IAM
Datamotive's two identity layers — console users, roles, and SAML SSO; and the platform permissions Datamotive holds on VMware, AWS, GCP, and Azure.
- Product: Datamotive Platform
- Version: v2.0.3
Datamotive has two distinct identity layers: who can use the console and APIs (users, roles, privileges), and what Datamotive itself is allowed to do on the platforms it orchestrates (vCenter roles, cloud IAM principals).
Console identity
- Authentication is against the Management Server's local user store, with four default users (Administrator, DRadmin, Guest, SupportAdmin) whose passwords must be changed at first login.
- Authorization is role-based: privileges define rights on entities; roles bundle privileges; users hold roles. Default roles are Super Admin, Support Admin, DR Admin, and Read Only.
- SAML 2.0 single sign-on with Azure Active Directory (Microsoft Entra ID) is supported, including mapping IdP roles to Datamotive roles.
User management, role details, password reset, and the full SAML configuration procedure are in RBAC.
Platform identity
Datamotive nodes orchestrate replication, DR, and migration through platform-manager APIs using dedicated principals you create:
| Platform | Principal | Key scoping control |
|---|---|---|
| VMware | Dedicated vCenter role + service user | Privilege list limited to datastore, VM lifecycle, snapshot, replication, and tagging operations. |
| AWS | Dedicated IAM policy + user with access keys | Mutations conditioned on the Protected-By-Datamotive resource tag; launch limited to specific resource ARNs. |
| GCP | Service account with compute permissions | Explicit compute.* permission list plus the Service Account User role. |
| Azure | App Registration (tenant/client/secret) | Contributor and Storage Blob Data Contributor assigned at subscription or resource-group level. |
The complete privilege lists and setup steps are in Permissions. Credentials are entered when creating sites; sensitive values are encrypted before storage.
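The two scoping controls named in the AWS row, tag-conditioned mutations and launch limited to explicit ARNs, as an added illustrative Terraform policy document; this is not Datamotive's published policy (the authoritative action list is in Permissions), and the EC2 actions, the `Null` tag-presence test, and the REGION/ACCOUNT_ID placeholders are assumptions.

```hcl
# Illustrative least-privilege shape for the Datamotive AWS principal (added example,
# not Datamotive's published policy). The EC2 actions are real but chosen here as
# placeholders; the authoritative list is in the Permissions doc. REGION and
# ACCOUNT_ID are placeholders to substitute.
data "aws_iam_policy_document" "datamotive_scoped" {
  # Discovery: Describe* actions do not support resource-level scoping, so "*" is unavoidable here.
  statement {
    sid       = "Discover"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots"]
    resources = ["*"]
  }

  # Mutations: allowed only when the target already carries the
  # Protected-By-Datamotive tag (Null = false means "the tag key is present").
  statement {
    sid = "MutateTaggedOnly"
    actions = [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
      "ec2:DeleteVolume",
      "ec2:DeleteSnapshot",
    ]
    resources = ["*"]
    condition {
      test     = "Null"
      variable = "aws:ResourceTag/Protected-By-Datamotive"
      values   = ["false"]
    }
  }

  # Launch: RunInstances is granted against explicit resource ARNs rather than "*",
  # so the principal can only place instances into the listed account and region.
  statement {
    sid     = "LaunchScoped"
    actions = ["ec2:RunInstances"]
    resources = [
      "arn:aws:ec2:REGION:ACCOUNT_ID:instance/*",
      "arn:aws:ec2:REGION:ACCOUNT_ID:volume/*",
      "arn:aws:ec2:REGION:ACCOUNT_ID:network-interface/*",
      "arn:aws:ec2:REGION:ACCOUNT_ID:subnet/*",
      "arn:aws:ec2:REGION:ACCOUNT_ID:security-group/*",
      "arn:aws:ec2:REGION::image/ami-*",
    ]
  }
}
```

With this shape an untagged instance or volume stays outside the principal's reach even though the action itself is granted, which is the scoping the table describes. A working policy additionally needs an `ec2:CreateTags` grant so the node can apply the tag to resources it creates.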