92 changes: 59 additions & 33 deletions iam/index.mdx
@@ -1,44 +1,70 @@
---
title: Identity and Access Management
sidebarTitle: IAM
title: Identity and Access Management Overview
sidebarTitle: Overview
description: Learn about ngrok's identity and access management system for managing credentials, enforcing access controls, and federating identity.
---

## Overview
ngrok includes a robust identity and access management (IAM) system that enables you to:

ngrok includes a robust identity and access management (IAM) system. ngrok's
IAM functionality enables you to:

- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process).
- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process)
- Enforce least-privilege access for each principal acting within your ngrok account
- Attribute all mutations to distinct principals in your ngrok account recorded in audit logs
- Configure single sign-on (SSO) to federate identity and SCIM to enable provisioning from your own IdP
- Administrate multiple ngrok accounts with a single user

## Concepts

Before diving into ngrok's IAM system, it's helpful to be acquainted with the
terminology and concepts ngrok uses to describe its IAM primitives.

- **Accounts**: ngrok Accounts are the containers in which you create and consume ngrok services.
- [**Users**](/iam/users/): An Account contains one or more **Users**. Users are members of
the Account who can take actions within it, like creating objects, start agents
or making API requests. Users may be members of multiple accounts and are not owned by any single account.
- [**Service Users**](/iam/service-users): Accounts also contain **Service Users** which are like Users but
meant to be used for automated processes. Other systems may call these 'Service
Accounts'.
- [**Principals**](/obs/events/#principal-object): A principal is either a User or Service User. Principals are
members of an Account that may take actions inside of it.
- [**Credentials**](/iam/users/#credentials): These are the keys and tokens that Principals use to
authenticate with the ngrok service. Types of Credential include Authtokens,
API Keys, and SSH Public Keys.
- [**Authtokens**](/agent/#authtokens): Principals begin Agent sessions and create Endpoints by
authenticating with Authtoken.
- [**API Keys**](/api/#authentication): Principals make API Requests by authenticating with an API Key.
- [**SSH Public Keys**](/agent/ssh-reverse-tunnel-agent/#authentication): Principals create Endpoints via the SSH Reverse Tunnel
Agent with an SSH Public Key.
- [**Invitations**](/iam/users/#invitations): Invitations are a mechanism to add a new User with a given
email address to an Account.
- [**RBAC**](/iam/rbac/): Role Base Access Control is used to limit the permissions of what
actions a User may take within your account.
- [**Account Domain Controls**](/iam/domain-controls/): Account Domain Controls are used to create
policy on Users who log in or sign up with a given email domain.
Here are the core elements you should familiarize yourself with to make the most of ngrok's IAM system:

<Columns cols={1}>
<Card title="Users" href="/iam/users/" horizontal>
Manage human users who can log into the dashboard, start agents, create endpoints, and access the API.
</Card>
<Card title="Service Users" href="/iam/service-users/" horizontal>
Create dedicated credentials for automated processes that interact with your ngrok account programmatically.
</Card>
<Card title="Role-based Access Control" href="/iam/rbac/" horizontal>
Enforce least-privilege access by restricting what actions each user can take within your account.
</Card>
<Card title="Single Sign-On" href="/iam/sso/" horizontal>
Federate identity with your IdP and enable SSO authentication for dashboard access.
</Card>
<Card title="Account Domain Controls" href="/iam/domain-controls/" horizontal>
Enforce organization-wide account usage by requiring users with your email domain to use your account.
</Card>
</Columns>

## Use cases

Here are some of the most common use cases for ngrok's IAM system:

<Columns cols={2}>
<Card
title="Use Service Users for automated processes"
icon="robot"
href="/guides/site-to-site-connectivity/"
>
Create Service Users for isolated agent management with authtokens and ACL restrictions.
</Card>
<Card
title="Enforce least-privilege access with RBAC"
icon="shield"
href="/guides/security-dev-productivity/"
>
Restrict developer permissions with RBAC and create user-specific authtokens with ACL rules.
</Card>
<Card
title="Secure SSH and RDP access"
icon="key"
href="/guides/ssh-rdp/"
>
Create Service Users and authtokens with ACL restrictions for secure remote access to edge gateways and servers.
</Card>
<Card
title="Secure remote device access"
icon="building"
href="/guides/device-gateway/agent/"
>
Create Service Users and authtokens with ACL restrictions for secure remote access to IoT devices and services.
</Card>
</Columns>
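Review bot: the replacement of the "## Concepts" glossary with the `<Columns>` cards drops the definitions (and links) for Accounts, Principals, Credentials, Authtokens, API Keys, SSH Public Keys and Invitations, yet the page still uses those terms: the retained bullet `- Attribute all mutations to distinct principals in your ngrok account recorded in audit logs` and `- Administrate multiple ngrok accounts with a single user` rely on the removed explanation that a principal is a User or Service User and that Users are not owned by any single account, and every "Use cases" card mentions "authtokens and ACL restrictions" without the page ever saying what an authtoken is or linking to `/iam/users/#credentials`. Suggest adding a `Credentials` card to the first `<Columns>` block (href `/iam/users/#credentials`, covering Authtokens, API Keys and SSH Public Keys, with a pointer to `/agent/#authtokens` and `/api/#authentication`) and a one-line definition of "principal" either in the intro list or as a card linking to `/obs/events/#principal-object`, so the overview remains self-contained for the IAM terms it uses. Minor: the intro list is now inconsistent in punctuation, the first bullet lost its trailing period while no other bullet has one, which is fine, but double-check the other pages in `/iam/` follow the same convention; also the removed line `Role Base Access Control` carried a typo ("Role-Based"), so make sure the RBAC page itself does not still contain it.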