{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-guides/machine/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Manage access for machine identities","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"manage-access-for-machine-identities","__idx":0},"children":["Manage access for machine identities"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can manage access for machine identities using the access controls described below."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["See the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/machine/quick_start_jwt_auth"},"children":["Quickstart"]}," for how to integrate your workload with MIM services."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"tag","__idx":1},"children":["Tag"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A Tag is an arbitrary string with no metadata or ID, used to manage access to secrets. Entities are assigned Tags in a one-to-many association, i.e. a single Ticket/Secret/Workload can be associated with several Tags. Each entity is associated with at least one Tag. 
A Workload can retrieve a Secret’s value only if the Client is associated with every Tag that the Secret is associated with."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"role","__idx":2},"children":["Role"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A Role is a system-assigned permission for the ticket. For example, this is used to determine whether the ticket can be used to register a client as a Ticket Factory (which can issue tickets to enroll new clients ad-hoc). This role is assigned by selecting the Orchestrator role."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"network-access-ranges","__idx":3},"children":["Network Access Ranges"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To access or use an entity, a Workload must authenticate from an IP address that matches at least one of the Network Access Ranges associated with the entity."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"expiry-date","__idx":4},"children":["Expiry Date"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["An entity cannot be used or accessed past its expiration date."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"status","__idx":5},"children":["Status"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["One of Active/Deactivated/Expired. Entities are created as “Active” by default, but their status can be changed manually at any point. 
Deactivated entities cannot be used or accessed until they are reactivated."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"workload-ttl","__idx":6},"children":["Workload TTL"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For a Ticket, this defines an upper limit on the amount of time from a Workload's authentication with this Ticket until it expires."]}]},"headings":[{"value":"Manage access for machine identities","id":"manage-access-for-machine-identities","depth":1},{"value":"Tag","id":"tag","depth":2},{"value":"Role","id":"role","depth":2},{"value":"Network Access Ranges","id":"network-access-ranges","depth":2},{"value":"Expiry Date","id":"expiry-date","depth":2},{"value":"Status","id":"status","depth":2},{"value":"Workload TTL","id":"workload-ttl","depth":2}],"frontmatter":{"title":"Managing access controls","excludeFromSearch":true,"markdown":{"toc":{"depth":2}},"seo":{"title":"Manage access for machine identities"}},"lastModified":"2025-11-18T11:57:52.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/machine/manage_access_controls","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}