Identity and Access Management
Introduction
Identity and Access Management (IAM) helps you manage resource access privileges under a cloud account. IAM suits the different roles in an enterprise and can grant different employees different privileges for using products. If any resources in your enterprise require collaborative operation by multiple users, we highly recommend using IAM.
IAM is applicable to the following scenarios:
- Medium and large-sized enterprises: grant multiple employees management privileges within the enterprise;
- Technology vendors or SaaS platform providers: perform resource management and access control for the customers they represent;
- Small and medium developers or small-sized enterprises: add project members or collaborators to perform resource management.
Create a User
- After logging in with the primary account, select "Identity and Access Management" in the console to enter the user administration page.
- Click "User Administration" in the left navbar, and then click "New User" on the "Sub-User Administration List" page.
- In the pop-up "New User" dialog, enter and confirm the "User Name", and then return to the "Sub-User Administration List" area to view the created sub-user.
Configure a Policy
DCC supports both system privilege policies and custom privilege policies, which control DCC privileges at the product level and at the instance level respectively.
- System privilege policy: a set of privileges predefined by the Baidu AI Cloud system for resource management. The system grants these policies to sub-users directly; users can only use them, not modify them.
- Custom privilege policy: a set of privileges created by users for fine-grained resource management. It can be configured for single instances, so that the different privileges required by different accounts can be managed flexibly.
System privilege policy
The system policies fall into two categories: the operation privilege policy and the read-only privilege policy. The privilege scope of each is as follows:
Operation Type | Privilege Scope |
---|---|
Read-only operation | Only view the BCC instances and their attached CDS disks, snapshots, and security group list. |
OPS operation | |
Custom privilege policy
The custom privilege policy is authorized at the instance level. Unlike the system privilege policy, it takes effect only for the selected instances.
The sub-user first enters "Policy Management" from the left navbar, and then clicks "Create a Policy". Next, enter a policy name and select BCC as the service type. By default, the policy is generated by the policy generator without any modification.
The custom privilege scope is explained in detail as follows:
Privilege description of BCC:
Operation Type | Privilege Scope |
---|---|
Read-only operation | Only view the BCC instances and their attached CDS disks, snapshots, and security group list. |
OPS operation | |
On the "User Administration -> Sub-User Administration List" page, select "Add a Privilege" in the "Operation" column of the corresponding sub-user, and then select a system privilege policy or a custom privilege policy to authorize for that user.
Note: To change a sub-user's privileges without modifying the existing policy rules, you can only delete the existing policy and add a new one; you cannot unselect a privilege policy that has already been added.
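As an added illustration (not Baidu AI Cloud's policy format or authorization engine), the following Python models the two scopes described above: a system policy covers every instance of the product, while a custom policy covers only the instances it names, and "operate" implies "read". Policy names, instance IDs and the evaluation rules are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

READ, OPERATE = "read", "operate"  # the two privilege levels on this page


@dataclass(frozen=True)
class Policy:
    """One policy attached to a sub-user.

    instances=None models a system policy (product-wide: every instance);
    a frozenset models a custom policy limited to the selected instances.
    """
    name: str
    level: str                                   # READ or OPERATE
    instances: Optional[FrozenSet[str]] = None


def policy_covers(policy: Policy, instance_id: str) -> bool:
    # System policies are product-wide; custom policies only cover their list.
    return policy.instances is None or instance_id in policy.instances


def is_allowed(policies: Iterable[Policy], level: str, instance_id: str) -> bool:
    """Allow only if some attached policy covers the instance and grants at
    least the requested level. No attached policy means deny by default."""
    for policy in policies:
        if policy_covers(policy, instance_id) and (policy.level == OPERATE or level == READ):
            return True
    return False


def effective_level(policies: Iterable[Policy], instance_id: str) -> Optional[str]:
    """Highest privilege level the sub-user holds on one instance, or None."""
    policies = tuple(policies)
    if is_allowed(policies, OPERATE, instance_id):
        return OPERATE
    if is_allowed(policies, READ, instance_id):
        return READ
    return None


# Constructed sample: the system read-only policy plus a custom policy that
# grants operate rights on one selected instance only (least privilege).
SUB_USER_POLICIES = (
    Policy("BCCReadOnly", READ),                                 # system, all instances
    Policy("ops-on-web-01", OPERATE, frozenset({"i-web-01"})),   # custom, one instance
)

if __name__ == "__main__":
    for inst in ("i-web-01", "i-db-02"):
        print(inst, effective_level(SUB_USER_POLICIES, inst))
```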
Sub-user Login
After the primary account has authorized the sub-user, it can send the IAM user login link to the sub-user. Through this link, the sub-user logs in to the primary account's management console and can operate and view the primary account's resources according to the authorized policy.
For more information on detailed operations, please see Identity and Access Management.