
Realms

Realms are the highest-level isolation boundary within IAM and form the foundation of multi-tenancy in PLTFRMS.

Each realm represents a completely separate identity and access management environment, containing its own users, organisations, roles, permissions, and applications.


What is a realm?

A realm is an isolated IAM container that defines:

  • Identity space (users and authentication)
  • Access control model (roles, groups, permissions)
  • Application layer (OAuth2/OpenID clients)
  • Organisational structure
  • Security and policy boundaries

Nothing is shared between realms unless an integration between them is explicitly configured and controlled.


Isolation model

Realms are strictly isolated from each other:

  • Users in one realm cannot authenticate into another realm
  • Roles and permissions are not shared across realms
  • OAuth2 tokens issued by one realm are not accepted by any other realm
  • Clients and applications are bound to a specific realm

This gives strong tenant separation at the identity layer. Applications that consume tokens must uphold it as well: a resource server should verify that a token was issued by the realm it expects, not only that the signature is valid.


What exists inside a realm?

Each realm contains its own complete IAM structure:

  • Users
  • Groups
  • Roles
  • Permissions (scopes)
  • Organisations
  • OAuth2 / OpenID clients
  • Policies and configuration

A realm is effectively a full IAM environment in itself.


Realms and organisations

Within a realm, organisations provide an additional structural layer.

  • A realm can contain multiple organisations
  • Users can belong to one or more organisations
  • Access is always evaluated in both realm and organisation context

This allows fine-grained separation of business units within a single identity boundary.
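As an added example (not code from the IAM product or from this page), the following shows what a resource server has to do to honour both of the rules above: reject any token that was not issued by the realm it expects, and then evaluate access in realm plus organisation context. Everything specific in it is assumed: HS256-signed JWT access tokens, a per-realm issuer URL under https://iam.example.invalid/realms/<realm>, the realm names acme and globex, their signing keys and registered clients, and the organisations and scopes in the sample token. The product's real token format and issuer layout are not stated on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (not the product's real configuration): each realm
# has its own signing key and its own registered clients; nothing is shared.
REALM_KEYS = {
    "acme": b"acme-realm-signing-key-constructed-for-example",
    "globex": b"globex-realm-signing-key-constructed-for-example",
}
REALM_CLIENTS = {
    "acme": {"acme-web"},
    "globex": {"globex-portal"},
}
TOKEN_LIFETIME = 300  # seconds; assumed value


def issuer_for(realm: str) -> str:
    """Assumed per-realm issuer URL layout; the real layout is not on this page."""
    return f"https://iam.example.invalid/realms/{realm}"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(realm, client_id, subject, orgs, scopes, now=None):
    """Mint an HS256 access token under the realm's own key.

    The client must be registered in this realm (clients are realm-bound) and
    the issuer claim names the realm so a verifier can bind the token to it.
    """
    if client_id not in REALM_CLIENTS.get(realm, set()):
        raise ValueError(f"client {client_id!r} is not registered in realm {realm!r}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer_for(realm),
        "aud": client_id,
        "sub": subject,
        "orgs": sorted(orgs),
        "scope": " ".join(sorted(scopes)),
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(REALM_KEYS[realm], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_realm, expected_client, now=None):
    """Accept the token only if it belongs to expected_realm.

    The verification key is chosen from the realm the verifier expects, never
    from the token's own (unauthenticated) issuer claim, so a token minted in
    another realm fails signature verification and is rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse algorithm substitution
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected_sig = hmac.new(REALM_KEYS[expected_realm], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature not valid for this realm")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer_for(expected_realm):
        raise ValueError("issuer does not match realm")
    if claims.get("aud") != expected_client:
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(token, realm, client_id, org, required_scope, now=None):
    """Evaluate access in realm + organisation context.

    The token must verify for this realm, the subject must belong to the
    organisation, and the required scope must have been granted.
    """
    try:
        claims = verify_token(token, realm, client_id, now)
    except (ValueError, KeyError):
        return False
    if org not in claims.get("orgs", []):
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token("acme", "acme-web", "alice", ["sales"], ["orders:read"], now=t0)
    print(authorize(tok, "acme", "acme-web", "sales", "orders:read", now=t0))          # True
    print(authorize(tok, "globex", "globex-portal", "sales", "orders:read", now=t0))   # False: other realm
    print(authorize(tok, "acme", "acme-web", "finance", "orders:read", now=t0))       # False: wrong organisation
```

The design point is the key lookup in verify_token: the verifier decides which realm it serves and fetches that realm's key, then checks that the issuer claim agrees. Selecting the key from the token's own iss claim would let a token from any realm pick its own verifier and would dissolve the realm boundary the page describes. Organisation membership is then checked only after the realm check has passed, which is the "realm and organisation context" evaluation in the list above.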


Realms and applications

Each realm can act as an independent identity provider.

This means a realm can:

  • Authenticate users via hosted login
  • Issue OAuth2 access tokens
  • Serve as an OpenID Connect provider
  • Manage applications (clients) independently

In practice, each realm behaves like its own identity system instance.


Customer-owned realms

A key feature of IAM is that realms are customer-owned and customer-managed.

This allows customers to:

  • Create and manage their own identity environments
  • Define their own users, roles, and permissions
  • Configure hosted login experiences
  • Integrate IAM into their own applications

This makes IAM a full identity platform rather than only an internal system.


Use cases

Realms are used for:

  • Multi-tenant SaaS isolation
  • Enterprise customer separation
  • White-label IAM deployments
  • Environment separation (dev, staging, production)
  • Partner or reseller identity domains


Why realms matter

Realms are the core building block that enables IAM to scale securely.

They ensure:

  • Strong isolation between customers and environments
  • Predictable security boundaries
  • Scalable multi-tenant architecture
  • Independent identity ecosystems per customer

Without realms, IAM would not be able to safely support multi-tenant identity at scale.