1{
2  "beforeAfterDiagram": {
3    "beforeImage": {
4      "url": "/img/use-cases/identity-based-access/identity-based-access-challenge.png",
5      "alt": "Grpahic — different identity icons around cloud tool icons"
6    },
7    "beforeHeadline": "The Challenge",
8    "beforeContent": "With the proliferation of different clouds, services, and systems all with their own identity providers, organizations need a way to manage identity sprawl",
9    "afterImage": {
10      "url": "/img/use-cases/identity-based-access/identity-based-access-solution.png",
11      "alt": "Graphic — organized idenetiy icons in boxes outline with vault icon"
12    },
13    "afterHeadline": "The Solution",
14    "afterContent": "Vault merges identities across providers and uses a unified ACL system to broker access to systems and secrets"
15  },
16  "features": [
17    {
18      "textSplit": {
19        "heading": "Identity Plugins",
20        "content": "Improve the extensibility of Vault with pluggable identity backends."
21      },
22      "logoGrid": [
23        {
24          "url": "https://www.datocms-assets.com/2885/1566919170-aws.svg",
25          "alt": "AWS logo"
26        },
27        {
28          "url": "https://www.datocms-assets.com/2885/1539799149-azure-stacked-color.svg",
29          "alt": "Microsoft Azure logo"
30        },
31        {
32          "url": "https://www.datocms-assets.com/2885/1513617132-google-cloud.svg",
33          "alt": "Google Cloud logo"
34        },
35        {
36          "url": "https://www.datocms-assets.com/2885/1540418681-kubernetes.png",
37          "alt": "Kubernetes logo"
38        },
39        {
40          "url": "https://www.datocms-assets.com/2885/1619808232-nomad-logomark-color.svg",
41          "alt": "Nomad logo"
42        },
43        {
44          "url": "https://www.datocms-assets.com/2885/1556657783-oktalogo.svg",
45          "alt": "Okta logo"
46        },
47        {
48          "url": "https://www.datocms-assets.com/2885/1608658344-pivotalcf.png",
49          "alt": "PivotalCF logo"
50        },
51        {
52          "url": "https://www.datocms-assets.com/2885/1506540149-black.svg",
53          "alt": "SSH logo"
54        },
55        {
56          "url": "https://www.datocms-assets.com/2885/1608143270-ellipsis.png",
57          "alt": "ellipsis icon"
58        }
59      ]
60    },
61    {
62      "textSplit": {
63        "heading": "Entities",
64        "content": "Integrated identities across platforms and using this information for policy and access control decisions.",
65        "textSide": "right"
66      },
67      "image": {
68        "url": "/img/use-cases/identity-based-access/entities.png",
69        "alt": "Vault UI showing entity entries"
70      }
71    },
72    {
73      "textSplit": {
74        "heading": "Control Groups",
75        "content": "Require multiple Identity Entities or members of Identity Groups to authorize an requested action."
76      },
77      "image": {
78        "url": "/img/use-cases/identity-based-access/control-groups.png",
79        "alt": "'Control Groups' UI prompting authorization"
80      }
81    },
82    {
83      "textSplit": {
84        "heading": "ACL Templates and Policy Control",
85        "content": "Create and manage policies that authorize access control throughout your infrastructure and organization."
86      },
87      "codeBlock": {
88        "options": { "showWindowBar": true },
89        "language": "hcl",
90        "code": "# User template (user-tmpl.hcl)\n# Grant permissions on user specific path\npath \"user-kv/data/{{identity.entity.name}}/*\" {\n  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]\n}\n\n# For Web UI usage\npath \"user-kv/metadata\" {\n  capabilities = [\"list\"]\n}\n\n# Group template (group-tmpl.hcl)\n# Grant permissions on the group specific path\n# The region is specified in the group metadata\npath \"group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*\" {\n  capabilities = [ \"create\", \"update\", \"read\", \"delete\", \"list\" ]\n}\n\n# Group member can update the group information\npath \"identity/group/id/{{identity.groups.names.education.id}}\" {\n  capabilities = [ \"update\", \"read\" ]\n}\n\n# For Web UI usage\npath \"group-kv/metadata\" {\n  capabilities = [\"list\"]\n}\n\npath \"identity/group/id\" {\n  capabilities = [ \"list\" ]\n}\n"
91      }
92    },
93    {
94      "textSplit": {
95        "heading": "Identity Groups",
96        "content": "Group trusted identities into logical groups for group-based access control.",
97        "textSide": "right"
98      },
99      "image": {
100        "url": "/img/use-cases/identity-based-access/admin.png",
101        "alt": "Vault UI showing admin members entries"
102      }
103    },
104    {
105      "textSplit": {
106        "heading": "Multi-factor Authentication",
107        "content": "Enforce MFA workflows when accessing a secret or a secret path."
108      },
109      "codeBlock": {
110        "options": { "showWindowBar": true },
111        "language": "shell-session",
112        "code": "$ curl --header \"X-Vault-Token: ...\" \\\n--header \"X-Vault-MFA:my_totp:695452\" \\\nhttp://127.0.0.1:8200/v1/secret/foo"
113      }
114    }
115  ]
116}
117