
Users

Users are the core identity entities in IAM. They represent individual people or service identities that interact with the PLTFRMS ecosystem.

Every authenticated action within PLTFRMS ultimately originates from a user or a user-linked identity.


What is a user?

A user is a unique identity within a Realm that can:

  • Authenticate via OpenID Connect
  • Access applications and APIs
  • Belong to one or more organisations
  • Be assigned roles and permissions (directly or via groups)

Users are the primary actors in the IAM system.


User identity scope

A user always exists within a Realm, and optionally within one or more Organisations.

This means:

  • A user is never global across the platform
  • Identity is always scoped to a realm boundary
  • Access is evaluated within organisation context

This ensures strong isolation and predictable access control.


Authentication

Users authenticate through IAM using:

  • Hosted login flows
  • OpenID Connect (OIDC)
  • OAuth2-based sessions and tokens

After authentication, IAM issues tokens that represent the user’s identity and permissions within a specific context.


Users and organisations

Users can belong to multiple organisations within the same realm.

This allows:

  • Access to different business units or clients
  • Separation of personal and professional contexts
  • Multi-tenant usage for partners or resellers

A user’s permissions may differ per organisation.


Users and groups

Users are typically managed through groups for scalability.

This allows:

  • Assigning permissions to multiple users at once
  • Structuring users by teams or roles
  • Reducing direct user-level permission management

Groups act as an abstraction layer between users and roles.


Users and roles

Users receive access through roles, either:

  • Indirectly via groups (preferred model)
  • Directly in specific cases where needed

Roles define what a user is allowed to do within a given organisation and realm context.
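The scoping rules in the sections above (a user lives in exactly one realm, belongs to organisations inside that realm, and receives permissions per organisation through groups or direct role assignments) can be pinned down with a small evaluator. The following is an added illustration, not code from the PLTFRMS IAM product; the class names, field names and the sample realms, organisations and users are assumptions constructed for the example. It fails closed on a realm mismatch and returns no permissions for an organisation the user is not a member of.

```python
from dataclasses import dataclass, field

# Added illustration of the scoping rules described on this page.
# Class and field names are assumptions, not the PLTFRMS IAM API.


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass
class Organisation:
    org_id: str
    realm: str
    # group name -> roles granted to that group inside this organisation
    group_roles: dict = field(default_factory=dict)
    # user id -> roles assigned directly to that user inside this organisation
    direct_roles: dict = field(default_factory=dict)


@dataclass
class User:
    user_id: str
    realm: str                 # a user exists in exactly one realm
    organisations: frozenset   # ids of organisations the user belongs to
    groups: frozenset          # names of groups the user is a member of


class RealmBoundaryError(Exception):
    """Raised when an evaluation would cross a realm boundary."""


def effective_permissions(user: User, org: Organisation) -> frozenset:
    """Permissions the user holds in the context of one organisation."""
    # Identity is scoped to a realm: never evaluate across realms, fail closed.
    if user.realm != org.realm:
        raise RealmBoundaryError(
            f"user {user.user_id} ({user.realm}) cannot be evaluated in {org.realm}")
    # Access is evaluated within organisation context: non-members get nothing.
    if org.org_id not in user.organisations:
        return frozenset()
    perms = set()
    # Preferred model: roles reach the user indirectly via group membership.
    for group in user.groups:
        for role in org.group_roles.get(group, ()):
            perms |= role.permissions
    # Exception path: roles assigned directly to the user in this organisation.
    for role in org.direct_roles.get(user.user_id, ()):
        perms |= role.permissions
    return frozenset(perms)


def is_allowed(user: User, org: Organisation, permission: str) -> bool:
    return permission in effective_permissions(user, org)


# --- constructed sample data (not real PLTFRMS realms, organisations or users) ---
REPORT_READER = Role("report-reader", frozenset({"reports:read"}))
INVOICE_APPROVER = Role("invoice-approver", frozenset({"invoices:approve"}))
DEAL_VIEWER = Role("deal-viewer", frozenset({"deals:read"}))

FINANCE = Organisation("org-finance", "acme-realm",
                       group_roles={"analysts": [REPORT_READER]},
                       direct_roles={"alice": [INVOICE_APPROVER]})
SALES = Organisation("org-sales", "acme-realm",
                     group_roles={"analysts": [DEAL_VIEWER]})
PARTNER = Organisation("org-partner", "partner-realm",
                       group_roles={"analysts": [DEAL_VIEWER]})

ALICE = User("alice", "acme-realm",
             frozenset({"org-finance", "org-sales"}), frozenset({"analysts"}))
BOB = User("bob", "acme-realm", frozenset({"org-sales"}), frozenset({"analysts"}))


if __name__ == "__main__":
    for org in (FINANCE, SALES):
        print(ALICE.user_id, "in", org.org_id, sorted(effective_permissions(ALICE, org)))
    print(BOB.user_id, "in", FINANCE.org_id, sorted(effective_permissions(BOB, FINANCE)))
    try:
        effective_permissions(ALICE, PARTNER)
    except RealmBoundaryError as err:
        print("blocked:", err)
```

Note that the same group membership ("analysts") yields different permissions in each organisation, which is the property the page describes as "a user's permissions may differ per organisation"; and that the realm check runs before any membership or role lookup, so a misconfigured cross-realm call is rejected rather than silently evaluated.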


Types of users

IAM supports multiple user types, including:

  • Human users (employees, customers, partners)
  • Administrative users (platform or organisation admins)
  • Service accounts (for machine-to-machine access)

Each type follows the same core identity model but may have different authentication or permission rules.


Lifecycle of a user

A user typically goes through the following lifecycle:

  • Created — identity is provisioned in a realm
  • Invited / Registered — user gains access via onboarding or invitation
  • Active — user can authenticate and access resources
  • Suspended — access is temporarily restricted
  • Deleted / Deactivated — identity is removed or disabled
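The lifecycle above is a state machine, and the security-relevant consequence is that only an Active identity may authenticate: a suspended, deactivated or deleted user must be refused even with valid credentials, and the refusal should be auditable. The following is an added illustration, not PLTFRMS code; the transition table is an assumption (the page names the states but not which moves between them are permitted), as are the class and function names.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added illustration of the user lifecycle described on this page.
# Names and the transition table are assumptions, not the PLTFRMS IAM API.


class UserState(Enum):
    CREATED = "created"
    INVITED = "invited"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    DELETED = "deleted"


# Assumed transition table: which lifecycle moves are legal from each state.
ALLOWED_TRANSITIONS = {
    UserState.CREATED: {UserState.INVITED, UserState.DELETED},
    UserState.INVITED: {UserState.ACTIVE, UserState.DELETED},
    UserState.ACTIVE: {UserState.SUSPENDED, UserState.DEACTIVATED, UserState.DELETED},
    UserState.SUSPENDED: {UserState.ACTIVE, UserState.DEACTIVATED, UserState.DELETED},
    UserState.DEACTIVATED: {UserState.ACTIVE, UserState.DELETED},
    UserState.DELETED: set(),  # terminal: a removed identity is never revived
}


class InvalidTransition(Exception):
    pass


@dataclass
class LifecycleUser:
    user_id: str
    realm: str
    state: UserState = UserState.CREATED
    audit_log: list = field(default_factory=list)  # identity actions are auditable

    def transition(self, new_state: UserState, actor: str) -> None:
        """Move to new_state if the table allows it, recording who did it."""
        if new_state not in ALLOWED_TRANSITIONS[self.state]:
            raise InvalidTransition(f"{self.state.value} -> {new_state.value}")
        self.audit_log.append(
            ("lifecycle", self.user_id, self.state.value, new_state.value, actor))
        self.state = new_state

    def can_authenticate(self) -> bool:
        # Only an active identity may authenticate; every other state fails closed.
        return self.state is UserState.ACTIVE


def authenticate(user: LifecycleUser, credentials_valid: bool) -> bool:
    """Combine the lifecycle check with the credential check; always log the outcome."""
    if not user.can_authenticate():
        # Lifecycle is checked first, so a suspended or deleted user is refused
        # regardless of credentials and the denial reason is the state itself.
        user.audit_log.append(("auth-denied", user.user_id, user.state.value))
        return False
    if not credentials_valid:
        user.audit_log.append(("auth-failed", user.user_id, user.state.value))
        return False
    user.audit_log.append(("auth-ok", user.user_id, user.state.value))
    return True


if __name__ == "__main__":
    u = LifecycleUser("u-1", "acme-realm")  # constructed sample identity
    print("created, login:", authenticate(u, True))
    u.transition(UserState.INVITED, "admin")
    u.transition(UserState.ACTIVE, "u-1")
    print("active, login:", authenticate(u, True))
    u.transition(UserState.SUSPENDED, "admin")
    print("suspended, login:", authenticate(u, True))
    for entry in u.audit_log:
        print(entry)
```

The ordering inside `authenticate` matters: checking the lifecycle state before the credentials means a suspension takes effect immediately and the audit entry names the state as the reason, rather than surfacing as a generic credential failure.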

Security model

User security is enforced through:

  • Strong authentication flows (OIDC)
  • Token-based access control
  • Role- and group-based authorization
  • Realm and organisation isolation
  • Auditability of identity actions

Why users matter

Users are the foundation of IAM because they represent:

  • The origin of all authenticated activity
  • The link between identity and access control
  • The entry point into organisations, roles, and permissions
  • The basis for secure interaction across PLTFRMS

Without users, there is no identity layer within the platform.