The page has been translated by Gen AI.

Configuration

In the configuration module, PM and PL group users can manage projects, and tenant administrators can set approval routes and organizational charts.

Project

In the Project menu, users can view all projects they belong to. The project details are initially registered by the PM, and can be edited by the PM or PL group users as needed.

Create Project

To create a project, click the Create Project button and enter the project information.

  1. Project Name: Assign a name to the project.
  2. PM: Assign a project manager who can manage the project’s related information and permissions. Note that if you assign someone other than yourself, you will no longer be able to manage the project after creation.
  3. Organization: Choose the organization that will carry out the project.
  4. Description: Enter a description of the project.

View project

On the Project View screen, PM or PL group users manage project information and can add CSP accounts and users to the project.

  1. General Information: Project Creation screen displays the registered project information.
  2. Edit: Click the Edit button to modify the project’s general information.
  3. Delete: Click the Delete button to delete this project.
  4. User: Displays a list of users registered in the project.
  5. Cloud Account: Shows the list of accounts registered in the project.

Cloud Account Management

PM and PL group users can add new accounts to a project or delete accounts that are no longer used.

Add AWS account

CAM supports a keyless method to enhance security when connecting cloud accounts. To register an account, you must create a new role in the AWS IAM service with the policy required by CAM. You can create the role in AWS by following the steps below.

  1. Access AWS IAM service
  2. Click Create Role in the Roles menu
    • After accessing Access Management > Roles, click Create to go to the Create Role screen.
  3. Create Role > Step 1: Trusted Entity selection This step is for entering CAM account information.
    • Select AWS account and Another AWS account in order, then enter the CAM account ID 022499039571 in the account ID.
  4. Create Role > Step 2: Add Permission Assign the CAM policy to the newly created role.
guide

Search for the item, select the relevant policy, and proceed to the next step.

  • IAMFullAccess
  • AmazonEC2FullAccess
  • AmazonRDSFullAccess
  • AWSCloudTrail_FullAccess
  • AmazonS3FullAccess
  • AmazonEventBridgeFullAccess
  1. Create Role > Step 3: Name, Confirm, Create Enter the role name and click the Create Role button to complete role creation. ※ This role name is used as Role Name when registering an account in CAM.
guide

When role creation in IAM is complete, return to the Project View screen in CAM and register an account in CAM. Click the Add button above the account list and enter account information to register the account to the project. Completing account registration requires an approval process. To proceed with the approval process, press the Create Approval button to initiate approval, which is sent to an approval system such as Knox for processing. Once approval is complete, you can see the newly registered account in the account list.

  1. CSP: Select CSP.
  2. Environment: Select the service environment.
  3. Account Name: Assign a name to the account.
  4. Account ID: Enter the account ID registered in AWS and click the ‘Verify’ button to confirm.
  5. AWS type: Set to ON if the account is a China account.
  6. Role Name: Enter the role name created in AWS IAM.
Reference
Account registration policies vary by tenant. Depending on the tenant’s policy, an account may be restricted to registration in only one project.
  1. Title : It is automatically entered by the system and cannot be edited.
  2. Approver: The system automatically adds an approval line, and you can add approvers and co‑signers according to the approval guide.
  3. Content: Account information is entered automatically by the system and cannot be edited.

Add SCP account

PM and PL group users can add a new SCP account to a CAM project via the Add Account button on the View Project page. CAM supports a keyless connection method to enhance security, so credentials are not exchanged directly when registering an account. Before you begin, verify that the required settings have been completed in the SCP console.

Reference
SCP includes both the SCP for Samsung and SCP for Enterprises environments. Depending on the user’s CSP permissions or choices, the prerequisites and steps for adding an account are the same for both environments.

Step 1. Pre-configuration (One-time trust setup for CAM account) Before adding an SCP account to CAM, verify that the following configuration has been completed on the SCP side. This setting enables CAM to securely access the target project and validate the account information.

