iam-specialist

IAM Specialist

When to Use

  • Design workforce and machine identity lifecycle — joiner/mover/leaver, contractors, service principals
  • Model RBAC, ABAC, or PBAC entitlements, roles, and permission sets with least privilege
  • Run access reviews and recertification — campaigns, risk-based sampling, manager attestation
  • Architect SSO federation — SAML, OIDC, SCIM provisioning, app onboarding patterns
  • Implement privileged access — PAM vaulting, JIT elevation, session recording, break-glass policy
  • Author cloud IAM roles, policies, permission boundaries, trust relationships (AWS/GCP/Azure)
  • Govern service accounts and secrets — naming, rotation, no human keys, workload identity
  • Define separation of duties matrices and toxic-combination detection
  • Align IAM controls to audit and risk narratives (with GRC partners)
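
The separation-of-duties bullet above is the one item in this list that reduces to a mechanical check, so here is an added Python example (not code from the skill page or any IGA product) showing how toxic-combination detection is done over an entitlement catalog: walk each identity's flattened entitlements, flag every incompatible pair from the SoD matrix that it holds, and separate approved exceptions carrying a compensating control from open violations. The users, entitlement names, matrix, and exception register are constructed sample data standing in for an IdP/IGA export.

```python
"""Toxic-combination (SoD) detection over an entitlement catalog.

Added example, not code from the skill page or any IGA product. All data below
is constructed: users, entitlement names, the SoD matrix and the exception
register are placeholders standing in for an IdP/IGA export.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: identity -> entitlements currently held. Assumption: the
# export has already expanded role membership, so nested roles are flattened.
ENTITLEMENTS = {
    "alice":  {"ap.create_vendor", "ap.approve_payment"},
    "bob":    {"ap.create_vendor", "fin.read_reports"},
    "carol":  {"iam.grant_role", "iam.review_access", "hr.read_directory"},
    "dave":   {"prod.deploy", "prod.approve_change"},
    "svc-ci": {"prod.deploy"},          # machine identity, single duty
}

# SoD matrix: each incompatible pair and the abuse scenario it enables.
SOD_MATRIX = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}): "create and pay a fictitious vendor",
    frozenset({"iam.grant_role", "iam.review_access"}): "grant access and then certify it",
    frozenset({"prod.deploy", "prod.approve_change"}): "approve and ship one's own change",
}

# Approved exceptions keyed by (identity, pair). Each names a compensating
# control and an expiry; anything not listed here is an open violation.
EXCEPTIONS = {
    ("dave", frozenset({"prod.deploy", "prod.approve_change"})):
        "EXC-0042 (hypothetical): pipeline enforces a second approver; expires 2025-06-30",
}


@dataclass(frozen=True)
class Finding:
    identity: str
    pair: frozenset
    risk: str
    exception: Optional[str]

    @property
    def is_violation(self) -> bool:
        return self.exception is None


def find_toxic_combinations(entitlements, sod_matrix, exceptions):
    """Return one Finding per (identity, incompatible pair) actually held.

    Iterating the matrix instead of all pairs of held entitlements keeps this
    linear in the matrix size per identity, which matters for broad admin roles.
    """
    findings = []
    for identity in sorted(entitlements):
        held = entitlements[identity]
        for pair, risk in sod_matrix.items():
            if pair <= held:  # both sides of the conflict are held
                findings.append(Finding(identity, pair, risk, exceptions.get((identity, pair))))
    return findings


def summarize(findings):
    """Counts for the recertification campaign: open versus excepted conflicts."""
    return {
        "violations": sorted(f.identity for f in findings if f.is_violation),
        "excepted": sorted(f.identity for f in findings if not f.is_violation),
    }


if __name__ == "__main__":
    for f in find_toxic_combinations(ENTITLEMENTS, SOD_MATRIX, EXCEPTIONS):
        status = "VIOLATION" if f.is_violation else f"excepted ({f.exception})"
        print(f"{f.identity}: {' + '.join(sorted(f.pair))} -> {f.risk} [{status}]")
```

The exception register is deliberately keyed per identity and pair rather than per identity, so an approved exception for one conflict never silences a second one the same person later acquires; expiry dates in the register are what the review campaign re-attests.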

When NOT to Use

  • Multi-BU landing zone, CCoE, EA, or executive cloud governance → enterprise-cloud-architect
  • Org SCPs, CSPM, network segmentation, KMS program, detective controls → cloud-security-engineer
  • Access ticket fulfillment, key rotation runbooks, patching, restores → cloud-system-administrator
  • VPC/RDS/serverless build without IAM as the primary deliverable → cloud-engineer
  • SIEM/EDR deployment, WAF, broad security tooling → information-security-engineer
  • SOC 2 evidence pipelines and automated control checks → compliance-engineer
  • CI OIDC and pipeline scan gates only → devsecops
  • Inherent/residual risk scoring and risk register → security-risk-analyst
  • Authorized exploitation or pentest validation → penetration-tester
  • Legal interpretation, employment policy, or contract redlines → commercial-counsel

Related skills

Need | Skill
Cloud org guardrails, CSPM, network/KMS security | cloud-security-engineer
Cloud resource build and workload identity wiring | cloud-engineer
Day-2 IAM tickets, rotation, break-glass execution | cloud-system-administrator
Enterprise landing zone and CCoE governance | enterprise-cloud-architect
SIEM, EDR, encryption, security-as-code guardrails | information-security-engineer
GRC program, framework scope, audit coordination | compliance-specialist
Audit evidence automation from IdP and cloud APIs | compliance-engineer
CI/CD OIDC federation and pipeline least privilege | devsecops
Risk register, treatment, and executive heat maps | security-risk-analyst
Cloud framework evidence and residency packages | cloud-compliance-specialist
Security program strategy | cybersecurity

Core Workflows

1. Scope and governance model

Identity domains, RACI, and the boundaries with cloud security and operations. See references/iam_specialist_scope.md.

2. Identity lifecycle and access governance

Joiner/mover/leaver, provisioning, reviews, and exceptions. See references/identity_lifecycle_and_governance.md.

3. Entitlements and authorization models

RBAC/ABAC/PBAC design, role engineering, and SoD. See references/rbac_abac_and_entitlements.md.

4. Federation and SSO protocols

SAML, OIDC, SCIM, and SaaS onboarding. See references/federation_sso_and_protocols.md.

5. Privileged access and PAM

JIT, vaulting, break-glass, and session controls. See references/privileged_access_and_pam.md.

6. Cloud IAM and least privilege

Cross-cloud IAM patterns, policy review, and machine identity. See references/cloud_iam_and_least_privilege.md.

Outputs

  • Entitlement catalog — roles, permissions, owners, review cadence
  • Access review campaign — scope, attestations, remediation tracker
  • Federation design — trust, claims, MFA, provisioning flow
  • PAM policy — elevation paths, approval, monitoring, break-glass
  • Cloud IAM policy set — least-privilege JSON with trust boundaries documented
  • SoD matrix — incompatible duties, compensating controls, exceptions
  • Service account standards — creation, rotation, audit queries
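
The cloud IAM policy set listed above is where least privilege is either real or not, so here is an added Python example (not code from the skill page, AWS, or any scanning tool) that lints AWS IAM policy JSON the way a reviewer would before signing off on it: wildcard actions, write actions on `Resource: "*"`, `iam:PassRole` without an `iam:PassedToService` condition, Allow statements built on `NotAction`, and trust policies that let a whole account or a federated provider assume the role with no Condition at all. The weak and hardened documents, the account IDs and the bucket name are constructed samples, and the read-only verb heuristic is this example's own assumption, not an AWS classification.

```python
"""Least-privilege lint for AWS IAM policy JSON.

Added example, not code from the skill page, AWS, or any scanning product.
Policy documents, account IDs (123456789012, 210987654321) and the bucket name
are constructed samples; the read-only heuristic is an assumption.
"""
import json
import re

ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")
# Heuristic: actions whose verb is Get/List/Describe/Head are treated as reads.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe|Head)[A-Za-z]*$")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_policy(doc):
    """Findings for an identity or resource permissions policy."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants everything not listed")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        writes = [a for a in actions if not READ_ONLY.match(a)]
        if writes and "*" in resources:
            findings.append(f"{sid}: write actions {writes} on Resource '*'")
        if "iam:PassRole" in actions and "Condition" not in st:
            findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
    return findings


def lint_trust_policy(doc):
    """Findings for a role trust policy (who may assume the role)."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        has_condition = bool(st.get("Condition"))
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: assumable by any AWS principal")
            continue
        principal = principal if isinstance(principal, dict) else {}
        for arn in _as_list(principal.get("AWS")):
            if ROOT_PRINCIPAL.match(arn) and not has_condition:
                findings.append(f"{sid}: whole-account trust in {arn} with no Condition (e.g. sts:ExternalId)")
        if principal.get("Federated") and not has_condition:
            findings.append(f"{sid}: federated trust with no audience/subject Condition")
    return findings


# Constructed before/after pair: the same intent written two ways.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Data", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Data", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/reports-task",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}""")
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Partner", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::210987654321:root"}}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Partner", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::210987654321:role/reports-reader"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    for name, doc, fn in [("weak policy", WEAK_POLICY, lint_identity_policy),
                          ("hardened policy", HARDENED_POLICY, lint_identity_policy),
                          ("weak trust", WEAK_TRUST, lint_trust_policy),
                          ("hardened trust", HARDENED_TRUST, lint_trust_policy)]:
        print(name, "->", fn(doc) or "clean")
```

Feed it the `PolicyDocument` returned by `aws iam get-policy-version` and the `AssumeRolePolicyDocument` from `aws iam get-role`. The checks are a review aid for the documented trust boundaries, not a substitute for IAM Access Analyzer or the policy simulator: a statement can pass every heuristic here and still be wider than the workload needs.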

Principles

  • Identity is the perimeter — authenticate strongly; authorize minimally
  • No standing privilege — prefer JIT and time-bound elevation for admin
  • Prove every grant — reviews, logs, and SoD checks on sensitive entitlements
  • Humans ≠ machines — separate lifecycle, credentials, and audit trails
  • Federation fails closed — misconfigured trust denies access; monitor sync errors
  • Break-glass is rare, logged, and reviewed — not a daily admin shortcut