# Identity and Access Management (IAM)

VGS Identity and Access Management (IAM) defines how users, systems, and automated services securely access and administer your organization’s VGS resources.\
The IAM system governs both **Control Plane** operations (configuration, vault management, user administration) and **Data Plane** operations (credential management, tokenization, detokenization, and secure data exchange).

IAM enables organizations to implement least-privilege access, strong authentication, and auditability across all VGS environments.

***

### Architecture Overview

| Plane             | Purpose                                                                             | Example Operations                                                                                                 | Authentication                                                                                  |
| ----------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
| **Control Plane** | Manage configuration and metadata — e.g. users, vaults, routes, and permissions.    | Create vaults, rotate credentials, configure routes, manage service accounts.                                      | OAuth 2.0 Bearer Tokens (Client Credentials), optional mTLS or PrivateLink.                     |
| **Data Plane**    | Handle runtime data exchange — tokenization, detokenization, proxying, and routing. | Collect payment credential objects, forward payment data to third-party APIs, tokenize and reveal data in-transit. | OAuth 2.0 Bearer Tokens (Client Credentials), Proxy Basic Auth, mTLS, or key-based credentials. |

The separation of planes ensures that **operational data** never mixes with **administrative metadata**, maintaining strong isolation boundaries and compliance posture.

***

## IAM Components

### Service Accounts

VGS utilizes scoped service accounts for authenticating to services via OAuth 2.0. For automation use cases you can programmatically create [service account credentials](/enterprise-platform/access-management/service-accounts-for-programmatic-access.md). These are ideal for scripted workflows such as [creating a git-driven change management flow](/vault/developer-tools/vgs-git-flow.md#apply-changes-to-your-git-repo).

### Permissions

User and service account permissions are controlled via the VGS Dashboard's [User Access Control](/enterprise-platform/developer-resources/api-reference/useraccess.md) screen.

Complex runtime permissioning may be implemented using [VGS Compute, the VGS secure runtime](/vault/developer-tools/larky.md).

### Custom Identity Providers

Custom IdP and Single Sign-on (SSO) can be enabled by reading the [IdP and SSO configuration guide](/enterprise-platform/access-management/enterprise-identity-providers.md).

### Authentication Technologies

VGS uses multiple forms of authentication for our APIs and proxies. All authentication is underpinned by common best practices, including TLS 1.2 encryption, IP address restrictions, and audit and access logs, and is monitored by our in-house security operations team.

#### Basic Authentication

Basic authentication as implemented in [RFC 7617](https://datatracker.ietf.org/doc/html/rfc7617) is used for accessing data via the Outbound Proxy; it transmits credentials as user-ID/password pairs encoded using base64. Because base64 is an encoding rather than encryption, these APIs are served only over TLS 1.2, and they are additionally complemented with IP address based restrictions on our [HTTP Routes](/vault/http-proxy.md) so that credentials are usable only from authorized systems, supporting a zero-trust-like posture. We follow [Mozilla’s recommended best practices](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for implementation.
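The layered checks described above (TLS-only transport, source IP restriction, then RFC 7617 credential verification) can be modelled in a few lines. The following is an added example written for this page, not VGS code; the username, password, allowlisted CIDR and source addresses are constructed placeholders.

```python
"""Added example (not VGS code): RFC 7617 Basic credentials verified behind
TLS-only and IP-allowlist checks, in the order a proxy would apply them.
All credentials and addresses below are constructed placeholders."""
import base64
import binascii
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed placeholder credential store (username -> password). A real
# deployment stores a salted hash, never the password itself.
PROXY_CREDENTIALS = {"USvgsExample": "example-proxy-password"}

# Constructed allowlist standing in for a route's IP address restrictions.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def basic_header(user_id: str, password: str) -> str:
    """Build an RFC 7617 credential value. The user-id must not contain ':'
    because a literal colon separates user-id from password."""
    if ":" in user_id:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' into (user_id, password); None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user_id, sep, password = raw.partition(":")
    if not sep:
        return None
    return user_id, password


def authorize(header: Optional[str], source_ip: str, over_tls: bool) -> Tuple[bool, str]:
    """Apply transport, source-IP and credential checks; return (allowed, reason)."""
    if not over_tls:
        # base64 is reversible, so Basic credentials must never travel in clear.
        return False, "plaintext transport rejected"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False, "source IP not in allowlist"
    creds = parse_basic_header(header) if header else None
    if creds is None:
        return False, "missing or malformed Basic credentials"
    user_id, password = creds
    expected = PROXY_CREDENTIALS.get(user_id)
    # Always run the constant-time comparison, even for unknown users, so the
    # response timing does not reveal which usernames exist.
    matches = hmac.compare_digest(password.encode("utf-8"), (expected or "").encode("utf-8"))
    if expected is None or not matches:
        return False, "invalid credentials"
    return True, "ok"


if __name__ == "__main__":
    hdr = basic_header("USvgsExample", "example-proxy-password")
    print(authorize(hdr, "203.0.113.10", over_tls=True))   # (True, 'ok')
    print(authorize(hdr, "198.51.100.7", over_tls=True))   # rejected: IP
    print(authorize(hdr, "203.0.113.10", over_tls=False))  # rejected: no TLS
```

The order matters for a defender: transport and network checks run before any credential is decoded, so a leaked password presented from an unexpected network never reaches the comparison step, which is the property the route-level IP restrictions provide.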

#### Bearer Authentication

Bearer authentication as implemented in [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750) is used for accessing configuration APIs in conjunction with OAuth 2.0. This separate credential is used for service accounts and user administration of VGS to ensure [separation of concerns](/enterprise-platform/access-management/manage-users/assigning-roles-to-users.md).
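A control-plane client obtains its bearer token with the OAuth 2.0 client credentials grant and then presents it as `Authorization: Bearer <token>` per RFC 6750. The following added example (written for this page, not VGS code) caches the token and refreshes it shortly before expiry; the token endpoint URL, client ID and secret are constructed placeholders, and the HTTP fetcher is injectable so the logic can be exercised without a network.

```python
"""Added example (not VGS code): OAuth 2.0 client-credentials bearer token
cache for control-plane API calls. TOKEN_URL and the client id/secret are
placeholders; `fetch` can be replaced to test without network access."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

TOKEN_URL = "https://auth.example.invalid/oauth/token"  # placeholder endpoint


def http_token_request(client_id: str, client_secret: str) -> Dict:
    """Default fetcher: POST form-encoded client credentials (RFC 6749 4.4)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    req = urllib.request.Request(
        TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class BearerTokenCache:
    """Reuses an access token until `skew_seconds` before it expires."""

    def __init__(self, client_id: str, client_secret: str,
                 fetch: Optional[Callable[[str, str], Dict]] = None,
                 skew_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client_id = client_id
        self._client_secret = client_secret
        self._fetch = fetch or http_token_request
        self._skew = skew_seconds
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # exposed so callers can observe refresh behaviour

    def token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch(self._client_id, self._client_secret)
            if resp.get("token_type", "Bearer").lower() != "bearer":
                raise ValueError("token endpoint returned a non-bearer token type")
            self._token = resp["access_token"]
            # Missing expires_in is treated as already expired: refetch each call.
            self._expires_at = now + float(resp.get("expires_in", 0))
            self.fetch_count += 1
        return self._token

    def bearer_header(self) -> Dict[str, str]:
        """Header for RFC 6750 bearer use on a control-plane request."""
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self) -> str:
        # Never echo the secret or the live token in logs or tracebacks.
        return f"BearerTokenCache(client_id={self._client_id!r}, token=<redacted>)"


if __name__ == "__main__":
    cache = BearerTokenCache("client-id-placeholder", "client-secret-placeholder")
    print(cache)  # token and secret are never printed
```

Refreshing a little before the advertised `expires_in` avoids a request failing mid-flight with a just-expired token, and keeping the secret out of `__repr__` keeps it out of log lines produced by debugging or crash reports.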

#### Public / Private Key Authentication

SFTP and TCP Proxy Routes additionally utilize optional key-based authentication as described in RFC 4252 and RFC 2246, respectively. Certificate-based authentication utilizes standard PEM-based certificates.

#### mTLS Authentication

mTLS authentication can be used on the Data Plane Proxies for both inbound and outbound traffic. More information is available in the [Mutual TLS Certificates](#mtls-authentication) documentation.

#### Private Connections

Private connections can be configured via a VPN, AWS PrivateLink, or similar technology (including hosted, managed VPN appliances) on demand. More information is available in our [Connectivity](/enterprise-platform/developer-resources/advanced-connectivity.md) documentation.

### Data Plane Encryption, Authentication, and Authorization

Custom authentication mechanisms, payload level encryption, secure message authentication and other cryptographic operations can be codified directly into the VGS data plane's proxies using a variety of pre-built [VGS Compute extensions](/vault/developer-tools/larky.md) and utilize our secure compute environment to ensure that keys are securely managed on your behalf. Contact your VGS solutions engineer to learn more about these patterns and to get assistance.
