Product reference pages are available in English only.
Management

Identity & Access Management

What Is It?

Identity & Access Management (IAM) provides centralized control over user identities, authentication, and resource permissions within IONOS Cloud. It enables contract owners to create users and groups, enforce password policies, assign role-based privileges, and generate API authentication tokens. IAM ensures secure, fine-grained access control across Virtual Data Centers and cloud resources.

Quick Facts

Aspect Details
Type Identity and access control service
Core Components Users, Groups, Password Policy, Token Manager
Authentication Username/password, API tokens (JWT Bearer)
Authorization Model Role-Based Access Control (RBAC)
Token Limit Up to 100 active tokens per user
Password Policy One contract-wide policy, minimum 5 characters

IAM Components

Component Purpose Key Capabilities
Users Individual identities that can log in to the IONOS Cloud console or APIs. Assigned privileges determine allowed actions (e.g., create resources, manage tokens, enforce MFA). Created via Menu → Management → Users & Groups → Users → Create (first name, last name, unique e-mail, password). Password must comply with the contract's password policy.
Groups Logical collections of users used to apply permissions at scale. Groups simplify permission management for large or dynamic teams. Created via Groups → Create and can have members added from a drop-down list. Privileges (view, edit, share) are granted to the group; all members inherit them automatically. Administrators are exempt from group management because they already have full contract access.
Resources Any VDC object (VDCs, images, snapshots, IP blocks, etc.) that can be accessed by users or groups. Access can be granted or revoked only at the group level; resource sharing to an individual user is not supported outside of a group. When a resource is associated with a group, members can view, edit, or share it according to the selected check-boxes. Resources created by contract owners are hidden from non-admin users unless explicitly shared via a group.
Password Policy Centralized rules that enforce password strength for all sub-users. Defined by contract owners only. Customizable length, required uppercase/lowercase, numeric, and special-character counts; minimum length is 5 characters. Enforced on new user creation; existing accounts retain the previous policy.
Token Manager Generates short-lived authentication tokens for API/SDK access. Available to any user (mandatory for accounts with forced 2FA). Up to 100 tokens can be created, each with a selectable TTL (1 hour – 365 days). Token value is shown only once; it can be downloaded as a text file for safekeeping. Tokens can be deleted at any time, instantly revoking access.

Password Policy Specifications

Feature Core Capabilities Key Specifications
Enforcement Enforces password-strength rules for all contract sub-users. Customizable length, uppercase, lowercase, numeric and special-character requirements. Minimum length = 5 characters (cannot be set lower). No maximum limits on length or character counts (only minimum quantities are enforced). One policy per contract; existing accounts keep the old policy, new accounts follow the current one. Deleting the policy reverts to the IONOS standard (≥5 chars, mixed case, at least one number, optional special chars).
Management Create, read, update, delete via the Data Center Designer (DCD) or the IAM Identity Password Policies API (/{passwordPolicyId}/). Only contract owners can define or modify the policy. One policy per contract; you cannot have multiple concurrent policies. Minimum password length is 5 characters; you cannot set a policy below that. No maximum limits on length or on the number of required uppercase, lowercase, numeric or special characters, but each selected character-type must have a minimum quantity > 0. The policy is enforced only for new users; existing accounts keep their previous password rules.

Token Manager Specifications

Feature Details
Token Type JWT Bearer tokens for API/SDK authentication
TTL Options 1h, 4h, 1 day, 7 days, 30 days, 60 days, 90 days, 180 days, 365 days
Limit Up to 100 active tokens per user
Display Token value shown only once at creation
Revocation Instant invalidation upon deletion

What You Can Do

User Lifecycle Management

Create individual user accounts with unique email addresses and passwords that comply with your contract's password policy. Manage users through the Data Center Designer or the REST API. Users can be assigned directly to groups, and resource access is granted only through group membership.

Note: Only contract owners and administrators can create, edit, or delete users. Users created via the /um/users API endpoint have limited permissions until resources are explicitly shared with them.

Group-Based Access Control

Organize users into logical groups to apply permissions at scale. Assign privileges (view, edit, share) to groups rather than individual users, simplifying permission management for large or dynamic teams. Users inherit all privileges from their group memberships.

Note: Administrators automatically have full contract access and do not need group membership. Multiple group memberships are supported; privileges are the union of all assigned groups.

