Baidu AI Cloud


          Elasticsearch

          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) helps you manage access rights to the resources under a cloud account. It is designed for the different roles in an enterprise: each employee can be granted only the product rights that role needs. IAM is recommended whenever several users in your enterprise operate resources collaboratively.

          IAM suits the following scenarios:

          • Medium and large enterprise customers: manage the authorization of many employees in the company;
          • Technology vendors or SaaS platform providers: manage the resources and rights of the clients they act on behalf of;
          • Small and medium developers or small enterprises: add project members or collaborators to manage resources.

          Create Users

          1. Log in as the main account user and select "Identity and Access Management (IAM)" in the console to enter the user management page.
          2. Click "User Administration" in the left navigation bar, then click "New User" on the "Sub-User Management List" page.
          3. In the "New User" dialog box that pops up, fill in and confirm "User Name", then return to the "Sub-user Administration List" to view the newly created sub-user.

          Configuration Policies

          BES supports both system policies and user-defined custom policies, which provide product-level and instance-level privilege control of BES respectively.

          • System policy: a privilege set predefined by Baidu AI Cloud for managing resources. Such policies can be attached to sub-users directly; users can only use them, not modify them.
          • Custom policy: a more fine-grained privilege set created by the user for managing resources. It can grant privileges on a single instance, so it is the more flexible way to give different users of one account different permissions.

          System Policies

          System policies come in three tiers: read-only, OPS (operations) and full control (management). Each tier includes the privileges of the tier below it. The scope of each policy is as follows:

          Policy name / Permission description / Privilege scope

          • BESReadAccessPolicy: BES read-only privilege. Includes viewing cluster details.
          • BESOperateAccessPolicy: BES OPS and operation privilege. Includes the read-only privilege plus starting and stopping clusters, changing the password, and binding and unbinding EIPs.
          • BESFullControlPolicy: BES full control and management privilege. Includes the OPS privilege plus creating and deleting clusters and cluster scaling.

          Custom Policies

          Custom policies are authorized at the granularity of a single cluster. Unlike system policies, they apply only to the selected cluster.

          To create one, enter "Policy Management" through the left navigation bar and click "Create Policy". Fill in the policy name and select "Baidu Elasticsearch BES" as the service type. The default policy generation method is the policy generator, which needs no modification.

          User Authorization

          In "User Administration -> Sub-user Management List", select "Add Privilege" in the "Operation" column of the corresponding sub-user, then select the system policies or custom policies to authorize for that user.

          Note: Privileges already attached to a sub-user cannot be partially unselected. To change a sub-user's privileges without editing the existing policy rules, delete the existing policies from the sub-user and add new ones. When narrowing a sub-user's access, detach the wider policy rather than only adding a narrower one, since the narrower policy does not take anything away from the wider one.

          Relevant Service Authorization

          For sub-users to use BES normally, they also need privileges for the other Baidu AI Cloud services that BES depends on. The related-service policies and the BES privileges that depend on them are as follows:

          Policy name of related service / Description / Influence scope

          • FCOrderAccessPolicy: full control of order services. Required for the BES full control and OPS privileges.
          • VpcFullControlPolicy: full control of VPC services. Required for the BES full control privilege.
          • SubnetFullControlPolicy: full control of subnet services. Required for the BES full control privilege.
          • EIPFullControlPolicy: full control and management of EIP. Required for the BES full control privilege.
          • SecurityGroupFullControlPolicy: full control of security groups. Required for the BES full control privilege.
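          The two tables above (system policy tiers and the related-service policies each tier depends on) are enough to audit a sub-user's policy set for least privilege before authorizing it. The following script is an added example written for this page; it is not Baidu AI Cloud code and does not call any Baidu API. It encodes both tables as data, picks the narrowest BES system policy that covers the actions a sub-user actually needs, adds the related-service policies that tier requires, and reports what is missing or excessive in the set currently attached. The action names (view_cluster_details, start, stop, modify_password, bind_eip, unbind_eip, create, delete, scale) are shorthand chosen here for the page's descriptions, not identifiers from the product.

```python
"""Least-privilege audit for a BES sub-user's policy set.

Encodes the two tables on this page (BES system policies and the related-service
policies each tier depends on) so a sub-user's attached policies can be checked
offline against the actions the sub-user actually needs. Action names are shorthand
chosen here for the page's descriptions, not identifiers from Baidu AI Cloud.
"""
from typing import Dict, FrozenSet, List, Set

# Actions granted by each BES system policy. Each tier includes the one below it
# (read-only < OPS < full control), as the system policy table describes.
_READ = frozenset({"view_cluster_details"})
_OPS = _READ | {"start", "stop", "modify_password", "bind_eip", "unbind_eip"}
_FULL = _OPS | {"create", "delete", "scale"}

# Ordered narrowest to widest so the first match is the least-privilege choice.
BES_POLICY_ORDER: List[str] = [
    "BESReadAccessPolicy", "BESOperateAccessPolicy", "BESFullControlPolicy",
]
BES_POLICY_ACTIONS: Dict[str, FrozenSet[str]] = {
    "BESReadAccessPolicy": _READ,
    "BESOperateAccessPolicy": _OPS,
    "BESFullControlPolicy": _FULL,
}

# Related-service policies and the BES tiers that depend on them
# (the "Relevant Service Authorization" table).
RELATED_POLICY_REQUIRED_FOR: Dict[str, FrozenSet[str]] = {
    "FCOrderAccessPolicy": frozenset({"BESOperateAccessPolicy", "BESFullControlPolicy"}),
    "VpcFullControlPolicy": frozenset({"BESFullControlPolicy"}),
    "SubnetFullControlPolicy": frozenset({"BESFullControlPolicy"}),
    "EIPFullControlPolicy": frozenset({"BESFullControlPolicy"}),
    "SecurityGroupFullControlPolicy": frozenset({"BESFullControlPolicy"}),
}


def narrowest_policy(needed_actions: Set[str]) -> str:
    """Return the least-privileged BES system policy covering every needed action."""
    for policy in BES_POLICY_ORDER:
        if needed_actions <= BES_POLICY_ACTIONS[policy]:
            return policy
    unknown = sorted(needed_actions - _FULL)
    raise ValueError(f"no BES system policy grants these actions: {unknown}")


def required_policy_set(needed_actions: Set[str]) -> Set[str]:
    """BES policy for the needed actions plus the related-service policies it depends on."""
    bes_policy = narrowest_policy(needed_actions)
    related = {p for p, tiers in RELATED_POLICY_REQUIRED_FOR.items() if bes_policy in tiers}
    return {bes_policy} | related


def audit(attached: Set[str], needed_actions: Set[str]) -> Dict[str, List[str]]:
    """Compare a sub-user's attached policies with what the needed actions require.

    missing:               required policies not attached (operations will fail)
    excess:                attached policies the needed actions do not justify
    unneeded_actions:      BES actions the sub-user can perform but does not need
    missing_prerequisites: related-service policies absent for an attached BES tier
    """
    required = required_policy_set(needed_actions)
    granted: Set[str] = set()
    for policy in attached:
        granted |= BES_POLICY_ACTIONS.get(policy, frozenset())
    missing_prereqs = [
        p for p, tiers in RELATED_POLICY_REQUIRED_FOR.items()
        if tiers & attached and p not in attached
    ]
    return {
        "missing": sorted(required - attached),
        "excess": sorted(attached - required),
        "unneeded_actions": sorted(granted - needed_actions),
        "missing_prerequisites": sorted(missing_prereqs),
    }


if __name__ == "__main__":
    # Constructed scenario: an operator who only needs to view, start and stop
    # clusters was given full control, and most related-service policies were forgotten.
    needed = {"view_cluster_details", "start", "stop"}
    attached = {"BESFullControlPolicy", "FCOrderAccessPolicy"}
    for key, value in audit(attached, needed).items():
        print(f"{key}: {value}")
```

          In the constructed scenario the audit reports that BESOperateAccessPolicy would suffice, that BESFullControlPolicy grants six actions the operator does not need, and that the attached full-control tier is missing its VPC, subnet, EIP and security group prerequisites, so cluster creation would fail even though the sub-user is over-privileged. Because attached privileges cannot be partially unselected, the fix is to detach BESFullControlPolicy and attach BESOperateAccessPolicy, keeping FCOrderAccessPolicy.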

          Sub-user Login

          After the main account has authorized the sub-user, it can send the IAM user login link to the sub-user. The sub-user logs in to the main account's management console through that link and can view and operate the main account's resources according to the authorized policies.

          For other detailed operations, see Identity and Access Management (IAM).
