About Global IAM
Use Global IAM in App Management when a Global Administrator needs to review identity and API access across the AlloyScan instance.
This is different from Site Settings IAM, which manages users, app registrations, and SSO providers for one current Site.
Note: This page covers instance-level administration in App Management. It is used by Global Administrators.
Menu path
Admin Center > App management > IAM
The IAM group contains:
- Users
- App registrations
- SSO providers
Scope
| Surface | Scope | Typical actor |
|---|---|---|
| Site Settings > IAM | One current Site | Site Administrator |
| App management > IAM | Whole instance | Global Administrator |
Global IAM is primarily useful in multi-site deployments where the same instance hosts many tenant Sites.
Global Users
The global Users page lets a Global Administrator review users at the instance level. On deployments that expose all-site visibility, the page includes a mode such as Show site users.
When all-site visibility is enabled, the grid adds a Site column so the administrator can see which Site each user belongs to and navigate back to the Site-level context.
Global App registrations
The global App registrations page works the same way for API clients. When all-site visibility is available, a control such as Show site registrations exposes site-scoped registrations and adds a Site column.
Use this view for cross-tenant diagnostics, for example when an expired API client triggers banners or notification events and the owning Site must be identified.
Global SSO providers
Global SSO provider visibility is deployment-dependent. Treat this page as an instance-scope administration surface, but configure day-to-day SSO for a tenant at Admin Center > Site Settings > IAM > SSO providers unless your deployment explicitly directs global management.
Important constraints
- Global IAM visibility is not a third role model. The shipped site roles remain Administrator and User.
- Global all-site views are for instance-level oversight. Editing users or app registrations for a specific Site may require opening that Site's Site Settings IAM page.
- Feature flags can hide SSO provider surfaces entirely on deployments where SSO is disabled.