
          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) helps you manage access rights to the resources under your cloud account. It is designed for the different roles in an enterprise: different staff can be granted different privileges to use the product. You are recommended to use Identity and Access Management.

          Suitable for the following usage scenarios:

          • Medium and large enterprise customers: authorization management for multiple employees in the company.
          • Technical vendors or SaaS vendors: resource and authorization management for agency clients.
          • Small and medium developers or small businesses: adding project members or collaborators for resource management.

          Create User

          1. After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.

          2. Click "User Management" on the left navigation bar, then click "Create User" on the "Sub User Management List" page.

          3. In the pop-up "Create User" dialog box, fill in the "User Name" and confirm. Return to the "Sub User Management List" region to view the newly created sub-user.

          Configuration Policy

          At present, CCE supports system policies, which provide product-level access control for CCE.

          • System policy: a set of privileges predefined by the cloud platform for managing resources. System policies can be attached directly to sub-users; users can only use them and cannot modify them.

          System policy

          There are three system policies: full control and management of CCE, operation and maintenance management of CCE, and development management of CCE. Their scopes of authority are detailed as follows:

          Policy name: CCEFullControlAccessPolicy
          Permission description: full control and management of CCE.
          The sub-user has full management privileges over CCE resources and CCE applications: it can create and delete clusters, manage nodes and other resources within clusters, and deploy and delete applications in clusters through Kubernetes. Applicable to the global administrator.
          Scope of permission:
          Resource management:
          • Create cluster
          • Delete cluster
          • Change cluster remark
          • Add node
          • Delete node
          • Edit the automatic scale-out/scale-in policy
          Application management:
          • Download cluster configuration file
          • Enter the Kubernetes console
          • Create/delete namespace
          • Create/delete Kubernetes applications such as Helm instances, workloads, traffic access, configuration storage, etc.

          Policy name: CCEOperateAccessPolicy
          Permission description: operation and maintenance of CCE.
          The sub-user has part of the management privileges over CCE resources and CCE applications: it cannot create a new cluster or delete an existing cluster, but it can manage the node resources within a cluster. Applicable to operation and maintenance staff who carry out resource operation and maintenance as well as capacity expansion and reduction.
          Scope of permission:
          Resource management:
          • Change cluster remark
          • Add node
          • Delete node
          • Edit the automatic scale-out/scale-in policy
          Application management:
          • Download cluster configuration file
          • Enter the Kubernetes console
          • Create/delete namespace
          • Create/delete Kubernetes applications such as Helm instances, workloads, traffic access, configuration storage, etc.

          Policy name: CCEDevelopPolicy
          Permission description: development and management of CCE.
          The sub-user has no CCE resource management rights, but can manage the applications deployed in the cluster through Kubernetes. Applicable to developers who need to release and modify applications.
          Scope of permission:
          Application management:
          • Download cluster configuration file
          • Enter the Kubernetes console
          • Create/delete namespace
          • Create/delete Kubernetes applications such as Helm instances, workloads, traffic access, configuration storage, etc.

          User Authorization

          Select "Add Privilege" in the "Action" column of the corresponding sub-user on the "User Management > Sub-User Management List" page, then select system privileges or a custom policy to authorize the user.

          Note: To modify a sub-user's privileges you can only detach existing policies and attach new ones; the rules inside an existing policy cannot be modified, and individual privileges of a policy that has already been added cannot be unchecked.
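          The following is an added example, not part of this document or of the CCE console: it models the three system policies from the table above as permission sets, computes a sub-user's effective privileges as the union of whole attached policies (the only way privileges change, per the note above), and picks the narrowest policy covering a required action set while reporting the excess privileges that policy also grants. The action identifiers are assumed names chosen here for the actions listed on the page; this is not a Baidu Cloud API.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed action identifiers for the actions listed in the policy table.
RESOURCE_OPS: FrozenSet[str] = frozenset({
    "create_cluster", "delete_cluster", "change_cluster_remark",
    "add_node", "delete_node", "edit_autoscaling_policy",
})
APP_OPS: FrozenSet[str] = frozenset({
    "download_kubeconfig", "open_kubernetes_console",
    "create_delete_namespace", "create_delete_kubernetes_app",
})

# Scope of each system policy, exactly as the page describes it.
SYSTEM_POLICIES: Dict[str, FrozenSet[str]] = {
    "CCEFullControlAccessPolicy": RESOURCE_OPS | APP_OPS,
    "CCEOperateAccessPolicy": (RESOURCE_OPS - {"create_cluster", "delete_cluster"}) | APP_OPS,
    "CCEDevelopPolicy": APP_OPS,
}


def effective_permissions(attached: List[str]) -> FrozenSet[str]:
    """Union of all attached policies. Privileges change only by attaching or
    detaching whole policies; single actions can never be unchecked."""
    perms: Set[str] = set()
    for name in attached:
        perms |= SYSTEM_POLICIES[name]  # KeyError for a name not on the page
    return frozenset(perms)


def least_privilege_policy(required: Set[str]) -> Optional[Tuple[str, FrozenSet[str]]]:
    """Smallest system policy covering every required action, plus the excess
    actions it grants beyond what was asked for. None if no single policy fits
    (e.g. an action that no CCE system policy contains)."""
    candidates = [(len(perms), name, perms)
                  for name, perms in SYSTEM_POLICIES.items() if required <= perms]
    if not candidates:
        return None
    _, name, perms = min(candidates)  # policy sizes differ, so the minimum is unique
    return name, perms - frozenset(required)


if __name__ == "__main__":
    # A developer who only needs to deploy workloads still receives kubeconfig
    # download, console access and namespace deletion: review that excess.
    print(least_privilege_policy({"create_delete_kubernetes_app"}))
    print(sorted(effective_permissions(["CCEDevelopPolicy", "CCEOperateAccessPolicy"])))
```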

          Sub-user Login

          After the master account authorizes the sub-user, the IAM user login link can be sent to the sub-user. Through that link the sub-user logs in to the master account's management console and can operate and view the master account's resources according to the authorized policy.

          For other detailed operation, please see "Identity and Access Management".
