          Policy Authentication Evaluation Logic

          Overview

          The IAM service of Baidu AI Cloud integrates with a large number of cloud services and provides access control for their resources. When a user accesses a cloud service, the service converts the access request into an authentication context and passes it to IAM, which evaluates the request against the permission policies held by the user and returns success or failure.

          IAM permission policies come in three types: the service control policy (SCP) of an enterprise organization, resource-based policies and identity-based policies; see Policy Type for details. Whether a user is permitted to access a specific cloud service depends on the combined evaluation of all the policies that apply to the user. This document describes the evaluation logic of policy authentication.

          Policy Evaluation Logic

          The policy evaluation logic of Baidu AI Cloud follows these principles:

          • By default, all requests are implicitly denied (only the master account holds all permissions);
          • An explicit Allow in an identity-based or resource-based policy overrides the implicit deny;
          • An implicit deny in the organization SCP overrides an Allow: if a member account of an enterprise organization needs permission to a service, that permission must be granted both to the organizational unit and to the account itself;
          • An explicit Deny in any policy overrides any Allow.
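The four principles written out as a decision procedure, added here as an example and not Baidu AI Cloud's own code; the statement format, the action names and the helper functions are constructed assumptions, not the real policy syntax:

```python
# Added example (not Baidu AI Cloud code): a simulation of the four
# evaluation principles listed above. The statement format, action names
# and helper names are constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Statement:
    effect: str          # "Allow" or "Deny"
    actions: frozenset   # actions covered, e.g. {"bos:GetObject"}; "*" matches all

def match(statements, action):
    """Return 'Deny' if any statement explicitly denies the action,
    'Allow' if one allows it, or None if no statement matches it."""
    result = None
    for s in statements:
        if action in s.actions or "*" in s.actions:
            if s.effect == "Deny":
                return "Deny"
            result = "Allow"
    return result

def evaluate(action, identity=(), resource=(), scp=None, is_master=False):
    """Decide 'Allow' or 'Deny' for one action.

    identity/resource: statements of identity- and resource-based policies.
    scp: statements of the organization SCP; None means the account is not a
         member of an enterprise organization, so no SCP applies.
    """
    if is_master:                       # master account holds all permissions
        return "Allow"
    decisions = [match(identity, action), match(resource, action)]
    if scp is not None:
        decisions.append(match(scp, action))
    if "Deny" in decisions:             # 4. explicit Deny in any policy wins
        return "Deny"
    if scp is not None and decisions[2] != "Allow":
        return "Deny"                   # 3. SCP implicit deny overrides Allow
    if "Allow" in decisions[:2]:        # 2. explicit Allow beats implicit deny
        return "Allow"
    return "Deny"                       # 1. default: implicit deny

# Constructed sample statements for trying the evaluator.
ALLOW_GET = Statement("Allow", frozenset({"bos:GetObject"}))
DENY_GET = Statement("Deny", frozenset({"bos:GetObject"}))
ALLOW_ALL = Statement("Allow", frozenset({"*"}))
```

A member account with `identity=[ALLOW_GET]` but an SCP that does not cover the action is denied, while the same identity policy without any SCP (a non-member account) is allowed.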
