Organization vs Identity and Access Management
Organization
Organization: Applies to organizations, agents and their customers, and similar cases in which each subject is a separate account (with a separate bill). These separate accounts form an organizational hierarchy in which the upper layer can manage the finance and resources of the lower layer and control the operational permissions of the lower-layer accounts.
Scenario 1: Company A has multiple subsidiaries under the same subject. Company A and its subsidiaries are associated with each other as a whole, but also operate relatively independently.
Scenario description:
- Both Company A and its subsidiaries want to have separate user accounts, which can be used separately on Baidu AI Cloud.
- Company A and its subsidiaries manage resources independently, and Company A has the right to supervise the subsidiaries and to manage the resources of the subsidiaries.
- Company A and its subsidiaries share the same subject, and Company A pays the bills of Company A and its subsidiaries uniformly.
Scenario 2: Agent B has multiple customers and needs to manage them; meanwhile, the agent and each customer need to manage their resources independently.
Scenario description:
- For the sake of security, Agent B wants the customer to have a separate account for use.
- Agent B has the permission to supervise the use of the customer's resources.
- If Agent B terminates the contract with the customer, Agent B can terminate the authorization of the customer at any time.
Identity and Access Management
Identity and access management: Applies to different roles within an organization. Different staff can be granted different permissions to use the products, such as read-only, operations, and management, and these permissions can be refined to the resource level. IAM users do not pay separately for the costs generated by their operations. When multiple users in your enterprise operate resources collaboratively, identity and access management is recommended.
Application scenario: Account A of an enterprise has bought multiple cloud resources, such as Baidu Cloud Compute (BCC), Baidu Object Storage (BOS), and Content Delivery Network (CDN). The enterprise has many employees, including developers, testing personnel, and operations personnel. Each employee has different job responsibilities and therefore requires different permissions; the employees do not need to pay for the operation costs separately.
Scenario description:
- Account A of the enterprise can grant different permissions to different staff to use the products, such as read-only, operations, and management; it can also refine permission control to the resource level, such as operation permission on a certain BCC instance.
- The enterprise employees use the IAM user account for login and use, and do not need to pay for the operation costs separately.
Difference
Difference | Organization | Identity and Access Management |
---|---|---|
Resource affiliation | Resources belong to each account, that is, to the account that opens or buys them. | Resources belong to the root account, not to the IAM user. |
Fund and bill affiliation | Each account in the organization owns its funds and is billed separately; the root account may also apply to enable the financial management permission and pay the bills of all IAM accounts in the organization uniformly by means of fund transfer. | The account is the carrier of funds and billing. IAM users are not billed separately; the resource costs generated by all IAM users in the account are recorded in the root account. |
Usage scenarios | Applies to organizations in which each subject is a separate account (with a separate bill). These separate accounts form an organizational hierarchy in which the upper layer can manage the finance and resources of the lower layer and control the operational permissions of the lower-layer accounts. | Applies to different roles within an organization. Different staff can be granted different permissions to use the products, such as read-only, operations, and management, and these permissions can be refined to the resource level. IAM users do not pay separately for the costs generated by their operations. When multiple users in your enterprise operate resources collaboratively, identity and access management is recommended. |
Application scenario | Company A has multiple subsidiaries under the same subject. Company A and its subsidiaries are associated with each other as a whole, but also operate relatively independently. Scenario description: 1. Both Company A and its subsidiaries want to have separate user accounts, which can be used separately on Baidu AI Cloud. 2. Company A and its subsidiaries manage resources independently, and Company A has the right to supervise the subsidiaries and to manage the resources of the subsidiaries. 3. Company A and its subsidiaries share the same subject, Company A has the overall financial settlement right, and Company A pays the bills of Company A and its subsidiaries uniformly. | Account A of an enterprise has bought multiple cloud resources, such as Baidu AI Cloud Compute (BCC), object storage (BOS), and content delivery network (CDN). The enterprise has many employees, including developers, testing personnel, and operations personnel. Each employee has different job responsibilities and therefore requires different permissions; the employees do not need to pay for the operation costs separately. Scenario description: 1. Account A of the enterprise can grant different permissions to different staff to use the products, such as read-only, operations, and management; it can also refine permission control to the resource level, such as operation permission on a certain BCC instance. 2. The enterprise employees use the IAM user account for login and use, and do not need to pay for the operation costs separately. |