Admin
Onboard users with groups and roles that focus user access and permissions to your Akamai products.
1. Organize product access
Product access cascades down from your account's parent groups to the specific permissions you grant each user.
For example, suppose one of your parent groups pairs security and media services together. These products have both interconnected and unique functions, and so do your teams and the responsibilities of the people within them.
Team | Function | Product access |
---|---|---|
Devops | Infrastructure management. | Both |
Security | Devops sub-team focused on security. | Security |
Marketing | Publishes your site's content. | Media |
Within that product access, different people need to be able to read, create, or make changes to parts of your infrastructure.
Grouping access and granting permissions to the services that match a team’s function and purpose ensures the right people have access to the right parts of your infrastructure, which reduces the risk that comes with changes.
To get a list of your products, run the Get-IAMAdminProducts command without parameters or with a specific account switch key.
Get-IAMAdminProducts
Get-IAMAdminProducts -AccountSwitchKey "A-CCT1234:A-CCT5432"
# Product list is specific to your account.
EdgeComputing for Java
Streaming
Enhanced DNS
Site Delivery
Log Delivery Service
Security
NetStorage
Privacy
Luna Control Center MIB
EdgeSuite Secure (HTTPS Content Delivery)
Global Traffic Management (FirstPoint)
EdgeSuite (HTTP Content Delivery)
Luna Control Center
Luna Control Center Web Services
2. Create groups
Nest groups within each other starting from your account's main parent groups.
- Parent groups can have multiple children and have access to everything a child group does.
- Product access cannot straddle two parents. Child groups belong to a single parent.
- Initially, a child group will have the same access as its parent, but because you can edit and make limitations to reduce or restrict product access, a child may not have the same access as its parent.
- Child groups can become parent groups.
- Get a list of your group IDs to find a parent group's ID. Running the command without parameters returns all groups for your account in a JSON string. To get a flattened list, use the -Flatten switch.
Get-IAMGroup
groupId : 12345
groupName : My parent group
subGroups : {@{groupId=98765; groupName=My child group; parentGroupId=12345; subGroups=System.Object[]; createdDate=4/28/2023 12:00:00 AM; createdBy=Akamai; modifiedDate=4/30/2023 05:00:46 AM; modifiedBy=Akamai}, @{groupId=56789; groupName=My second child; parentGroupId=12345; subGroups=System.Object[]; createdDate=5/20/2023 7:59:09 PM; createdBy=Akamai; modifiedDate=5/20/2023 10:23:16 PM; modifiedBy=Akamai}}
createdDate : 4/28/2023 12:00:00 AM
createdBy : aadhikar
modifiedDate : 4/30/2023 05:00:46 AM
modifiedBy : Akamai

groupId : 98765
groupName : My child group
parentGroupId : 12345
subGroups : {}
createdDate : 4/28/2012 12:00:00 AM
createdBy : Akamai
modifiedDate : 4/30/2023 05:00:46 AM
modifiedBy : Akamai

groupId : 56789
groupName : My second child group
parentGroupId : 18385
subGroups : {}
createdDate : 5/20/2023 7:59:09 PM
createdBy : Akamai
modifiedDate : 5/20/2023 10:23:16 PM
modifiedBy : Akamai
- Create a child group using one of your group IDs as a parent and a human-readable name for your new group.
New-IAMGroup -ParentGroupID 12345 -GroupName "My new group"
groupId : 23456
groupName : My new group
parentGroupId : 123456
subGroups : {}
createdDate : 4/28/2023 12:00:00 AM
createdBy : jsmith
modifiedDate : 4/28/2023 12:00:00 AM
modifiedBy : jsmith
3. Set up roles
Roles are collections of network-specific rights or permissions that follow REST API write, read, update, and delete functions.
We've created standard, or grantable, roles for products and services. Get a list of these to see what permissions you can grant and combine them to build custom levels of user access.
- Get your grantable roles.
Get-IAMGrantableRole
Id    Name                                        Description
---   ---------------                             ----------------------
1     Account Manager                             Read and update account information.
2     Admin                                       All privileges.
105   Image and Video Manager - All privileges    Create and manage policy sets.
106   Image and Video Manager - Production edit   Create and modify policies on production only.
107   Image and Video Manager - Staging edit      Create and modify policies on staging only.
108   Image and Video Manager - View only         View policies on production and staging.
1076  Security Configuration - Edit               View and edit security configurations.
1077  Security Configuration - View Only          View security configurations.
- Combine grantable roles to create custom ones that fit your users' responsibilities.
This command uses the -Body parameter. Set the value to a variable or pass a JSON string.
# All parameters required
$body = @{
    grantedRoles = @(
        @{grantedRoleId = 105}
        @{grantedRoleId = 1076}
        @{grantedRoleId = 1077}
    )
    roleDescription = "Img/Vid all privileges and security config read and update."
    roleName = "DevOps Lead"
}
New-IAMRole -Body $body
# All parameters required
New-IAMRole -Body '{"grantedRoles": [{"grantedRoleId": 105},{"grantedRoleId": 1076},{"grantedRoleId": 1077}],"roleDescription": "Img/Vid all privileges and security config read and update.","roleName": "DevOps Lead"}'
Name             Value
----             -----
createdBy        jsmith
createdDate      9/11/2023 1:43:54 PM
grantedRoles     {Image and Video Manager - All privileges…
modifiedBy       jsmith
modifiedDate     9/11/2023 1:47:32 PM
roleDescription  Img/Vid all privileges and security confi…
roleId           12345
roleName         DevOps Lead
type             custom
4. Create users
Add your groups and roles to a user's profile information to clone an existing user or create a new one.
Note: Admins can also create other admins to share workload.
Clone an existing user
Get a list of your users to find a user to clone. Without parameters or switches, you get high-level details for each of your users. Add one or more filters to get more detailed information.
- -GroupId <int> returns only users for a given group.
- -Actions adds in users' REST API CRUD capabilities.
- -AuthGrants adds in users' role assignments.
Get-IAMUser
uiIdentityId : A-BC-1234567
firstName : John
lastName : Smith
uiUserName : jsmith
email : jsmith@example.com
accountId : A-CCT1234
lastLoginDate : 8/25/2023 11:12:25 PM
tfaEnabled : True
additionalAuthentication : TFA
tfaConfigured : True
additionalAuthenticationConfigured : True
isLocked : False
uiIdentityId : A-BC-1234567
firstName : John
lastName : Smith
uiUserName : jsmith
email : jsmith@example.com
accountId : A-CCT1234
actions : @{canEditMFA=False;
resetPassword=True; editProfile=True; canEditTFA=False; edit=True; delete=True; isCloneable=True; editRole=True; thirdPartyAccess=False; canEditNone=False; apiClient=True}
lastLoginDate : 8/25/2023 11:12:25 PM
tfaEnabled : True
additionalAuthentication : TFA
tfaConfigured : True
additionalAuthenticationConfigured : True
isLocked
uiIdentityId : A-BC-1234567
firstName : John
lastName : Smith
uiUserName : jsmith
email : jsmith@example.com
accountId : A-CCT1234
phone : (617) 555-1234
timeZone : GMT-4
authGrants : {@{groupId=12345; roleId=108;
groupName=My Group; roleName=Image and Video Manager - View only; roleDescription=View policies on production and staging.; subGroups=System.Object[]}}
lastLoginDate : 8/25/2023 11:12:25 PM
tfaEnabled : True
additionalAuthentication : TFA
preferredLanguage : English
sessionTimeOut : 900
passwordExpiryDate : 11/23/2023 10:43:55 PM
address : 1234 Main Street
city : Boston
state : MA
country : USA
tfaConfigured : True
additionalAuthenticationConfigured : True
isLocked : False
Once you've found a user to clone, use their uiIdentityId as the value for cloneFrom in the new user command.
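Before cloning a user or granting more access, it helps to review what the existing accounts look like. The following is an added example, not code from Akamai's module: it checks the `tfaEnabled`, `tfaConfigured`, `isLocked`, `lastLoginDate` and `authGrants` fields shown in the output above. The function name `Find-IAMUserRisk`, the 90-day threshold and the sample records are assumptions made for illustration.

```powershell
# Added example (not Akamai's code). Flags users whose Get-IAMUser fields suggest risk.
function Find-IAMUserRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int[]]    $PrivilegedRoleId = @(2),   # 2 = "Admin" in the grantable role list
        [int]      $StaleAfterDays   = 90,     # assumed review threshold
        [datetime] $Now              = (Get-Date)
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Second factor: distinguish "off" from "on but never enrolled".
        if (-not $User.tfaEnabled) { $findings.Add('TFA not enabled') }
        elseif (-not $User.tfaConfigured) { $findings.Add('TFA enabled but not configured') }

        # Role assignments are only present when the user was fetched with -AuthGrants.
        foreach ($grant in $User.authGrants) {
            if ($grant.roleId -in $PrivilegedRoleId) {
                $findings.Add("role '$($grant.roleName)' on group $($grant.groupId)")
            }
        }

        # Unlocked accounts that nobody uses are candidates for removal.
        if (-not $User.isLocked) {
            if (-not $User.lastLoginDate) { $findings.Add('unlocked, no recorded login') }
            elseif (($Now - [datetime]$User.lastLoginDate).TotalDays -gt $StaleAfterDays) {
                $findings.Add("unlocked, last login over $StaleAfterDays days ago")
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{ User = $User.uiUserName; Findings = $findings -join '; ' }
        }
    }
}

# Constructed sample records that reuse the field names from the output above.
$sample = @(
    [pscustomobject]@{ uiUserName = 'jsmith'; tfaEnabled = $true; tfaConfigured = $true
        isLocked = $false; lastLoginDate = '8/25/2023 11:12:25 PM'
        authGrants = @(@{ groupId = 12345; roleId = 108; roleName = 'Image and Video Manager - View only' }) }
    [pscustomobject]@{ uiUserName = 'ops-admin'; tfaEnabled = $false; tfaConfigured = $false
        isLocked = $false; lastLoginDate = $null
        authGrants = @(@{ groupId = 12345; roleId = 2; roleName = 'Admin' }) }
)
$sample | Find-IAMUserRisk -Now ([datetime]'9/11/2023')
```

Against a live account, replace `$sample` with the objects returned by `Get-IAMUser -AuthGrants`.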
Create new user
To create a new user, pass the required parameters as a variable or a JSON string.
# To use a clone, add cloneFrom=<string> to your body.
$body = @{
    firstName = "John"
    lastName = "Smith"
    phone = "(617) 555-1234"
    email = "jsmith@example.com"
    state = "MA"
    country = "USA"
    additionalAuthentication = "TFA"
    authGrants = @(
        @{
            groupId = 12345
            groupName = "My Group"
            isBlocked = $false
            roleDescription = "View policies on production and staging."
            roleId = 108
            roleName = "Image and Video Manager - View only"
            subGroups = @()
        }
    )
}
New-IAMUser -Body $body
# To use a clone, add "cloneFrom": "<string>" to your body.
New-IAMUser -Body '{"firstName": "John", "lastName": "Smith", "phone": "(617) 555-1234", "email": "jsmith@example.com", "state": "MA", "country": "USA", "additionalAuthentication": "TFA", "authGrants": [{"groupId": 1234, "groupName": "My Group", "isBlocked": false, "roleDescription": "View policies on production and staging.", "roleId": 108, "roleName": "Image and Video Manager - View only", "subGroups": []}]}'
Name Value
---- -----
actions {[canEditMFA, False], [resetPassword, Tru…]}
additionalAuthentication TFA
address TBD
authGrants {My Group}
city TBD
contactType
country USA
email jsmith@example.com
firstName John
lastName Smith
passwordExpiryDate 5/5/2024 10:38:39 PM
phone (617) 555-1234
preferredLanguage TBD
state MA
uiIdentityId A-BC-9876543
uiUserName jsmith@example.com
Manage access
Manage access and permissions for your groups, roles, and users.
Groups
You can update a group's name, move it to a different parent, or delete it.
Note: There is no output for the move or remove commands.
# Update name
Set-IAMGroup -GroupID 98765 -GroupName "New group name"
# Move
Move-IAMGroup -DestinationGroupID 23456 -SourceGroupID 98765
# Delete
Remove-IAMGroup 98765
groupId : 98765
groupName : New group name
parentGroupId : 12345
subGroups : {}
createdDate : 09/11/2023 15:25:00
createdBy : jsmith
modifiedDate : 09/11/2023 17:06:20
modifiedBy : jsmith
Roles
Add or remove grantable roles from your custom roles or completely delete a custom role.
- On update, pass all of the grantable roles that you want to keep, adding any new ones as a variable or JSON string. Grantable roles not included in the command are removed.
- To delete a custom role, pass its role ID as a parameter. This command does not return any output.
# All parameters required
$body = @{
    grantedRoles = @(
        @{grantedRoleId = 108}
    )
    roleDescription = "Img/Vid all privileges and security config read and update."
    roleName = "Image management"
}
Set-IAMRole -Body $body
# All parameters required
Set-IAMRole -Body '{"grantedRoles": [{"grantedRoleId": 108},{"grantedRoleId": 1076},{"grantedRoleId": 1077}],"roleDescription": "Img/Vid all privileges and security config read and update.","roleName": "Image management"}'
Remove-IAMRole -RoleID 12345
Name Value
---- -----
actions {[delete, True], [edit, True]}
createdBy jsmith
createdDate 9/11/2023 1:43:54 PM
grantedRoles {Image and Video Manager - All privileges…
modifiedBy jsmith
modifiedDate 9/11/2023 1:47:32 PM
roleDescription View policies on production and staging.
roleId 12345
roleName Image management
type custom
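Because a role update replaces the whole list of grantable roles, an ID left out by mistake silently removes a permission. The following is an added example, not code from Akamai's module: it builds the update body from the role's current set plus explicit additions and removals, and reports what will be kept, added and dropped so the change can be reviewed first. The function name `New-IAMRoleUpdateBody`, its parameters and the sample input are assumptions; the caller supplies the current grantable role IDs.

```powershell
# Added example (not Akamai's code): build a full-replacement body for a custom role.
function New-IAMRoleUpdateBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $RoleDescription,
        [Parameter(Mandatory)] [int[]]  $CurrentRoleId,   # grantable role IDs held today
        [int[]] $Add    = @(),
        [int[]] $Remove = @()
    )
    # Removing something the role does not hold usually means a stale or mistyped ID.
    $unknown = @($Remove | Where-Object { $_ -notin $CurrentRoleId })
    if ($unknown.Count) { throw "Not currently granted: $($unknown -join ', ')" }

    # The update replaces the whole list, so start from the current set.
    $final = @($CurrentRoleId + $Add | Where-Object { $_ -notin $Remove } | Sort-Object -Unique)
    # Guard chosen for this example: never emit a body that grants nothing.
    if (-not $final.Count) { throw 'Resulting role would grant nothing.' }

    [pscustomobject]@{
        Body = @{
            grantedRoles    = @($final | ForEach-Object { @{ grantedRoleId = $_ } })
            roleDescription = $RoleDescription
            roleName        = $RoleName
        }
        Kept    = @($final | Where-Object { $_ -in $CurrentRoleId })
        Added   = @($final | Where-Object { $_ -notin $CurrentRoleId })
        Dropped = @($CurrentRoleId | Where-Object { $_ -notin $final })
    }
}

# Constructed input: a custom role that currently holds 105, 1076 and 1077.
$plan = New-IAMRoleUpdateBody -RoleName 'DevOps Lead' `
    -RoleDescription 'Img/Vid view only and security config read and update.' `
    -CurrentRoleId 105, 1076, 1077 -Add 108 -Remove 105

$plan | Select-Object Kept, Added, Dropped   # review the change before applying it
$plan.Body | ConvertTo-Json -Depth 3         # the value to pass to -Body
```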
User
As a variable or a JSON string, pass the required parameters listed and any optional parameters to update users' profile information.
firstName
lastName
phoneNumber
country
To remove a user, pass their UIIdentityID as a parameter. This command does not return any output.
$body = @{
    firstName = "John"
    lastName = "Smith"
    phone = "(617) 555-9876"
    country = "USA"
}
Set-IAMUser -Body $body
Set-IAMUser -Body '{"firstName": "John", "lastName": "Smith", "phone": "(617) 555-9876", "country": "USA"}'
Remove-IAMUser -UIIdentityID "A-BC-9876543"
Name Value
---- -----
actions {[canEditMFA, False], [resetPassword, Tru…]}
additionalAuthentication TFA
address TBD
authGrants {My Group}
city TBD
contactType
country USA
email jsmith@example.com
firstName John
lastName Smith
passwordExpiryDate 5/5/2024 10:38:39 PM
phone (617) 555-9876
preferredLanguage TBD
state MA
uiIdentityId A-BC-9876543
uiUserName jsmith@example.com
Updated 4 months ago