百度智能云

All Product Document

          Dedicated Cloud Compute

          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) is used to help users manage resource access privileges under cloud accounts. The IAM applies to different roles in the enterprise and can grant different employees different privileges of using products. If any resources need multi-user collaborative operation in your enterprise, you are highly recommended to use the IAM.

          The IAM applies to the following scenarios:

          • Medium and large-sized enterprises: Grant multiple employees the authorization for management in the enterprise;
          • Technology-based vendors or SAAS platform providers: Perform resource management and access control for proxy customers;
          • Small and medium developers or small-sized enterprises: Add project members or collaborators to perform resource management.

          Create a User

          1. After the primary account user logs in to its account, it selects the "Identity and Access Management" in the console to enter the user administration page.

          image.png

          1. Click the "User Administration" in the left navbar, and then click the "New User" on the "Sub-User Administration List" page.
          2. In the pop-up "New User" dialog, enter and confirm the "User Name", and then return to the "Sub-User Administration List" area to view the created sub-user.

          Configure a Policy

          DCC supports both the system privilege policy and user-customized privilege policy to realize privilege control of DCC at product and instance levels respectively.

          • System privilege policy: A set of privileges predefined by the Baidu AI Cloud system for resource management. This policy enables the system to grant sub-users privileges directly, and users can only use them without modification.
          • Custom privilege policy: A set of privileges created by users for the refined resource management. This policy enables the system to configure single instances to flexibly manage different user privileges required by different accounts.

          System privilege policy

          The system privilege policies are divided into three categories, that is, the privilege management policy, privilege operation policy and read-only privilege policy. The detailed privilege scope is as follows:

          Policy Name Privilege Description Privilege Scope
          DCCFullControlPolicy Privilege for full control and management of DCC The management privilege includes the following operations, such as creating, deleting, managing, enabling and disabling products. Meanwhile, all product management APIs need to be managed uniformly in terms of finance.
          DccOperateAccessPolicy Privilege to operate the DCC The operation privilege includes the following operations, such as creating, deleting, managing, enabling and disabling products.
          DccReadAccessPolicy Privilege to only read the DCC The read-only privilege mainly include listing resources and displaying resource details and status.

          Custom privilege policy

          The custom privilege policy is authorized from the instance dimension. Unlike the system privilege policy, it is only effective for the selected instances.

          The first enter "Policy Management" from the left navbar, and then click "Create a Policy". Afterwards, the user needs to enter a policy name and select the service type for the DCC. By default, the policy is generated by the policy generator without any modification.

          image.png

          The custom privilege scope is explained in details as follows:

          The privilege of the DCC is described as follows:

          Operation Type Privilege Scope
          Read-only operation View and download the DCC list and its tag
          OPS operation DCC:
        • Modify a name
        • Edit a tag
        • Clear resources
        • vCPU settings
        • Create a dedicated instance
        • The instance privilege is described as follows:

          Operation TypePrivilege Scope
          Read-only operationOnly view the DCC instances, and the installed CDS disks, snapshots and security group list.
          OPS operation
          • DCC instance:
            • Enable, disable and restart an instance
            • Modify a name
            • Associate with a security group
            • Create a snapshot
            • Create a custom image
            • Reinstall the operating system
            • Remote control through VNC
          • CDS disk installed on the DCC instance with the privilege:
            • System disk: Create an image and create a snapshot;
            • High-performance cloud disk storage: create a snapshot;
            • General cloud disk storage: Create a snapshot.
          • Create a custom image from the snapshot created through the installed CDS disk.
          • The security group list and image list only support the read-only operation.
          • Creating, releasing and adjusting a configuration can be separated from BCC, and included in the OPS privilege of the DCC. The financial privilege is only applicable to the DCC hosts.

          User Authorization

          Select "Add a Privilege" in the "Operation" column of the corresponding sub-user in the "User Administration -> Sub-User Administration List Page", and then select and authorize a system privilege policy or a custom privilege policy for users.

          Note: If you modify the privilege of a sub-user without modifying the existing policy rules, you can only delete the existing policy and add a policy, but you cannot unselect the privilege policy which has been added.

          Sub-user login

          After the primary account has authorized the sub-user, the link can be sent to the sub-user. In addition, the sub-user can log in to the management console of the primary account through the IAM user login link, and operate and view the primary account resources based on the authorized policy.

          image.png

          For more information on detailed operations, please see Identity and Access Management.

          Previous
          Recycle Bin
          Next
          API Reference