From f7530b0738f3307933812d82a5f91297bca12029 Mon Sep 17 00:00:00 2001
From: SG <212444234+sg-writer@users.noreply.github.com>
Date: Fri, 17 Oct 2025 13:07:33 -0700
Subject: [PATCH 1/2] initializing
---
iam/index.mdx | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/iam/index.mdx b/iam/index.mdx
index 10000708a5..101adc566d 100644
--- a/iam/index.mdx
+++ b/iam/index.mdx
@@ -14,7 +14,7 @@ IAM functionality enables you to:
- Configure single sign-on (SSO) to federate identity and SCIM to enable provisioning from your own IdP
- Administrate multiple ngrok accounts with a single user
-## Concepts
+## Features
Before diving into ngrok's IAM system, it's helpful to be acquainted with the
terminology and concepts ngrok uses to describe its IAM primitives.
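Review bot: Renaming `## Concepts` to `## Features` contradicts the unchanged lead-in directly under it, which still promises "the terminology and concepts ngrok uses to describe its IAM primitives", and the list that follows in the rest of the file is a glossary (Accounts, Users, Principals, Credentials), not a feature list. Either keep `## Concepts` or rewrite the intro sentence so the heading and the text agree.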
@@ -40,5 +40,12 @@ terminology and concepts ngrok uses to describe its IAM primitives.
email address to an Account.
- [**RBAC**](/iam/rbac/): Role Base Access Control is used to limit the permissions of what
actions a User may take within your account.
-- [**Account Domain Controls**](/iam/domain-controls/): Account Domain Controls are used to create
- policy on Users who log in or sign up with a given email domain.
+- [**Account Domain Controls**](/iam/domain-controls/): Account Domain Controls are used to create policy on Users who log in or sign up with a given email domain.
+
+## Use cases
+
+TK
+
+## What's next
+
+TK
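Review bot: The new `## Use cases` and `## What's next` sections land with `TK` placeholders; unless this branch is gated from publishing, those render verbatim on the live page, so either drop the two headings until content exists or fill them in this PR. While touching this block, the unchanged context line `Role Base Access Control` is a typo for `Role-Based Access Control` and is worth fixing here. Reflowing the Account Domain Controls bullet onto one line is fine, but it leaves that bullet as the only unwrapped item in a list that wraps every other entry; apply the same wrapping or reflow the whole list.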
From 17d47bdc8b40ceb1dc88d810a1150116d92f199c Mon Sep 17 00:00:00 2001
From: SG <212444234+sg-writer@users.noreply.github.com>
Date: Wed, 5 Nov 2025 13:58:36 -0800
Subject: [PATCH 2/2] match UG rewrite structure
---
iam/index.mdx | 95 ++++++++++++++++++++++++++++++---------------------
1 file changed, 57 insertions(+), 38 deletions(-)
diff --git a/iam/index.mdx b/iam/index.mdx
index 101adc566d..d5aeb150b3 100644
--- a/iam/index.mdx
+++ b/iam/index.mdx
@@ -1,51 +1,70 @@
---
-title: Identity and Access Management
-sidebarTitle: IAM
+title: Identity and Access Management Overview
+sidebarTitle: Overview
+description: Learn about ngrok's identity and access management system for managing credentials, enforcing access controls, and federating identity.
---
-## Overview
+ngrok includes a robust identity and access management (IAM) system that enables you to:
-ngrok includes a robust identity and access management (IAM) system. ngrok's
-IAM functionality enables you to:
-
-- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process).
+- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process)
- Enforce least-privilege access for each principal acting within your ngrok account
- Attribute all mutations to distinct principals in your ngrok account recorded in audit logs
- Configure single sign-on (SSO) to federate identity and SCIM to enable provisioning from your own IdP
- Administrate multiple ngrok accounts with a single user
-## Features
-
-Before diving into ngrok's IAM system, it's helpful to be acquainted with the
-terminology and concepts ngrok uses to describe its IAM primitives.
-
-- **Accounts**: ngrok Accounts are the containers in which you create and consume ngrok services.
-- [**Users**](/iam/users/): An Account contains one or more **Users**. Users are members of
- the Account who can take actions within it, like creating objects, start agents
- or making API requests. Users may be members of multiple accounts and are not owned by any single account.
-- [**Service Users**](/iam/service-users): Accounts also contain **Service Users** which are like Users but
- meant to be used for automated processes. Other systems may call these 'Service
- Accounts'.
-- [**Principals**](/obs/events/#principal-object): A principal is either a User or Service User. Principals are
- members of an Account that may take actions inside of it.
-- [**Credentials**](/iam/users/#credentials): These are the keys and tokens that Principals use to
- authenticate with the ngrok service. Types of Credential include Authtokens,
- API Keys, and SSH Public Keys.
-- [**Authtokens**](/agent/#authtokens): Principals begin Agent sessions and create Endpoints by
- authenticating with Authtoken.
-- [**API Keys**](/api/#authentication): Principals make API Requests by authenticating with an API Key.
-- [**SSH Public Keys**](/agent/ssh-reverse-tunnel-agent/#authentication): Principals create Endpoints via the SSH Reverse Tunnel
- Agent with an SSH Public Key.
-- [**Invitations**](/iam/users/#invitations): Invitations are a mechanism to add a new User with a given
- email address to an Account.
-- [**RBAC**](/iam/rbac/): Role Base Access Control is used to limit the permissions of what
- actions a User may take within your account.
-- [**Account Domain Controls**](/iam/domain-controls/): Account Domain Controls are used to create policy on Users who log in or sign up with a given email domain.
+## Concepts
-## Use cases
+Here are the core elements you should familiarize yourself with to make the most of ngrok's IAM system:
-TK
+
+
+ Manage human users who can log into the dashboard, start agents, create endpoints, and access the API.
+
+
+ Create dedicated credentials for automated processes that interact with your ngrok account programmatically.
+
+
+ Enforce least-privilege access by restricting what actions each user can take within your account.
+
+
+ Federate identity with your IdP and enable SSO authentication for dashboard access.
+
+
+ Enforce organization-wide account usage by requiring users with your email domain to use your account.
+
+
+
+## Use cases
-## What's next
+Here are some of the most common use cases for ngrok's IAM system:
-TK
+
+
+ Create Service Users for isolated agent management with authtokens and ACL restrictions.
+
+
+ Restrict developer permissions with RBAC and create user-specific authtokens with ACL rules.
+
+
+ Create Service Users and authtokens with ACL restrictions for secure remote access to edge gateways and servers.
+
+
+ Create Service Users and authtokens with ACL restrictions for secure remote access to IoT devices and services.
+
+
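Review bot: The rewritten `## Concepts` section drops the definitions of Accounts, Principals, Credentials, Authtokens, API Keys, SSH Public Keys and Invitations, yet the retained intro bullets still say "each principal" in the first three items, so the page now uses a term it never defines. For an IAM overview this is a regression: the removed lines were the only place that told a reader which credential type authenticates which action (Authtoken for agent sessions and endpoints, API Key for API requests, SSH Public Key for the SSH reverse tunnel agent), and the links to `/obs/events/#principal-object`, `/iam/users/#credentials`, `/agent/#authtokens`, `/api/#authentication` and `/agent/ssh-reverse-tunnel-agent/#authentication` vanish from this page with them. Suggest keeping a short "Principals and credentials" entry alongside the new cards, or retaining the glossary beneath them. Two smaller points: the Account Domain Controls card now says the feature works "by requiring users with your email domain to use your account", which is a stronger claim than the removed "create policy on Users who log in or sign up with a given email domain"; confirm the wording against `/iam/domain-controls/` before shipping. And the card wrappers with their titles and link targets are not visible in this rendering of the diff (only the description lines appear between blank `+` lines), so the href destinations could not be checked here; please confirm each card points at the page it replaced.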