Identity and Access Management (IAM)

Identity and Access Management (IAM) is a vital framework for securely managing user identities, authentication, authorization, and access privileges within Unique. Unique has adopted Zitadel as its core IAM solution to streamline these processes across its platform. Zitadel is a critical component in managing the lifecycle of user identities and ensuring secure access control within Unique's ecosystem.



User Management

User accounts for the Unique platform are created within Zitadel. This happens either manually when creating users by hand or automated when syncing users from external systems (e.g.: via Single Sign-On). This centralized management facilitates the oversight of user activities and access rights, ensuring that only authorized individuals can perform specific actions on the platform.

Role-Based Access Control

Users are assigned specific roles that determine their access to Unique's features. Each role gives the user a different level of permissions and access rights. Some parts of the Unique platform are only meant to be used by a specific group of users, such as administrators who need to configure certain settings or developers who need to manage the API keys for their integrations.

This role-based access control is essential for enforcing the principle of least privilege and ensuring that users have appropriate access to the features of the Unique platform.

Roles on the Unique platform:

Single Sign-On Integration

Unique supports integration with a variety of Identity Providers (IdPs), enabling users to authenticate via Single Sign-On. This feature simplifies the login process for users by allowing them to access multiple services with a single set of credentials, enhancing both user experience and security.

A guide on how to set up SSO for the Unique platform can be found here: Single Sign-On (SSO) setup

Service users

Unique’s IAM solution also allows for the creation of service users, also known as machine users. These non-human accounts are used to integrate external systems with Unique's platform and to perform automated tasks such as configuration and maintenance through the API. Service users are necessary to enable system-to-system interactions and to automate processes within the Unique infrastructure.

A guide on how to create and configure service users can be found here: Service User configuration

The following sections contain use cases for which Unique uses service users.

User Management Sync

The Unique application needs a service user to sync the user data held in Zitadel into the Unique system. With the introduction of the user management UI and the space management UI, which allow adjusting groups and managing access to spaces, the frontend needs to query user data. Querying the IAM system directly for every such request would overload it, so a user sync solution was implemented instead: Zitadel is polled periodically for what has changed, and this polling requires a service user. Without this service user the Unique system cannot show the list of users in the UI.

There is one service user for a whole instance (covering multiple organisations). Because it is a single user for the whole instance, it needs read access to all organisations so that every change that happened in Zitadel can be fetched and replicated in the application.

This service user needs to be created in one organisation and assigned the “Instance Viewer” role in Zitadel. A PAT (personal access token) also needs to be created for it and added to the vault as a secret with the name manual-zitadel-scope-mgmt-pat.
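The polling loop described above, as an added example that is not Unique's own sync code: it keeps a cursor (the last applied change sequence), asks for changes newer than the cursor, applies them in order to a local user table, and only advances the cursor after each change is applied, so an interrupted run resumes cleanly. The PAT is read from an environment variable (ZITADEL_SYNC_PAT, an assumed name populated from the vault secret), the change-event shape is an assumption, and the Zitadel call is supplied by the caller so the example runs offline on a constructed feed.

```python
"""Incremental user sync from Zitadel into a local user table.

Added example, not Unique's own sync implementation. Assumptions:
  * the PAT of the instance-wide "Instance Viewer" service user is injected
    into the process environment as ZITADEL_SYNC_PAT (the page keeps it in the
    vault under manual-zitadel-scope-mgmt-pat; the env var name is assumed),
  * Zitadel is asked for user changes newer than a cursor; the call itself is
    supplied by the caller (fetch_changes) so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Mapping


@dataclass(frozen=True)
class UserChange:
    """One change event from the IAM system (field layout is an assumption)."""
    sequence: int            # strictly increasing position in the change feed
    org_id: str              # organisation the user belongs to
    user_id: str
    event: str               # "added", "updated" or "removed"
    email: str = ""
    groups: tuple = ()


@dataclass
class LocalUsers:
    """What the Unique side keeps: the last applied sequence and a user table."""
    cursor: int = 0
    users: dict = field(default_factory=dict)   # (org_id, user_id) -> record


FetchFn = Callable[[str, int], Iterable[UserChange]]


def load_sync_pat(env: Mapping[str, str]) -> str:
    """Read the PAT from the environment; fail closed if it is missing."""
    pat = env.get("ZITADEL_SYNC_PAT", "").strip()
    if not pat:
        raise RuntimeError("ZITADEL_SYNC_PAT is not set; the sync user cannot authenticate")
    return pat


def sync_once(store: LocalUsers, fetch_changes: FetchFn, pat: str) -> int:
    """Apply all changes newer than store.cursor, in sequence order.

    The cursor only advances after a change has been applied, so a failure
    part-way through leaves the store consistent and the next run resumes
    from the last applied event. Returns the number of applied changes.
    """
    changes = sorted(fetch_changes(pat, store.cursor), key=lambda c: c.sequence)
    applied = 0
    for change in changes:
        if change.sequence <= store.cursor:
            continue  # re-delivered event, already applied
        key = (change.org_id, change.user_id)
        if change.event == "removed":
            store.users.pop(key, None)
        elif change.event in ("added", "updated"):
            store.users[key] = {"email": change.email, "groups": set(change.groups)}
        else:
            raise ValueError(f"unknown event type {change.event!r} at sequence {change.sequence}")
        store.cursor = change.sequence
        applied += 1
    return applied


# Constructed sample feed standing in for what Zitadel would return.
CONSTRUCTED_FEED = [
    UserChange(1, "org-a", "u1", "added", "a@example.com", ("chat-users",)),
    UserChange(2, "org-b", "u2", "added", "b@example.com", ("chat-users",)),
    UserChange(3, "org-a", "u1", "updated", "a@example.com", ("chat-users", "admins")),
    UserChange(4, "org-b", "u2", "removed"),
]


def feed_fetcher(feed) -> FetchFn:
    """Offline stand-in for the Zitadel call: returns events newer than the cursor."""
    def fetch(pat: str, after: int):
        assert pat, "a PAT is required to call the IAM system"
        return [c for c in feed if c.sequence > after]
    return fetch


if __name__ == "__main__":
    store = LocalUsers()
    print(sync_once(store, feed_fetcher(CONSTRUCTED_FEED), "constructed-pat"), "changes applied")
    print(store.users)
```

In a real deployment the fetch function would authenticate to Zitadel with the PAT as a bearer token and page through its change feed; the logic that matters for correctness (ordering, idempotent re-delivery, cursor advancing only after a successful apply) is independent of that transport.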

Maintenance

For some customers a service user has been created for maintaining and supporting the customer in terms of configuration. This user is optional and not needed to run the Unique chat solution. It is created in the customer's Zitadel organisation and only has the chat.admin.all role. This role is not allowed to query customer data such as chats, messages, content (documents) or chunks (text segments). It is used for applying configuration to a customer organisation, such as:

  • Creating groups

  • Applying configurations for spaces or AI modules

  • Applying company settings

For this service user the clientId and clientSecret approach is mostly used to obtain a token and then adjust the needed configuration.
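The clientId/clientSecret token flow mentioned above is the OAuth2 client_credentials grant. As an added example (not Unique's code), the class below builds that request, caches the returned access token and renews it shortly before expiry so that a configuration job does not fail mid-run on a token that just lapsed. It assumes Zitadel's token endpoint lives at {issuer}/oauth/v2/token and that the listed scope addresses Zitadel's own APIs (confirm both against your instance's OpenID discovery document); the credential variable names are assumed, and the HTTP POST is supplied by the caller so the example runs offline on constructed responses.

```python
"""Obtaining an API token for the maintenance service user with client credentials.

Added example, not Unique's own code. Assumptions:
  * the OAuth2 token endpoint is {issuer}/oauth/v2/token (verify against the
    instance's /.well-known/openid-configuration),
  * ZITADEL_API_SCOPE below is the scope Zitadel uses for its own APIs,
  * clientId/clientSecret come from the environment (variable names assumed),
  * the HTTP POST is performed by a caller-supplied function so the example
    runs offline and the secret never reaches a logger.
"""
import time
from typing import Callable, Mapping, Optional, Tuple
from urllib.parse import urlencode

ZITADEL_API_SCOPE = "urn:zitadel:iam:org:project:id:zitadel:aud"  # assumption, see module docstring

# (url, headers, form-encoded body) -> (http status, parsed JSON body)
PostFn = Callable[[str, Mapping[str, str], str], Tuple[int, Mapping]]


class ClientCredentialsToken:
    """Caches an access token and refreshes it shortly before it expires."""

    def __init__(self, issuer: str, client_id: str, client_secret: str,
                 post: PostFn, scope: str = ZITADEL_API_SCOPE, refresh_skew: int = 60):
        self.issuer = issuer.rstrip("/")
        self.client_id = client_id
        self._client_secret = client_secret     # kept private; never printed or logged
        self.post = post
        self.scope = scope
        self.refresh_skew = refresh_skew        # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.requests_made = 0

    @classmethod
    def from_env(cls, env: Mapping[str, str], post: PostFn):
        """Build from environment variables (names assumed); fail closed if any is missing."""
        names = ("ZITADEL_ISSUER", "ZITADEL_CLIENT_ID", "ZITADEL_CLIENT_SECRET")
        missing = [k for k in names if not env.get(k)]
        if missing:
            raise RuntimeError("missing configuration: " + ", ".join(missing))
        return cls(env["ZITADEL_ISSUER"], env["ZITADEL_CLIENT_ID"], env["ZITADEL_CLIENT_SECRET"], post)

    def token_request(self):
        """Build the client_credentials grant request (RFC 6749 section 4.4)."""
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self._client_secret,
            "scope": self.scope,
        })
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return f"{self.issuer}/oauth/v2/token", headers, body

    def get(self, now: Optional[float] = None) -> str:
        """Return a valid access token, requesting a fresh one when needed."""
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.refresh_skew:
            return self._token
        url, headers, body = self.token_request()
        status, payload = self.post(url, headers, body)
        self.requests_made += 1
        if status != 200 or not payload.get("access_token"):
            # Report the status only; the response may echo request details.
            raise RuntimeError(f"token request failed with HTTP {status}")
        self._token = payload["access_token"]
        self._expires_at = now + int(payload.get("expires_in", 0))
        return self._token


def fake_zitadel_post(responses):
    """Offline stand-in for the HTTP call: hands out constructed responses in order."""
    queue = list(responses)

    def post(url, headers, body):
        assert url.endswith("/oauth/v2/token")
        assert "grant_type=client_credentials" in body
        return queue.pop(0)
    return post


if __name__ == "__main__":
    post = fake_zitadel_post([(200, {"access_token": "constructed-token", "expires_in": 3600})])
    tok = ClientCredentialsToken("https://iam.example.test", "cid", "constructed-secret", post)
    print("bearer token obtained:", tok.get()[:8] + "...")
```

The token is then sent as `Authorization: Bearer <token>` on the configuration API calls. Keeping the refresh skew and the cache in one place means every job shares the same expiry handling, and the secret is only ever read inside token_request.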

3rd Party integrations

Unique has integrations with 3rd party software such as Microsoft SharePoint or Atlassian Confluence. A new service user is created for each integration. This service user is created inside the target customer's organisation and needs the roles relevant to its purpose; in most cases this is the role that allows sending data to the ingestion service.


Authors

@Sandro Camastral @Adrian Gugger

 

© 2024 Unique AG. All rights reserved.