Access control overview

Alpacon’s IAM (Identity and Access Management) allows administrators to centrally manage access control for resources registered in a workspace. Control who has access to which resources and manage collaboration through role-based permissions.

What is IAM?

IAM provides a unified system for managing user identities, roles, and access permissions across your entire infrastructure. Whether you’re managing cloud servers, on-premise machines, or hybrid environments, IAM ensures consistent access control.

Key benefits:

  • Centralized user and group management
  • Role-based access control (RBAC)
  • Granular permissions for servers and resources
  • Audit trails for security compliance

Core components

Users

Manage individual users who have access to workspace resources. Each user receives permissions through assigned roles or groups.

User roles:

  • User: Access assigned servers, edit own profile
  • Staff: Manage users/groups, some workspace settings
  • Superuser: All permissions, full workspace control

Groups

Organize users into groups based on shared responsibilities or access levels. Groups make it easy to manage permissions for multiple users at once.

Group features:

  • Group-based server access control
  • Multiple group membership per user
  • Role hierarchy within groups (Owner, Admin, Member)

Permissions

Control access to servers and features through a two-level permission model:

  1. Workspace-level roles: User, Staff, Superuser
  2. Server-level access: Group-based assignments

Learn more: Set permissions

API tokens

Create API tokens for programmatic access to the Alpacon API without user passwords.

Use cases:

  • Automation scripts
  • CI/CD pipelines
  • Third-party integrations

Learn more: API tokens

How IAM works

Access control flow

  1. User invited → Receives workspace access
  2. Role assigned → Determines workspace permissions
  3. Added to groups → Gains server access
  4. Permissions applied → Can access assigned servers

Permission inheritance

  • Users inherit permissions from their workspace role
  • Additional access granted through group membership
  • Superusers access all servers without group assignment
  • Staff and Users only access servers assigned to their groups
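
The inheritance rules above, modeled in Python to show how effective server access resolves and how a per-server access review falls out of it. This is an added example, not Alpacon code or its API; the Workspace class, its method names, and the sample users, groups and servers are all hypothetical.

```python
from dataclasses import dataclass, field

ROLES = {"User", "Staff", "Superuser"}  # workspace-level roles named on this page


@dataclass
class Workspace:
    """Hypothetical in-memory model of the two-level permission scheme."""
    all_servers: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)          # user -> workspace role
    members: dict = field(default_factory=dict)        # group -> set of users
    group_servers: dict = field(default_factory=dict)  # group -> set of servers

    def effective_servers(self, user):
        role = self.roles.get(user)
        if role not in ROLES:
            return set()                   # not invited or unknown role: deny
        if role == "Superuser":
            return set(self.all_servers)   # no group assignment needed
        granted = set()
        for group, users in self.members.items():
            if user in users:              # a user may belong to several groups
                granted |= self.group_servers.get(group, set())
        return granted & self.all_servers  # ignore servers no longer registered

    def who_can_reach(self, server):
        """Access review for one server: user -> how the access was obtained."""
        return {
            user: "role" if role == "Superuser" else "group"
            for user, role in self.roles.items()
            if server in self.effective_servers(user)
        }


def sample_workspace():
    # Constructed sample data for illustration only.
    return Workspace(
        all_servers={"web-1", "db-1", "ci-1"},
        roles={"alice": "Superuser", "bob": "Staff", "carol": "User", "dave": "User"},
        members={"backend": {"bob", "carol"}, "ci": {"carol"}},
        group_servers={"backend": {"web-1", "db-1"}, "ci": {"ci-1"}},
    )


if __name__ == "__main__":
    ws = sample_workspace()
    for name in sorted(ws.roles):
        print(name, ws.roles[name], sorted(ws.effective_servers(name)))
    print("ci-1:", ws.who_can_reach("ci-1"))
```

In this model a Staff user with no group membership reaches no servers, and every entry marked "role" in the review is a Superuser whose access does not depend on any group.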

Security best practices

Principle of least privilege:

  • Grant minimum required permissions
  • Regularly review and adjust permissions

Use groups:

  • Manage permissions via groups rather than individual users
  • Separate groups by environment, project, or role

Limit Superusers:

  • Keep the number of Superusers to a minimum
  • Grant only to trusted administrators

Regular audits:

  • Review user access regularly
  • Remove inactive users promptly
  • Monitor access logs for suspicious activity

Getting started

For administrators

  1. Invite team members
  2. Create groups for different teams or projects
  3. Assign users to groups
  4. Configure server access

For API integration

  1. Create API tokens
  2. Use tokens in automation scripts
  3. Monitor token usage regularly