From eb6e8e32ea609beda1401ab456d21af6c437b977 Mon Sep 17 00:00:00 2001
From: shirady <57721533+shirady@users.noreply.github.com>
Date: Mon, 24 Nov 2025 13:45:11 +0200
Subject: [PATCH] IAM | Block OBC Accounts From IAM API
Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
---
 src/endpoint/iam/iam_rest.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/endpoint/iam/iam_rest.js b/src/endpoint/iam/iam_rest.js
index 5b1bd1c0df..97b16d73b0 100644
--- a/src/endpoint/iam/iam_rest.js
+++ b/src/endpoint/iam/iam_rest.js
@@ -223,6 +223,12 @@ function authenticate_request(req) {
 async function authorize_request(req) {
 await req.account_sdk.load_requesting_account(req);
 req.account_sdk.authorize_request_account(req);
+ // we want to block OBC accounts from IAM API related to user management
+ // bucket_claim_owner is a property that we have only in OBC account in containerized deployments
+ if (req.account_sdk.requesting_account.bucket_claim_owner) {
+ dbg.error('OBC accounts are not allowed to perform IAM API actions');
+ throw new IamError(IamError.AccessDeniedException);
+ }
 }
 
 function parse_op_name(req, action) {
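Review bot: The `dbg.error` call in the new block logs a fixed message with no account identity, so a denied OBC request cannot be attributed when reviewing logs; pass the requesting account's identifier (whichever name/id field `req.account_sdk.requesting_account` exposes) as a second argument, e.g. `dbg.error('OBC accounts are not allowed to perform IAM API actions', 'account:', <account identifier>);`. The first added comment says the block targets "IAM API related to user management", but since `authorize_request` gates every IAM request the denial applies to all IAM actions; a more accurate comment would be `// block OBC accounts from all IAM API actions (authorize_request guards every IAM request)`. The check sits after `authorize_request_account`, which works as defense in depth, though placing it before that call would skip authorization work for a request that is denied regardless. The enclosing `authorize_request` starts and ends inside the hunk; whether any other IAM entry path bypasses this function cannot be seen from here.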