Identity and Access Management
Introduction
Identity and Access Management is mainly used to help users manage the access rights of resources under the cloud account. It is applicable to different roles in the enterprise. Different workers can be given different privileges to use the product. It is recommended that you use identity and access management.
Suitable for the following usage scenarios:
- Medium and large enterprise customers: Authorized management of multiple employees in the company;
- Technical vendors or SAAS vendors: Resource and authority management for agency clients;
- Small and medium developers or small businesses: Add project members or collaborators for resource management.
Create User
-
After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.
- Click "User Management" on the left navigation bar, and click "Create User" on the "Sub User Management List" page.
- In the pop-up "Create User" dialog box, fill in the "User Name" and confirm, and return to the "Sub User Management List" region to view the newly created sub user.
Configure Policy
EIP supports system policy and user Custom Policy, which respectively realize EIP product-level privilege and instance-level privilege control.
- System policy: A set of privileges predefined by Baidu AI Cloud System to manage resources. They can directly authorize sub-users. Users can only use them and cannot modify them.
- Custum policy: A more detailed set of privileges created by users themselves to manage resources. They can be configured for a single instance so as to more flexibly meet the account's differentiated privileges management for different users.
Note:
- EIP contains multiple sub-products, the privilege of each of which can be classified into read only, Operations and management.
- For each product, the Operations privilege completely overwrites read only privilege, and management privilege completely overwrites read only and Operations privileges. The following tables only display the part of superior privilege different from the subordinate privilege.
- The Custom Policy is assigned to a specific instance, and can only be effective in these instances, so Custom Policy does not have creation privilege.
Scope of privilege
The correspondence between name of system policy of each product and three-level privilege is as follows:
Product | Read only | Operations | Management |
---|---|---|---|
EIP | EipReadOnlyAccessPolicy | EipOperateAccessPolicy | EIPFullControlPolicy |
EIP_BP | EIP_BPReadOnlyAccessPolicy | EIP_BPOperateAccessPolicy | EIP_BPFullControlPolicy |
EIPGROUP | EipGroupReadOnlyAccessPolicy | EipGroupOperateAccessPolicy | EIPGROUPFullControlPolicy |
The policy privilege of each product is detailed as follows:
Product | Read only operation | Operations operation | Management operation |
---|---|---|---|
EIP instance | Query EIP list | Binding | Create EIP |
Unbinding | Release EIP | ||
Monitoring | renew | ||
Alarm | Bandwidth capacity expansion and shrinkage | ||
Billing change | |||
Cancel billing change | |||
Shared bandwidth (EIPGROUP) | Query instance list | Monitoring | Create shared bandwidth |
Query instance details | Alarm | renew | |
Bandwidth upgrading | |||
IP number upgrading | |||
Bandwidth packet (EIP_BP) | Query instance list | Monitoring | Create bandwidth packet |
Query instance details | Alarm | renew | |
Bandwidth upgrading |
User Authorization
Select "Add privilege" in the "Action" column of the corresponding sub-user in the "User Management > Sub-User Management List Page", and select system privileges or custom policy for users to authorize.
(Screenshot of corresponding product policy authorization)
Note: You can only delete existing policy and add new policy to modify the privileges of a sub-user without modifying the existing policy rules. You cannot uncheck the policy privileges that have been added.
Sub-user Login
After the master account authorizes the sub-user, the link can be sent to the sub-user; the sub-user can log in to the management console of the master account through the IAM user login link, and operate and view the master account resources according to the authorized policy.
For other detailed operation, please see Identity and Access Management.