User Management
User management is divided into two parts, the management of IAM users and the management of Contacts:
- With IAM user management, you can create and manage the IAM users under the account, control how each IAM user accesses the resources in the cloud account, grant the IAM user the resource access permissions it needs, and decide whether to force the IAM user to use Two Factor Authentication (MFA). By default, an IAM user also has the Contact feature;
- With Contact management, you can create and manage the Contacts under the account. A Contact must pass authentication before receiving messages from the account, which prevents messages from being sent in excess.
Manage IAM User
Create IAM User
- Log in to the administrative console of Baidu AI Cloud, and select "Identity and Access Management".
- Click "Create the IAM users" on the "IAM user" tab of "User Management".
- Choose how the IAM user accesses the resources of the cloud account:
  - Programmatic access: Authorizes the IAM user to access the cloud resources programmatically. By default, the system generates a valid AccessKey and SecretKey pair for the IAM user to call the API of AI Cloud;
  - Access the console by password: The authorized IAM user can log in to the cloud account through the console. You can create a new password, have the system generate the password automatically, or set the password by binding a Baidu Intranet account. You can also require the user to change the password the first time they log in.
In general, you only need to specify one access mode for an IAM user, but you can also specify both access modes for the same IAM user. You can cancel the IAM user's access to the account in subsequent operations.
Set the Password for the IAM User
Set the login password for the new IAM user. The IAM user has two ways to log in:
- Method 1 (recommended): Log in with the username and the password that was set;
- Method 2: Bind a Baidu account, and log in with the Baidu account and the password of that account;
- On the "IAM user" tab of "User Management", click "Settings" in the row of a user with no password, and the "Set the Password" pop-up appears. Once the password is set successfully, the user can log in with the "username" and "password".
- You can check the option "The user is required to reset the password the next time he logs in", and the system then asks the IAM user to reset the password at the next login.
- You can also select "Bind the Intranet Account" and then "Baidu Account"; the IAM user then logs in with the Baidu account and the password of that account.
Manage the Information of IAM User
- Select the IAM user to be managed from the user list on the "IAM user" tab under "User Management", and click the username or "Management" to enter the detail page of the IAM user.
- Modify the basic information of IAM user.
Two Factor Authentication of IAM User
Two Factor Authentication is a safe and effective authentication method. It provides another layer of protection in addition to the username and the password. Currently, Two Factor Authentication can protect both login and operations. Please refer to [Two Factor Authentication](#Two Factor Authentication) for details.
Manage the IAM User's AccessKey
Manage AccessKey: You can delete an AccessKey or create a new one as needed. An IAM user can have up to 20 pairs of AccessKey and SecretKey at the same time, but it is recommended to keep and use 2 pairs for rotation. You can also delete the last AccessKey pair to cancel the IAM user's programmatic access to the cloud resources.
It is recommended that you refresh the AccessKey from time to time to keep the account secure.
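One way to check key inventories against the two-pair rotation recommendation above, as an added example that is not Baidu AI Cloud code. It works on a constructed inventory with placeholder key IDs, and the 90-day age threshold is an assumption, since the page does not state an interval.

```python
from collections import defaultdict
from datetime import date

MAX_KEYS = 20         # most AccessKey/SecretKey pairs one IAM user can hold
RECOMMENDED_KEYS = 2  # pairs recommended to keep for rotation
MAX_AGE_DAYS = 90     # assumption: no refresh interval is documented

# Constructed inventory: (IAM user, placeholder key ID, creation date).
INVENTORY = [
    ("ci-deploy", "AK-EXAMPLE-0001", date(2023, 1, 10)),
    ("ci-deploy", "AK-EXAMPLE-0002", date(2024, 5, 2)),
    ("ci-deploy", "AK-EXAMPLE-0003", date(2024, 5, 20)),
    ("backup-job", "AK-EXAMPLE-0004", date(2023, 11, 1)),
    ("report-bot", "AK-EXAMPLE-0005", date(2024, 5, 25)),
    ("report-bot", "AK-EXAMPLE-0006", date(2024, 4, 30)),
]


def plan_rotation(inventory, today):
    """Return {user: [(action, target), ...]} for users whose keys need work."""
    by_user = defaultdict(list)
    for user, key_id, created in inventory:
        by_user[user].append((created, key_id))

    plan = {}
    for user, keys in by_user.items():
        if len(keys) > MAX_KEYS:
            raise ValueError(f"{user}: inventory lists more than {MAX_KEYS} keys")
        keys.sort(reverse=True)  # newest first
        kept, surplus = keys[:RECOMMENDED_KEYS], keys[RECOMMENDED_KEYS:]
        # Surplus deletions go first so a user at the limit has room for a new key.
        actions = [("delete-surplus", key_id) for _, key_id in surplus]
        stale = [key_id for created, key_id in kept
                 if (today - created).days > MAX_AGE_DAYS]
        if (today - kept[0][0]).days > MAX_AGE_DAYS:
            # Even the newest key is stale. Create the replacement before any
            # deletion: deleting the last pair cancels programmatic access.
            actions.append(("create-new-key", user))
        actions += [("delete-after-cutover", key_id) for key_id in stale]
        if actions:
            plan[user] = actions
    return plan


if __name__ == "__main__":
    for user, actions in plan_rotation(INVENTORY, date(2024, 6, 1)).items():
        print(user, actions)
```

The plan never removes a user's only fresh key, so following it in order does not interrupt programmatic access.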
Authorize the IAM User
Manage the permission information: In the "permission Information" column, you can add or delete permissions of the IAM user as needed. You can grant the same IAM user access to multiple services, with different access permissions for different resources.
Operating Logs of IAM User
Operation log: Displays the record of the last access to the console by an IAM user.
Delete IAM User
Select the corresponding IAM user on the "IAM user" tab under "User Management", and click "delete" to delete the IAM user.
Note: If you delete an IAM user, the corresponding permissions and password of the IAM user are deleted as well, so it is recommended to disable the IAM user instead when you are not sure whether the IAM user is still needed.
Disable the IAM User
In some scenarios, you need to remove an IAM user's access to the cloud resources, and you can disable the IAM user for this purpose. Select the corresponding IAM user on the "IAM user" tab under "User Management", and click "disabled" to disable the IAM user. You can reactivate the IAM user later to restore the access permission.
Note: Once an IAM user is disabled, the IAM user has no permission to do anything.
Manage Contact
Overview
A Contact is a type of user that cannot log in to the console of Baidu AI Cloud or make programmatic access. A Contact can only be set, by the root user or an administrator IAM user, to receive messages from the account.
Historical Statement
Contact Management, originally in the user center, has been moved to Identity and Access Management > User Management > Contacts for unified management.
Create the Contact
- Log in to the Administrative Console of Baidu AI Cloud, and select Identity and Access Management.
- Select User Management > Contacts, and click Create the Contact.
Note: The names of Contacts and the usernames of IAM users are unique under the same account. Fill in a valid mobile phone number and email address so that messages and notices can be received and the identity of the Contact can be verified.
Verify the Contact
Before a Contact can receive messages from the account, the Contact must actively accept the invitation from the account administrator:
- When the Contact is created successfully, the system automatically sends an SMS and email invitation to the Contact;
- You can also check the SMS/Email status in the Contact list to see whether a Contact has passed authentication; for Contacts who have not, the authentication message can be sent again;
- The Contact receives the invitation from the account by SMS or email, and clicks the invitation link to authenticate the contact information.
Subscribe the Contact to Messages
Click Management, select Edit to enter the message center, and set the subscribed messages for the Contact.
Add the Contact to a Group
Contacts can be added to groups so that message subscriptions can be set uniformly for the users in a group. For example, the members of a group can be set as alarm receivers in the cloud monitoring service BCM.
Note: A Contact can be added to a group, but permission policies do not take effect for the Contact. If you want a user to have a permission policy and serve as a Contact at the same time, it is recommended to use User Management > IAM User.