Granular user permissions give you fine-grained control over what IVM users can do with your policy sets and policies. You can restrict policy set access by user group, and policy permissions by user role. This can help you to maintain data integrity by preventing accidental or intentional damage to your policies by users who don’t require access to do their jobs.

For example, if you are working with a third-party vendor on a specific subset of policy sets, it may make sense to limit their access to those while barring access to all other policy sets on the contract. Likewise, you may want to restrict access to policy sets within your organization by region, department, or job function.

At a finer level, individual users within a group may require differing levels of access to do their jobs. Granular permissions allow you to control an individual’s ability to view or edit policies on staging or production.

How it works

Granular permissions are assigned via ​Akamai​S' Identity and Access Management tools and IVM’s policy set settings. To configure granular permissions, an account administrator will:

• Create groups in Identity and Access Management, then assign users to these groups based on common characteristics such as region, department, or job function.
• Create custom roles in Identity and Access Management and assign IVM permissions to each role. A “role” defines whether a user can view, edit, or delete a policy on the staging or production network.
• Assign each user on the contract one of the custom roles. This must be done for each group a user belongs to.
• Grant policy set access to the correct group.

If you create a new policy set in Property Manager, it is automatically assigned the group associated with the property. If you create a new policy set using IVM Policy Manager, select the appropriate group from the list. If you are editing an existing policy set, change the group to the one you are giving access. See Create and edit a policy set for more information.

The default group is “All groups on the contract”. When the group is set to this, any user with IVM permissions at the contract level has access to the policy set, but their actions are still governed by their assigned role. If any group other than “All groups on the contract” is assigned, only members of the assigned group can access the policy set.

📘

Assigning groups to existing policy sets

For policy sets created prior to the implementation of the new IVM granular permissions model, the group is automatically set to “All groups on the contract”. This can be changed manually by editing a policy set in Policy Manager. If you have many policy sets to be migrated to the new access control model, contact your ​Akamai​ support team for assistance.

IVM permissions

Permissions must be set for each custom role that you create. The IVM permissions that can be assigned to a role include:

• Image and Video Manager – All privileges. Users with this permission can create and manage policy sets. They can also create and modify policies on both production and staging networks. This is the highest level of permissions.
• Image and Video – Production edit. Users with this permission can create and modify policies on production and staging networks, but can’t create or manage policy sets.
• Image and Video Manager – Staging edit. Users with this permission can create and modify policies on the staging network only.
• Image and Video Manager – View only. Users with this permission can view policies but can’t edit them.

Example: Third party vendor

​Akamai​ customer MediaMogulOrg has an InfoSec policy stating that third party vendors should granted access to only the systems, data, and tools required to do the contracted work. In the context of IVM, this means that the vendor should have access to only the policy sets and policies they’ll be working on. Additionally, members of a vendor’s team should be granted the bare minimum permissions required to do their jobs.

MediaMogulOrg has hired IT support vendor, OutsourcingInc, to do some work for them. Three types of users work for this vendor, each requiring a different level of permissions:

• Team member: These users need to be able to create, edit, and delete policies on staging, but need only read access for policies on the production network.
• Team leader: These users need to be able to create, edit, and delete policies on both staging and production networks.
• Admin: These users need to be able to create, edit, and delete policies and policy sets on both staging and production networks.

To set up granular permissions for this vendor:

1. Log in to ​Akamai Control Center​ as an account administrator and navigate to ☰ >ACCOUNT ADMIN > Identity & access.

2. Use Identity and Access Management tools to create a group for the vendor, for example, “IT Support Vendor”.

3. Create three custom roles and select the permissions for each, for example:

   Custom role	IVM permission assigned
   OITeamMember	Image and Video Manager – Staging edit
   OITeamLeader	Image and Video Manager – Production edit
   OIAdmin	Image and Video Manager – All privileges

4. Assign one of the roles you created to each user in the IT Support Vendor group that you created.

5. Give the IT Support Vendor group access to the appropriate policy set:

   • Automatically via Property Manager. If you create a new policy set in Property Manager, it is automatically assigned the group associated with the property.

   • Manually via IVM Policy Manager. If you are creating a new policy set, select IT Support Vendor as the group. If you are editing an existing policy set, change the group to IT Support Vendor.

   📘

   To prevent a third party vendor or other group from accessing other policy sets, set the group for those policy sets to something other than “All groups on contract”. If Group is set to “All groups on contract”, all users on the contract have visibility into the policy set.

Once you have configured the group and roles and assigned the group to the policy set, only members of IT Support Vendor will have access. Individual users of the group will be able to view, edit, or delete policies or policy sets on staging or production according to the permissions granted by their assigned roles.