IAM Identity & Access Center
Build an enterprise unified identity authentication and fine-grained permission governance system, achieving “One Account, One Authentication, Access Anywhere”
Core Positioning
In a nutshell: IAM is the “Identity and Access Hub” for all business systems, centrally managing user authentication, authorization, and data permissions so that each subsystem no longer operates in isolation.
What Problems It Solves
| Pain Point | Traditional Approach | RuoYiPlus IAM Solution |
|---|---|---|
| Repeated logins across systems | Each system has its own login | Single sign-on (SSO): authenticate once, access all systems |
| Scattered permission management | Each system builds its own permissions | Unified RBAC + data permission engine |
| Uncontrollable security risks | Inconsistent password policies | Multi-factor authentication (MFA) + password policy + unusual-location login detection |
| Incomplete compliance auditing | Logs scattered across systems | Unified audit event collection, connected to the Audit Center |
Suitable Users
- Medium-to-large enterprises with multiple business systems requiring unified identity management
- Organizations needing MLPS Level 3 (Classified Protection of Cybersecurity) certification
- Platforms needing to integrate with third-party systems (OAuth/OIDC/SAML)
User Roles
```mermaid
graph TB
    subgraph "IAM User Roles"
        ADMIN["System Administrator<br/>Configure authentication policies, manage users"]
        SECURITY["Security Administrator<br/>Configure MFA, password policies"]
        DEV["Application Developer<br/>Integrate SSO, connect OAuth"]
        USER["Regular User<br/>Login authentication, access applications"]
    end
    ADMIN -->|Manage| USER_POOL["User Pool"]
    SECURITY -->|Configure| AUTH_POLICY["Authentication Policies"]
    DEV -->|Integrate| SSO_PROTOCOL["SSO Protocols"]
    USER -->|Use| LOGIN["Unified Login"]
```
Core Capabilities
SSO Single Sign-On Flow
```mermaid
sequenceDiagram
    participant User as User (browser)
    participant App1 as App A
    participant IAM as IAM Auth Center
    participant App2 as App B
    User->>App1: Access App A
    App1-->>User: Not authenticated, 302 redirect to IAM
    User->>IAM: Enter username/password
    IAM->>IAM: Verify credentials + MFA
    IAM->>App1: Issue JWT token (redirect back to App A)
    User->>App2: Access App B with the same token
    App2->>IAM: Verify token (signature, issuer, audience, expiry)
    IAM-->>App2: Token valid
    App2-->>User: Direct access, no re-login required
```
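The exchange above, worked through as an added example (illustration code, not RuoYiPlus's own implementation): the IAM side issues an HS256 JWT only after password verification and MFA, and a relying app verifies the signature, pinned algorithm, issuer, audience and expiry before letting the user in. The shared secret, the issuer URL, the client ids `app-a`/`app-b` and the function names are assumptions; a production deployment would sign with an asymmetric key (RS256/ES256) and publish the public key via JWKS so that apps never hold the signing secret.

```python
"""Minimal SSO token issuance and verification (HS256 JWT) for the flow above.

Illustration only, not RuoYiPlus code. issue_token/verify_token, the
issuer URL and the client ids are assumed names for this example.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Real deployments use a per-environment key, and an
# asymmetric key keeps the signing key out of the relying applications.
IAM_SECRET = b"constructed-demo-secret-do-not-use"
IAM_ISSUER = "https://iam.example.test"   # assumed issuer URL
REGISTERED_APPS = {"app-a", "app-b"}       # assumed client ids covered by SSO
ACCESS_TOKEN_TTL = 3600                     # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, mfa_done: bool, now: int) -> str:
    """IAM side: the 'Verify + MFA' step followed by 'Issue JWT token'."""
    if not mfa_done:
        raise PermissionError("MFA not completed")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": IAM_ISSUER,
        "sub": username,
        "aud": sorted(REGISTERED_APPS),  # every app this SSO session may reach
        "iat": now,
        "exp": now + ACCESS_TOKEN_TTL,
        "amr": ["pwd", "mfa"],           # authentication methods used
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(IAM_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, app_id: str, now: int) -> dict:
    """Relying app side (App B): accept the token without a new login only if
    every check passes. Raises ValueError on any failure so callers cannot
    mistake a bad token for a valid one."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; never let the token choose it (blocks alg=none/key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IAM_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != IAM_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if app_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

The audience check is what stops a token minted for one integration from being accepted by an unrelated application; the algorithm pin and constant-time signature comparison close the two classic JWT verification mistakes.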
Supported Protocols
| Protocol | Description | Use Case |
|---|---|---|
| OAuth 2.0 | Authorization framework | Third-party app authorization |
| OIDC | Identity layer based on OAuth 2.0 | Modern app SSO |
| SAML 2.0 | Enterprise federated identity | Traditional enterprise apps |
| LDAP | Lightweight Directory Access Protocol | Enterprise directory integration |
Multi-Factor Authentication (MFA)
| Authentication Method | Security Level | Description |
|---|---|---|
| Password + SMS OTP | ⭐⭐⭐ | Dynamic SMS verification code |
| Password + Email OTP | ⭐⭐⭐ | Email verification code |
| Password + TOTP | ⭐⭐⭐⭐ | Time-based one-time password |
| Password + Hardware Key | ⭐⭐⭐⭐⭐ | FIDO2/U2F, highest security |
The ratings reflect phishing resistance, not just factor count: SMS and email codes can be intercepted through SIM swap or mailbox compromise and, like TOTP, can be relayed by a real-time phishing proxy; a FIDO2 key binds its assertion to the site origin, so a relayed assertion fails.
Permission Model
```mermaid
graph TB
    A["User"] --> B["Role"]
    B --> C["Menu Permission"]
    B --> D["Operation Permission"]
    B --> E["Data Permission"]
    A --> F["Post"]
    F --> G["Role Inheritance"]
    F --> H["Data Scope"]
    subgraph "Data Permission Hierarchy"
        E1["User Level (Highest)"]
        E2["Role Level"]
        E3["Post Level"]
        E4["Dept Level (Lowest)"]
    end
    E --> E1
    E --> E2
    E --> E3
    E --> E4
```
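The model above, resolved in code as an added example (illustration, not RuoYiPlus's own permission engine): operation permissions are the union of a user's direct roles and the roles inherited through posts, while the data scope is taken from the highest level that has an explicit setting, User before Role before Post before Dept, and then turned into a parameterized row filter. The scope vocabulary (`ALL`, `DEPT_AND_CHILDREN`, `DEPT`, `SELF`), the dataclasses, the rule that the widest scope wins when several roles at one level disagree, and the column names in the filter are all assumptions for this example.

```python
"""Effective-permission resolution for the RBAC + data-permission model.

Illustration only, not RuoYiPlus code. Scope names, dataclasses, the
"widest scope wins within a level" rule and the column names are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed data-scope vocabulary, narrowest to widest.
SELF, DEPT, DEPT_AND_CHILDREN, ALL = "SELF", "DEPT", "DEPT_AND_CHILDREN", "ALL"
SCOPE_ORDER = [SELF, DEPT, DEPT_AND_CHILDREN, ALL]


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)  # e.g. "order:list"
    data_scope: Optional[str] = None


@dataclass
class Post:
    name: str
    roles: list = field(default_factory=list)  # roles inherited through the post
    data_scope: Optional[str] = None


@dataclass
class Dept:
    id: int
    parent_id: Optional[int]
    data_scope: Optional[str] = None


@dataclass
class User:
    id: int
    dept: Dept
    roles: list = field(default_factory=list)
    posts: list = field(default_factory=list)
    data_scope: Optional[str] = None


def effective_permissions(user: User) -> set:
    """RBAC: union of direct role permissions and post-inherited role permissions."""
    perms = set()
    for role in user.roles:
        perms |= role.permissions
    for post in user.posts:
        for role in post.roles:
            perms |= role.permissions
    return perms


def _widest(scopes) -> Optional[str]:
    configured = [s for s in scopes if s]
    return max(configured, key=SCOPE_ORDER.index) if configured else None


def effective_data_scope(user: User) -> str:
    """Walk User > Role > Post > Dept and return the first level with a setting.
    Nothing configured anywhere fails closed to SELF."""
    for level in ([user.data_scope],
                  [r.data_scope for r in user.roles],
                  [p.data_scope for p in user.posts],
                  [user.dept.data_scope]):
        scope = _widest(level)
        if scope:
            return scope
    return SELF


def subtree_ids(root_id: int, depts) -> set:
    """All dept ids under (and including) root_id; tolerates cyclic data."""
    by_parent = {}
    for d in depts:
        by_parent.setdefault(d.parent_id, []).append(d.id)
    seen, stack = set(), [root_id]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(by_parent.get(cur, []))
    return seen


def row_filter(user: User, depts):
    """Parameterized WHERE fragment for the user's effective scope. Values
    travel as bind parameters, never by string concatenation."""
    scope = effective_data_scope(user)
    if scope == ALL:
        return "1=1", []
    if scope == DEPT_AND_CHILDREN:
        ids = sorted(subtree_ids(user.dept.id, depts))
        return f"dept_id IN ({', '.join('?' * len(ids))})", ids
    if scope == DEPT:
        return "dept_id = ?", [user.dept.id]
    return "create_by = ?", [user.id]
```

Keeping the filter parameterized matters because the data-permission engine appends this fragment to every list query; a scope built by string formatting would turn a mis-configured dept name into an injection point.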
Technical Architecture
```mermaid
graph TB
    subgraph "IAM Module"
        AUTH["Auth Service<br/>Login/MFA/SSO"]
        USER_MGR["User Management<br/>Users/Departments/Posts"]
        ROLE_MGR["Role Management<br/>Roles/Permissions/Menus"]
        PERM_ENGINE["Permission Engine<br/>Data Permissions/Field Permissions"]
        AUDIT_CLIENT["Audit Client<br/>Event Reporting"]
    end
    subgraph "External Dependencies"
        REDIS["Redis<br/>Session/Token Storage"]
        DB["MySQL<br/>User/Permission Data"]
        SMS["SMS Service<br/>OTP Codes"]
        MAIL["Email Service<br/>OTP Codes"]
    end
    AUTH --> REDIS
    USER_MGR --> DB
    ROLE_MGR --> DB
    PERM_ENGINE --> DB
    AUTH --> SMS
    AUTH --> MAIL
```
Business Value
| Value Point | Description |
|---|---|
| One Authentication | SSO single sign-on, reducing repeated logins |
| Security Enhancement | Multi-factor authentication (MFA) + password policy + unusual-location login detection |
| Unified Permissions | RBAC + data permission engine, fine-grained control |
| Compliance Ready | Connected to the Audit Center, meeting MLPS (Classified Protection of Cybersecurity) requirements |