Manage authorization
HERE IAM provides features to manage authorization for users, apps, or groups within your organization. When you access any HERE service or resource, the requesting identity must have proper authorization.
Any access request to HERE services or resources that is made with an identity that doesn't have the proper authorization is denied with an HTTP response status code 403 Forbidden.
HERE IAM provides features to enable easy authorization management. For more information, see the Identity and Access Management Authorization API v1.1 API Reference.
Organization/realm membership management
An organization (org/realm) scopes all IAM entities, and HERE services and resources within the same security namespace.
As an org admin, you can view all authorization information for all members of your organization. Often, a few HERE services and resources are made available to your HERE platform account through IAM policies and plans.
IAM role management
IAM roles are entities that define a specific permission set that can be assigned to an identity (user or app).
As an org admin, you can assign roles to, and revoke roles from, any identity (user or app). For more information, see the Identity and Access Management Authorization API v1.1 API Reference.
Group membership management
A group is a collection of identities (user or app).
As an org admin or a group admin, you can manage group membership. For more information, see the Identity and Access Management Authorization API v1.1 API Reference.
Accessing resources outside of projects
Although HERE recommends that customers create and manage access to HERE services and resources through a project, some resources don't yet belong to any project and are available with unscoped access.
Permission statements define access to this set of resources. They can either be attached directly to the user, app, or group, or be available through IAM policy attachments.
Once you have the correct permission set assigned to an identity either directly or indirectly, you can access resources using an unscoped access token. For more information, see Unscoped Access Token.
IAM permission statement
A permission allows you to define detailed access control on HERE services and resources. For more information, see Permissions.
Managing permissions and grants
A permission can be assigned to a user, app, or group. You can grant access to a resource you manage to an IAM entity of your choice through the Share options in the HERE platform resource detail page, HERE IAM APIs, or tools like the HERE IAM CLI. For more information, see the Identity and Access Management Authorization API v1.1 API Reference.
Accessing project resources
HERE recommends that customers create and manage access to HERE services and resources through a project. A project is a container for securely managing HERE platform resources to build location technology. A project enables you to manage which users, apps, and groups can access the resources created or linked in the project. We recommend that you use projects to manage all your platform resources.
Specify access to resources created or linked to a project through project membership and project policies. Once you have set the correct project policies for the project members, you can access resources created or linked to a project using a project scoped access token. For more information, see Manage Projects, Project workflows, and Project scoped access token.
Manage project membership
Grant access to project resources through project membership. An org admin or a project admin can manage membership for a project. A user, app, or group can be a member of a project. For more information, see Manage Project Access.
Manage project policies
HERE IAM provides features to manage detailed access among project members, and provides a set of HERE managed policies that you can assign to a project member. For more information, see Project policy and Project workflows.
Accessing resources from other organizations
HERE IAM enables complex organizational setups by allowing trust establishment between multiple organizations. If your organization has multiple HERE platform accounts, and you would like to share resources and data across accounts, you need to establish a Cross Org trust. Once you establish a trust, you can then link a resource from another organization.
Note
You can only create cross-realm trusts for project resources. For more information, see Org Trust.