Resource-Level Permissions

Control access to VDC resources (Virtual Data Centers, images, snapshots, IP blocks, etc.) by associating them with groups; individual users gain access only through their group memberships. Grant view, edit, or share permissions on a per-resource basis. Resources created by contract owners remain hidden from regular users unless explicitly shared.

Password Policy Enforcement

Define contract-wide password requirements including minimum length, character complexity (uppercase, lowercase, numeric, special characters), and minimum quantities for each character type. The policy applies automatically to all new user accounts.

Note: One password policy per contract. The policy is enforced only for new users; existing accounts retain their previous password rules until they change their password.

API Token Generation

Generate Bearer JWT tokens for programmatic access to IONOS Cloud APIs and SDKs. Each token has a configurable Time To Live (TTL) ranging from 1 hour to 365 days. Tokens respect the user's assigned privileges and can be revoked instantly by deletion.

Note: Token Manager is mandatory for accounts with forced 2FA. The token value is displayed only once at creation; download or store it immediately as it cannot be retrieved later.

Federation Integration

Connect IAM to external identity providers (Azure AD, Okta, OneLogin, etc.) using SAML or OpenID Connect protocols. Enable Single Sign-On (SSO) for interactive login to the DCD, Reseller Portal, and Control Panel.

Note: IAM Federation is authentication-only. It delegates sign-in (credentials and MFA) to the external IdP but does not provision, deprovision, or role-manage IONOS Cloud accounts (no just-in-time provisioning). Each user must already have an IONOS Cloud account and link it to the IdP; IONOS accounts and privileges are still managed in IONOS IAM.

Best For

Scenario Why It Fits
Multi-user environments Centralized user management with fine-grained resource permissions prevents unauthorized access and simplifies onboarding/offboarding
Development teams Group-based access control enables easy permission management for projects, environments (dev/test/prod), and team roles
API automation Token Manager provides secure, time-limited authentication for CI/CD pipelines, infrastructure-as-code tools, and custom integrations
Compliance requirements Contract-wide password policies enforce security standards; resource-level audit trails support compliance reporting
Enterprise SSO Federation with corporate identity providers delivers seamless authentication and reduces credential sprawl
Partner collaboration Federation lets users sign in with their corporate IdP credentials; each user must have an existing IONOS Cloud account linked to the IdP

Consider Alternatives If

If You Need... Consider Why
Advanced IAM features (adaptive MFA, risk-based policies) Third-party SaaS IAM (OneLogin, Okta) IONOS native IAM provides basic RBAC and password policies; advanced security requirements may demand specialized IAM platforms with adaptive authentication and extensive audit capabilities
Multi-cloud identity governance Third-party IdP with federation If you manage identities across multiple cloud providers, a centralized IdP (Azure AD, Okta) with SAML/OIDC federation to IONOS simplifies cross-cloud access control
Simple single-user scenarios Direct API credentials For small-scale automation or personal projects, generating a single API token may suffice without the overhead of users, groups, and policies

Key Considerations

Billing & Costs

  • Main billing: IAM features are included with IONOS Cloud contracts at no additional charge
  • No per-user fees: Create unlimited users and groups without incremental costs
  • Token usage: Token generation and management are free; API calls made using tokens follow standard IONOS Cloud pricing

Limitations

  • Only contract owners and administrators can create, edit, or delete users; only the contract owner can define or modify the password policy
  • Administrators automatically have full contract access and cannot be restricted through groups
  • One password policy per contract; you cannot have multiple concurrent policies
  • Password policy minimum length is 5 characters (cannot be set lower)
  • Password policy is enforced only for new users; existing accounts keep previous rules until password change
  • Up to 100 active tokens per user
  • Token TTL limited to predefined options (1h, 4h, 1 day, 7 days, 30 days, 60 days, 90 days, 180 days, 365 days)
  • Token value displayed only once at creation; cannot be retrieved later
  • Resources created by contract owner are hidden from non-admin users unless explicitly shared via groups
  • Users created via /um/users API endpoint have limited permissions until resources are shared
  • Privileges are fine-grained per resource; no contract-wide role templates

Management Options

  • Data Center Designer (DCD) web console under Menu → Management → Users & Groups
  • IAM REST API endpoints (/um/users, /um/groups, /{passwordPolicyId}/)
  • Language-specific SDKs (Python, Java, Go, Node.js) with Bearer token authentication
  • Token Manager for API/SDK authentication token lifecycle