Identity and Access Management
Overview
Multi-user access control helps the owner of a cloud account manage the access rights to the resources under that account. It suits the different roles in an enterprise: different employees can be given different permissions to use the product. Using multi-user access control is recommended.
Usage Scenarios
- Medium and large enterprise customers: authorized management for multiple employees in the company;
- Technical vendors or SaaS vendors: resource and permission management for agency clients;
- Small and medium developers or small businesses: adding project members or collaborators for resource management.
Create User
- After the master account user logs in, select "Multi-user Access Control" on the console to enter the user management page.
- Click "User Management" in the left navigation bar, then click "Create User" on the "Sub User Management List" page.
- In the pop-up "Create User" dialog box, fill in the "User Name" and confirm; then return to the "Sub User Management List" to view the newly created sub-user.
Configuration Policies
CDN supports system policies and user-customized policies, which provide CDN product-level permission control and domain-name-level permission control respectively.
- System policies: a set of permissions predefined by Baidu AI Cloud for managing resources. They can be granted directly to sub-users; users can only use them and cannot modify them.
- Custom policies: a finer-grained set of permissions created by users themselves for managing resources. They can be configured for a single domain name, so the account can give different users different permissions more flexibly.
System policies
CDN has three system policies, CdnReadAccessPolicy, CdnOperateAccessPolicy and CdnFullAccessPolicy, with the privilege scopes shown below:
Policy name | Description | Comments |
---|---|---|
CdnReadAccessPolicy | Read-only access to Baidu AI Cloud Content Delivery Network (CDN). | CDN read-only policy: view CDN domain names; view domain name configuration; view operation records; view data in statistical analysis ("WAF protection" and "monthly service report" excluded) |
CdnOperateAccessPolicy | Operation and maintenance privileges for Baidu AI Cloud CDN, for operation and maintenance personnel; includes the read-only privilege. | CDN operation and maintenance policy: modify CDN domain name configuration; purge cache; download and dump logs; IP detection and other operations |
CdnFullAccessPolicy | Management privileges for Baidu AI Cloud CDN; includes the read-only and the operation and maintenance privileges. | CDN management policy: all CDN operation privileges; billing change; add a domain name; stop domain name acceleration; delete a domain name |
Note: The steps for operating a feature in a sub-account are the same as the steps for operating the corresponding feature in the primary account.
Custom policies
In Policy Management > Customized Policy, you can define customized policies for the relevant business of your account and thereby achieve fine-grained permission control.
You can also quickly build a customized policy based on a tag for resources of the same type (resources carrying the same tag). This is commonly used to solve the authorization problem for a large number of different products or service combinations.
Customized policies can be added by "creating with the policy generator", "creating by tag", or "creating with policy syntax"; the user sets the policy content according to the specific privileges required. Please refer to Create Customized Policy for the detailed configuration method.
API Use Authorization
Sub-users calling the API are subject to finer-grained authorization control: create a policy in policy syntax and assign it to the sub-user. The APIs that require authorization are listed below, followed by a policy syntax example (domain/* means all domain names, domain/{domainName} means one specific domain name).
Interface name | API | Policy syntax permission | Policy syntax resource |
---|---|---|---|
Query domain name list | GET /v2/domain | QueryDomainList | domain/* |
Query all domain names under the username | GET /v2/user/domains | QueryDomainList | domain/* |
Create the acceleration domain name | PUT /v2/domain/{domain} | CreateDomain | domain/* |
Enable the acceleration domain name | POST /v2/domain/{domain}?enable | StartDomain | domain/{domainName} |
Deactivate the acceleration domain name | POST /v2/domain/{domain}?disable | StopDomain | domain/{domainName} |
Delete the accelerated domain name | DELETE /v2/domain/{domain} | DeleteDomain | domain/{domainName} |
Query the accelerated domain name details | GET /v2/domain/{domain}/config | QueryDomainConfig | domain/{domainName} |
Domain name configuration settings change | PUT /v2/domain/{domain}/config?xxx | UpdateDomain | domain/{domainName} |
Add & modify domain name certificate | PUT /v2/{domain}/certificates | UpsertDomainCerts | domain/{domainName} |
Query domain name certificates | GET /v2/{domain}/certificates | QueryDomainCerts | domain/{domainName} |
Delete the domain name certificate | DELETE /v2/{domain}/certificates | DeleteDomainCerts | domain/{domainName} |
Statistic interface | POST /v2/stat/query | QueryStat | domain/* |
Purge cache | POST /v2/cache/purge | PurgeCache | domain/* |
Cache preloading | POST /v2/cache/prefetch | PrefetchCache | domain/* |
Query purge status | GET /v2/cache/purge | QueryCacheTasks | domain/* |
Query preloading status | GET /v2/cache/prefetch | QueryCacheTasks | domain/* |
View the operation records | GET /v2/cache/records | QueryCacheTasks | domain/* |
Query the limit | GET /v2/cache/quota | QueryQuota | domain/* |
Switch the dynamic acceleration service on or off | PUT /v2/dsa/ | OpenDSA | domain/* |
Query dynamic acceleration domain name list | GET /v2/dsa/domain | QueryDomainList | domain/* |
Configure the dynamic acceleration rules of domain name | PUT /v2/domain/{domain}/config?dsa | UpdateDomain | domain/{domainName} |
Get single domain name log | GET /v2/log/{domain}/log | QueryDomainLogs | domain/{domainName} |
Get logs of multiple domain names | POST /v2/log/list | QueryDomainsLogs | domain/* |
Query origin IP address ranges | GET /v2/nodes/list | QueryNodeList | domain/* |
API authorization policy syntax example
- Authorize a sub-user to change the configuration of the domain names a.mydomain.com and b.mydomain.com:

```json
{
  "accessControlList": [
    {
      "service": "bce:cdn",
      "region": "*",
      "resource": [
        "domain/a.mydomain.com",
        "domain/b.mydomain.com"
      ],
      "effect": "Allow",
      "permission": [
        "UpdateDomain"
      ]
    }
  ]
}
```
- Authorize a sub-user to purge and preload the cache:

```json
{
  "accessControlList": [
    {
      "service": "bce:cdn",
      "region": "*",
      "resource": [
        "domain/*"
      ],
      "effect": "Allow",
      "permission": [
        "PrefetchCache",
        "PurgeCache",
        "QueryCacheTasks",
        "QueryQuota"
      ]
    }
  ]
}
```
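To make the table and the two policies above concrete, here is an added example (written for this page, not Baidu AI Cloud's own code or IAM engine) that evaluates a sub-user's API call offline: it maps a request to the permission and resource the table demands, then applies the accessControlList policies with default deny and glob matching on `domain/*`. The API subset is copied from the table, the two policies are the ones shown above, and the requests, the function names `classify_request`, `is_allowed` and `check`, and the treatment of the `?xxx` query on the config API as unconstrained are assumptions of this example.

```python
"""Offline evaluation of CDN sub-user API calls against accessControlList policies.

Added example, not Baidu AI Cloud's own code. It models the policy syntax shown
above (service bce:cdn, resource domain/* or domain/<name>, effect Allow, a
permission list) and a subset of the API authorization table. The two sample
policies are copied from the page; the requests are constructed.
"""
import fnmatch
import re

# Subset of the "API Use Authorization" table: (method, path template) ->
# (policy permission, resource scope). {domain} is the path parameter.
API_PERMISSIONS = {
    ("GET", "/v2/domain"): ("QueryDomainList", "domain/*"),
    ("PUT", "/v2/domain/{domain}"): ("CreateDomain", "domain/*"),
    ("POST", "/v2/domain/{domain}?enable"): ("StartDomain", "domain/{domainName}"),
    ("POST", "/v2/domain/{domain}?disable"): ("StopDomain", "domain/{domainName}"),
    ("DELETE", "/v2/domain/{domain}"): ("DeleteDomain", "domain/{domainName}"),
    ("PUT", "/v2/domain/{domain}/config"): ("UpdateDomain", "domain/{domainName}"),
    ("POST", "/v2/cache/purge"): ("PurgeCache", "domain/*"),
    ("GET", "/v2/cache/purge"): ("QueryCacheTasks", "domain/*"),
}

# Policies copied from the "API authorization policy syntax example" section.
UPDATE_POLICY = {"accessControlList": [{"service": "bce:cdn", "region": "*",
    "resource": ["domain/a.mydomain.com", "domain/b.mydomain.com"],
    "effect": "Allow", "permission": ["UpdateDomain"]}]}
CACHE_POLICY = {"accessControlList": [{"service": "bce:cdn", "region": "*",
    "resource": ["domain/*"], "effect": "Allow",
    "permission": ["PrefetchCache", "PurgeCache", "QueryCacheTasks", "QueryQuota"]}]}


def classify_request(method, url):
    """Map a concrete request to (permission, resource the policy must cover).

    Returns None for APIs not in the table. Query-qualified templates
    (?enable / ?disable) are tried first so that "POST /v2/domain/x?enable"
    resolves to StartDomain instead of falling through to a bare template.
    """
    path, _, query = url.partition("?")
    ordered = sorted(API_PERMISSIONS.items(), key=lambda kv: "?" not in kv[0][1])
    for (tmpl_method, template), (permission, scope) in ordered:
        if tmpl_method != method:
            continue
        tmpl_path, _, tmpl_query = template.partition("?")
        if tmpl_query and query != tmpl_query:
            continue
        # Turn "/v2/domain/{domain}/config" into an anchored regex with a named group.
        pattern = "^" + r"(?P<domain>[^/?]+)".join(
            re.escape(part) for part in tmpl_path.split("{domain}")) + "$"
        match = re.match(pattern, path)
        if match is None:
            continue
        if scope == "domain/{domainName}":
            resource = "domain/" + match.group("domain")
        else:
            resource = "domain/*"  # the table requires the wildcard grant itself
        return permission, resource
    return None


def is_allowed(policies, permission, resource, service="bce:cdn"):
    """Default deny: grant only if an Allow statement covers service, permission and resource.

    Policy resources are glob patterns ("domain/*"); fnmatchcase keeps the
    comparison case-sensitive and treats "." literally.
    """
    for policy in policies:
        for stmt in policy.get("accessControlList", []):
            if stmt.get("effect") != "Allow" or stmt.get("service") != service:
                continue
            if permission not in stmt.get("permission", []):
                continue
            if any(fnmatch.fnmatchcase(resource, pat) for pat in stmt.get("resource", [])):
                return True
    return False


def check(policies, method, url):
    """True if a sub-user holding `policies` may issue `method url`."""
    classified = classify_request(method, url)
    if classified is None:
        return False  # unlisted API: nothing in the table grants it
    permission, resource = classified
    return is_allowed(policies, permission, resource)


if __name__ == "__main__":
    for method, url in [("PUT", "/v2/domain/a.mydomain.com/config?origin"),
                        ("PUT", "/v2/domain/c.mydomain.com/config?origin"),
                        ("DELETE", "/v2/domain/a.mydomain.com"),
                        ("POST", "/v2/cache/purge")]:
        print(method, url, "->", check([UPDATE_POLICY, CACHE_POLICY], method, url))
```

The point worth noticing is the resource column: for APIs whose resource is `domain/*` (CreateDomain, PurgeCache, ...) a policy that lists only `domain/a.mydomain.com` does not suffice, because the grant has to cover the wildcard itself. Listing domain names explicitly therefore confines a sub-user to per-domain operations, which is the least-privilege shape the first example above has.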
User Authorization
In User Management -> Sub-User Management List, select "Add Permission" in the "Action" column of the corresponding sub-user, then select system policies or custom policies to authorize the user.
Note: To modify a sub-user's permissions you can only delete existing policies and add new ones; the rules of an existing policy cannot be modified, and the permissions of a policy that has already been added cannot be unchecked.
Sub-user Login
After the master account authorizes the sub-user, it can send the IAM user login link to the sub-user. The sub-user logs in to the master account's management console through that link and can view and operate the master account's resources according to the authorized policies.
Typical Applications of Custom Policies Created by Tag
The master user grants sub-user A a management privilege such that user A can add a domain name and automatically obtain the right to manage it:
1. The master user plans the tag. For example, plan tag Key: department/Value: 123 for user A, and manage it in tag management;
2. The master user enters IAM Multi-user Access Control > Policy Management, clicks "Create a Policy", and selects "Tag-based Creation" as the policy creation mode;
3. The master user fills in the basic information of the policy. For example, name the policy policy_for_user_A_with_tag123, select tag Key: department/Value: 123 in the permission configuration, select the service "Content Delivery Network CDN" and the operation "Management Permission"; the resource scope then shows all resources carrying this tag. Click "Finish" to save;
4. The master user creates sub-user A (for example, User A) and grants User A the policy policy_for_user_A_with_tag123;
5. User A logs in to the console, enters CDN and selects Domain Name Management > Add Domain Name. If the added domain name is "cloud.test.com", the tag Key: department/Value: 123 is bound by default in the "Tag" step; click "Finish" to create the domain name. User A now has the privilege to manage the domain name cloud.test.com but no other domain names. If User A needs access to other domain names, the master user must grant this sub-user additional authorization in IAM.
The master user grants sub-user A the management privilege over one group of domain names and the viewing privilege over another group of domain names:
1. The master user plans the tags. For example, plan tag Key: department/Value: 123 for user A, and manage it in tag management;
2. The master user enters IAM Multi-user Access Control > Policy Management, clicks "Create a Policy", and selects "Tag-based Creation" as the policy creation mode;
3. The master user fills in the basic information of the policy. For example, name the policy policy_for_user_A_with_tag123, select tag Key: department/Value: 123 in the permission configuration, select the service "Content Delivery Network CDN" and the operation "Management Permission"; the resource scope then shows all resources carrying this tag. Click "Finish" to save;
4. The master user creates the policy ReadOnlyPolicy_with_tag456, selects tag Key: department/Value: 456 in the permission configuration, selects the service "Content Delivery Network CDN" and the operation "Read-only Permission"; the resource scope shows all resources carrying this tag by default. Click "Finish" to save;
5. The master user creates sub-user A (for example, User A) and grants User A the policies policy_for_user_A_with_tag123 and ReadOnlyPolicy_with_tag456;
6. In the domain name management list, sub-user A can see the domain names bound to tag Key: department/Value: 123 and those bound to tag Key: department/Value: 456. Domain names bound to department/123 can be viewed and modified; domain names bound to department/456 can only be viewed and cannot be modified.
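The two tag-based scenarios above can be simulated to see what a sub-user ends up with. The following is an added example, not Baidu AI Cloud's own code or IAM logic: it models a tag policy as one tag Key/Value bound to an operation level, a domain as a name with tags, and a sub-user's access to a domain as the strongest level among the policies whose tag the domain carries (management includes read-only, as the system policy table states). The policy names and the department/123 and department/456 tags are the ones used in the scenarios; the domain names, the third department 789, and the function names `effective_access`, `can_modify`, `add_domain_as_sub_user` and `as_resource_list` are constructed for this example.

```python
"""Effective access of a sub-user under tag-based custom policies.

Added example, not Baidu AI Cloud's own code. A TagPolicy covers every domain
carrying exactly its tag Key/Value; a sub-user holding several tag policies
sees each covered domain at the strongest level granted for it, and does not
see domains covered by none of its policies.
"""
from dataclasses import dataclass, field

MANAGE = "Management Permission"
READ_ONLY = "Read-only Permission"


@dataclass(frozen=True)
class TagPolicy:
    name: str
    tag_key: str
    tag_value: str
    operation: str  # MANAGE or READ_ONLY, the operation chosen in the console


@dataclass
class Domain:
    name: str
    tags: dict = field(default_factory=dict)


def policy_covers(policy, domain):
    """A tag-based policy covers every resource carrying exactly that tag Key/Value."""
    return domain.tags.get(policy.tag_key) == policy.tag_value


def effective_access(policies, domains):
    """Return {domain name: level} for the domains the sub-user can see.

    Domains matching no policy are absent (invisible to the sub-user). If both
    a management and a read-only policy match, management wins because the
    management privilege includes read-only.
    """
    access = {}
    for domain in domains:
        levels = {p.operation for p in policies if policy_covers(p, domain)}
        if not levels:
            continue
        access[domain.name] = MANAGE if MANAGE in levels else READ_ONLY
    return access


def can_modify(policies, domains, name):
    """True only when the sub-user holds a management-level policy for the domain."""
    return effective_access(policies, domains).get(name) == MANAGE


def add_domain_as_sub_user(policies, domains, name, default_tag):
    """Step 5 of the first scenario: when the sub-user adds a domain name the
    console binds the sub-user's tag by default, so the new domain falls under
    the sub-user's own management policy without a further grant. Returns the
    level the sub-user now has on the new domain."""
    key, value = default_tag
    domains.append(Domain(name, {key: value}))
    return effective_access(policies, domains).get(name)


def as_resource_list(policy, domains):
    """The explicit resources a tag policy resolves to, in the page's
    domain/<name> syntax (what the console shows as the resource scope)."""
    return [f"domain/{d.name}" for d in domains if policy_covers(policy, d)]


# Constructed sample: the two policies from the scenarios plus a third
# department (789) for which user A holds no policy at all.
POLICIES = [
    TagPolicy("policy_for_user_A_with_tag123", "department", "123", MANAGE),
    TagPolicy("ReadOnlyPolicy_with_tag456", "department", "456", READ_ONLY),
]
DOMAINS = [
    Domain("img.test.com", {"department": "123"}),
    Domain("static.test.com", {"department": "456"}),
    Domain("api.test.com", {"department": "789"}),
]

if __name__ == "__main__":
    print(effective_access(POLICIES, DOMAINS))
    print(add_domain_as_sub_user(POLICIES, list(DOMAINS), "cloud.test.com", ("department", "123")))
```

Because the grant follows the tag rather than the domain name, the thing to audit in this model is who may change tags: any principal able to re-tag a domain to department/123 moves it into user A's management set. The `as_resource_list` helper shows the explicit `domain/<name>` scope a tag policy currently resolves to, which is a convenient snapshot to record when reviewing a sub-user's effective permissions.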
Related Documents
For other operations, please refer to Identity and Access Management.