# Security

Lenses includes a built-in IAM model. Use it to control what users and service accounts can do.

Permissions are assigned through groups and roles. Policies define which actions are allowed or denied on specific resources.

## How IAM works

Use this flow to grant access:

1. Create a group.
2. Add one or more roles to that group.
3. Add policies to each role.
4. Add users or service accounts to the group.

{% hint style="info" %}
Users and service accounts inherit permissions from their group membership. You cannot assign roles directly to an individual account.
{% endhint %}

## Managing IAM resources

Open **IAM** from the left navigation to create and manage groups, roles, users, and service accounts.

Use the navigation tree to browse resources. Open items in tabs to inspect, update, or delete them.

You can create resources from either the listing view or the action buttons in the navigation tree.

<figure><img src="/files/9cqixRdLKW7pYqLJKP2K" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eo15ppf3lPsfENFRVwJ9" alt=""><figcaption></figcaption></figure>

## Groups

Groups are containers for:

* users
* service accounts
* roles

A group does not hold permissions by itself. Permissions come from the roles attached to that group.

## Roles

Roles collect permissions that you want to reuse.

Add one or more policies to a role. Then attach that role to a group.

Use roles to keep access consistent across teams and services.

### Policies

Policies define what a user or service account can do on a resource.

Each policy combines:

* one or more `action` values
* a `resource` scope
* an `effect`

#### Actions

An action is the operation a user or service account can perform.

Use the format:

```
service:operation
```

Example:

```yaml
policy:
  - action:
      - kafka:ListTopics
```

Use `*` to match all actions.

For the full action list, see [Permission Reference](https://docs.lenses.io/latest/user-guide/iam/iam-reference).

#### Resource

A resource limits a policy to a specific entity or set of entities.

For example, to scope access to topics that start with `red`, use the `resource` field with a matching value.

Use `*` to match all resources.

For supported resource formats, see [Permission Reference](https://docs.lenses.io/latest/user-guide/iam/iam-reference).

#### Effect

The effect decides whether a policy grants or blocks access.

Supported values are:

* `allow`
* `deny`

If an action is not explicitly allowed, it is denied by default.

If any matching policy sets `deny`, that deny takes precedence.

#### Example policy

This example shows the common policy shape:

```yaml
policy:
  - name: red-topic-reader
    effect: allow
    resource: red*
    action:
      - kafka:ListTopics
```

Check the permission reference for the exact schema and supported values.

For a full reference, see [IAM Reference](/latest/user-guide/using/security/iam-reference.md).

For example policies, see [Example Policies](/latest/user-guide/using/security/example-policies.md).
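The evaluation rules under Effect (default deny, and deny taking precedence over any matching allow) can be modelled to review what a set of policies grants before it is attached to a role. This is an added example, not Lenses code: the `decide` function, the `*`-only wildcard matcher, the `block-red-secrets` policy and the `kafka:SomeOtherAction` name are assumptions made for illustration.

```python
import re

def _matches(pattern: str, value: str) -> bool:
    """Assumed matching rule: `*` is the only wildcard, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def decide(policies, action, resource):
    """Return (decision, name of the deciding policy or None) for one request."""
    allowed_by = None
    for p in policies:
        if not any(_matches(a, action) for a in p["action"]):
            continue
        if not _matches(p["resource"], resource):
            continue
        if p["effect"] == "deny":
            return "deny", p["name"]        # any matching deny takes precedence
        if p["effect"] == "allow" and allowed_by is None:
            allowed_by = p["name"]          # remember, but keep looking for a deny
    if allowed_by is not None:
        return "allow", allowed_by
    return "deny", None                     # nothing allowed it: denied by default

# Constructed sample: every policy reaching one account through its groups' roles.
POLICIES = [
    {"name": "red-topic-reader", "effect": "allow",
     "resource": "red*", "action": ["kafka:ListTopics"]},
    {"name": "block-red-secrets", "effect": "deny",   # hypothetical policy
     "resource": "red-secrets*", "action": ["*"]},
]

# Constructed requests; kafka:SomeOtherAction is a placeholder, not a real action name.
REQUESTS = [
    ("kafka:ListTopics", "red-orders"),
    ("kafka:ListTopics", "red-secrets-pii"),
    ("kafka:ListTopics", "blue-orders"),
    ("kafka:SomeOtherAction", "red-orders"),
]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        decision, by = decide(POLICIES, action, resource)
        print(f"{action:24} {resource:18} -> {decision:5} ({by or 'default deny'})")
```

The result does not depend on policy order: an allow listed first is still overridden by a deny listed later.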

## Users

Users are human accounts that sign in to Lenses.

Assign each user to one or more groups. The user inherits the permissions of those groups.

## Service Accounts

Service accounts are non-human identities for applications and automation.

Assign service accounts to groups in the same way as users. They inherit the permissions of those groups.

Use service accounts for integrations, scheduled jobs, and CI/CD workflows.

{% hint style="info" %}
Use separate service accounts per application or workload. This keeps permissions scoped and makes access easier to review.
{% endhint %}

### API Calls <a href="#api-calls" id="api-calls"></a>

When calling the Lenses APIs, send the service account token in the `Authorization` header:

```
Authorization: Bearer <service_account_token>
```


