# Identity and Access Management (IAM)

Here you can find an overview of the Emporix identity and access management (IAM) concept, along with its features and benefits.

{% hint style="info" %}

* Looking for code tutorials? Check out the [Identity and access management (IAM) Service guide](/api-references/api-guides/users-and-permissions/iam/iam.md).
* Looking for API reference? Check out the [IAM Service](/api-references/api-guides/users-and-permissions/iam.md) in the Emporix API Reference.
{% endhint %}

### Purpose

The IAM feature has been introduced to help you control the user access level in specific services. By defining clear-cut roles and permissions, you can be sure that unauthorized users won't be able to modify or view sensitive data.\
We have prepared a set of predefined access control templates so that you can get started quickly.

### Features

The Emporix IAM concept introduces a set of features that make identity and access management easier:

| Feature                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **User types**                                   | For a tenant, there are two types of users available: customers and employees of that tenant.                                                                                                                                                                                                                                                                                                                                                                                                |
| **Employee groups**                              | Employee groups aggregate employees of a tenant that share the same access control within a particular service and resource. By assigning an employee to a particular group, you grant them a specific access control level. Access controls are applied to both the Emporix Management Dashboard and the APIs through scopes. To learn more about scopes, check out the [Authorization and scopes guide](https://developer.emporix.io/docs/content/introduction/#authorization-and-scopes). |
| **Access controls and access control templates** | Access controls combine both resources and roles. For example, a user with a `manager` role can view, create, delete, and edit resources within a service. You can use access control templates that contain predefined settings for roles. For more information, check out [Access control templates](#access-control-templates).                                                                                                                                                           |
| **Resources**                                    | Objects within Emporix API services, for example `area` and `time` resources in the **Delivery Service**.                                                                                                                                                                                                                                                                                                                                                                                    |
| **Roles**                                        | Roles encapsulate predefined permissions that allow users to perform actions on resources within services. For example, a user with a `manager` role can create, view, edit, and delete resources within a service.                                                                                                                                                                                                                                                                          |
| **Permissions**                                  | Permissions define what actions a user with a specific role can perform on resources within services. For example, a service might have permissions to perform the following actions on a resource: view, create, delete, and edit.                                                                                                                                                                                                                                                          |
| **Localized fields**                             | When creating or updating a group, permission, or role, you can specify its name and description in multiple languages.                                                                                                                                                                                                                                                                                                                                                                      |

### Overview

The following diagram presents an example of the information flow in the IAM Service.

{% hint style="success" %}
For example, a "Catalog editors" user group may consist of users who are granted edit, create, and view permissions on the Catalog resource in the Catalog service.
{% endhint %}

<figure><img src="/files/TmgI7s05JWb5nUn1SvT8" alt=""><figcaption></figcaption></figure>
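The flow above can be modeled in a few lines to check who ends up with which permission. The following is an added example, not Emporix code or an Emporix API: the `editor` and `viewer` roles, the group names other than "Catalog editors", the employee names, and the rule that permissions from several groups are combined as a union are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the concepts on this page; not Emporix objects or scopes.
ROLE_PERMISSIONS = {
    "manager": {"view", "create", "edit", "delete"},  # role described on this page
    "editor": {"view", "create", "edit"},             # hypothetical role
    "viewer": {"view"},                               # hypothetical role
}

@dataclass(frozen=True)
class AccessControl:          # an access control combines a resource and a role
    service: str
    resource: str
    role: str

@dataclass
class Group:                  # an employee group carries access controls
    name: str
    access_controls: list
    members: set = field(default_factory=set)

def effective_permissions(employee, groups):
    """Map (service, resource) to the permissions granted via all groups (assumed union)."""
    granted = {}
    for group in groups:
        if employee not in group.members:
            continue
        for ac in group.access_controls:
            perms = ROLE_PERMISSIONS.get(ac.role, set())  # unknown role grants nothing
            granted.setdefault((ac.service, ac.resource), set()).update(perms)
    return granted

def is_allowed(employee, groups, service, resource, action):
    """Deny by default: allowed only if some group membership grants the action."""
    return action in effective_permissions(employee, groups).get((service, resource), set())

def holders(groups, service, resource, action):
    """Audit helper: employees who can perform the action, with the granting groups."""
    result = {}
    for group in groups:
        for ac in group.access_controls:
            same_target = (ac.service, ac.resource) == (service, resource)
            if same_target and action in ROLE_PERMISSIONS.get(ac.role, set()):
                for member in sorted(group.members):
                    result.setdefault(member, []).append(group.name)
    return result

# Constructed sample data.
GROUPS = [
    Group("Catalog editors", [AccessControl("Catalog", "Catalog", "editor")], {"alice", "bob"}),
    Group("Catalog managers", [AccessControl("Catalog", "Catalog", "manager")], {"bob"}),
    Group("Delivery viewers", [AccessControl("Delivery", "area", "viewer")], {"alice"}),
]
```

Running `holders(GROUPS, "Catalog", "Catalog", "delete")` over your own group export is a quick way to review which group memberships grant destructive permissions.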

### Access control templates

Emporix provides you with several predefined access control templates that you can apply to a group:

| Name                          | Service/Resource                                                                                                                                 |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Catalog Manager**           | <ul><li>Catalog</li><li>Category</li><li>Product</li><li>Product template</li><li>Label</li><li>Brand</li><li>Supplier</li><li>Webhook</li></ul> |
| **Pricing Manager**           | <ul><li>Price Model</li><li>Price List</li><li>Tax</li><li>Unit</li></ul>                                                                        |
| **Order Fulfillment Manager** | <ul><li>Customer</li><li>Order</li><li>SEPA</li><li>Return</li><li>Checkout</li><li>Site</li></ul>                                               |


