Baidu AI Cloud


          Cloud Database MONGODB

          Identity and Access Management

          Introductions

          Identity and Access Management (IAM) is used to manage access privileges to the resources under a cloud account. It supports the different roles in an enterprise by granting each employee only the product privileges that role needs. If resources in your enterprise have to be operated by several people, you are strongly advised to use IAM rather than sharing the primary account's credentials.

          It is applicable for the following scenarios:

          • Medium- and large-sized enterprises: Manage the authorization of many employees within the company;
          • Technology-intensive vendors or SaaS platform providers: Manage resources and privileges on behalf of the customers they act for;
          • Small- and medium-sized developers or small enterprises: Add project members or collaborators who manage resources.

          Create a User

          1. Log in with the primary account and select "Identity and Access Management" in the console to open the user administration page.


          2. Click "User Management" in the left navigation bar, and then click "Create User" on the "Sub-User Management List" page.
          3. In the "New User" dialog, enter the "User Name" and confirm. The new sub-user then appears in the "Sub-User Management List".

          Configure a Policy

          The cloud database DocDB for MongoDB supports both system policies and custom policies. System policies provide product-level permission control (all instances under the account); custom policies provide instance-level permission control (selected instances only).

          • System policy: A set of privileges predefined by Baidu AI Cloud for managing resources. System policies can be attached to sub-users directly; users can use them but cannot modify them.
          • Custom policy: A set of privileges created by the user for fine-grained resource management. A custom policy can be scoped to individual instances, so different accounts can be given exactly the privileges they need.

          System policy

          The system policies fall into three categories: the management policy, the operations policy, and the read-only policy. Each is a superset of the one below it. The detailed privilege scope is as follows:

          Policy Name: MongodbFullAccessPolicy
          Privilege Description: DocDB for MongoDB product-level management privileges
          Privilege Scope: Instance creation, instance release, specification upgrade or downgrade, instance renewal, instance restart, instance name modification, account password modification, querying the instance list, querying instance details, and obtaining the list of availability zones.

          Policy Name: MongodbOperateAccessPolicy
          Privilege Description: DocDB for MongoDB product-level operation and maintenance privileges
          Privilege Scope: Instance restart, instance name modification, account password modification, querying the instance list, querying instance details, and obtaining the list of availability zones.

          Policy Name: MongodbReadAccessPolicy
          Privilege Description: DocDB for MongoDB product-level read-only privileges
          Privilege Scope: Querying the instance list, querying instance details, and obtaining the list of availability zones.

          Notes:

          Some workflows cross into other products, so MongodbFullAccessPolicy alone is not enough for them:

          • To change the specification of, release, or renew a DocDB for MongoDB instance, the sub-user needs the order management permission (FCOrderAccessPolicy) in addition to the product-level management permission (MongodbFullAccessPolicy).
          • To purchase a DocDB for MongoDB instance, the sub-user needs the VPC read-only permission (VpcReadOnlyAccessPolicy) in addition to MongodbFullAccessPolicy and FCOrderAccessPolicy.

          Attach these additional policies only to sub-users who actually perform those workflows; a sub-user who only restarts instances or rotates account passwords does not need them.

          Custom policy

          A custom policy is authorized at the instance level. Unlike a system policy, it is effective only for the instances selected when the policy is created.

          To create one, enter a policy name and select "Document Database MONGODB" as the service type. The policy generation mode defaults to the policy generator and does not need to be changed. A custom policy can grant operation and maintenance privileges or read-only privileges on the selected instances; it cannot grant lifecycle operations such as instance creation, release, specification change, or renewal, which remain product-level privileges of MongodbFullAccessPolicy.

          The custom privilege scope is detailed as follows:

          Privilege Description: Instance-level operations privileges
          Privilege Scope: Restarting the instance, modifying the instance name, modifying the account password, querying the instance list, querying instance details, and obtaining the list of availability zones.

          Privilege Description: Instance-level read-only privileges
          Privilege Scope: Querying the instance list, querying instance details, and obtaining the list of availability zones.
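          The two tables above (system policies and custom policies) together with the notes on FCOrderAccessPolicy and VpcReadOnlyAccessPolicy form a small least-privilege decision procedure: pick the narrowest policy that covers what a sub-user has to do, prefer an instance-scoped custom policy where it fits, and attach the cross-product policies only when the workflow needs them. The following added example, which is not code from Baidu AI Cloud or this documentation, encodes that procedure. The policy names are the ones the page lists; the action names are a constructed vocabulary paraphrasing the "Privilege Scope" columns, and the function names, the placeholder custom-policy names and the audit report format are assumptions made for the example.

```python
"""Least-privilege helper for the DocDB for MongoDB IAM policies described on this page.

Added example, not code from Baidu AI Cloud. Policy names are the page's own;
the action names are a constructed vocabulary paraphrasing the privilege-scope
tables, and every function name here is an assumption.
"""
from dataclasses import dataclass

# Privilege scopes, smallest to largest: read-only < operations < full management.
READ_ACTIONS = frozenset({"list_instances", "describe_instance", "list_zones"})
OPERATE_ACTIONS = READ_ACTIONS | {"restart_instance", "rename_instance", "change_account_password"}
FULL_ACTIONS = OPERATE_ACTIONS | {"create_instance", "release_instance", "resize_instance", "renew_instance"}

# Product-level system policies (apply to every instance under the account).
SYSTEM_POLICIES = {
    "MongodbReadAccessPolicy": READ_ACTIONS,
    "MongodbOperateAccessPolicy": OPERATE_ACTIONS,
    "MongodbFullAccessPolicy": FULL_ACTIONS,
}
# Instance-level custom policies: the page offers operations and read-only variants only,
# so lifecycle actions (create/release/resize/renew) never fit a custom policy.
# "custom-read" / "custom-operate" are placeholder names for this example.
CUSTOM_POLICIES = {"custom-read": READ_ACTIONS, "custom-operate": OPERATE_ACTIONS}
ALL_POLICIES = {**SYSTEM_POLICIES, **CUSTOM_POLICIES}

# From the Notes: lifecycle actions also pass through the order system, and
# purchase additionally needs read access to VPC information.
ORDER_ACTIONS = frozenset({"create_instance", "release_instance", "resize_instance", "renew_instance"})
PURCHASE_ACTIONS = frozenset({"create_instance"})


def dependencies(actions):
    """Extra, non-MongoDB policies a set of actions needs in order to actually complete."""
    extra = []
    if actions & ORDER_ACTIONS:
        extra.append("FCOrderAccessPolicy")
    if actions & PURCHASE_ACTIONS:
        extra.append("VpcReadOnlyAccessPolicy")
    return extra


@dataclass(frozen=True)
class Recommendation:
    policies: tuple          # policies to attach to the sub-user
    instance_scoped: bool    # True when an instance-level custom policy suffices
    excess: frozenset        # actions granted beyond what was requested


def recommend(required, instance_scoped=True):
    """Smallest policy set covering `required`, preferring an instance-scoped custom policy."""
    required = frozenset(required)
    unknown = required - FULL_ACTIONS
    if unknown:
        raise ValueError(f"no DocDB for MongoDB policy offers {sorted(unknown)}")
    if instance_scoped:
        for name, actions in CUSTOM_POLICIES.items():      # read-only is tried first
            if required <= actions:
                return Recommendation((name,), True, actions - required)
    for name, actions in SYSTEM_POLICIES.items():          # smallest system policy first
        if required <= actions:
            return Recommendation((name, *dependencies(required)), False, actions - required)
    raise AssertionError("unreachable: MongodbFullAccessPolicy covers every known action")


def audit(attached, required):
    """Report what a sub-user's attached policies miss, over-grant, or leave half-working."""
    attached, required = frozenset(attached), frozenset(required)
    granted = frozenset().union(*(ALL_POLICIES.get(p, frozenset()) for p in attached))
    return {
        "missing": required - granted,                       # job will fail outright
        "excess": granted - required,                        # over-privilege to trim
        "missing_dependencies": frozenset(dependencies(required)) - attached,  # fails mid-workflow
    }


if __name__ == "__main__":
    print(recommend({"restart_instance", "list_instances"}))
    print(recommend({"create_instance", "describe_instance"}))
    print(audit({"MongodbOperateAccessPolicy"}, {"renew_instance", "restart_instance"}))
```

          The audit's "missing_dependencies" field captures the failure mode the Notes describe: a sub-user holding MongodbOperateAccessPolicy who is asked to renew an instance is reported as missing both the renewal action itself and FCOrderAccessPolicy, so the gap is found before the sub-user hits a permission error partway through the order flow.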

          User Authorization

          On the "User Management > Sub-User Management List" page, select "Add Privilege" in the "Operation" column of the sub-user, and then select the system policy or custom policy to attach to that user.

          Description: A policy that has already been attached to a sub-user cannot be deselected in the authorization dialog. To change the sub-user's privileges without modifying the rules of the existing policy, delete the attached policy and then add the policy you want.

          Sub-user Login

          After the primary account has authorized a sub-user, it can send the IAM user login link to that sub-user. Through this link, the sub-user logs in to the management console of the primary account and can view and operate the primary account's resources only within the scope of the attached policies.


          For more information on detailed operations, see Identity and Access Management.
