Identity and Access Management (IAM)

Identity and access management (IAM) refers to the frameworks and procedures that provide the users of a technology with appropriate access to the technology’s resources (i.e. what a user is allowed to do and access within a system). It includes the processes for validating user identities and establishing the hierarchies they exist in.
IAM plays a critical role in the Energy Web tech stack. The IAM components are responsible for creating user identities and for defining and enforcing the governance structures that those identities participate in. These governance structures define the criteria that users must meet in order to take on roles within an application or organization, and provide the mechanisms to request, verify and issue those roles.

Energy Web's Approach to IAM (Self-Sovereign Identity)

The Energy Web IAM architecture is informed by and implements the principles of self-sovereign identity (SSI). SSI is a paradigm that promotes an individual’s control over their digital identity and how it is used. This is in contrast to traditional, centralized IAM approaches, where a third party is responsible for storing a user's identity and/or their data in a proprietary database.
Self-sovereign identity exists to address the shortcomings and vulnerabilities of centralized identity approaches. Some of these include:
  1. Users lack custody over their digital identity and its associated data (what data is shared and with whom).
  2. Applications and systems do not provide interoperability or portability of user data. User identifiers and data are typically sequestered within an application and are not accessible to the user outside of that context.
  3. Centralized systems are vulnerable to attack, resulting in exposure and dissemination of sensitive user data.
The two fundamental components of SSI, Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), also serve as the fundamental components of Energy Web's IAM framework.
  • Similar to a traditional 'username', a DID is a user's primary identifier in the Energy Web ecosystem. A DID is derived from the user's public key and is anchored on the Energy Web Chain in the DID Registry. See further documentation on DIDs in self-sovereign identity and the IAM stack here.
  • Verifiable credentials are digital credentials that can be verified cryptographically using public-key infrastructure. In the Energy Web ecosystem, verifiable credentials are used to authorize a user's or asset's enrolment into an application or organization. See further documentation on verifiable credentials in self-sovereign identity and the IAM stack here.
DIDs and Verifiable Credentials are used together within a framework of role-based hierarchies to create permissioning systems. You can read more about the role of DIDs and verifiable credentials in our governance framework here.

EW SSI Toolkit Architecture Diagram


Further Documentation

For further documentation on our IAM stacks: