of permissions. When predefined roles are not granular enough, the ability to define custom roles is important for organizations to meet their own specific use cases.
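The way Permissions, Roles, Policies and group membership combine into a default-deny decision can be modelled in a short Python sketch. This is an added illustration, not SafeCDx code or its API; the class names, permission strings, resource names and sample principals are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Policy:
    principal: str  # user, service account or group id
    role: str       # name of a Role (a set of Permissions)
    resource: str   # resource the binding applies to

@dataclass
class Group:
    members: set = field(default_factory=set)      # static membership
    rule: Optional[Callable[[dict], bool]] = None  # dynamic membership

class Authorizer:
    def __init__(self, roles, groups, policies, attrs):
        self.roles, self.groups, self.policies, self.attrs = roles, groups, policies, attrs

    def identities(self, principal):
        """The principal plus every group it is in, directly or via nesting."""
        found, frontier = {principal}, [principal]
        while frontier:
            current = frontier.pop()
            for name, group in self.groups.items():
                if name in found:
                    continue  # already expanded; also stops cycles
                dynamic = group.rule is not None and group.rule(self.attrs.get(current, {}))
                if current in group.members or dynamic:
                    found.add(name)
                    frontier.append(name)
        return found

    def is_allowed(self, principal, permission, resource):
        ids = self.identities(principal)
        for p in self.policies:
            if (p.principal in ids and p.resource == resource
                    and permission in self.roles.get(p.role, set())):
                return True
        return False  # default deny: no matching policy means no access

# Constructed sample data; every name below is hypothetical.
ROLES = {"result-viewer": {"result:read"},
         "result-editor": {"result:read", "result:update"}}
GROUPS = {"clinicians": Group(rule=lambda a: a.get("dept") == "clinic"),
          "org-a-staff": Group(members={"clinicians", "svc-batch"})}
POLICIES = [Policy("org-a-staff", "result-viewer", "org-a/results"),
            Policy("alice", "result-editor", "org-a/results")]
ATTRS = {"alice": {"dept": "clinic"}, "bob": {"dept": "clinic"}, "mallory": {"dept": "billing"}}
AUTHZ = Authorizer(ROLES, GROUPS, POLICIES, ATTRS)
```

In this model `bob` gains read access only through the dynamic `clinicians` group nested inside `org-a-staff`, while a principal with no matching policy, or a policy naming an undefined role, is denied.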
Role Binding
Description missing
Service Account
Service accounts are non-human Principals in the system that have associated permissions. They represent services or automated applications that interact with resources and services within SafeCDx systems. Examples include recurring batch jobs or resource-monitoring services. Our APIs provide functionality for any client to manage service accounts.
User
Users are resources in the system that have associated credentials and permissions. More specifically, users represent humans taking actions on and interacting with the SafeCDx systems. Our APIs provide support for full user management.
User Group
Description missing