First, if the policy has not already been created according to the steps described in the manual, you need to set it up. Then approve the CAM account through the permission group and add members.

  1. Create policy for CAM access
  • Go to the SCP console.
  • After logging in, navigate to the IAM > Policies section in the SCP console.
  • Create a policy with the name ‘CAM_Linked_Policy’.

Create a new policy that includes the permissions required for CAM operation according to the table below.

IDActionReason
[Platform] Permission ManagementList, Read, Create, Delete, Update PermissionCreate/Delete Policy, Assign Policy to Role
[Platform] Resource ManagementList, ReadView List, SCP Details
[Platform] Tag ManagementList, ReadView Tag List/Information, etc.
[Platform] Project ManagementList, ReadAssigned Project List/Information
Table. Policy creation items for CAM access

  • Or you can also add policy requirements in JSON mode.
  • Since you can link permission groups and roles later, complete the policy creation without checking anything.
  1. CAM account approval through permission groups
  • After a policy is created, link it to the CAM system account using a permission group.
  • Step-by-step:
    • IAM > Go to Permission Groups.
    • Create a new permission group (e.g., CAM-Access-Group).
    • Create a permission group named ‘CAM_Linked_Group’.
    • Attach the CAM policy created above to this group.
    • When adding a user to a project, the user is linked to a permission group, so you can complete the creation of the permission group without verifying the user at this time.
  1. Assign permission group to CAM service account
  • Go to the project members section of the SCP console.
  • Add the required account as a member of the target project.
  • This account represents CAM and is used for integration.
  • Select the target project for addition > Identity and Access Management > Add User > Add Project Member > Proceed to add an SCP user to the target project.
  • Proceed with adding project members.
    • Search for a CAM user using the email address cam.app@samsung.com.
    • Click the ADD button to select a cam.app user.
    • Add an available user from the list, or you can also search for a user using the search function.
  • Search for users to add as project members.
    • Select the permission group called ‘CAM_Linked_Group’ that you created above and complete the project member addition task.
  • Connect a permission group to complete adding project members.
  • After completing the above steps, return to the project view screen in CAM and add an SCP account.

Step 2. Add an account in the CAM console

  • In CAM, go to View Project > Manage Accounts.
  • Click the Add Account button.
  • Enter the following information in the popup window that opens:
    • CSP and Environment Selection
      • CSP: Choose either SCP for Enterprises or SCP for Samsung.
      • Environment: Select the environment to which this account belongs (e.g., DEV, STG, PRD, or ETC).
    • Enter account information
      • Account name:
        • Enter a name to identify this account within CAM.
        • You can enter up to 50 characters.
        • Only English letters and numbers are allowed.
      • Project ID (in the SCP console):
        • Enter the project ID of the SCP project you prepared earlier.
        • Allowed characters: only English alphabet letters, numbers, and hyphens.
        • Maximum: 30 characters
    • Enter the project ID and click the Confirm button. CAM checks the following:
      • Whether the project exists in SCP.
      • Check if the required roles (cam-Administrator, cam-Operator, cam-Developer) exist.
      • Ensure that the project is not already registered in another CAM project or awaiting approval.
      • If any of the above conditions is not met, a validation message will be displayed.

Step 3. Create Approval When the project ID is verified and the other information is completed, the Create Approval button becomes active.

Click this button to send the account addition request as an approval request. Depending on the CAM settings, you can manually select an approver or have the system automatically route it to the default approver.

Once approval is completed, the SCP account will appear in CAM’s project account list.

Add Azure account

Before adding an Azure account to CAM, you must complete the following configuration steps in Microsoft Entra ID and the Azure Portal. These steps must be performed by the tenant administrator.

Step 1. Prerequisite setup (One-time trust configuration and domain configuration for CAM accounts) This step ensures that CAM is trusted within the target Azure tenant and has the necessary access permissions. This step must be completed by the tenant administrator before adding an Azure account to CAM.

