DotID Documentation

DotID is the centralized identity and access management service for the FlexGalaxy.AI platform, providing OAuth 2.0 / OpenID Connect authentication and a fine-grained resource-based authorization service.

Features

• Identity Provider: OAuth 2.0 / OIDC with client credentials grant

• Resource-Based Authorization: FRN (FlexGalaxy Resource Name) based policies

• Policy Engine: Hierarchical policy sets with Allow/Deny effects

• Organization Management: Multi-account organizations with OUs and SCPs

• Account Lifecycle: ACTIVE / SUSPENDED / PENDING_CLOSURE / CLOSED state machine

• Delegated Administrators: Org-wide service access delegation (e.g., audit)

• Service Quotas: Configurable resource limits with increase request workflow

• Audit Service: CloudTrail-style API activity logging with role-based access

• Token Verification: Asymmetric signing via JWKS endpoint

• API-First Design: Full REST API with OpenAPI documentation

Quick Links

Authorization Model

Resource-based authorization concepts and design

IAM Policies vs Identity Center Permission Sets

IAM Policies vs Identity Center Permission Sets — when to use which

FRN Specification

FlexGalaxy Resource Name specification

API Reference

REST API reference for all FlexGalaxy.AI services

Programmatic API Credentials

Static access keys (acc-) and STS temporary credentials (idc-)

TraceBook Access Model

TraceBook audit trail access scoping and authorization

Audit Events

Complete catalog of TraceBook audit events

Table of Contents

Authorization

• Authorization Model
  • Core Concepts
  • Evaluation Algorithm
  • Capabilities
  • Related References
  • Cache Invalidation
• IAM Policies vs Identity Center Permission Sets
  • Overview
  • IAM Policies (AdminCenter)
  • Permission Sets (Identity Center)
  • How They Relate
  • Platform-Managed vs Customer-Managed
  • AWS Analogy
• Access Control Layers
  • Layer 1: Role
  • Layer 2: Service Control Policy (SCP)
  • Layer 3: Capability
  • How the Three Layers Interact
  • Comparison
  • Service-Specific Capability Checks
  • UI Visibility
• FRN Specification
  • Canonical Format
  • Wildcards
  • Matching Rules
  • Examples
  • Validation
• FRN Resource Registry
  • Resource Scoping
  • iam — Identity & Access Management
  • org — Organizations
  • scp — Service Control Policies
  • audit — Audit
  • quota — Service Quotas
  • licensing — IoT Device Licensing (TrustMint)
  • Summary
• Policy Document Format
  • Schema
  • Fields
  • Example
• Managed Policy Sets
  • Naming Convention
  • Permission Sets
  • Managed IAM Policies
  • Summary
• Programmatic API Credentials
  • Overview
  • 1. Static Credentials (acc-* Users)
  • 2. STS Temporary Credentials (idc-* Users)
  • 3. Using Credentials for API Authentication
  • 4. Access Key Format
  • 5. Security Considerations
  • 6. API Reference Summary

Integration

• Service Quotas
  • Quota Model
  • Account Lifecycle
  • Platform Admin Review
  • API Reference

Audit & Compliance

• TraceBook Access Model
  • Access Scopes
  • Who Can Use TraceBook
  • Access Decision Flow
  • Comparison with AWS CloudTrail
  • Related Topics
• Audit Events
  • Account Lifecycle
  • Organization Management
  • IAM Users
  • Identity Center Users
  • IAM Groups
  • IAM Policies
  • Permission Sets
  • Service Quotas
  • Summary
• DotID Terminology Guide
  • Quick Guide
  • Policy Types in Detail
  • Identity Center Concepts in Detail
  • Relationship Diagram (Text)
  • Authorization Pipeline (10-Step PDP)
  • Account-Scoped vs Global
  • User Types
  • Common Confusion Points

Indices and tables

• Index

• Module Index

• Search Page