          Cloud Database MONGODB

          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) is used to manage access rights to the resources under a Baidu AI Cloud account. It suits the different roles in an enterprise, since different employees can be given different rights to use products. It is recommended that you use IAM when multiple users in your enterprise operate resources collaboratively.

          IAM applies to the following scenarios:

          • Medium and large enterprise customers: authorize and manage multiple employees of the company;
          • Technology-based vendors or SaaS platform providers: manage the resources and rights of the clients they act for;
          • Small and medium developers or small enterprises: add project members or collaborators to manage resources.

          Create a User

          1. After the master account user logs in, select "Identity and Access Management(IAM)" in the console to enter the user management page.

          2. Click "User Management" in the left navigation bar, and click "New User" on the "Sub-User Management List" page.
          3. In the pop-up "New User" dialog box, enter the "User Name" and confirm, and return to the "Sub-user Management List" area to view the sub-user just created.

          Configuration Policies

          The cloud database DocDB for MongoDB supports two kinds of policy, system policies and custom policies, which provide product-level and instance-level privilege control respectively.

          • System policies: privilege sets predefined by the Baidu AI Cloud system for managing resources. Such policies can be granted to sub-users directly; the user can only use them, not modify them.
          • Custom policies: more detailed privilege sets created by the user for managing resources. They can configure privileges for a single instance, so they meet the differentiated privilege requirements of an account's different users more flexibly.

          System Policies

          There are three system policies: management privileges, operation and maintenance privileges, and read-only privileges. The scope of each is as follows:

          | Policy name | Privilege description | Privilege scope |
          |---|---|---|
          | MongodbFullAccessPolicy | Cloud database DocDB for MongoDB product-level management privileges | Management privileges include instance creation, instance release, package upgrade or downgrade, instance renewal, instance restart, instance name modification, account password modification, querying the instance list, querying instance details, and obtaining the list of available zones. |
          | MongodbOperateAccessPolicy | Cloud database DocDB for MongoDB product-level operation and maintenance privileges | Operation and maintenance privileges include instance restart, instance name modification, account password modification, querying the instance list, querying instance details, and obtaining the list of available zones. |
          | MongodbReadAccessPolicy | Cloud database DocDB for MongoDB product-level read-only privileges | Read-only privileges include querying the instance list, querying instance details, and obtaining the list of available zones. |

          Note:

          If the sub-user needs to go through the process of changing, releasing or renewing a cloud database DocDB for MongoDB instance, then in addition to the cloud database DocDB for MongoDB product-level management privilege (MongodbFullAccessPolicy), the sub-user also needs to be granted the order management privilege (FCOrderAccessPolicy);

          If the sub-user needs to go through the purchase process for a cloud database DocDB for MongoDB instance, then in addition to the cloud database DocDB for MongoDB product-level management privilege (MongodbFullAccessPolicy) and the order management privilege (FCOrderAccessPolicy), the sub-user also needs to be granted the VPC read-only privilege (VpcReadOnlyAccessPolicy).

          Custom Policies

          Custom policies are authorized at the instance level. Unlike system policies, they are only valid for the selected instances.

          The user enters the policy name and selects "document database MONGODB" as the service type; the policy generation mode defaults to the policy generator and does not need to be changed. A custom policy supports operation and maintenance or read-only operations on the selected instances.

          The scope of each custom privilege level is as follows:

          | Privilege description | Privilege scope |
          |---|---|
          | Instance-level operation and maintenance privileges | Includes restarting the instance, changing the instance name, changing the account password, querying the instance list, querying instance details, and obtaining the list of available zones. |
          | Instance-level read-only privileges | Includes querying the instance list, querying instance details, and obtaining the list of available zones. |
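The following is an added example, not Baidu AI Cloud code or its policy format: it models the authorization described in the system-policy table, the Note about the extra FCOrderAccessPolicy and VpcReadOnlyAccessPolicy grants, and the instance-scoped custom policies above, so that an administrator can check what a planned set of grants actually allows before assigning it. The action labels and the `CustomPolicy` representation are assumptions made here for illustration; only the policy names and the action lists come from the page.

```python
from dataclasses import dataclass

# Action sets as listed in the page's system-policy table. The action labels are
# illustrative names chosen here, not Baidu AI Cloud API identifiers.
READ_ACTIONS = frozenset({"ListInstances", "DescribeInstance", "ListZones"})
OPERATE_ACTIONS = READ_ACTIONS | {"RestartInstance", "RenameInstance", "ResetPassword"}
MANAGE_ACTIONS = OPERATE_ACTIONS | {"CreateInstance", "ReleaseInstance", "ResizeInstance", "RenewInstance"}

# Product-level system policies apply to every instance under the account.
SYSTEM_POLICIES = {
    "MongodbFullAccessPolicy": MANAGE_ACTIONS,
    "MongodbOperateAccessPolicy": OPERATE_ACTIONS,
    "MongodbReadAccessPolicy": READ_ACTIONS,
}
CUSTOM_LEVELS = {"operate": OPERATE_ACTIONS, "read": READ_ACTIONS}

# Policy sets the page's Note says a sub-user needs for billing-related console flows.
FLOW_PREREQS = {
    "change_release_renew": {"MongodbFullAccessPolicy", "FCOrderAccessPolicy"},
    "purchase": {"MongodbFullAccessPolicy", "FCOrderAccessPolicy", "VpcReadOnlyAccessPolicy"},
}

@dataclass(frozen=True)
class CustomPolicy:
    """Instance-level policy (assumed shape): valid only for the selected instance ids."""
    level: str            # "operate" or "read"
    instances: frozenset  # instance ids chosen in the policy generator

def allowed_actions(policies, instance_id):
    """Union of DocDB actions a sub-user may perform on one instance."""
    actions = set()
    for p in policies:
        if isinstance(p, CustomPolicy):
            if instance_id in p.instances:       # custom policies never reach other instances
                actions |= CUSTOM_LEVELS[p.level]
        else:
            # Non-Mongo system policies (e.g. FCOrderAccessPolicy) grant no DocDB action.
            actions |= SYSTEM_POLICIES.get(p, frozenset())
    return actions

def is_allowed(policies, action, instance_id):
    return action in allowed_actions(policies, instance_id)

def missing_for_flow(policies, flow):
    """System policies still missing before the sub-user can complete a console flow."""
    names = {p for p in policies if isinstance(p, str)}
    return sorted(FLOW_PREREQS[flow] - names)

if __name__ == "__main__":
    ops = [CustomPolicy("operate", frozenset({"m-constructed-01"}))]  # constructed instance id
    print(is_allowed(ops, "RestartInstance", "m-constructed-01"))   # True
    print(is_allowed(ops, "RestartInstance", "m-constructed-02"))   # False: out of scope
    print(missing_for_flow(["MongodbFullAccessPolicy"], "purchase"))
```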

          User authorization

          On the "User Management -> Sub-user Management List" page, select "Add Privilege" in the "Operation" column of the corresponding sub-user, and then select the system policies or custom policies to grant to that user.

          Note: If you want to modify a sub-user's privileges without modifying the existing policy rules, you can only delete the existing policies and add new ones. The privileges of an added policy cannot be cancelled individually.

          Sub-user Login

          After the master account has authorized the sub-user, it can send the IAM user login link to the sub-user. The sub-user logs in to the master account's management console through that link, and can operate on and view the master account's resources according to the authorized policies.

          For other detailed operations, please see: Identity and Access Management(IAM)