Stats
Actions
Tags
From platform-design
Define the core IAM groups and roles for the platform team itself — the groups that govern access to platform-owned sectors (e.g., Platform, Security). Produces a machine-readable IAM definition document covering `Role("operator")`, `Role("admin")`, `Role("contributor")`, and `Role("reader")` groups per (Sector, Tier) combination, with JIT escalation policies and Workload Identity requirements. Use before provisioning cloud IAM resources or configuring a JIT tool.
How this skill is triggered — by the user, by Claude, or both
Slash command
/platform-design:define-core-iamThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Design
Design
Produce a core IAM definition document — a declarative record of all groups and roles the platform team needs to operate the platform-owned sectors. This document is the input for the cloud-specific IAM provisioning skills (manage-azure-iam, manage-aws-iam, manage-gcp-iam) and the Kubernetes RBAC skill (manage-k8s-iam).
The output must be concrete: every group named, its membership policy stated, its access level and scope defined, and its JIT escalation behaviour specified.
When writing configurations or documentation, you MUST strictly adhere to the structural notation and types defined in the book. Before proceeding, read the following reference files:
references/notation.mdreferences/types.mdBefore proceeding, ask the user (or infer from context):
design-segmentation skill.)Sector("platform")s in scope: Typically Platform (CI/CD, monitoring, identity tooling) and optionally Security (SIEM, log archives, audit systems). Confirm which are present.Role("operator") roles.Role("admin"), Role("contributor"), Reader). At minimum, identify who holds Role("admin") access.If the user cannot answer all questions, proceed with available information and note assumptions explicitly in the output.
For each platform-owned sector and each tier, derive the standard four groups from the role taxonomy:
| Group Name Pattern | Role | Target | Membership Policy |
|---|---|---|---|
{sector}-{tier}-operator | Role("operator") | Non-human | CI/CD runner identity only — no human members |
{sector}-{tier}-admins | Role("admin") | Human | JIT-only. Justification required. Approval may be required for Tier("live"). |
{sector}-{tier}-contributors | Role("contributor") | Human | JIT for Tier("live"). Standing in Tier("sandbox") for platform engineers. |
{sector}-{tier}-readers | Role("reader") | Human | Standing access — granted to all platform team members |
Apply this pattern to each (Sector, Tier) combination. Example output for a Sector("platform") with Tier("sandbox") and Tier("live"):
platform-sandbox-operatorplatform-sandbox-adminsplatform-sandbox-contributorsplatform-sandbox-readersplatform-live-operatorplatform-live-adminsplatform-live-contributorsplatform-live-readersIf a Sector("security") exists, generate the equivalent set. Sector("security") Tier("live") groups should have stricter escalation policies — Role("admin") access requires two-party approval.
Role("operator") Identity RequirementsFor each {sector}-{tier}-operator group, define the Workload Identity Federation trust policy:
repo:*.Document the claim conditions that will be used in the cloud trust policy (subject, audience, issuer).
For each Role("admin") and Role("contributor") group, define the escalation policy:
Role("reader") group.)Tier("sandbox") Role("contributor")).Role("contributor"), 2 hours for Role("admin").Tier("live"). Optional for Tier("sandbox").Tier("sandbox") Role("contributor"): self-approveTier("live") Role("contributor"): self-approve with justificationTier("sandbox") Role("admin"): peer approvalTier("live") Role("admin"): peer approval + mandatory justificationSector("security") Tier("live") Role("admin"): two-party approvalMap these policies to the JIT tooling in use (Azure PIM eligible assignments, AWS Identity Center permission sets, Teleport access requests).
For each human-facing group (Role("admin"), Role("contributor"), Reader), record the initial members:
Role("reader") access to all platform sectors and tiers.Role("contributor") escalation.Role("admin") escalation.Always list individuals by email or username — never add a group to another group. This preserves the audit trail and makes least-privilege enforceable.
The platform sector's monitoring and observability tooling often requires read access to business sector resources (e.g., reading metrics from the Sector("ecommerce")). Define any cross-sector read grants:
Role("reader") access outside their own sector?Document these as explicit grants — do not assume cross-sector access is implicit.
Review the draft against the core IAM principles:
Role("operator") groupTier("live") (Role("contributor") and Role("admin") are JIT-only in Live)Role("operator") trust conditions are scoped to the minimum necessary CI/CD identityFlag any violation and propose a remediation.
Present the complete group matrix to the user. Ask:
Role("operator") trust condition correctly reflect the CI/CD system in use?Iterate until the user is satisfied, then produce the final document.
Produce a YAML document named core-iam.yaml with this structure:
``yaml
identity_provider: entra-id # or: okta, google-workspace, other jit_tool: azure-pim # or: aws-identity-center, teleport, none
sectors:
cross_sector_reads:
Accompany the YAML with a brief human-readable summary (a Markdown section) explaining the group matrix, the escalation policy, and any assumptions made.
Role("reader") by default: Every platform team member receives standing Role("reader") access. Write access is never standing in the Tier("live").Role("operator") groups are non-human: If a human is listed in an Role("operator") group, it is a misconfiguration, not a feature.Role("operator") identities must use federated tokens. Long-lived keys are an anti-pattern.This skill is grounded in Chapter 5: Identity and Access Management of Crafting Platforms.
npx claudepluginhub craftingplatforms/ai --plugin platform-designBuilds least-privilege IAM setups: roles, policies, service accounts for cloud services. Generates IaC using Terraform, Pulumi, CloudFormation.
Design and implement least-privilege IAM policies for cloud and on-premise environments.
Build IAM from scratch — roles, policies, service accounts with least privilege. Use when asked to "set up IAM", "create roles", "service accounts", or "access control".