Managed Policy Sets

DotID provides managed policy sets — pre-defined, platform-provided collections of policies with well-known names. They cannot be modified or deleted by users.

Managed policy sets provide common permission bundles that can be attached to IAM users and groups, similar to AWS managed policies.

Naming Convention

  • {Service}FullAccess — all actions in a namespace (e.g. IAMFullAccess)

  • {Service}ReadOnlyAccess — read and list actions only (in practice some service policies also bundle count or export actions under this name; check the per-policy definitions below before treating a ReadOnlyAccess policy as side-effect free)

  • AdministratorAccess — global wildcard (all actions, all resources)

Managed policy set names are reserved. Custom policy sets must not use these names.

Permission Sets

Permission sets are bundles of one or more managed IAM policies. They are assigned to IDC users through account assignments and define what the user can do within a given account.

Platform-Core Permission Sets

Permission Set               Bundled IAM Policies
AdministratorAccess          AdministratorAccess, NotificationsFullAccess
ReadOnlyAccess               IAMReadOnlyAccess, OrganizationReadOnlyAccess, AuditReadOnlyAccess,
                             QuotaCenterReadOnlyAccess, NotificationsReadOnlyAccess
IAMFullAccess                IAMFullAccess
OrganizationFullAccess       OrganizationFullAccess
SCPFullAccess                SCPFullAccess
AuditReadOnlyAccess          AuditReadOnlyAccess
QuotaCenterFullAccess        QuotaCenterFullAccess
QuotaCenterReadOnlyAccess    QuotaCenterReadOnlyAccess
NotificationsFullAccess      NotificationsFullAccess
NotificationsReadOnlyAccess  NotificationsReadOnlyAccess
DeveloperAccess              LicensingEndUserAccess, MarketplaceDeveloperAccess
                             (cross-service bundle for Dev2M/OTAForge developers)

Note that the AdministratorAccess managed policy is a global wildcard (all actions, all resources), so bundling NotificationsFullAccess alongside it adds no permissions. Note also that ReadOnlyAccess covers only the platform-core namespaces (iam, org, audit, quota, notifications); it does not include any SCP read actions or the service-registered read-only policies (LicensingReadOnlyAccess, MarketplaceReadOnlyAccess).

Service-Registered Permission Sets

Registered by consumer services at startup.

Permission Set                Service    Bundled IAM Policies
DeviceManufacturerAccess      TrustMint  LicensingEndUserAccess
LicenseApprovalPartnerAccess  TrustMint  LicensingApprovalAccess
MarketplaceDeveloperAccess    Bazaar     MarketplaceDeveloperAccess
MarketplaceConsumerAccess     Bazaar     MarketplaceReadOnlyAccess

Managed SCP Templates

Platform-managed SCP templates are registered by services. They are attached to partner accounts when a platform operator approves a partner registration request.

SCP Template               Service    Allowed Actions
ManufacturerScope          TrustMint  licensing:Device:*, licensing:Certificate:*, licensing:Event:Replay,
                                      licensing:License:Read, licensing:License:Request
LicenseManagerScope        TrustMint  licensing:Approval:*, licensing:Device:Read/List, licensing:License:Read,
                                      licensing:License:Deactivate
MarketplaceDeveloperScope  Bazaar     marketplace:Product:*
MarketplaceConsumerScope   Bazaar     marketplace:Product:Read/List, marketplace:Acquisition:*

An SCP template is a guardrail on the partner account, not a grant: it caps what any principal in the account can do, and the principal's own permission set must still allow the action. In particular, MarketplaceConsumerScope permits marketplace:Acquisition:*, but the MarketplaceConsumerAccess permission set bundles only MarketplaceReadOnlyAccess, so a consumer holding that permission set still cannot perform acquisition actions. Conversely, a principal holding AdministratorAccess in an account under ManufacturerScope is limited to the licensing actions listed above.

Managed IAM Policies

AdministratorAccess

Full access to all actions and resources.

Use case: Management account root user, platform superadmin.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "AdministratorAccess",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}

IAMFullAccess

Full access to IAM operations: users, groups, policies, credentials, permission boundaries, and resource policies.

Use case: Account administrator managing IAM resources within their account.

Because iam:* covers policy attachment and permission boundary changes, a holder of IAMFullAccess can attach AdministratorAccess to their own principal. Treat it as equivalent to full administrative access within the account unless an SCP attached to that account excludes the relevant iam actions.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "IAMFullAccess",
    "Effect": "Allow",
    "Action": "iam:*",
    "Resource": "*"
  }]
}

IAMReadOnlyAccess

Read-only access to IAM resources.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "IAMReadOnlyAccess",
    "Effect": "Allow",
    "Action": [
      "iam:User:Read", "iam:User:List",
      "iam:Group:Read", "iam:Group:List",
      "iam:Policy:Read", "iam:Policy:List",
      "iam:InlinePolicy:Read", "iam:InlinePolicy:List",
      "iam:ResourcePolicy:Read", "iam:ResourcePolicy:List",
      "iam:PermissionBoundary:Read",
      "iam:Credentials:Read"
    ],
    "Resource": "*"
  }]
}

OrganizationFullAccess

Full access to organization management: org lifecycle, OUs, and member accounts.

Use case: Management account root user managing org structure.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "OrganizationFullAccess",
    "Effect": "Allow",
    "Action": "org:*",
    "Resource": "*"
  }]
}

OrganizationReadOnlyAccess

Read-only access to organization structure.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "OrganizationReadOnlyAccess",
    "Effect": "Allow",
    "Action": [
      "org:Organization:Read",
      "org:OU:Read", "org:OU:List",
      "org:Account:Read", "org:Account:List"
    ],
    "Resource": "*"
  }]
}

SCPFullAccess

Full access to service control policy management.

Use case: Management account root user defining security guardrails.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "SCPFullAccess",
    "Effect": "Allow",
    "Action": "scp:*",
    "Resource": "*"
  }]
}

AuditReadOnlyAccess

Read-only access to audit events.

Use case: Delegated admin for org-wide compliance visibility. The audit namespace is delegable.

Note that this policy includes audit:Event:Export in addition to Read and List. Export lets the holder pull audit data out of the platform in bulk, so delegate it only to principals that are expected to move audit data to external systems.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "AuditReadOnlyAccess",
    "Effect": "Allow",
    "Action": [
      "audit:Event:Read",
      "audit:Event:List",
      "audit:Event:Export"
    ],
    "Resource": "*"
  }]
}

QuotaCenterFullAccess

Full access to service quota operations.

Use case: Delegated admin managing quotas across the organization. The quota namespace is delegable.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "QuotaCenterFullAccess",
    "Effect": "Allow",
    "Action": "quota:*",
    "Resource": "*"
  }]
}

QuotaCenterReadOnlyAccess

Read-only access to service quotas and increase requests.

{
  "Version": "2024-01-01",
  "Statement": [{
    "Sid": "QuotaCenterReadOnlyAccess",
    "Effect": "Allow",
    "Action": [
      "quota:Quota:Read", "quota:Quota:List",
      "quota:Request:Read", "quota:Request:List"
    ],
    "Resource": "*"
  }]
}

Service-Registered Managed Policies

The following policies are registered at service startup.

NovaBell (notifications): NotificationsFullAccess (notifications:*), NotificationsReadOnlyAccess (read/list/count).

TrustMint (licensing): LicensingFullAccess (licensing:*), LicensingReadOnlyAccess (read/list), LicensingApprovalAccess (approval management), LicensingEndUserAccess (device/license read + request).

Bazaar (marketplace): MarketplaceFullAccess (marketplace:*), MarketplaceDeveloperAccess (product CRUD), MarketplaceReadOnlyAccess (read-only browse), MarketplaceAdminAccess (product management + admin).
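The sections above describe three layers (managed policy documents, permission sets that bundle them, and SCP templates that cap a partner account) without showing how a decision is reached for a concrete action. The following is an added example, not DotID's own code, that resolves a permission set to the union of its policies, intersects it with an SCP template, and lints a ReadOnlyAccess policy for non-read verbs. Assumed, because the page does not spell them out: AWS-style evaluation semantics (SCP is an allow-list that bounds but never grants), glob matching of "*" and "ns:*" against the whole action string, the "Read/List" shorthand expanding to two actions, and the verb names Create and the action lists of the service-registered policies (LicensingEndUserAccess, MarketplaceReadOnlyAccess), which are constructed from the one-line prose descriptions above.

```python
"""Resolve DotID-style managed policies, permission sets and SCP templates.

Added example, not DotID's own code.  Assumed semantics (modelled on AWS; the
page itself does not spell them out):
  * an action is "namespace:Resource:Verb"; "*" and "ns:*" are glob wildcards
    matched against the whole action string;
  * "ns:Res:Read/List", as written in the page's tables, is shorthand for two actions;
  * a permission set is the union of its bundled policies' Allow statements;
  * an SCP template is an allow-list: an action is effective only if both the
    permission set and the SCP allow it.
"""
from fnmatch import fnmatchcase


def expand(pattern):
    """'licensing:Device:Read/List' -> ['licensing:Device:Read', 'licensing:Device:List']."""
    head, sep, verb = pattern.rpartition(":")
    if sep and "/" in verb:
        return [f"{head}:{v}" for v in verb.split("/")]
    return [pattern]


def managed_policy(sid, actions):
    """Build a policy document in the page's JSON shape (Resource is always '*')."""
    return {"Version": "2024-01-01",
            "Statement": [{"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": "*"}]}


def policy_allows(policy, action, resource="*"):
    """True if any Allow statement matches; the page shows no Deny statements, so none are modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatchcase(action, p) for a in acts for p in expand(a))
                and any(fnmatchcase(resource, r) for r in ress)):
            return True
    return False


# Platform-core policies copied from the page.  Action lists for the two
# service-registered policies are CONSTRUCTED from their prose descriptions,
# since the page does not print those documents.
POLICIES = {
    "AdministratorAccess": managed_policy("AdministratorAccess", "*"),
    "IAMFullAccess": managed_policy("IAMFullAccess", "iam:*"),
    "AuditReadOnlyAccess": managed_policy(
        "AuditReadOnlyAccess", ["audit:Event:Read", "audit:Event:List", "audit:Event:Export"]),
    "NotificationsFullAccess": managed_policy("NotificationsFullAccess", "notifications:*"),
    "LicensingEndUserAccess": managed_policy(  # constructed
        "LicensingEndUserAccess",
        ["licensing:Device:Read/List", "licensing:License:Read", "licensing:License:Request"]),
    "MarketplaceReadOnlyAccess": managed_policy(  # constructed
        "MarketplaceReadOnlyAccess", ["marketplace:Product:Read/List"]),
}

# Permission set -> bundled policies, and SCP template -> allowed actions, from the page's tables.
PERMISSION_SETS = {
    "AdministratorAccess": ["AdministratorAccess", "NotificationsFullAccess"],
    "DeviceManufacturerAccess": ["LicensingEndUserAccess"],
    "MarketplaceConsumerAccess": ["MarketplaceReadOnlyAccess"],
}
SCP_TEMPLATES = {
    "ManufacturerScope": ["licensing:Device:*", "licensing:Certificate:*", "licensing:Event:Replay",
                          "licensing:License:Read", "licensing:License:Request"],
    "MarketplaceConsumerScope": ["marketplace:Product:Read/List", "marketplace:Acquisition:*"],
}


def permission_set_allows(pset, action):
    """Union of the bundled policies: any one of them allowing the action is enough."""
    return any(policy_allows(POLICIES[name], action) for name in PERMISSION_SETS[pset])


def scp_allows(scp, action):
    """Allow-list check against the SCP template's Allowed Actions column."""
    return any(fnmatchcase(action, p) for pat in SCP_TEMPLATES[scp] for p in expand(pat))


def effective(pset, scp, action):
    """Decision for a principal holding `pset` in an account with `scp` attached (None = no SCP)."""
    return permission_set_allows(pset, action) and (scp is None or scp_allows(scp, action))


READ_VERBS = {"Read", "List", "Count"}


def non_read_actions(policy):
    """Actions whose verb is not Read/List/Count: a lint for anything named *ReadOnlyAccess."""
    found = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for a in acts:
            for act in expand(a):
                if act.rpartition(":")[2] not in READ_VERBS:
                    found.append(act)
    return found


if __name__ == "__main__":
    # Verb names such as Create are assumed; the page lists no write verbs for these namespaces.
    print(effective("MarketplaceConsumerAccess", "MarketplaceConsumerScope", "marketplace:Acquisition:Create"))
    print(effective("DeviceManufacturerAccess", "ManufacturerScope", "licensing:License:Request"))
    print(effective("AdministratorAccess", "ManufacturerScope", "iam:User:Create"))
    print(effective("AdministratorAccess", None, "iam:User:Create"))
    print(non_read_actions(POLICIES["AuditReadOnlyAccess"]))
```

The first call illustrates the consumer case from the SCP table: MarketplaceConsumerScope permits acquisition, but the only policy bundled into MarketplaceConsumerAccess is read-only, so the action is denied. The third call shows the guardrail working the other way: AdministratorAccess is cut down to licensing actions under ManufacturerScope. The lint flags audit:Event:Export as the one non-read verb in AuditReadOnlyAccess.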

Summary

Policy / Permission Set       Scope                            Description
AdministratorAccess           *                                All actions, all resources
ReadOnlyAccess                read-only                        Read/list actions across the platform-core namespaces (iam, org, audit, quota, notifications)
IAMFullAccess                 iam:*                            All IAM operations
OrganizationFullAccess        org:*                            All organization operations
SCPFullAccess                 scp:*                            All SCP operations
AuditReadOnlyAccess           audit:Event:Read/List/Export     Read-only audit events, including export (delegable)
QuotaCenterFullAccess         quota:*                          All quota operations (delegable)
QuotaCenterReadOnlyAccess     quota:*:Read/List                Read-only quota access
NotificationsFullAccess       notifications:*                  All notification operations
NotificationsReadOnlyAccess   notifications:*:Read/List/Count  Read-only notification access
DeveloperAccess               cross-service                    Licensing end-user + marketplace developer (Dev2M/OTAForge)
DeviceManufacturerAccess      licensing                        Device/license read and license requests (TrustMint)
LicenseApprovalPartnerAccess  licensing                        Approval read/write for license managers (TrustMint)
MarketplaceDeveloperAccess    marketplace                      Product CRUD for marketplace developers (Bazaar)
MarketplaceConsumerAccess     marketplace                      Product browsing (Bazaar)

MarketplaceConsumerAccess bundles only MarketplaceReadOnlyAccess, so it grants no marketplace:Acquisition actions, even though the MarketplaceConsumerScope SCP template permits them; acquisition requires an additional policy grant.