Introduction

Identity and Access Management (IAM) is used to help users manage resource access privileges under cloud accounts. The IAM applies to different roles in the enterprise and can grant different employees different privileges of using products. If any resources need multi-user collaborative operation in your enterprise, you are highly recommended to use the IAM.

The IAM applies to the following scenarios:

• Medium and large-sized enterprises: Grant multiple employees the authorization for management in the enterprise;
• Technology-based vendors or SAAS platform providers: Perform resource management and access control for proxy customers;
• Small and medium developers or small-sized enterprises: Add project members or collaborators to perform resource management.

Create a User

1. After the primary account user logs in to its account, it selects the "Identity and Access Management" in the console to enter the user administration page.

2. Click the "User Administration" in the left navbar, and then click the "New User" on the "Sub-User Administration List" page.
3. In the pop-up "New User" dialog, enter and confirm the "User Name", and then return to the "Sub-User Administration List" area to view the created sub-user.

Configure a Policy

DCC supports both the system privilege policy and user-customized privilege policy to realize privilege control of DCC at product and instance levels respectively.

• System privilege policy: A set of privileges predefined by the Baidu AI Cloud system for resource management. This policy enables the system to grant sub-users privileges directly, and users can only use them without modification.
• Custom privilege policy: A set of privileges created by users for the refined resource management. This policy enables the system to configure single instances to flexibly manage different user privileges required by different accounts.

System privilege policy

The system privilege policies are divided into three categories, that is, the privilege management policy, privilege operation policy and read-only privilege policy. The detailed privilege scope is as follows:

Policy Name	Privilege Description	Privilege Scope
DCCFullControlPolicy	Privilege for full control and management of DCC	The management privilege includes the following operations, such as creating, deleting, managing, enabling and disabling products. Meanwhile, all product management APIs need to be managed uniformly in terms of finance.
DccOperateAccessPolicy	Privilege to operate the DCC	The operation privilege includes the following operations, such as creating, deleting, managing, enabling and disabling products.
DccReadAccessPolicy	Privilege to only read the DCC	The read-only privilege mainly include listing resources and displaying resource details and status.

Custom privilege policy

The custom privilege policy is authorized from the instance dimension. Unlike the system privilege policy, it is only effective for the selected instances.

The first enter "Policy Management" from the left navbar, and then click "Create a Policy". Afterwards, the user needs to enter a policy name and select the service type for the DCC. By default, the policy is generated by the policy generator without any modification.

The custom privilege scope is explained in details as follows:

The privilege of the DCC is described as follows:

Operation Type	Privilege Scope
Read-only operation	View and download the DCC list and its tag
OPS operation	DCC: Modify a name Edit a tag Clear resources vCPU settings Create a dedicated instance

The instance privilege is described as follows:

Operation Type	Privilege Scope
Read-only operation	Only view the DCC instances, and the installed CDS disks, snapshots and security group list.
OPS operation	DCC instance: Enable, disable and restart an instance Modify a name Associate with a security group Create a snapshot Create a custom image Reinstall the operating system Remote control through VNC CDS disk installed on the DCC instance with the privilege: System disk: Create an image and create a snapshot; High-performance cloud disk storage: create a snapshot; General cloud disk storage: Create a snapshot. Create a custom image from the snapshot created through the installed CDS disk. The security group list and image list only support the read-only operation. Creating, releasing and adjusting a configuration can be separated from BCC, and included in the OPS privilege of the DCC. The financial privilege is only applicable to the DCC hosts.

User Authorization

Select "Add a Privilege" in the "Operation" column of the corresponding sub-user in the "User Administration -> Sub-User Administration List Page", and then select and authorize a system privilege policy or a custom privilege policy for users.

Note: If you modify the privilege of a sub-user without modifying the existing policy rules, you can only delete the existing policy and add a policy, but you cannot unselect the privilege policy which has been added.

Sub-user login

After the primary account has authorized the sub-user, the link can be sent to the sub-user. In addition, the sub-user can log in to the management console of the primary account through the IAM user login link, and operate and view the primary account resources based on the authorized policy.

For more information on detailed operations, please see Identity and Access Management.