{
  "beforeAfterDiagram": {
    "beforeImage": {
      "url": "/img/use-cases/identity-based-access/identity-based-access-challenge.png",
      "alt": "Grpahic — different identity icons around cloud tool icons"
    },
    "beforeHeadline": "The Challenge",
    "beforeContent": "With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl",
    "afterImage": {
      "url": "/img/use-cases/identity-based-access/identity-based-access-solution.png",
      "alt": "Graphic — organized idenetiy icons in boxes outline with vault icon"
    },
    "afterHeadline": "The Solution",
    "afterContent": "Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets"
  },
  "features": [
    {
      "textSplit": {
        "heading": "Identity Plugins",
        "content": "Improve the extensibility of Vault with pluggable identity backends."
      },
      "logoGrid": [
        {
          "url": "https://www.datocms-assets.com/2885/1566919170-aws.svg",
          "alt": "AWS logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1539799149-azure-stacked-color.svg",
          "alt": "Microsoft Azure logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1513617132-google-cloud.svg",
          "alt": "Google Cloud logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1540418681-kubernetes.png",
          "alt": "Kubernetes logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1619808232-nomad-logomark-color.svg",
          "alt": "Nomad logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1556657783-oktalogo.svg",
          "alt": "Okta logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1608658344-pivotalcf.png",
          "alt": "PivotalCF logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1506540149-black.svg",
          "alt": "SSH logo"
        },
        {
          "url": "https://www.datocms-assets.com/2885/1608143270-ellipsis.png",
          "alt": "ellipsis icon"
        }
      ]
    },
    {
      "textSplit": {
        "heading": "Entities",
        "content": "Integrated identities across platforms and using this information for policy and access control decisions.",
        "textSide": "right"
      },
      "image": {
        "url": "/img/use-cases/identity-based-access/entities.png",
        "alt": "Vault UI showing entity entries"
      }
    },
    {
      "textSplit": {
        "heading": "Control Groups",
        "content": "Require multiple Identity Entities or members of Identity Groups to authorize an requested action."
      },
      "image": {
        "url": "/img/use-cases/identity-based-access/control-groups.png",
        "alt": "'Control Groups' UI prompting authorization"
      }
    },
    {
      "textSplit": {
        "heading": "ACL Templates and Policy Control",
        "content": "Create and manage policies that authorize access control throughout your infrastructure and organization."
      },
      "codeBlock": {
        "options": { "showWindowBar": true },
        "language": "hcl",
        "code": "# User template (user-tmpl.hcl)\n# Grant permissions on user specific path\npath \"user-kv/data/{{identity.entity.name}}/*\" {\n  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]\n}\n\n# For Web UI usage\npath \"user-kv/metadata\" {\n  capabilities = [\"list\"]\n}\n\n# Group template (group-tmpl.hcl)\n# Grant permissions on the group specific path\n# The region is specified in the group metadata\npath \"group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*\" {\n  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]\n}\n\n# Group member can update the group information\npath \"identity/group/id/{{identity.groups.names.education.id}}\" {\n  capabilities = [ \"update\", \"read\" ]\n}\n\n# For Web UI usage\npath \"group-kv/metadata\" {\n  capabilities = [\"list\"]\n}\n\npath \"identity/group/id\" {\n  capabilities = [ \"list\" ]\n}\n"
      }
    },
    {
      "textSplit": {
        "heading": "Identity Groups",
        "content": "Group trusted identities into logical groups for group-based access control.",
        "textSide": "right"
      },
      "image": {
        "url": "/img/use-cases/identity-based-access/admin.png",
        "alt": "Vault UI showing admin members entries"
      }
    },
    {
      "textSplit": {
        "heading": "Multi-factor Authentication",
        "content": "Enforce MFA workflows when accessing a secret or a secret path."
      },
      "codeBlock": {
        "options": { "showWindowBar": true },
        "language": "shell-session",
        "code": "$ curl --header \"X-Vault-Token: ...\" \\\n--header \"X-Vault-MFA:my_totp:695452\" \\\nhttp://127.0.0.1:8200/v1/secret/foo"
      }
    }
  ]
}