Open Telekom Cloud for Business Customers

Identity and Access Management (IAM)

The Identity and Access Management (IAM) service provides granular access control for Open Telekom Cloud services. It is an essential service for cloud environments to identify and authorize cloud users.

IAM helps you securely control access to resources by centrally managing user data and authorizations, making it one of the cornerstones for secure working in the cloud.

With IAM, you can define which users are allowed to access which services and resources under which conditions to ensure the least privilege principle.

One hand types on a laptop with a security lock hovering above it, the other hand holds a smartphone

Reasons for IAM in the Open Telekom Cloud

Light green icon with a security lock behind it a gray cloud with server icon

Security & Compliance

IAM helps you restrict cloud resource access to authorized users and services only. It enables control and monitoring of user access and supports adherence to security policies and compliance regulations.

A gray bordered icon with several users in blue in the center and a gray key behind it


Cloud environments are dynamic and scalable, which means that the number of users and resources can change quickly. IAM makes it possible to quickly add new users or change access rights to support the scalability and agility of the cloud infrastructure.

Turquoise icon of an open application, behind it a gray euro symbol on a sheet of paper

Cost optimization

IAM is integrated into the Open Telekom Cloud and is free of charge. The management of user and resource access rights prevents costs, e.g., due to excessive authorizations or underutilization of resources. In addition, companies achieve their compliance and security goals, avoiding high costs for security breaches or non-compliance.

Key features of IAM

Blue icon with a white security lock

Access control

Create IAM users and groups and use policies to grant or deny access to specific services and resources. IAM also provides an additional isolation layer: projects. This layer controls user access to different projects and grants permissions within the same project.

Light blue icon with a user symbol and a check mark above it


Establish a position of trust between your existing identity system by creating a SAML-based or OpenID Connect-based identity provider. This way, users in your organization can log in to the Open Telekom Cloud via Single Sign-On (SSO).

Green icon with shield symbol and a check mark


Delegate a trusted Open Telekom Cloud account or cloud service to access your resources based on assigned permissions.

Light green icon with shield symbol, inside a gear wheel

Account Security

With IAM, you can configure security settings, including logon authentication policies, password policies, and access control lists.

Structure and function

IAM manages users and permissions for cloud resources in the Open Telekom Cloud. Cloud resources are services or objects, such as the Key Management Service (KMS) or Object Storage Service (OBS) and associated actions on objects, such as creating a key in KMS or deleting a bucket in OBS.

For the management of authorizations, IAM supports three user types:

  • Agency users are users from other Open Telekom Cloud clients who have been granted access to this client.
  • IAM users are users created and managed in the client's IAM system by the administrators. This is the default user type.
  • Federate users are from third-party IAM systems that can log on to the Open Telekom Cloud via a federation, for example from a federated Active Directory or LDAP.
Symbolic representation of access rights management with IAM

With the IAM service, you can define who is allowed to access what. For each access request, the set permissions are evaluated and denied by default. Only an explicit "allow" grants access.

Users are assigned to groups which are in turn assigned permissions. Based on the sum of all assigned permission sets / policies, access is evaluated and granted or denied to the users of that user group.


IAM policies include actions, resources, and conditions. You can either use the system default policies or create new custom policies using JSON or the graphical editor. 

Access can be set up through the Management Console or the API.

Symbolic representation user group authorization

IAM in the Open Telekom Cloud adds an additional isolation layer called projects. Projects can be spanned at the region level (region-based authorization) and serve as isolation to different environments in the same tenant.

The costs of the individual projects are added up on the tenant, so that this can also result in optimized prices (e.g., by jointly achieving higher scales for object storage).

Symbolic representation of project area and user group access

Frequently asked questions about IAM

Does IAM manage all access in the Open Telekom cloud landscape?

What standard IAM permissions are available?

How can I create custom IAM policies according to my needs?


Do you have any questions?

Are you interested in IAM or do you have any questions regarding IAM? I will be happy to answer your questions in a free consultation!

T-Systems International GmbH
Tino Fehnle

Picture of Tino Fehnle

New Features

OBS supports IAM granular access permissions in NLView Details
Identity and Accessmanagement (IAM) Version 2.6 ReleaseView Details
IAM's access permissions for the EVS are now also available in the NL regionView Details
Identity and Access Management (IAM) Version 2.7 ReleaseView Details

Find out more


Book now and claim starting credit of EUR 250* (code: 4UOTC250)

Take advantage of our consulting services!
Our experts will be happy to help you.
We will answer any questions you have regarding testing, booking and usage – free and tailored to your needs. Try it out today!

Hotline: 24 hours a day, seven days a week 
0800 3304477from Germany
+800 33044770from abroad

* Voucher can be redeemed until December 31, 2024. Please contact us when using the voucher for booking. The discount is only valid for customers with a billing address in Germany and expires two months after conclusion of the contract. The credit is deducted according to the valid list prices as per the service description. Payment of the credit in cash is excluded.

  • Communities

    The Open Telekom Cloud Community

    This is where users, developers and product owners meet to help each other, share knowledge and discuss.

    Discover now

  • Telefon

    Free expert hotline

    Our certified cloud experts provide you with personal service free of charge.

     0800 3304477 (from Germany)

    +800 33044770 (from abroad)

    24 hours a day, seven days a week

  • E-Mail

    Our customer service is available free of charge via E-Mail

    Write an E-Mail

  • AI Chat


    Our AI-powered search helps with your cloud needs.