          Identity and Access Management

          Concept

          Before using the IAM service, you need to understand the key concepts behind it; this is critical to using IAM flexibly in the context of your enterprise's actual situation. IAM mainly addresses identity management and access control, and its related concepts also focus on these two aspects.

          Identity System

          Account
          The minimum unit of resource isolation and billing on Baidu AI Cloud, and the collection and owner of the customer's resources on the cloud. When a user registers on the Baidu AI Cloud console, an independent space is generated automatically and used for managing cloud resources, issuing bills, etc.

          Root user
          When the customer creates the cloud account, the system automatically creates a super administrator user. Since the root user has all the rights of the cloud account, to keep the account's resources secure you are strongly recommended not to use the root user directly to manage your cloud account; instead, use the root user to create an administrator IAM user for subsequent resource management and operation.

          IAM user
          A kind of user under the IAM identity system, used to share the root user's cloud resources or collaborate on them. The username is unique within the account. An IAM user can be a person, a service or an application: an IAM user can log in to the console with an account password, or access the cloud resources in the account programmatically via the API.

          Contact
          A special kind of user under the IAM identity system that is only used to receive messages and cannot access the resources in the cloud account by any means. It is often used by the root user to send specific Baidu AI Cloud messages to members of the enterprise or team. An IAM user has the attributes of a Contact by default.

          Group
          A set of IAM users or Contacts with the same characteristics. When a group is authorized, the users in the group automatically inherit all permissions owned by the group. An IAM user can join multiple groups simultaneously. You can add a new employee to a specific group so that they gain all the permissions corresponding to that group's function, or remove an employee whose job has changed from the group directly, so as to revoke permissions that are no longer needed.

          Role
          An IAM role is a virtual identity which, like a user identity, can be associated with permissions to operate on resources, but it has no identity authentication key of its own and must be assumed by a trusted entity (user) before it can be used.

          Federated identity
          The enterprise has its own identity system and acts as the identity provider (IdP), while Baidu AI Cloud acts as the service provider (SP); users can log in via single sign-on with their enterprise identity account. Federated identity is often used together with roles to access the cloud resources within the account.

          User credentials
          The security credentials associated with a user, used to verify the user's identity. IAM user credentials currently fall into the following three categories:

          • User password: set depending on whether the user needs to log in to the console;
          • AccessKey: the credential the user uses for programmatic access; it is used for signature verification when calling the API or using an SDK;
          • Token: in temporary authorization scenarios, a Token is issued by the STS service to the user assuming a role.
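The AccessKey bullet says the key pair is used for signature verification rather than sent as a password. The following is an added illustration, not Baidu AI Cloud's own signing algorithm or SDK code: a generic HMAC-SHA256 request signature, with the client signing the request and the server recomputing the signature from its copy of the secret, comparing in constant time and rejecting stale timestamps. The credential store, the canonical string layout and the five-minute skew window are all assumptions made for the example.

```python
import hmac
import hashlib
import time

# Constructed credential store: AccessKey ID -> secret key (hypothetical values).
CREDENTIALS = {
    "AK_EXAMPLE_ID": "sk_example_secret_do_not_reuse",
}
MAX_SKEW_SECONDS = 300  # assumed policy: reject signatures older than five minutes


def canonical_string(method, path, ak, timestamp):
    """Build the string both sides sign; everything the server must check is bound into it."""
    return "\n".join([method.upper(), path, ak, str(timestamp)])


def sign_request(ak, sk, method, path, timestamp):
    """Client side: HMAC-SHA256 over the canonical string, keyed with the secret key."""
    msg = canonical_string(method, path, ak, timestamp).encode()
    return hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(method, path, ak, timestamp, signature, now=None):
    """Server side: look up the secret by AccessKey ID, recompute and compare in constant time.

    Returns (ok, reason). The secret itself never travels with the request; only
    the AccessKey ID and the signature do, which is why a leaked request log does
    not reveal the credential.
    """
    now = time.time() if now is None else now
    sk = CREDENTIALS.get(ak)
    if sk is None:
        return False, "unknown AccessKey"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = sign_request(ak, sk, method, path, timestamp)
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    sig = sign_request("AK_EXAMPLE_ID", CREDENTIALS["AK_EXAMPLE_ID"], "GET", "/v1/bcc/instances", ts)
    print("valid request:", verify_request("GET", "/v1/bcc/instances", "AK_EXAMPLE_ID", ts, sig))
    # Changing any signed field (here the method) invalidates the signature.
    print("tampered request:", verify_request("DELETE", "/v1/bcc/instances", "AK_EXAMPLE_ID", ts, sig))
```

Because the method and path are part of the signed string, a captured signature cannot be reused for a different operation, and the timestamp window limits how long a captured request stays replayable; a real scheme binds more fields (headers, body hash) the same way.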

          Access Management

          Permission
          Allows or denies a user to perform an operation on a resource. For example, resource management and control: creating and deleting a BCC server; resource operations: shutting down and restarting a BCC server, which do not change the lifecycle of the resource; read-only: viewing.

          Policy
          The set of a user's permissions, which defines what the user can do with the resources in the cloud account.

          Policy syntax
          The description of a policy. Each policy is associated with an ACL and is written in JSON format.

          Resource
          The abstraction a cloud service presents to the user and the object the user interacts with, such as a BCC instance or a BOS bucket.

          Policy and identity
          A policy can be associated with users, groups and roles, so that access control over cloud resources is realized through policies.
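The Access Management concepts above (permission as allow/deny on an action and a resource, policy as a set of permissions in JSON, policies attached to users and groups with group members inheriting them) can be tied together in a small evaluation model. The following is an added example and not Baidu AI Cloud's policy grammar or evaluation engine: the JSON layout, the action names such as "bcc:StopInstance", the resource names such as "bcc:instance/i-prod-*" and the deny-overrides rule are all constructed for illustration. It shows how a direct Deny statement on a user limits what that user inherited from a group, and how a user with no attached policies is denied by default.

```python
import json
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    """One permission: Allow or Deny a set of actions on a set of resources."""
    effect: str          # "Allow" or "Deny"
    actions: tuple       # action patterns, e.g. "bcc:StopInstance" or "bcc:Describe*"
    resources: tuple     # resource patterns, e.g. "bcc:instance/i-prod-*"

    def matches(self, action, resource):
        return (any(fnmatchcase(action, a) for a in self.actions)
                and any(fnmatchcase(resource, r) for r in self.resources))


@dataclass
class Policy:
    name: str
    statements: list


@dataclass
class Group:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class User:
    name: str
    policies: list = field(default_factory=list)   # policies attached directly
    groups: list = field(default_factory=list)     # groups the user belongs to

    def effective_policies(self):
        """Directly attached policies plus everything inherited from every group."""
        return list(self.policies) + [p for g in self.groups for p in g.policies]


def policy_from_json(text):
    """Parse a policy from the constructed JSON layout used in this example."""
    doc = json.loads(text)
    statements = [Statement(s["effect"], tuple(s["actions"]), tuple(s["resources"]))
                  for s in doc["statements"]]
    return Policy(doc["name"], statements)


def is_allowed(user, action, resource):
    """Default deny; an explicit Deny in any effective policy wins; otherwise an Allow is needed."""
    allowed = False
    for policy in user.effective_policies():
        for st in policy.statements:
            if st.matches(action, resource):
                if st.effect == "Deny":
                    return False
                allowed = True
    return allowed


# Constructed policies (hypothetical action and resource names, not Baidu's real grammar).
OPS_POLICY = policy_from_json("""{
  "name": "bcc-operations",
  "statements": [
    {"effect": "Allow",
     "actions": ["bcc:StartInstance", "bcc:StopInstance", "bcc:RebootInstance"],
     "resources": ["bcc:instance/*"]}
  ]
}""")
READONLY_POLICY = policy_from_json("""{
  "name": "bcc-readonly",
  "statements": [
    {"effect": "Allow", "actions": ["bcc:Describe*"], "resources": ["*"]}
  ]
}""")
PROTECT_PROD_POLICY = policy_from_json("""{
  "name": "protect-prod",
  "statements": [
    {"effect": "Deny", "actions": ["bcc:StopInstance"], "resources": ["bcc:instance/i-prod-*"]}
  ]
}""")


def build_example_users():
    """Alice inherits operations and read-only via groups and has a direct Deny; Bob has nothing."""
    ops = Group("ops", [OPS_POLICY])
    viewers = Group("viewers", [READONLY_POLICY])
    alice = User("alice", policies=[PROTECT_PROD_POLICY], groups=[ops, viewers])
    bob = User("bob")
    return alice, bob


if __name__ == "__main__":
    alice, bob = build_example_users()
    for who, act, res in [(alice, "bcc:StartInstance", "bcc:instance/i-dev-1"),
                          (alice, "bcc:StopInstance", "bcc:instance/i-prod-1"),
                          (alice, "bcc:DeleteInstance", "bcc:instance/i-dev-1"),
                          (bob, "bcc:DescribeInstances", "bcc:instance/i-dev-1")]:
        print(who.name, act, res, "->", "allow" if is_allowed(who, act, res) else "deny")
```

The useful property to notice is that removing Alice from the "ops" group drops every operation permission at once, exactly as the Group concept describes, while the Deny attached to her directly keeps protecting production instances regardless of which groups she joins later.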