These pre-configurations are divided into two sections:

  • Trust configuration
  • Domain configuration

Trust configuration for CAM accounts This step ensures that the CAM is trusted within the target Azure tenant and has the necessary access permissions. It must be performed by the tenant administrator of the target Azure tenant. The purpose is to grant the CAM the required permissions to access features within Microsoft Entra ID.

To enable CAM to integrate with Azure, the tenant administrator must open the CAM Admin Consent URL. This URL triggers the consent dialog in the Microsoft Entra Admin Center, where the administrator can approve the permissions requested for CAM.

  • Retrieve the tenant ID.

The CAM Admin Consent URL includes the App Client ID associated with a specific tenant. Before using it, you must verify the tenant ID of the target Azure tenant.

  • How to find the tenant ID:
    • Log in to the Azure Portal.
    • From the left navigation menu, go to Microsoft Entra ID.
    • Find the tenant ID field on the Overview tab (first screen).
    • Copy the tenant ID to use for the Admin Consent URL.
  • Access the CAM Admin Consent URL.

    • Open the CAM Admin Consent URL in a web browser. (https://login.microsoftonline.com/{Your_Tenant_ID}/adminconsent?client_id=39613ae7-2fd4-4f3c-9471-aba2391da0b5)

      Replace the {Your_Tenant_ID} placeholder in the URL with the actual tenant ID you copied earlier.

    • When the prompt appears, select the Global Administrator account of the target tenant.

    • This account must have the highest administrative privileges in the tenant.

    • Please review the displayed consent agreement. This agreement specifies the exact authority that will be granted to CAM.

    • If you agree, click “Accept” to approve the integration.

    • By completing this step, CAM can access tenant-level features in Microsoft Entra ID.

    • No Subscription Access Yet: In this step, CAM does not receive access permissions to the Azure subscription. Subscription-level access permissions are configured separately in later steps (creating management group roles and assigning subscription roles).

  • After granting consent, verify the CAM application registration.
    • In Azure Portal, go to Microsoft Entra ID → Enterprise Applications.
    • Search for the CAM application.
    • Verify that the CAM app appears in the list and is correctly registered.
Reference
It provides tenant-level recognition to CAM when granting admin consent.

CAM Account Domain Settings In Azure, a domain connection is required so that users can authenticate via email and integrate with CAM’s Keycloak authentication. The domain configuration process consists of the following two main steps:

ProcessExecutorfrequency
Domain creationTenant admin or PM/PLOnce per tenant (may be repeated for a new domain as needed)
Register a domain in an Azure tenantTenant adminOnce per tenant (unless additional domains are added later)
Table. CAM account domain configuration steps

Create Domain You can create a public domain using a DNS service that can create TXT records (e.g., AWS Route 53, SCP DNS). This guide uses SCP DNS as an example.

  • Tasks before creating a domain
    • Log in to SCP DNS.
      • After accessing the SCP console, navigate to the DNS menu.
    • Starting public domain purchase.
      • Click the product request button.
      • This action opens the purchase form.
    • Enter the details for the domain purchase form.
      • Usage type: select ‘Public’.
      • Domain name: Enter the desired public domain name.
      • Registrant information: Enter name, email, address, and phone number.
      • Description and designated fields
      • Payment information is displayed before purchase confirmation.
    • Purchase Confirmation
      • Confirm the final payment amount.
      • Click the following to verify.
    • Check DNS status
      • After creation, the domain appears in the SCP DNS list.
      • Wait until the status shows “active”. This indicates that it is now publicly available.
      • Now there is an activated public domain, and you can connect it to an Azure tenant to perform user authentication.

Register domain in Azure tenant

Now that we have a public domain, we need to connect it to Microsoft Entra ID for authentication.

  • Pre-domain configuration tasks (Azure tenant)

    • Log in to the Azure Portal with a tenant administrator account.
    • Microsoft Entra ID → Go to custom domain name.
    • Click +Add Custom Domain.
    • Enter the public domain name (created in SCP).
    • Click Add Domain.

