Product Feature
Centralized authorization and delegated access control
IAM centrally manages permissions for all resources on Baidu AI Cloud. You can grant members of your enterprise or team access to different resources in your cloud account according to function, so that resources are shared while the delegation of authority stays under control.
Fine-grained permission management
IAM provides system policies and custom policies. System policies control permissions at the product level, that is, across all resource instances within a product. For products that already support custom policies, permissions can be controlled down to the instance level; for example, you can grant one user read-only permission on a single BCC server, or grant another user administrative permission on a specific BOS storage bucket.
Cross-account resource access
In some business scenarios, such as outsourced operations, you need to access resources that belong to another cloud account. IAM provides the Role Management feature, which lets a user obtain access permissions in another cloud account, provided the user has temporarily obtained explicit authorization, and so complete the access to that account's resources.
Two Factor Authentication
Two-factor authentication (MFA) secures identity access to your cloud account. IAM supports SMS and virtual MFA apps for secondary identity verification of users who need to access the AI Cloud. It also protects key operations within your cloud account to keep the account secure.
Federated identity
Large and medium-sized enterprise customers usually run their own internal identity management system and have already integrated it with other services inside the enterprise. When these customers use Baidu AI Cloud, they expect the AI Cloud to act as one of their service providers (SP) for federated identity authentication, with the enterprise itself acting as the identity provider (IdP). IAM provides a federated identity management feature that supports the SAML 2.0 standard protocol, so you can connect the enterprise's internal identity management system to the Baidu AI Cloud account system with simple configuration. See External Account Access for details.
Audit support
Key user operations in IAM are recorded in Baidu Cloud Trail. You can query the operation records of users in the account for the past 90 days, and you can also create tracking to store audit records for the long term.