18 min read

Learning Objectives

By the end of this module, you will be able to:

  • Explain the IONOS Role-Based Access Control (RBAC) model and its three core roles
  • Describe how Users and Groups enable scalable permission management
  • Identify when to use Token Manager for API authentication
  • Explain how IAM Federation and Single Sign-On (SSO) work in IONOS Cloud
  • Apply the Principle of Least Privilege to control access to cloud resources

Unit 3.2: Identity and Access Management

Introduction

Think of managing access to cloud resources like running a busy office building. You need some people to have master keys (administrators), others to access only specific floors (department teams), and visitors who need temporary badges for limited areas. Without a system to control who enters which rooms, security falls apart. Identity and Access Management (IAM) provides exactly this kind of control for your cloud environment.

In this unit, you will learn how IONOS Cloud implements IAM through Role-Based Access Control (RBAC), user and group management, API authentication tokens, and identity federation. Whether you are securing a small team's resources or managing access across multiple organizations, understanding IAM is essential for maintaining security, compliance, and operational efficiency.

1. IONOS Role-Based Access Control (RBAC) Model

IONOS Cloud uses a Role-Based Access Control (RBAC) model to manage who can perform which actions within a cloud contract. Access is granted through roles, privileges, and groups, allowing you to implement the Principle of Least Privilege across your entire platform.

1.1 The Three Core Roles

IONOS Cloud defines three primary roles, each with different levels of access:

Role Access Level Key Capabilities Restrictions
Account Owner Full access (unrestricted) - Holds all privileges and permissions (cannot be revoked)<br>- Receives all legal communications and invoices<br>- Can add or remove any other user<br>- Can change payment methods - Cannot be removed from the contract<br>- This role is automatically assigned to the user who creates the contract
Administrator Full access (nearly unrestricted) - Same rights as Owner for resource management<br>- Can add or remove users (except the Owner)<br>- Can manage all cloud resources (VDCs, servers, storage, etc.) - Cannot change payment methods<br>- Cannot remove the Owner
User Limited access (explicitly granted) - Can perform only actions explicitly assigned through privileges<br>- Can access only resources shared with their groups<br>- Ideal for applying Principle of Least Privilege - No default permissions<br>- Must be granted explicit privileges for each action

The Owner role is automatically created when you first sign up for IONOS Cloud and cannot be transferred or removed. This ensures that there is always an account holder responsible for billing and legal matters.

1.2 How Privileges Work

Privileges are action-level grants that define what a user or group can do. Examples include "create a Virtual Data Center," "read backups," "manage Network File Storage," or "share snapshots." Instead of giving someone broad administrative access, you assign only the specific privileges they need to perform their job.

Privileges can be assigned in two ways:

  • Directly to individual users - Useful for one-off or unique access requirements
  • To groups - Recommended for scalable management of teams with shared responsibilities

For example, a database administrator might receive privileges to "Access and manage Database as a Service" and "Create snapshots," while a monitoring specialist receives only "Access and manage Monitoring resources" without the ability to modify infrastructure.

1.3 The Principle of Least Privilege (PoLP)

The Principle of Least Privilege means granting users only the minimum permissions required to perform their tasks. This security best practice reduces the attack surface by limiting what a compromised account can access or damage.

IONOS enables PoLP implementation through:

  • Custom group profiles - Pre-defined sets of fine-grained privileges tailored to specific job functions
  • Resource-level permissions - Granting access to specific VDCs, images, snapshots, or IP blocks rather than all resources
  • Regular access reviews - Periodically auditing user accounts and revoking unnecessary privileges
  • Multi-Factor Authentication (MFA) - Requiring a second authentication factor for privileged accounts

When implementing PoLP, start by mapping each job function to the minimal set of actions required. Use the User role with explicit privileges instead of the Administrator role whenever possible, and conduct quarterly reviews to identify and remove stale access rights.

2. Users and Groups Management

Managing access for dozens or hundreds of users individually would be time-consuming and error-prone. IONOS Cloud provides Users and Groups functionality to streamline permission management at scale.

2.1 What Are Users?

A user is an individual identity that can log in to the IONOS Cloud Data Center Designer (DCD) console. Each user is identified by a unique email address and can be assigned specific privileges that define which actions they can perform.

When you create a user, you provide:

  • First name and last name
  • Unique email address (this becomes the login identifier)
  • Initial password (the user should change this on first login)

Regardless of whether a user is created through the DCD interface or via the API, they start with minimal default permissions and cannot see any resources unless those resources are explicitly shared with a group they belong to.

Only the contract Owner and Administrators can create and manage users.

