Identity and Access Management
Introduction
Identity and Access Management (IAM) is used to manage the access rights to the resources under a cloud account. It is applicable to the different roles in an enterprise: different employees can be granted different privileges to use the product. It is recommended that you use Identity and Access Management.
It is suitable for the following usage scenarios:
- Medium and large enterprise customers: authorization management for multiple employees in the company;
- Technology vendors or SaaS vendors: resource and authorization management for agency clients;
- Small and medium developers or small businesses: adding project members or collaborators for resource management.
Create User
1. After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.
2. Click "User Management" in the left navigation bar, then click "Create User" on the "Sub User Management List" page.
3. In the pop-up "Create User" dialog box, fill in the "User Name" and confirm, then return to the "Sub User Management List" to view the newly created sub-user.
Configure Policy
At present, CCE supports system policies, which provide product-level access control for CCE.
- System policy: a set of privileges predefined by the cloud platform to manage resources. They can be granted directly to sub-users. Users can only use them and cannot modify them.
System policy
The system policy includes three policies: the privilege for full control and management of CCE, the privilege for operation and maintenance management of CCE, and the privilege for development management of CCE. The scope of each is detailed as follows:
Policy name | Privilege description | Scope of privilege |
---|---|---|
CCEFullControlPolicy | Privilege for full control of CCE management: the sub-user has full administrative rights for CCE resources and full administrative rights for CCE applications. The sub-user can create and delete clusters, manage nodes and other resources in clusters, and deploy and delete applications in clusters through Kubernetes. Applicable to global administrators. | Resource management: create cluster, delete cluster, change cluster node, add node, delete node, edit automatic scale up/down policy. Application management: download cluster configuration file, enter Kubernetes console, create/delete namespace, create/delete deployment, service, configuration dictionary, secret dictionary and other Kubernetes applications. |
CCEOperatePolicy | Privilege for CCE operation and maintenance management: the sub-user has partial management privileges for CCE resources and full management privileges for CCE applications. The sub-user cannot create a new cluster or delete an existing cluster, but can manage the node resources within a cluster. Suitable for operation and maintenance personnel who need to carry out resource operation and capacity expansion. | Resource management: change cluster node, add node, delete node, edit automatic scale up/down policy. Application management: download cluster configuration file, enter Kubernetes console, create/delete namespace, create/delete deployment, service, configuration dictionary, secret dictionary and other Kubernetes applications. |
CCEDevelopPolicy | Privilege for development and management of CCE: the sub-user has no CCE resource management rights, but can manage deployed applications in the cluster through Kubernetes. Applicable to developers who need to publish and change their applications. | Application management: download cluster configuration file, enter Kubernetes console, create/delete namespace, create/delete deployment, service, configuration dictionary, secret dictionary and other Kubernetes applications. |
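Because a system policy is attached whole, the practical check is whether each sub-user holds the smallest of the three policies that still covers what they do. The script below is an added example, not part of the CCE documentation or console: it transcribes the three policies from the table above into privilege sets, and the user names and per-user required actions are constructed sample data.

```python
# Added example (not part of the CCE documentation): audit sub-user policy
# assignments for least privilege. The three system policies are transcribed
# from the table above; user names and required actions are constructed.
RESOURCE_ACTIONS = {"create_cluster", "delete_cluster", "change_cluster_node",
                    "add_node", "delete_node", "edit_autoscale_policy"}
APPLICATION_ACTIONS = {"download_cluster_config", "enter_kubernetes_console",
                       "create_delete_namespace", "create_delete_kubernetes_apps"}
SYSTEM_POLICIES = {
    "CCEFullControlPolicy": RESOURCE_ACTIONS | APPLICATION_ACTIONS,
    # Operate: every resource action except creating or deleting clusters.
    "CCEOperatePolicy": (RESOURCE_ACTIONS - {"create_cluster", "delete_cluster"})
                        | APPLICATION_ACTIONS,
    "CCEDevelopPolicy": set(APPLICATION_ACTIONS),
}

def effective_privileges(policies):
    """Union of the privileges of every policy attached to a sub-user; policies
    are attached whole, so single privileges cannot be subtracted."""
    return set().union(*(SYSTEM_POLICIES[p] for p in policies))

def least_privilege_policy(needed):
    """Name of the smallest system policy covering every needed action, or None."""
    covering = [(len(acts), name) for name, acts in SYSTEM_POLICIES.items()
                if needed <= acts]
    return min(covering)[1] if covering else None

def audit(assignments, requirements):
    """Flag sub-users who lack a needed privilege, or who hold more than the
    smallest system policy that would still cover their needs."""
    findings = {}
    for user, policies in assignments.items():
        needed = requirements.get(user, set())
        granted = effective_privileges(policies)
        recommended = least_privilege_policy(needed)
        problems = {}
        if needed - granted:
            problems["missing"] = sorted(needed - granted)
        if recommended and len(SYSTEM_POLICIES[recommended]) < len(granted):
            problems["over_privileged"] = {"attached": sorted(policies),
                                           "recommended": recommended}
        if problems:
            findings[user] = problems
    return findings

# Constructed sample data: a developer wrongly given full control, and an
# operator whose attached policy does not cover node management.
SAMPLE_ASSIGNMENTS = {"alice-admin": ["CCEFullControlPolicy"],
                      "bob-dev": ["CCEFullControlPolicy"],
                      "carol-ops": ["CCEDevelopPolicy"]}
SAMPLE_REQUIREMENTS = {"alice-admin": RESOURCE_ACTIONS | APPLICATION_ACTIONS,
                       "bob-dev": set(APPLICATION_ACTIONS),
                       "carol-ops": {"add_node", "create_delete_kubernetes_apps"}}
```

Running `audit(SAMPLE_ASSIGNMENTS, SAMPLE_REQUIREMENTS)` reports bob-dev as over-privileged with CCEDevelopPolicy recommended, and carol-ops as missing add_node; a user whose needs cannot be met by any single system policy gets no recommendation.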
User Authorization
Select "Add Privilege" in the "Action" column of the corresponding sub-user on the "User Management > Sub-User Management List" page, then select system policies or user-defined policies to grant to the user.
Note: To change a sub-user's privileges, you can only remove existing policies and add new ones; the rules inside a policy cannot be modified, and individual privileges within a policy that has been added cannot be unchecked.
Sub-user Login
After the master account authorizes the sub-user, the IAM user login link can be sent to the sub-user. The sub-user logs in to the master account's management console through that link and can operate on and view the master account's resources according to the granted policies.
For other detailed operations, see "Identity and Access Management".