          Identity and Access Management

          Overview

          Identity and Access Management (IAM) lets the primary user account create sub-accounts and assign them operation privileges for relevant products or instances, achieving fine-grained privilege management.

          For example, you can assign Data Transmission Service (DTS) OPS privileges at the product level or the instance level to DBAs and other front-line operators, and DTS read-only privileges at the product level or the instance level to other non-operators.

          Application Scenarios

          • Medium and large enterprise customers: manage authorization for multiple employees in the company;
          • Technology “vendor” or “SaaS” platform providers: manage the resources and privileges of proxy clients;
          • Small and medium developers or small enterprises: add project members or collaborators to perform resource management.

          Create a Subuser

          1. After you log in to the account, select “Identity and Access Management” in the console to enter the user administration page.

          2. Click “User Administration” in the navbar on the left side, and then click “Create a Subuser” on the “Subuser” page.
          3. In the pop-up “Create a Subuser” dialog, enter the “User Name” and click OK to return to the “Subuser Administration List” section, where you can view the created sub-user.

          Configure Policy

          Data Transmission Service (DTS) supports system policies and user-defined policies, achieving privilege control at the product and task levels.

          System policies

          The system policies are the Data Transmission Service (DTS) product-level privileges: product-level management privileges, product-level OPS privileges, and product-level read-only privileges. The privilege scope of each policy is as follows:

          | Policy Name | Privilege Description | Privilege Scope |
          |---|---|---|
          | DTSFullControlPolicy | The management privileges of Data Transmission Service (DTS) | Create tasks, release tasks, modify tasks, query the task list, query tasks, start tasks, pause tasks, and terminate tasks |
          | DTSOperateAccessPolicy | The OPS privileges of Data Transmission Service (DTS) | Modify tasks, query the task list, query tasks, start tasks, pause tasks, and terminate tasks |
          | DTSReadOnlyAccessPolicy | The read-only privileges of Data Transmission Service (DTS) | Query the task list and query tasks |
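
          A right-sizing check built on the three system policies above, as an added example (not Baidu AI Cloud code): it picks the narrowest system policy that covers the actions a sub-user needs and lists what an over-broad grant adds. Action labels reuse the table's wording and are not API permission identifiers; the sub-user names and usage data are constructed.

```python
# Added example: action labels are the wording of the policy table,
# not Baidu AI Cloud API permission identifiers.
QUERY = {"query the task list", "query tasks"}
OPERATE = QUERY | {"modify tasks", "start tasks", "pause tasks", "terminate tasks"}
FULL = OPERATE | {"create tasks", "release tasks"}

# System policies from the table, ordered from narrowest to broadest scope.
SYSTEM_POLICIES = [
    ("DTSReadOnlyAccessPolicy", QUERY),
    ("DTSOperateAccessPolicy", OPERATE),
    ("DTSFullControlPolicy", FULL),
]

def least_privilege_policy(needed):
    """Return the narrowest system policy whose scope covers `needed`."""
    needed = set(needed)
    unknown = needed - FULL
    if unknown:
        raise ValueError(f"actions outside DTS policy scope: {sorted(unknown)}")
    for name, scope in SYSTEM_POLICIES:
        if needed <= scope:
            return name

def audit(assignments, usage):
    """Compare each sub-user's attached policy with the actions they need.

    Returns {user: (recommended_policy, excess_actions)} for over-granted users.
    """
    scopes = dict(SYSTEM_POLICIES)
    findings = {}
    for user, attached in assignments.items():
        needed = set(usage.get(user, ()))
        recommended = least_privilege_policy(needed)
        excess = scopes[attached] - scopes[recommended]
        if excess:
            findings[user] = (recommended, sorted(excess))
    return findings

# Constructed sample data: sub-user names and required actions are hypothetical.
ASSIGNMENTS = {"dba-01": "DTSFullControlPolicy",
               "analyst-01": "DTSOperateAccessPolicy",
               "ops-01": "DTSOperateAccessPolicy"}
USAGE = {"dba-01": ["start tasks", "pause tasks", "query tasks"],
         "analyst-01": ["query the task list"],
         "ops-01": ["modify tasks", "terminate tasks"]}

if __name__ == "__main__":
    for user, (policy, excess) in audit(ASSIGNMENTS, USAGE).items():
        print(f"{user}: switch to {policy}; drops {excess}")
```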

          Custom Policies

          Click “Policy Management>Custom Policy” to add a custom policy that controls task-level privileges. You can add the custom policy in two ways, “Create by Policy Builder” and “Create by Policy Syntax”, and modify the policy according to the privilege setup. For the configuration method, see Create Custom Policy.

          The scope of the custom privileges is as follows:

          | Privilege Description | Privilege Scope |
          |---|---|
          | Management privileges | Release tasks, modify tasks, query the task list, query tasks, start tasks, pause tasks, and terminate tasks |
          | OPS privileges | Modify tasks, query the task list, query tasks, start tasks, pause tasks, and terminate tasks |
          | Read-only privilege | Query the task list and query tasks |

          User Authorization

          1. Under “User Administration->Subuser”, choose “Add Privilege” in the “Operation” column of the corresponding sub-user.

          2. In this pop-up window, you can choose “All Policies”, “System Policies”, or “Custom Policies” for authorization.

          Note: To change the privileges of a sub-user without modifying the existing policy rules, you must delete the existing policies and add new ones; you cannot deselect policy privileges that have already been added.

          Subuser Login

          After you authorize the sub-user with the primary account, you can send a login link to the sub-user. The sub-user can then log in to the Management Console of the primary account to operate and view primary account resources according to the authorized policies.

          Documentation

          For other operations, see Identity and Access Management (IAM).