2.2 What Are Groups?

A group is a logical collection of users that enables you to apply permissions collectively rather than individually. Groups simplify RBAC for large or dynamic teams by allowing you to define privileges once and have all group members inherit those rights automatically.

For example, you might create groups such as:

When you add a user to a group, they immediately inherit all privileges assigned to that group. When you remove them from the group, they lose those privileges just as quickly.

2.3 Creating and Managing Groups

To create a group in IONOS Cloud:

  1. Navigate to Menu → Management → Users & Groups
  2. Switch to the Groups tab
  3. Click Create and provide a descriptive group name
  4. Add users to the group via the Members tab
  5. Assign privileges via the Privileges tab (changes apply immediately)
  6. Optionally, grant the group access to specific resources via Grant Access

Groups are particularly useful when team composition changes frequently. Instead of modifying privileges for each individual user, you simply add or remove them from the appropriate group. This approach is recommended for any permission that will be shared by two or more users.

2.4 Resource-Level Access Control

IONOS Cloud allows you to control access at the resource level, meaning you can specify which groups can view, edit, or share specific resources such as VDCs, images, snapshots, and IP blocks.

Resources can have three permission levels:

  • View - Group members can see the resource but cannot modify it
  • Edit - Group members can modify the resource configuration
  • Share - Group members can share the resource with other groups, granting them view rights

When you create a resource as the contract Owner, it is hidden from other users by default. To make it visible, you must share it with at least one group. This ensures that sensitive resources (such as production images or backup snapshots) remain confidential unless explicitly shared.

2.5 When to Use Groups vs Individual Permissions

Situation Recommended Approach Why
Standard roles shared by multiple people (e.g., developers, operators) Create a group and assign privileges to the group Scalable, consistent, easy to audit
Changing team composition (people join/leave frequently) Use groups - add or remove members without changing privileges Reduces administrative overhead
One-off or highly specific access (e.g., temporary read access to a single resource) Assign permissions directly to the individual user Avoids creating unnecessary groups for unique cases
Administrators and contract owners No group needed - they automatically have full access Administrators inherit all permissions by default
Fine-grained resource sharing (e.g., specific VDC or snapshot) Assign the resource to a group via Grant Access Only group members can see or manage the resource

In general, use groups for any permission shared by two or more users, and use individual permissions only for unique, temporary, or one-off requirements.

3. Token Manager for API Authentication

Many IONOS Cloud operations can be performed programmatically using the IONOS Cloud API. To authenticate API requests securely without sending your password, IONOS provides Token Manager.

3.1 What Is Token Manager?

Token Manager is a service that generates Bearer tokens (JSON Web Tokens or JWTs) representing your user session. These tokens can be used instead of your username and password when making API calls.

A token is a short-lived credential that you include in the Authorization header of every API request. Instead of authenticating with your password each time, you authenticate once by generating a token, then use that token for all subsequent API calls until it expires.

3.2 Why Use Token Manager?

Token Manager provides several benefits over password-based authentication:

  • Required for 2FA accounts - If your account has Two-Factor Authentication (2FA) enabled, you cannot use password-only authentication for API calls. Token Manager provides the only way to authenticate API requests in this scenario.
  • Improved security - Tokens are time-limited and can be revoked immediately if compromised, whereas changing a password affects all your access methods.
  • Separation of concerns - You can create multiple tokens for different applications or automation scripts, and revoke individual tokens without affecting others.
  • Audit trail - Token usage can be tracked separately from interactive console logins.

3.3 How Token Manager Works

To use Token Manager:

  1. In the Data Center Designer, navigate to Menu → Management → Token Manager
  2. Click Generate Token
  3. Select a Time-To-Live (TTL) for the token (options range from 1 hour to 365 days)
  4. Click Create - the token value is displayed once and cannot be retrieved again
  5. Copy the token value and store it securely

Once you have a token, include it in the Authorization header of your API requests:

Authorization: Bearer <your-token-value>

Each user can have up to 100 active tokens. You can delete a token at any time through the Token Manager interface, which immediately invalidates it even if the TTL has not expired.

3.4 Token Attributes

Each token has the following attributes:

  • Token ID - Used to reference the token in the API (for example, when deleting it)
  • Creation Date - When the token was generated
  • Expiration Date - When the token will automatically expire (based on the selected TTL)
  • TTL (Time-To-Live) - The lifespan of the token (selectable from 1 hour to 365 days)
  • Token Value - The actual secret string used for authentication (shown only once at creation)

For security reasons, it is recommended to use shorter TTLs (such as 1 day or 1 week) for tokens used in production environments, and to rotate tokens regularly.

