The Aritma IAM API lets you control who can do what across your Aritma resources. It provides fine-grained access control through a policy-based permission model, combined with tools for managing users, groups, clients, and external identity providers.
The IAM API is a REST API that acts as the central control plane for access management across all Aritma products.
A subject is anything that can be granted permissions. Subjects can be:
- Users - human identities linked to an Aritma ID account
- Clients - OIDC service clients used for machine-to-machine API access
- Groups - named collections of users and/or clients that share the same policies
An action is a string specifying some permission. Actions form a natural hierarchy - granting a parent action also grants all child actions beneath it.
banking ← top-level namespace
banking.manage ← grants all banking actions (role)
banking.consents.create ← specific permission (action)
banking.ais.read ← specific permission (action)
banking.pis.manage ← grants all banking payment initiation actions (role)
banking.pis.write ← specific permission (action)
banking.pis.read ← specific permission (action)A role is a named bundle of actions. Assigning a role to a subject is a shorthand for granting all the actions that role includes - instead of creating individual policies for each action, you assign a role and the permissions follow.
See the Actions Hierarchy page (coming soon) for the full live tree of available actions.
Tenant roles are OIDC roles tied to a subject within a tenant. Unlike IAM policies (which grant fine-grained access to specific resources), tenant roles are returned as claims in the subjects's OIDC token and represent their standing within the organization - for example TenantAdmin and tenant.subject.read.
These roles are used by Aritma services to make coarse-grained authorization decisions at the application level, and can be inspected by your own applications from the token claims.
A scope is a URI that identifies a specific resource. Policies are always scoped to a resource, so the same subject can have different permissions on different resources.
/subscriptions/123/resource-groups/456Similar to actions and roles, a sub scope will inherit from its parent scope.
A policy is the binding that grants a subject permission to perform an action on a scope. Every resource-based access decision in Aritma resolves to a set of policies.
subject: user-555
action: banking.manage
scope: /subscriptions/123/resource-groups/456This policy grants that user (with id 555) full banking management rights on resources under resource group 456 within subscription 123.
Additionally, due to the inheritance of scopes, any subscope of this resource group will inherit the permissions of this policy.
See the Policies guide for how to create, delete, and query policies.
Note, the ids used in these examples are not representative of the ids used in the actual api.
A group is a named collection of subjects. Policies assigned to a group apply to all members of that group. This makes it easy to manage access for teams without configuring each member individually.
See the Groups guide for how to create and manage groups.
| Capability | Guide |
|---|---|
| Invite users, assign roles | User Management |
| Organize users into groups | Groups |
| Grant fine-grained permissions | Policies |
| Verify domain ownership for direct user creation | Domains |
| Configure single sign-on (SSO) | SSO Setup |
| Sync users from an external directory | SCIM Provisioning |
| Create service clients for API access | OIDC Clients |
The IAM API uses OAuth 2.0. Two grant types are supported depending on your use case.
Use this when a backend service or script needs to access the API without a human user. Exchange a client ID and secret for a token:
curl -X POST https://id.dev.aritma.io/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-d "scope=services.iam"See OIDC Clients for how to create and manage service clients.
Use this when your application needs to act on behalf of a logged-in user. Redirect the user to the Aritma authorization endpoint:
GET https://id.dev.aritma.io/connect/authorize
?response_type=code
&client_id=<your-client-id>
&redirect_uri=<your-redirect-uri>
&scope=openid profile services.iam
&code_challenge=<code-challenge>
&code_challenge_method=S256
&state=<random-state>After the user authenticates and consents, exchange the authorization code for tokens:
curl -X POST https://id.dev.aritma.io/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id=$CLIENT_ID" \
-d "code=$AUTHORIZATION_CODE" \
-d "redirect_uri=$REDIRECT_URI" \
-d "code_verifier=$CODE_VERIFIER"Include the returned access_token as a Bearer token in all IAM API requests:
Authorization: Bearer <access_token>