
Release · v2026.06-rc5

FINOS-CCC/CCC.IAM.CP Capability Catalog

FINOS-CCC/CCC.IAM.CP

Capabilities for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.iam.cp --tag v2026.06-rc5
Coordinate: oci.grc.store/finos-ccc/ccc.iam.cp:v2026.06-rc5
Manifest digest: sha256:d11f7329bab26ae974ada8ce9593f504d14fa4fb07d469dec884d9a9bc65e623

Provenance

1 layer
Digest | Media type | Size
66f5309e22be… | application/vnd.gemara.artifact.v1+yaml | 6.4 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.IAM.CP",
            "type": "CapabilityCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.iam.cp",
            "tag": "v2026.06-rc5"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26771723499",
          "GITHUB_SHA": "a9503345caf59a144d8ab9b4bede212b393ca56a",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/identity/iam/capabilities.yaml",
            "uri": "file://artifacts/identity/iam/capabilities.yaml",
            "digest": {
              "sha256": "66f5309e22be2486be8f25828c0520fbbc20510a2603b0c2cde5642c77e8bd64"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@a9503345caf59a144d8ab9b4bede212b393ca56a",
            "digest": {
              "gitCommit": "a9503345caf59a144d8ab9b4bede212b393ca56a"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26771723499",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26771723499-1",
          "startedOn": "2026-06-01T17:47:57.993179811Z",
          "finishedOn": "2026-06-01T17:47:58.104791751Z"
        },
        "byproducts": [
          {
            "name": "capabilities.yaml",
            "digest": {
              "sha256": "66f5309e22be2486be8f25828c0520fbbc20510a2603b0c2cde5642c77e8bd64"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "capabilities.yaml",
      "type": "CapabilityCatalog",
      "id": "CCC.IAM.CP",
      "role": "artifact"
    }
  ]
}

CCC Identity and Access Management Capabilities

Capabilities for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.IAM.CP
Version: v2026.06-rc5
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.IAM.CP01 Global Identities

    IAM identities are global across all regions. They are created and managed from a single global namespace.

  2. CCC.IAM.CP02 IAM Users

    Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application.

  3. CCC.IAM.CP03 Long-Term Credentials

    Ability to create, manage, list and delete long-term credentials such as access keys and service account keys.

  4. CCC.IAM.CP04 Password Management

    Ability to create, change and delete IAM user passwords.

  5. CCC.IAM.CP05 IAM Groups

    Ability to create, manage, list and delete IAM groups. An IAM group is a collection of users, roles or other groups.

  6. CCC.IAM.CP06 IAM Roles / Service Principals

    Ability to create, manage, list and delete IAM roles. An IAM role is an identity that applications or services use to access resources.

  7. CCC.IAM.CP07 Managed Identities

    An identity assigned to cloud resources (e.g., VMs, Functions) and managed by the cloud vendor.

  8. CCC.IAM.CP08 Federated Identity - SAML

    Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles.

  9. CCC.IAM.CP09 Federated Identity - OIDC

    Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles.

  10. CCC.IAM.CP10 Custom Roles

    Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that define which actions are allowed.

  11. CCC.IAM.CP11 Resource-Level Access

    Ability to restrict where actions are allowed, rather than granting them across the entire service. This defines the scope of the assignment.

  12. CCC.IAM.CP12 Policy Conditions

    Ability to use conditions to add further restrictions to the permission being granted. This allows access control rules to apply only when certain conditions are met.

  13. CCC.IAM.CP13 Temporary Credentials

    Ability to grant short-lived security credentials that provide access to resources for a limited period of time. These credentials are typically issued for a specific session or task and expire after a predefined duration.

  14. CCC.IAM.CP14 Multi-Factor Authentication (MFA)

    Support for enforcing MFA on user accounts and roles. Essential for securing root/admin users.

  15. CCC.IAM.CP15 Role Assumption / Delegation

    Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation.

  16. CCC.IAM.CP16 Access Boundaries

    Ability to define a boundary around the maximum effective permissions allowed for an identity at a higher level.

  17. CCC.IAM.CP17 Deny Permissions by Default

    By default, no identity (user, group, role, service) has access to any resource, unless explicit permissions are granted.

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.IAM.CP18 Audit Tooling

    Tools to simulate or analyze the permissions used by a role, and the ability to export reports of who has access and whether that access is being used. These tools increase the visibility, auditability and compliance of identities.