
          Manage IAM Policy

          View the System Policy

          Log in to the Cloud Console, hover over the profile picture in the top right corner, and go to Identity and Access Management > Policy Management. The system policy list is displayed by default. System policies usually include feature policies, such as system administrator, which supports all the policies of the system, and financial management; product policies define the set of common policies by product. Please refer to the permission documentation of each product line for the specific policy definitions. Click the View button to view the policy syntax of a system policy.

          Manage Custom Policy

          In Policy Management > Custom Policy, you can define Custom Policies for the relevant business of your account to achieve fine-grained permission control. You can also quickly build a Custom Policy based on a label for resources of the same type (resources that carry the same label), which is often used to solve authorization problems across a large number of different products or service combinations.

          Create Custom Policy

          Currently, IAM supports 2 ways to create custom policies: creating the policy with the policy generator and creating the policy based on a label. With the policy generator, you generate a policy by selecting the service, permissions and regional instances; with a label, you generate a policy by filtering resources according to the labels you created for the service instances.

          Prerequisite
          You must have the system administrator permission of Baidu AI Cloud.

          Operation steps: Generate the policy based on policy generator

          1. Log in to the Cloud Console, hover over the profile picture in the top right corner, and go to Identity and Access Management > Policy Management;
          2. Click Create Policies, and select Create the Policy Based on Policy Generator in the pop-up;
          3. Fill in the policy name and description in the basic information;
          4. Fill in the permission configuration: click the Add permission button to add a permission to the current policy, and fill in the following in the pop-up:

            • Select service: Select the name of the product.
            • Policy generation mode: Depending on the type of service you choose, you can generate the final policy either with the policy generator or by editing the policy document; if this option is grayed out, the policy generator mode is used by default. The policy generator is a visual tool that produces the policy by configuring operations and resource instances step by step; editing the policy document lets you write the policy as a JSON document that follows the policy syntax. Please refer to Policy Syntax. The policies generated by both modes are stored in the system in ACL format.
            • Permission effect: Select the effect, allow or deny. Note that a deny permission takes precedence over an allow, so select it carefully;
            • Permission option: The business-related permissions defined by the selected service type; multiple selections are supported;
            • Select resources: The resources available under the selected service type; a resource can be specified down to the resource instance.

              • Selecting All Resource means any resource in all regions supported by Baidu AI Cloud, including resources added in the future; it is written as "*" in the policy ACL description;
              • Selecting Specific Resource lets you choose specific resource instances by filtering by region.
            • Restricted conditions: Select the restricted conditions that you need to configure for the current policy. When restricted conditions are configured, only access that meets the conditions and satisfies the permission policy is allowed.
          5. Click Completion to return to the policy creation page. You can add further permissions by repeating Step 4, or click Completion to save the Custom Policy.
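
          The choices made in Step 4 can be checked offline before a policy is attached to an identity. The sketch below is an added example, not code from Baidu AI Cloud: it evaluates requests so that a matching deny overrides any allow, and lists the policies that allow on "*", which also covers resources created later. The policy layout, field names, prefix wildcards and default-deny behaviour are assumptions for illustration; the real format is described in Policy Syntax.

```python
import fnmatch
import json

# Constructed sample policies. The layout and field names ("effect",
# "permission", "resource") are assumptions, not the documented syntax.
POLICIES = json.loads("""
[
  {"name": "ops-read-all", "statements": [
    {"effect": "Allow", "permission": ["READ", "LIST"], "resource": ["*"]}]},
  {"name": "protect-prod", "statements": [
    {"effect": "Deny", "permission": ["READ", "WRITE"], "resource": ["bucket/prod-*"]}]},
  {"name": "dev-write", "statements": [
    {"effect": "Allow", "permission": ["WRITE"], "resource": ["bucket/dev-logs"]}]}
]
""")


def _matches(stmt, permission, resource):
    """True when a statement covers the requested permission and resource."""
    return permission in stmt["permission"] and any(
        fnmatch.fnmatchcase(resource, pattern) for pattern in stmt["resource"])


def evaluate(policies, permission, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # assumed default: no match grants nothing
    for policy in policies:
        for stmt in policy["statements"]:
            if not _matches(stmt, permission, resource):
                continue
            if stmt["effect"] == "Deny":
                return "Deny"  # a matching deny beats every matching allow
            decision = "Allow"
    return decision


def wildcard_allows(policies):
    """Names of policies that allow on "*", i.e. also on future resources."""
    return [p["name"] for p in policies
            if any(s["effect"] == "Allow" and "*" in s["resource"]
                   for s in p["statements"])]


if __name__ == "__main__":
    for perm, res in [("READ", "bucket/dev-logs"), ("READ", "bucket/prod-db"),
                      ("WRITE", "bucket/dev-logs"), ("WRITE", "bucket/other")]:
        print(perm, res, "->", evaluate(POLICIES, perm, res))
    print("Allow on all resources:", wildcard_allows(POLICIES))
```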

          Operation steps: Create the policy based on label

          1. Log in to the Cloud Console, hover over the profile picture in the top right corner, and go to Identity and Access Management > Policy Management;
          2. Click Create Policies, and select Create the Policy Based on Label in the pop-up;
          3. Fill in the policy name and description in the basic information;
          4. Fill in the permission configuration:

            • Select label: Select the key value of the label that you need; if there is no label yet, click the link "No Label Yet? Click to create a label", which jumps to label management;
            • Select service: Select a service type that supports labels; to see which product lines support label-based authorization, please refer to Product Using IAM;
            • Select operation: The permission operations of the selected service are unified into read-only, operations, and management permissions;
            • Resource scope: Displays the resource list of the selected service; if no actual resources match, it represents all global resources. If you later associate the current label with an actual resource instance, that resource instance is controlled by the current Custom Policy.
          5. Click Completion to save the configured policies.

          Edit the Custom Policy

          If an existing Custom Policy cannot meet your needs, you can create a brand new Custom Policy or edit the existing one. Log in to the Cloud Console, hover over the profile picture in the top right corner, and go to Identity and Access Management > Policy Management; locate the custom policy that needs editing and click the Edit button to enter the edit page of the policy. Please refer to Create Custom Policy for how to edit policies.

          Delete the Custom Policy

          To delete a Custom Policy that is no longer needed, locate it, click the Delete button, and confirm to complete the deletion.

          Important tips:
          Deleting a policy that is in use may cause your IAM users or services to lose the corresponding operation rights and affect your business, so make sure that the policy has been removed from all identities before you delete it.