  • Create a TXT record for the domain (Azure → SCP DNS).

    • After adding a domain in Azure:
      • Azure displays the TXT record value that must be added to the DNS settings to verify domain ownership.
      • Copy the TXT record value in Azure.

  • Add TXT record to SCP/Domain Host

    • After accessing SCP DNS, select the active public domain.
    • Click Add Record.
    • Record Type: Select TXT.
    • Value: Paste the TXT record value copied from Azure.
    • TTL(Time to Live): Select according to preference.
    • Click Confirm.
    • Check whether the record appears in the domain’s DNS list.

  • Domain verification in Azure

    • Return to the Azure Portal, select Microsoft Entra ID, and then select Custom Domain Names.
    • Initially, the domain status is shown as “Unverified”.
    • Click the domain, then click the “Verify” button.
    • When Azure detects the TXT record (propagation may take a few minutes), the status changes to “Verified”.
    • The public domain is now officially linked to the Azure tenant.

Step 2. Add an account in the CAM console

  • In CAM, go to View Project > Manage Accounts.
  • Click the Add Account button.
  • Enter the following information in the popup window that opens:
    • CSP and environment selection
      • CSP: Select Azure.
      • Environment: Select the environment to which this account belongs (e.g., DEV, STG, PRD, or ETC).
    • Enter account information
      • Account name:
        • Enter a name to identify this account within CAM.
        • You can enter up to 50 characters.
        • Only English letters and numbers are allowed.
      • Tenant ID (in Azure portal):
        • Enter the tenant ID.
        • Allowed characters: only English letters, numbers, and hyphens.
        • You can enter up to 36 characters.
        • When you click Verify, CAM checks the following:
          • Check that the subscription ID format is correct.
          • Validate Azure to confirm that it actually exists.
          • The subscription ID field is enabled only after the tenant ID has been validated.
      • Subscription ID (in Azure portal):
        • Please enter the subscription ID.
        • Only English letters, numbers, and hyphens are allowed.
        • You can enter up to 36 characters.
        • When you click Verify, CAM checks the following.
          • Check that the subscription ID format is correct.
          • Check whether the subscription ID is already linked to another CAM project.
          • Check if the subscription ID is already registered or if an approval request is pending.
          • The federation domain field is enabled only after the subscription ID has been verified.
      • Federation domain (in Azure portal):
        • Please enter the federation domain.
        • Only English letters, numbers, hyphens, and periods are allowed.
        • You can enter up to 48 characters.
        • When you click Verify, CAM checks the following.
          • Check whether the federation domain format is correct.
          • Verify that it matches the existing validated domain registered in the Azure domain configuration.

Step 3. Create Approval When all fields are validated and the details are completed, the Create Approval button becomes active.

Click this button to submit an account addition approval request. Depending on the CAM settings, you can manually select an approver or have the system automatically route it to the default approver.

When approval is complete, the Azure account will appear in CAM’s project account table.

Delete account

Click the Delete button in the View Account section to delete accounts that are no longer in use.

User Management

PM and PL group users can add or remove users from a project. Only users registered in the project can be granted and managed console and resource access within that project, so users who need console or resource access must be registered as project users.

Add user

Click the Add button above the user list to add a user to the project.

  1. Name: Search by the user name registered in CAM.
  2. Group: Select the user’s group.
  3. PL : can manage project-related information and have the same permissions as the project manager.
  4. Operator, Developer: Users who can view project-related information and request resource permissions; they are categorized for role management within the project, but in the CAM portal they have identical permissions.

Delete User

Select the user to delete from the user list and click the Delete button. After a user is deleted, the deleted user can no longer view project-related information.

Notice

The announcements section allows tenant administrators to create and manage notices for users within the tenant. These notices are displayed in the GNB announcement panel. Multiple notices can be active simultaneously. Each notice may include a title, detailed description, optional attachment, and a specified display period.

