Identity and Access Management
Introduction
Identity and Access Management (IAM) helps users manage access rights to the resources under a cloud account. It applies to the different roles in an enterprise and can grant different employees different rights to use products. IAM is recommended when several users in your enterprise operate resources collaboratively.
It applies to the following scenarios:
- Medium and large enterprise customers: manage the authorization of multiple employees within the company;
- Technology vendors or SaaS platform providers: manage the resources and rights of the clients they act for;
- Small and medium developers or small enterprises: add project members or collaborators to manage resources.
Create Users
- After logging in with the main account, select "Identity and Access Management (IAM)" in the console to enter the user management page.
- Click "User Administration" in the left navigation bar, then click "New User" on the "Sub-User Management List" page.
- In the "New User" dialog box that pops up, fill in and confirm the "User Name"; then return to the "Sub-user Administration List" area to view the sub-user just created.
Configuration Policies
BES supports both system policies and user-defined custom policies, which realize product-level and instance-level privilege control of BES respectively.
- System policy: a privilege set predefined by the Baidu AI Cloud system for managing resources. Such policies can be granted to sub-users directly; users can only use them, not modify them.
- Custom policy: created by users themselves, a more fine-grained privilege set for managing resources. It can grant privileges on a single instance, so it meets an account's differentiated permission-management needs for different users more flexibly.
System Policies
The system policies include read-only, OPS and managing privileges. The scope of each privilege is as follows:
| Policy name | Permission description | Privilege scope |
|---|---|---|
| BESReadAccessPolicy | BES read-only privilege | The read-only privilege includes the right to view cluster details |
| BESOperateAccessPolicy | BES OPS and operation privileges | The OPS privilege includes the "read-only" privilege plus starting, stopping, modifying the password, binding and unbinding EIP, and other operations |
| BESFullControlPolicy | BES full control and management privileges | The managing privilege includes the "OPS" privilege plus creating, deleting and scaling clusters |
Custom Policies
Custom policies are granted at the granularity of a single cluster. Unlike system policies, they are valid only for the selected cluster.
The user first enters "Policy Management" through the left navigation bar, then clicks "Create Policy". Fill in the policy name and select "Baidu Elasticsearch BES" as the service type. By default the policy generation method is the policy generator, which needs no modification.
User Authorization
In "User Administration -> Sub-user Management List", select "Add Privilege" in the "Operation" column of the corresponding sub-user, then select the system policies or custom policies to grant to that user.
Note: To change a sub-user's privileges without modifying the existing policy rules, you can only delete the existing policies and add new ones; you cannot unselect individual privileges within a policy that has already been added.
Relevant Service Authorization
To use BES services normally, sub-users also need privileges for other related services in Baidu AI Cloud. The privilege policies of the related services and their scope of influence are as follows:
| Policy name of related service | Description | Influence scope |
|---|---|---|
| FCOrderAccessPolicy | Full control of order services | BES managing and OPS privileges |
| VpcFullControlPolicy | Full control of VPC services | BES managing privileges |
| SubnetFullControlPolicy | Full control of subnet services | BES managing privileges |
| EIPFullControlPolicy | Full control and management of EIP | BES managing privileges |
| SecurityGroupFullControlPolicy | Full control of security groups | BES managing privileges |
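The following Python model is an added illustration, not part of this page and not Baidu AI Cloud's IAM engine or policy format. It encodes only the authorization rules stated in the policy sections above: the system policies form a hierarchy (read-only, OPS, full control) that applies to every BES cluster under the account, a custom policy counts only for the cluster it was created for, and OPS and managing actions also require the related-service policies from the table. The action names, helper function names and sample sub-users are assumptions; the policy names are the ones listed on the page.

```python
"""Toy authorization model for the BES IAM rules described on this page.

Added illustration only; it is not Baidu AI Cloud's IAM implementation and
does not use its real policy format. Action names, helper names and the
sample sub-users are assumptions. Policy names are the ones the page lists.
"""
from dataclasses import dataclass, field

# Privilege levels in the order the page describes them.
NONE, READ, OPS, FULL = 0, 1, 2, 3

# System policies (names from the page) and the level each one grants.
SYSTEM_POLICIES = {
    "BESReadAccessPolicy": READ,
    "BESOperateAccessPolicy": OPS,
    "BESFullControlPolicy": FULL,
}

# Minimum BES level per action. The action names are assumed; the grouping
# follows the "Privilege scope" column of the system policy table.
ACTION_LEVEL = {
    "DescribeCluster": READ,
    "StartCluster": OPS, "StopCluster": OPS, "ModifyPassword": OPS,
    "BindEip": OPS, "UnbindEip": OPS,
    "CreateCluster": FULL, "DeleteCluster": FULL, "ScaleCluster": FULL,
}

# Related-service policies needed at each level, from the page's second
# table (FCOrderAccessPolicy affects both OPS and managing privileges).
RELATED_POLICIES = {
    NONE: set(),
    READ: set(),
    OPS: {"FCOrderAccessPolicy"},
    FULL: {"FCOrderAccessPolicy", "VpcFullControlPolicy",
           "SubnetFullControlPolicy", "EIPFullControlPolicy",
           "SecurityGroupFullControlPolicy"},
}


@dataclass
class CustomPolicy:
    cluster_id: str   # the single cluster the policy was created for
    level: int        # READ, OPS or FULL


@dataclass
class SubUser:
    name: str
    system_policies: set = field(default_factory=set)
    custom_policies: list = field(default_factory=list)
    related_policies: set = field(default_factory=set)


def bes_level(user, cluster_id):
    """Highest BES level the user holds for cluster_id.

    System policies apply account-wide; a custom policy counts only when its
    cluster matches. cluster_id=None means "no specific cluster" (e.g.
    CreateCluster), which only a system policy can satisfy (assumption).
    """
    level = max((SYSTEM_POLICIES.get(p, NONE) for p in user.system_policies),
                default=NONE)
    for cp in user.custom_policies:
        if cluster_id is not None and cp.cluster_id == cluster_id:
            level = max(level, cp.level)
    return level


def authorize(user, action, cluster_id=None):
    """Return (allowed, reason) for user performing action on cluster_id."""
    needed = ACTION_LEVEL[action]
    held = bes_level(user, cluster_id)
    if held < needed:
        return False, (f"{user.name}: BES level {held} < {needed} needed for "
                       f"{action} on {cluster_id}")
    missing = RELATED_POLICIES[needed] - user.related_policies
    if missing:
        return False, (f"{user.name}: missing related-service policies "
                       + ", ".join(sorted(missing)))
    return True, f"{user.name}: {action} on {cluster_id} allowed"


if __name__ == "__main__":
    # Constructed sample sub-users and cluster ids, not real accounts.
    auditor = SubUser("auditor", system_policies={"BESReadAccessPolicy"})
    operator = SubUser("operator",
                       custom_policies=[CustomPolicy("bes-cluster-a", OPS)],
                       related_policies={"FCOrderAccessPolicy"})
    admin = SubUser("admin", system_policies={"BESFullControlPolicy"},
                    related_policies={"FCOrderAccessPolicy"})
    for user, action, cluster in [
        (auditor, "DescribeCluster", "bes-cluster-a"),
        (auditor, "DeleteCluster", "bes-cluster-a"),     # read-only: denied
        (operator, "StartCluster", "bes-cluster-a"),
        (operator, "StartCluster", "bes-cluster-b"),     # other cluster: denied
        (admin, "CreateCluster", None),  # denied until VPC/subnet/EIP/SG added
    ]:
        print(authorize(user, action, cluster)[1])
```

The point of the model is the two checks a reviewer of a sub-user's grants should make in this order: does the BES policy actually reach the cluster in question (a custom policy for cluster A says nothing about cluster B), and are the related-service policies present for the level of action being granted, since a sub-user holding BESFullControlPolicy alone still cannot create a cluster without the VPC, subnet, EIP and security-group policies.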
Sub-user Login
After the main account has authorized the sub-user, it can send the login link to the sub-user. The sub-user can then log in to the main account's management console through the IAM user login link, and operate and view the main account's resources according to the authorized policies.
For other detailed operations, please see: Identity and Access Management (IAM).