Updated on 2024-07-05 GMT+08:00

Identity Authentication and Access Control

Identity Authentication

Every call to an IoTDA API must carry an identity credential, and the platform verifies that credential before it processes the request. Each IoTDA access scenario uses a different kind of credential:

  • IoTDA application APIs (the management APIs called by your own application) accept either an IAM token or an access key pair (AK/SK). For details, see Authentication.
  • For MQTT device connection authentication, the device carries a client ID, its device ID, and the encrypted device secret. The secret itself is not sent; "encrypted" here means an HMAC-SHA256 digest of the secret keyed with the connection timestamp, as described on the linked page. For details, see Device Connection Authentication.
  • For HTTP device connection authentication, the device carries its device ID, the password signature type (which tells the platform whether to check the timestamp), the timestamp, and the same encrypted device secret, and receives an access token for later requests. For details, see Authenticating a Device.
  • For authenticating the connection between an AMQP client and IoTDA, the client carries an accessKey and an accessCode. For details, see AMQP Client Access.
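The credentials carried in the MQTT and HTTP device scenarios above can be derived from the device secret as follows. This is an added example, not code from this page or from Huawei's SDKs. The client ID layout (deviceId_0_signType_timestamp), the UTC YYYYMMDDHH timestamp, the HTTP request field names, and the HMAC-SHA256 construction (timestamp as key, secret as message, hex digest) follow the linked Device Connection Authentication and Authenticating a Device pages; DEVICE_ID, DEVICE_SECRET and the sample times are constructed. verify_password models the check a verifier holding the secret would perform and is not IoTDA's own code.

```python
"""Deriving IoTDA device credentials from a device secret.

Added example, not code from the Huawei Cloud page or SDKs. The
formats it encodes (client ID = deviceId_0_<signType>_<timestamp>,
UTC timestamp in YYYYMMDDHH form, password = HMAC-SHA256 keyed with
the timestamp over the secret, hex-encoded) are taken from the
linked Device Connection Authentication / Authenticating a Device
pages; DEVICE_ID, DEVICE_SECRET and the sample times are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values; not real IoTDA identifiers.
DEVICE_ID = "6442e6c3c2a7d30f1a9e0001_sensor-01"  # device IDs may themselves contain "_"
DEVICE_SECRET = "a1b2c3d4e5f6A7B8"
SAMPLE_NOW = datetime(2024, 7, 5, 9, 30, tzinfo=timezone.utc)
SAMPLE_STALE = SAMPLE_NOW - timedelta(hours=3)


def iotda_timestamp(now: datetime) -> str:
    """UTC time truncated to the hour, in the YYYYMMDDHH form IoTDA expects."""
    return now.astimezone(timezone.utc).strftime("%Y%m%d%H")


def sign_secret(secret: str, timestamp: str) -> str:
    """The 'encrypted device secret': HMAC-SHA256 over the secret, keyed with the
    timestamp string. Only this digest goes on the wire; the secret stays on the device."""
    return hmac.new(timestamp.encode(), secret.encode(), hashlib.sha256).hexdigest()


def mqtt_credentials(device_id: str, secret: str, now: datetime,
                     check_timestamp: bool = True) -> dict:
    """MQTT CONNECT fields. Sign type 1 asks the platform to check the timestamp,
    0 to ignore it (the digest depends on the timestamp either way)."""
    ts = iotda_timestamp(now)
    sign_type = "1" if check_timestamp else "0"
    return {
        "client_id": f"{device_id}_0_{sign_type}_{ts}",
        "username": device_id,
        "password": sign_secret(secret, ts),
    }


def http_auth_body(device_id: str, secret: str, now: datetime,
                   check_timestamp: bool = True) -> dict:
    """Body for the HTTP device authentication request (field names assumed from
    the linked page): the same digest, with the timestamp sent as its own field."""
    ts = iotda_timestamp(now)
    return {
        "device_id": device_id,
        "sign_type": 1 if check_timestamp else 0,
        "timestamp": ts,
        "password": sign_secret(secret, ts),
    }


def verify_password(stored_secret: str, client_id: str, password: str,
                    now: datetime, max_skew_hours: int = 1) -> bool:
    """How a verifier holding the secret can check such a password. This models the
    behaviour the linked page describes (timestamp checked only for sign type 1,
    about one hour of tolerance); it is not IoTDA's internal code.
    The device ID may contain "_", so the client ID is split from the right."""
    try:
        device_id, conn_type, sign_type, ts = client_id.rsplit("_", 3)
        sent_hour = datetime.strptime(ts, "%Y%m%d%H").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if not device_id or conn_type != "0" or sign_type not in ("0", "1"):
        return False
    if sign_type == "1":
        skew = abs(now.astimezone(timezone.utc) - sent_hour)
        if skew > timedelta(hours=max_skew_hours):
            return False
    expected = sign_secret(stored_secret, ts)
    # Constant-time comparison; a plain == leaks timing information about the digest.
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    creds = mqtt_credentials(DEVICE_ID, DEVICE_SECRET, SAMPLE_NOW)
    print(creds)
    print("verifies:", verify_password(DEVICE_SECRET, creds["client_id"],
                                       creds["password"], SAMPLE_NOW))
```

Two points worth noting from the model. "Encrypted" is a misnomer: the password is a keyed hash, not reversible encryption, so a verifier must hold the device secret and recompute the digest. And the timestamp is what limits replay: with sign type 1 a captured client ID and password stop verifying once the skew window has passed, whereas with sign type 0 the verifier accepts any timestamp, so the same captured pair would verify indefinitely. Prefer sign type 1 on devices with a usable clock.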

Access Control

IoTDA supports access control through IAM. IAM permissions define which actions on your cloud resources are allowed or denied. After creating an IAM user, the administrator needs to add it to a user group and grant the permissions required by IoTDA to the user group. Then, all users in this group automatically inherit the granted permissions.

IAM presets system permissions for each cloud service so that you can quickly configure basic permissions. The following table lists all system permissions of IoTDA. Tenant Administrator and Tenant Guest are tenant-wide roles that cover every service except IAM; when a user group only works with IoTDA, grant IoTDA FullAccess or IoTDA ReadOnlyAccess instead so the group holds no more permission than it needs.

Table 1 All system permissions of IoTDA

Role/Policy Name      | Description                                                             | Type
Tenant Administrator  | Permissions to perform all operations on all services except IAM        | System-defined role
Tenant Guest          | Permissions to perform read-only operations on all services except IAM  | System-defined role
IoTDA FullAccess      | Permissions to perform all operations on IoTDA resources                | System-defined policy
IoTDA ReadOnlyAccess  | Permissions to perform read-only operations on IoTDA resources          | System-defined policy