IAM and Access
IAM controls who and what can access Infuse resources in an organisation.
Most access management starts in the Infuse console under Access:
- Members for invitations and organisation membership
- Groups for collecting members that need the same access
- Roles for reviewing available organisation roles and assigning them to members
- API Keys for creating machine principals, issuing credentials, and assigning roles to integrations
/admin/developer. For organisation administration, see Admin Center.
What You Can Manage
| Area | Console support | Use it for |
|---|---|---|
| Members and invitations | Yes | Invite people, accept invitations, remove members, and manage organisation membership. |
| Groups | Yes | Create named groups, add or remove member principals, and delete groups that are no longer needed. |
| Roles | Yes | Review organisation-scoped roles, inspect their permissions, assign roles to members, and revoke assignments. |
| API-key principals | Yes | Create integration identities, issue API-key credentials, assign roles, and revoke credentials. |
| Permissions catalogue | Read-only | Understand the permissions included in roles. |
| Service-account principals | API-managed | Create and rotate service-account secrets through the IAM API when your integration is built for that principal type. |
System roles are not managed from the tenant console. The console shows organisation access that belongs to the organisation you are currently using.
Recommended Model
Use roles as the normal unit of access. Assign the narrowest role that allows the workflow to succeed.
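One way to apply the narrowest-role rule when reviewing assignments, as an added example that is not Infuse code: given a role catalogue and the permissions a workflow needs, pick the covering role with the fewest unused permissions and flag assignments that are broader than necessary. The role names, permission names, and both function names are hypothetical.

```python
# Constructed sample catalogue: these role and permission names are
# hypothetical, not taken from the Infuse permissions catalogue.
ROLE_CATALOGUE = {
    "org-admin": {"members:read", "members:write", "groups:write",
                  "roles:assign", "reports:read", "reports:write"},
    "member-manager": {"members:read", "members:write", "groups:write"},
    "report-editor": {"reports:read", "reports:write"},
    "report-viewer": {"reports:read"},
}


def narrowest_role(required, catalogue=ROLE_CATALOGUE):
    """Return (role, unused_permissions) for the covering role that grants
    the fewest permissions beyond `required`, or None if no role covers it."""
    required = set(required)
    if not required:
        raise ValueError("workflow needs no permissions; assign no role")
    covering = [(len(perms - required), name)
                for name, perms in catalogue.items() if required <= perms]
    if not covering:
        return None  # no single role fits; do not fall back to a broader grant
    _, name = min(covering)  # ties break alphabetically, so output is stable
    return name, sorted(catalogue[name] - required)


def review_assignment(assigned, required, catalogue=ROLE_CATALOGUE):
    """Classify an existing assignment against what the workflow needs."""
    best = narrowest_role(required, catalogue)
    suggestion = best[0] if best else None
    granted = catalogue.get(assigned)
    if granted is None:
        return ("unknown-role", suggestion)
    if not set(required) <= granted:
        return ("insufficient", suggestion)
    if best and len(granted - set(required)) > len(best[1]):
        return ("over-privileged", suggestion)
    return ("ok", assigned)


if __name__ == "__main__":
    print(narrowest_role({"reports:read"}))
    print(review_assignment("org-admin", {"reports:read"}))
```

The unused-permissions list returned with the chosen role shows what is still granted beyond the workflow's needs, which is the residual exposure to weigh when no tighter role exists.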
Use groups when several people need the same access pattern. Update the group membership as people join or leave the team instead of recreating individual assignments.
Use API-key principals for backend integrations that need to call Infuse APIs. Keep issued API keys in server-side secret storage and rotate them when operators, environments, or risk changes.