User Management and Permission Assignment
Scenario Description
Suppose you are an administrator at Company A. When the company was founded, you registered the cloud account Company-A and purchased several cloud resources (such as BCC, BOS, CDN and RDS). Company A has multiple employees who need to operate these resources: some are responsible for procurement, some for Operations, and some only need to view and use resources. Employees in different positions have different duties and therefore need different permissions.
This scenario has the following requirements:
- For reasons of security and trust, Company A does not want to hand the cloud account's access key directly to employees; instead, each employee should get a separate account with its own permissions.
- All operations performed by employee accounts must be auditable.
- Costs do not need to be tracked per employee: all expenses incurred are charged to the root account's bill.
Solution
For this scenario, the following shows how IAM helps you manage users and assign resource permissions.
Step 1: Enable Login Protection for the Root Account
If you have previously shared the account with others, the risk that its credentials have leaked is high, so you are recommended to enable Login Protection for the account.
Login Protection adds a second check at login: after the account name and password have been entered correctly, the user must also present a credential that proves their identity. Even if someone steals the password, they still cannot log in to the account, which protects it to the greatest extent.
Step 2: Create IAM User and Group
Based on the business scenario above, create a separate IAM user for each of User A, B, C, D, E and F, then create the corresponding groups (product management group, financial group, Operations group and read-only group), and add each user to the group that matches their duties. Please refer to User Management and Group Management for details on how to create them.
Step 3: Enable the Two Factor Authentication for the IAM user
Because operations related to management and finance are generally more sensitive, a leaked administrator password would carry a large risk. You can [Enable Two Factor Authentication](IAM/Operation Guide/User/Two Factor Authentication) for these IAM users and hand the account password and the Two Factor Authentication device to two different people for safekeeping, so that logging in and performing sensitive operations requires both of them to be present at the same time.
Step 4: Allocate Permissions to Different Groups
IAM provides multiple system policies to choose from. For the scenario above, permissions can be allocated as follows:
- Director A of the company: grant the system administrator permission, which allows managing all Baidu AI Cloud resources;
- Product manager B: grant the product management permission, which allows creating and deleting instances and performing the related operations;
- Financial personnel C: grant the financial permission (FCFullControlPolicy), which allows managing the financial center;
- Operations personnel D and E: grant the Operations permission of the relevant products, which allows configuring and viewing resources but not creating, purchasing or deleting them;
- Read-only personnel F: grant HR or other participants the read-only permission, which allows viewing the resource list, logs and similar information of the relevant products, but not operating on them.
If the system policies provided by IAM do not meet your fine-grained requirements, you can Set Custom Policy to grant resource- and instance-level permissions. For example, you can grant an IAM user the management permission for one specific BCC instance rather than for all BCC instances.
Operation Audit of IAM User
To understand how resources are being used, Director A can review the operation records of each IAM user. These records show which resource instances each IAM user operated on and can be used for security analysis, resource change tracking and compliance audit. Please refer to Operation Record.
Changes in an Employee's Position
If an employee transfers to another position and needs different permissions, remove the employee from the old group and add them to the group of the new position. If an employee leaves the company or becomes a security concern, disable the employee's IAM user; IAM then automatically stops applying all of that user's permissions. If a new employee joins, create an IAM user for them and grant the corresponding permissions.