
          Object Storage

          Configuration of BOS Identity and Access Management

          Introduction

          Identity and Access Management (IAM) helps the owner of a cloud account control who may access the resources under that account. It fits the different roles in an enterprise: each worker can be granted only the privileges they need to use the product. It is recommended that you use IAM to grant access.

          Suitable for the following usage scenarios:

          • Medium and large enterprise customers: authorization management for the many employees of one company;
          • Technical vendors or SaaS vendors: resource and privilege management for the clients they act on behalf of;
          • Small and medium developers or small businesses: adding project members or collaborators to manage resources.

          Create Child Users

          1. After the master account user logs in, select "IAM" on the console to enter the user management page.


          2. Click "User Management" in the navigation bar on the left, then click "Create Child User" under "User Management > Child User".


          3. In the pop-up "Create Sub account" dialog box, fill in the "User Name" and confirm. The newly created sub-user then appears in the "Sub User Management List" region.

          Configure Policy

          Policy type

          BOS supports both system policies and custom policies.

          • System policy: a set of privileges predefined by Baidu AI Cloud for managing resources. A system policy can be attached directly to a sub-user; users can only use it and cannot modify it.
          • Custom policy: a finer-grained set of privileges that users create themselves to manage resources. A custom policy can be scoped to a single instance, so the account can give different users different privileges more flexibly.

          System policy

          There are two system policies, BosFullAccess and BosListAndReadAccess. Their scope of privileges is as follows:

          Policy name | Privileges description | Scope of privilege
          BosFullAccess | BOS management privileges | Management privileges include the APIs corresponding to READ, WRITE and LIST, as well as PutBucketACL, GetBucketACL, PutBucketCors, GetBucketCors, DeleteBucketCors, PutBucketLogging, GetBucketLogging and DeleteBucketLogging.
          BosListAndReadAccess | BOS read-only privileges | Read-only privileges include the ListObjects, ListMultipartUploads, GetBucketLocation, HeadBucket, GetObject, GetObjectMeta and ListParts interfaces.

          User-defined policies

          The master user can add a custom policy by clicking "Policy Management > Create Policies" to control privileges at the instance level. There are three ways to add a custom policy: "Create by Policy Generator", "Create by Tag" and "Create by Policy Syntax". The user can set and later modify the contents of the policy down to specific privileges. Please refer to Create Custom Policy for the concrete configuration methods.

          Policy creation process

          1. Click Create Policy

          Select "Policy Management" on the left of the page, and click "Create Policies" in the new page.


          2. Select the mode to create policies

          You can select "Create by Policy Generator" or "Create by Tag". If you need to create a policy for the instances under a certain tag, select "Create by Tag"; otherwise, select "Create by Policy Generator".

          3. Enter basic policy information

          On the policy creation page, enter the name of the policy to be created and, in the description, add notes about the policy, such as the instances it applies to or the use scenario you intend for the child user or policy, so that it is not confused with other policies.


          4. Enter the policy privilege configuration

          After entering the basic policy information, you need to specify the privileges the policy contains.

          • First, select the product service the policy is valid for. If you want the policy to take effect for BOS, select "Baidu Object Storage (BOS)" as the service;
          • Select the configuration mode of the policy. The policy generator mode lets you pick from the privileges already defined in the system, while the policy syntax mode requires you to write the ACL privilege policy yourself; please refer to the policy syntax documentation for the detailed syntax.
          • If you select the policy generator mode, define whether the privileges are allowed or denied. If you choose Allow, the privileges selected in the policy allow the authorized user to perform those operations; if you choose Deny, the privileges selected in the policy prohibit the authorized user from performing them;
          • To select privileges, choose whether the policy contains read-only privileges or management privileges. For the difference between the two, please refer to the description under "System Policies" earlier on this page;
          • You can also select the resources the policy applies to. For BOS, you can specify the Bucket(s) the policy takes effect on; if nothing is selected, it takes effect on all Buckets;
          • Finally, select the restrictions on the effective time of the policy. You can specify that the policy takes effect only after, or only before, a certain time.


          User Authorization

          After you have created the child user and generated policies, you can attach a policy to the child user. After authorization, whenever the child user accesses the master user's resources, access is restricted by the privileges configured in the policy.

          On the "User Management > Child User" page, select "Add Privileges" in the "Action" column of the child user you want to authorize, and attach the generated policy to that user.


          On the authorization page, select the policies you want to grant to the child user. The policy list on the left includes all system policies and the custom policies you have created. You can search for a policy by name in the search box, check the policy, and then click OK to complete the authorization.

          Note: To change a sub-user's privileges, you can only remove existing policies and add new ones; the rules of an existing policy cannot be modified here, and individual privileges inside a policy that has already been added cannot be unchecked.

          Note that the privileges the master account grants to a child user through IAM have lower priority than the Bucket ACL of BOS itself. Bucket ACL authorization is keyed on the master user's UserId. If a Bucket ACL rule has an "effect" of "Deny" and its "UserId" field matches either the wildcard "*" or the UserId of the master account the child user belongs to, BOS enforces the master account's Bucket ACL first; the privileges the master account granted to the child user no longer apply.

          When a Bucket is created, its Bucket ACL may contain a default rule stating that the creator of the Bucket has the FULL_CONTROL privilege. Please refer to Bucket Privilege Control for how to set up the Bucket ACL.
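          The policy elements from the configuration steps above (Allow/Deny effect, read-only or management privilege level, Bucket scope, effective time window) and the precedence rule between Bucket ACL and IAM policy just described are easier to reason about as one evaluation function. The following Python model is an added example; it is not Baidu AI Cloud's code and not the real BOS authorization engine. The rule fields, the mapping from API name to coarse ACL permission, the "explicit Deny beats Allow" ordering inside IAM, and the master UserId value are assumptions made for illustration.

```python
"""Model of how BOS resolves a sub-user request: Bucket ACL first, IAM policy second.

Added illustration, not Baidu AI Cloud's code. Rule shapes, permission names and the
API-to-permission mapping are simplifying assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed mapping from BOS API name to the coarse permission a Bucket ACL rule names.
API_PERMISSION = {
    "GetObject": "READ", "GetObjectMeta": "READ", "HeadBucket": "READ",
    "GetBucketLocation": "READ",
    "ListObjects": "LIST", "ListMultipartUploads": "LIST", "ListParts": "LIST",
    "PutObject": "WRITE", "DeleteObject": "WRITE",
    "PutBucketACL": "FULL_CONTROL", "GetBucketACL": "FULL_CONTROL",
}
# The two privilege levels the policy generator offers (mirrors the system policies).
READ_ONLY_APIS = {"ListObjects", "ListMultipartUploads", "GetBucketLocation",
                  "HeadBucket", "GetObject", "GetObjectMeta", "ListParts"}
PRIVILEGE_APIS = {"ReadOnly": READ_ONLY_APIS, "Management": set(API_PERMISSION)}


@dataclass
class IamRule:
    """One statement of a custom policy built with the policy generator (assumed shape)."""
    effect: str                               # "Allow" or "Deny"
    privilege: str                            # "ReadOnly" or "Management"
    buckets: list = field(default_factory=lambda: ["*"])  # "*" = every Bucket
    not_before: Optional[datetime] = None     # policy only takes effect after this time
    not_after: Optional[datetime] = None      # policy only takes effect before this time

    def covers(self, api: str, bucket: str, now: datetime) -> bool:
        in_window = ((self.not_before is None or now >= self.not_before) and
                     (self.not_after is None or now <= self.not_after))
        return (in_window and api in PRIVILEGE_APIS[self.privilege]
                and ("*" in self.buckets or bucket in self.buckets))


@dataclass
class AclRule:
    """One Bucket ACL rule, keyed on the master account's UserId (assumed shape)."""
    effect: str          # "Allow" or "Deny"
    user_ids: list       # grantee UserIds; "*" matches everyone
    permissions: set     # subset of {"READ", "WRITE", "LIST", "FULL_CONTROL"}


def is_allowed(api, bucket, master_user_id, acl_rules, iam_rules, now):
    """Decide a sub-user's request; returns (allowed, reason)."""
    needed = API_PERMISSION[api]
    # 1. A Bucket ACL Deny matching "*" or the master UserId wins outright: whatever
    #    IAM granted the sub-user is ignored (the precedence rule on this page).
    for rule in acl_rules:
        if (rule.effect == "Deny"
                and ("*" in rule.user_ids or master_user_id in rule.user_ids)
                and (needed in rule.permissions or "FULL_CONTROL" in rule.permissions)):
            return False, "Bucket ACL Deny overrides the sub-user's IAM policy"
    # 2. Otherwise the IAM policy decides: an explicit Deny beats an Allow (assumption),
    #    and with no matching Allow the default is deny.
    allowed = False
    for rule in iam_rules:
        if not rule.covers(api, bucket, now):
            continue
        if rule.effect == "Deny":
            return False, "IAM policy Deny"
        allowed = True
    return (True, "IAM policy Allow") if allowed else (False, "no matching Allow (default deny)")


def demo():
    """Constructed scenario: one master account, one sub-user, two Buckets."""
    master = "master-userid-PLACEHOLDER"        # placeholder, not a real UserId
    june = datetime(2024, 6, 1, tzinfo=timezone.utc)
    july = datetime(2024, 7, 15, tzinfo=timezone.utc)
    acl = {
        # Default rule created with the Bucket: the creator has FULL_CONTROL ...
        "reports": [AclRule("Allow", [master], {"FULL_CONTROL"}),
                    # ... plus a Deny freezing writes for everyone, master included.
                    AclRule("Deny", ["*"], {"WRITE"})],
        "scratch": [AclRule("Allow", [master], {"FULL_CONTROL"})],
    }
    iam = [
        IamRule("Allow", "Management"),                       # like BosFullAccess
        IamRule("Deny", "Management", buckets=["scratch"],    # but blocked on "scratch"
                not_before=datetime(2024, 7, 1, tzinfo=timezone.utc)),  # from July on
    ]
    return {
        "get_report": is_allowed("GetObject", "reports", master, acl["reports"], iam, june),
        "put_report": is_allowed("PutObject", "reports", master, acl["reports"], iam, june),
        "list_scratch_june": is_allowed("ListObjects", "scratch", master, acl["scratch"], iam, june),
        "list_scratch_july": is_allowed("ListObjects", "scratch", master, acl["scratch"], iam, july),
        # A read-only grant never covers a write API, so the default deny applies.
        "readonly_put": is_allowed("PutObject", "scratch", master, acl["scratch"],
                                   [IamRule("Allow", "ReadOnly")], june),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

          Running the block prints one decision per check. The "put_report" case shows the precedence rule: the sub-user holds a management-level Allow, yet the Bucket ACL Deny for "*" makes that grant irrelevant, which is why a defender auditing a sub-user's effective access has to read the Bucket ACL as well as the IAM policies attached to the user.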

          Sub-user Login

          After the sub-user's privileges have been added, the sub-user can use the BOS service in either of the following two ways.

          • Click the sub-user's name to view the IAM user's details, including the Access Key / Secret Key (AK/SK) and the sub-user's privileges. With the AK/SK, the child user can use BOS through the BOS peripheral tools, SDKs and API.
          • Send the user login link at the top of the console to the child user, who can log in to the console through that link. After logging in, the child user can view and operate on the master account's resources according to the authorized policies.


          Related Documents

          Please refer to IAM for other operations.