Create Notice

To create a notice, click the Create button on the list page. On the Create Notice page, enter the following details:

  1. Title: Enter the notice title.
  2. Description: Provide the content or message to display.
  3. Attachment(Optional): Upload supporting files (up to 5 files, total size up to 50MB). Empty files cannot be uploaded, and supported file formats are images, documents, .mp4, and .zip.
  4. Display: To show announcements in the GNB, turn the toggle ON. After turning the toggle ON, you can select the period or date range during which the announcement will be displayed to users.

To create an announcement, select *Save. The newly created announcement will appear in the announcement list.

Notice Details

Select a notice title from the list to navigate to the notice detail page. All notice information (title, description, attachment, display period, author, and creation date) is displayed in read-only mode.

In this view:

  1. Use Edit to modify the announcement.
  2. Use Delete to permanently delete the announcement.

Edit Notice

  • Select a notice from the notice list and navigate to its detail view page.
  • Select Edit.
  • Edit the required fields (title, description, attachment, display settings, or date range).
  • To update the notice, select Save.
Reference
Changes to the notice are applied immediately.

Delete Notice

  • On the notice detail page, select Delete.
  • If a prompt appears asking you to confirm deletion, confirm it. The selected announcement will be removed from the list and will no longer appear in the GNB announcements.

Approval Path

The tenant administrator can predefine the approval route that users must specify when creating an approval.

Create Approval Path

To create an approval route, click the Create button and specify the approval case and organization to generate it.

  1. Name: Enter a workflow name for administrative purposes that is not exposed to users.
  2. Target : Select when and which organization to apply it to.
  3. Approver Guide: Enter the responsible person’s information that cannot be automatically assigned by the system but must be included in the approval route. When entered, it will be displayed on the user screen as shown below.
  4. Approver: The system automatically assigns the approver to be displayed; add them by searching for their name.

View approval path

To view detailed information about the approval route, go to the Approval Route menu and click the desired approval route. You can view information for all approval routes, and Edit or Delete them as well.

Edit Approval Path

On the View Approval Route screen, you can click the Edit button to modify the information.

Delete approval path

Click the Delete button to delete the approval route that is no longer used.

organization

In the Organization menu, a tenant administrator can manually manage the tenant’s organization. When a tenant administrator creates an organization, they can manage projects and approval routes at the organization level.

Add organization

To add an organization, click the Add button and, when the Add Organization popup appears, enter the following details.

  1. Parent (Higher-level Organization): Select the name of the higher-level organization. The default is the tenant name.
  2. Name: Enter the name of the organization to create.
  3. Display: To have it appear in the list of organizations shown to the user, set the toggle to ON.

View organization

On the View Organization page, you can see a list of all created organizations. Clicking the organization name you want to view displays detailed organization information on the right. You can expand the entire organization list. When you expand an organization, you can view the entire hierarchy down to the lowest level at once, and when you collapse the organization list, you can see only the top‑level items.

Organization modification

The data entered when creating the organization is displayed, and you can edit all data. After editing, click the Save button.

Delete organization

Click the Delete button on the View Organization screen to delete an Organization that is no longer used.

reference
Organizations that have parent organizations or registered projects cannot be deleted.

Tenant Administrator

In the tenant administrator menu, you can add or remove administrators who manage the tenant. When the system is first opened, the user listed on the service application form is designated as the tenant administrator, and thereafter, users with tenant administrator privileges can directly add, delete, and manage.

Tenant administrators can manage tenant-level information through dedicated menus (Approval Line, Organization, etc.) and can view all content within the tenant.

Add tenant administrator

To add a tenant administrator, click the Add button, and when the tenant administrator addition popup appears, search among the users registered in the tenant and register them.

Delete Tenant Administrator

In the tenant administrator list, select the user to delete, then click the Delete button to remove them.

Monitoring
SingleID Authenticator Manual Overview