4. IAM Federation and Single Sign-On (SSO)

For organizations that already use an enterprise Identity Provider (IdP) such as Azure Active Directory, Okta, or OneLogin, IONOS Cloud supports IAM Federation. This feature allows users to authenticate using their corporate credentials instead of maintaining separate IONOS passwords.

4.1 What Is IAM Federation?

IAM Federation is a service that lets users authenticate to IONOS Cloud using credentials from an external Identity Provider. It supports two industry-standard protocols:

  • SAML 2.0 - A widely-used XML-based protocol for web-based single sign-on
  • OpenID Connect (OIDC) - A modern JSON-based protocol built on top of OAuth 2.0

When IAM Federation is enabled, users can log in to the IONOS Data Center Designer by clicking "Sign in with a linked account" and being redirected to their organization's IdP. After successful authentication with the IdP, they are automatically signed in to IONOS Cloud without entering an IONOS-specific password.

4.2 Benefits of IAM Federation

IAM Federation provides several advantages:

Benefit Description
Single Sign-On (SSO) Users sign in once and gain access to multiple IONOS services (DCD, Control Panel, Reseller Portal) without repeated logins
Improved Security Authentication is performed by your organization's trusted IdP, often with Multi-Factor Authentication and conditional access policies already in place
Reduced Phishing Risk User passwords are never stored in IONOS Cloud, eliminating one attack vector for credential theft
Centralized Authentication Sign-in is handled by your organization's trusted Identity Provider, so users authenticate through one central system rather than a separate IONOS login
Central Credential Control Disabling a user's account in your IdP immediately blocks their federated sign-in to IONOS Cloud. The IONOS Cloud account and its assigned privileges remain and are still managed within IONOS
Enhanced User Experience Seamless login with familiar corporate credentials, no need to remember multiple passwords
Fewer Separate Passwords Users sign in with their existing corporate credentials, so they do not need to create or remember a separate IONOS Cloud password

4.3 How IAM Federation Works

Setting up IAM Federation involves the following steps:

  1. Domain Ownership Verification - You prove ownership of your organization's domain (such as yourcompany.com) by creating a TXT record in your DNS
  2. Identity Provider Onboarding - You provide IONOS with your IdP's discovery endpoint information (such as the SAML metadata XML URL or OIDC configuration endpoints)
  3. User Account Linking - Each user links their existing IONOS Cloud account to their corporate identity via the IAM Federation menu in the DCD
  4. SSO Login - Users can now log in to IONOS Cloud by entering their corporate email address and selecting "Sign in with a linked account"

After linking, the user is redirected to the organization's IdP login page, authenticates there (often with MFA), and is then returned to the IONOS Data Center Designer fully authenticated.

4.4 IAM Privileges and Federation

It is important to understand that IAM Federation only handles authentication (verifying who the user is), not authorization (determining what the user can do). The IONOS RBAC privileges assigned to a user remain unchanged when they link to an external IdP.

For example, if a user has the privilege "Access and manage Database as a Service" before linking to federation, they will still have that same privilege after linking. Federation provides an alternative login method but does not change the underlying permissions.

5. Implementing IAM Best Practices

Effective IAM implementation goes beyond understanding the technical features. It requires following security best practices to protect your cloud environment.

5.1 Security Best Practices Checklist

When implementing IAM in IONOS Cloud, follow these guidelines:

  1. Apply the Principle of Least Privilege (PoLP) - Grant users only the minimum permissions required for their job functions. Use the User role with explicit privileges instead of the Administrator role whenever possible.

  2. Use Groups for Team-Based Access - Create groups that reflect organizational roles (such as developers, operators, auditors) and assign privileges to groups rather than individual users. This simplifies management and ensures consistency.

  3. Enable Multi-Factor Authentication (MFA) - Require MFA for the contract Owner, all Administrators, and any users with elevated privileges. This adds a critical second layer of security.

  4. Conduct Regular Access Reviews - At least quarterly, review user accounts, group memberships, and assigned privileges. Revoke access immediately when employees change roles or leave the organization.

  5. Rotate API Tokens Regularly - Use short TTLs for production tokens (1-7 days recommended) and rotate them on a regular schedule. Delete tokens that are no longer in use.

  6. Use IAM Federation When Available - If your organization already has an enterprise IdP, use IAM Federation to centralize authentication and leverage your existing security controls.

  7. Document Your IAM Policies - Maintain written documentation that defines roles, group structures, privilege assignments, and review schedules. This ensures consistency and helps with compliance audits.

