
          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) helps users manage access rights to the resources under a cloud account. It suits enterprises whose staff hold different roles: different workers can be given different privileges to use the product. It is recommended that you use identity and access management.

          Suitable for the following usage scenarios:

          • Medium and large enterprise customers: authorization management for multiple employees in the company;
          • Technical vendors or SaaS vendors: resource and authority management for agency clients;
          • Small and medium developers or small businesses: adding project members or collaborators for resource management.

          Create User

          1. After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.

          2. Click "User Management" on the left navigation bar, and click "Create User" on the "Sub User Management List" page.
          3. In the pop-up "Create User" dialog box, fill in the "User Name" and confirm, and return to the "Sub User Management List" region to view the newly created sub user.

          Configure Policy

          Public network DNS supports system policies and user-customized policies, which provide product-level and instance-level privilege control of DNS, respectively.

          • System policy: A set of privileges predefined by the Baidu AI Cloud system to manage resources. System policies can be granted directly to sub-users. Users can only use them and cannot modify them.
          • Custom policy: A more detailed set of privileges that users create themselves to manage resources. Custom policies can be configured for a single instance, so an account can manage differentiated privileges for different users more flexibly.

          System policy

          The system policy has three types: management privileges, operation and maintenance privileges, and read-only privileges. The scope of privileges is as follows:

          | Policy name | Privilege description | Scope of privilege |
          | --- | --- | --- |
          | DNSReadPolicy | Read-only access to the public network DNS service | Query domain name list, view resolution record |
          | DNSOperatePolicy | Privilege for operation and maintenance of public network DNS services | Query domain name list, view resolution records, resolution settings |
          | DNSFullControlPolicy | Privilege for full control and management of public DNS services | Query the list of domain names, view resolution records, resolve settings, add/delete domain names, renew, and upgrade |
          | LDReadPolicy | Read-only access to the intranet DNS services | Query the list of domain names and view instance details |
          | LDOperatePolicy | O&M operation permission of intranet DNS service | Query the list of domain names, view instance details, resolve settings, and associate VPC |
          | LDFullControlPolicy | Privilege for full control and management of the intranet DNS services | Query the list of domain names, view instance details, resolve settings, associate VPC, add/delete domain names |

          Custom policy

          Custom policies authorize at the instance level. Unlike system policies, they take effect only on the selected instances.

          The sub-user enters "Policy Management" through the left navigation bar, and then clicks "Create Policy". Fill in the policy name and select the service type: for public network DNS, select "Baidu AI Cloud Resolution"; for internal network DNS, select "Local DNS Service". The policy generation method defaults to the policy generator and does not need to be modified.

          The details of custom privileges are as follows:

          | Product name | Read only | Operation and maintenance | Management |
          | --- | --- | --- | --- |
          | Public network DNS service | Query domain name list, view resolution record | Query domain name list, view resolution records, resolution settings | Query the list of domain names, view resolution records, resolve settings, delete domain names, renew, and upgrade |
          | Intranet DNS service | Query the list of domain names and view instance details | Query the list of domain names, view instance details, resolve settings, and associate VPC | Query the list of domain names, view instance details, resolve settings, associate VPC, delete domain names |

          User Authorization

          On the "User Management > Sub-User Management List" page, select "Add Privilege" in the "Action" column of the corresponding sub-user, and select a system policy or custom policy to authorize the user.

          Note: To modify the privileges of a sub-user, you can only delete existing policies and add new policies; the existing policy rules themselves are not modified. You cannot uncheck the policy privileges that have been added.
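
A least-privilege review of sub-user authorizations, using the scopes from the system policy table above. This is an added example, not Baidu AI Cloud code: the policy names come from the table, while the action labels (`pub:...`, `ld:...`), the function names and the sample assignment are shorthand constructed for the example and are not API permission names. Custom policies are not modelled.

```python
# Scopes transcribed from the system-policy table on this page. The action
# labels are shorthand invented for this example, not Baidu AI Cloud API names.
PUB_READ = {"pub:list_domains", "pub:view_records"}
PUB_OPS = PUB_READ | {"pub:resolution_settings"}
PUB_FULL = PUB_OPS | {"pub:add_delete_domains", "pub:renew", "pub:upgrade"}
LD_READ = {"ld:list_domains", "ld:view_instance"}
LD_OPS = LD_READ | {"ld:resolution_settings", "ld:associate_vpc"}
LD_FULL = LD_OPS | {"ld:add_delete_domains"}

SYSTEM_POLICIES = {
    "DNSReadPolicy": PUB_READ, "DNSOperatePolicy": PUB_OPS,
    "DNSFullControlPolicy": PUB_FULL, "LDReadPolicy": LD_READ,
    "LDOperatePolicy": LD_OPS, "LDFullControlPolicy": LD_FULL,
}


def minimal_policies(needed):
    """Return the narrowest system policy per service that covers `needed`."""
    chosen = []
    for prefix in ("pub:", "ld:"):  # public network DNS, then intranet DNS
        want = {a for a in needed if a.startswith(prefix)}
        if not want:
            continue
        fits = [(len(s), n) for n, s in SYSTEM_POLICIES.items() if want <= s]
        if not fits:
            raise ValueError(f"no system policy covers {sorted(want)}")
        chosen.append(min(fits)[1])  # fewest granted actions wins
    return chosen


def review(assigned, needed):
    """Compare a sub-user's attached system policies with what the role needs."""
    granted = set().union(*(SYSTEM_POLICIES[p] for p in assigned))
    needed = set(needed)
    return {
        "excess": sorted(granted - needed),    # granted but not required
        "missing": sorted(needed - granted),   # required but not granted
        "suggested": minimal_policies(needed),
    }


# Constructed sample: a sub-user who only edits public DNS resolution
# settings but was authorized with full control.
SAMPLE = review(["DNSFullControlPolicy"],
                {"pub:list_domains", "pub:resolution_settings"})
```

Because a sub-user's privileges are changed by deleting and re-adding policies, the `suggested` list is the set to attach after removing the over-broad one.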