  8. Monitor Activity Logs - Use the Activity Logs service (covered in Unit 3.4) to track who performed which actions and when. This provides an audit trail for security and compliance purposes.

5.2 Common IAM Mistakes to Avoid

Several common mistakes can undermine IAM security:

  • Over-privileging users - Granting Administrator rights when specific privileges would suffice increases risk if an account is compromised
  • Sharing credentials - Each individual should have their own user account and credentials, never shared with teammates
  • Ignoring stale accounts - Failing to remove users who have left the organization or changed roles leaves unnecessary access in place
  • Using long-lived tokens - Tokens with 365-day TTLs are convenient but create long-term security risks if compromised
  • Forgetting to enable MFA - Relying on passwords alone leaves accounts vulnerable to phishing and credential stuffing attacks
  • Not documenting group structures - Without documentation, privilege assignments become unclear over time, making audits difficult

Common Use Cases

Real-world scenarios where Identity and Access Management is essential:

  1. Multi-Team Development Environment: A software company has separate teams for frontend, backend, and DevOps. Using IONOS Groups, they create "Frontend Developers" with privileges to manage Compute Engine and Load Balancers (covered in Unit 2.2 and 2.4), "Backend Developers" with access to Database as a Service and Object Storage (Unit 2.5 and 2.3), and "DevOps Engineers" with full infrastructure privileges. When developers change teams, administrators simply move them to the appropriate group rather than reconfiguring individual permissions.

  2. Federated Access for Enterprise: A large corporation already uses Azure Active Directory for employee authentication across all internal systems. By implementing IAM Federation (Section 4), they allow employees to sign in to IONOS Cloud using their corporate credentials and MFA policies. When an employee leaves, disabling their Azure AD account blocks their federated sign-in to IONOS Cloud. The employee's IONOS Cloud account should still be removed as part of your normal deprovisioning process.

  3. API Automation with Token Manager: An e-commerce platform uses automated scripts to provision test environments every morning and tear them down each evening to save costs. Using Token Manager (Section 3), they generate a 7-day API token with minimal required privileges ("Create VDC," "Create Servers," "Delete Resources") and use it in their automation scripts. The token is rotated weekly and provides an audit trail separate from individual user accounts.

Summary

Identity and Access Management is the cornerstone of cloud security, determining who can access your resources and what they can do with them. IONOS Cloud provides a comprehensive IAM framework built on Role-Based Access Control, enabling you to implement fine-grained security policies that scale from small teams to large enterprises.

You have learned how IONOS's three-tier role system (Owner, Administrator, User) provides flexibility in access control, how Users and Groups enable scalable permission management, and how Token Manager secures API authentication. You have also explored how IAM Federation and Single Sign-On can integrate IONOS Cloud with your existing enterprise identity infrastructure, streamlining authentication while improving security.

Effective IAM implementation requires more than technical configuration. It demands a commitment to the Principle of Least Privilege, regular access reviews, Multi-Factor Authentication enforcement, and clear documentation of policies and procedures. By following these best practices, you can significantly reduce security risks while maintaining operational efficiency.

Key Points:

  • IONOS Cloud uses a Role-Based Access Control (RBAC) model with three roles: Owner (full unrestricted access), Administrator (full access except payment changes), and User (explicitly granted privileges only)
  • Groups enable scalable permission management by allowing you to assign privileges collectively to multiple users rather than individually
  • Token Manager generates Bearer tokens for secure API authentication, required for accounts with Two-Factor Authentication enabled
  • IAM Federation supports SAML 2.0 and OpenID Connect, allowing users to authenticate with external Identity Providers for Single Sign-On
  • The Principle of Least Privilege means granting users only the minimum permissions required for their job functions, reducing security risk
  • Best practices include enabling MFA, conducting quarterly access reviews, rotating API tokens regularly, and documenting IAM policies

Important Terminology:

  • RBAC (Role-Based Access Control): A model for managing access based on predefined roles with specific privileges
  • Privilege: An action-level grant that defines what a user or group can perform (e.g., create VDCs, manage databases)
  • Group: A logical collection of users that inherit privileges collectively
  • Token Manager: A service for generating Bearer tokens (JWTs) used for API authentication
  • IAM Federation: A service allowing users to authenticate with external Identity Providers using SAML 2.0 or OIDC
  • SSO (Single Sign-On): Authentication method allowing users to log in once and access multiple services without repeated credential entry
  • Principle of Least Privilege (PoLP): Security practice of granting users only the minimum permissions required for their tasks

Next Steps

Continue Learning: Unit 3.3: Cost Management and Billing

Related Topics: