Baidu AI Cloud

          Reference

          Identity and Access Management

          Introduction

          Identity and Access Management (IAM) helps the owner of a cloud account manage who may access the resources under that account. It is designed for the different roles found in an enterprise: each employee can be granted only the privileges needed for their use of the product. Using identity and access management is recommended.

          Suitable for the following usage scenarios:

          • Medium and large enterprise customers: authorization management for the company's many employees;
          • Technical vendors or SaaS vendors: resource and privilege management on behalf of their clients;
          • Small and medium developers or small businesses: adding project members or collaborators to manage resources.

          Create User

          1. After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.


          2. Click "User Management" on the left navigation bar, and click "Create User" on the "Sub User Management List" page.
          3. In the pop-up "Create User" dialog box, fill in the "User Name" and confirm. Return to the "Sub User Management List" page to view the newly created sub-user.

          Configure Policy

          Certificate Management supports system policies and custom policies, which control access to Certificate Management at the product level and the instance level, respectively.

          • System policy: a set of privileges predefined by Baidu AI Cloud for managing resources. It provides read-only and operation and maintenance privileges at the product level. Such policies can be granted to sub-users directly; users can only attach them and cannot modify them.
          • Custom policy: a more fine-grained set of privileges that users create themselves to manage resources. A custom policy can be scoped to a single certificate, so the account can give different users different privileges more flexibly.

          System policy

          System policies grant certificate privileges at the product level. There are two: the product-level operation and maintenance privilege and the product-level read-only privilege.

          | Policy name | Privilege description | Scope of privilege |
          | --- | --- | --- |
          | CASWritePolicy | Product-level operation and maintenance privileges | Includes privileges to upload certificates, modify certificate names, get the certificate details list, get the certificate list, get certificate information, get certificate details, get the list of services associated with a certificate, get the number of resources associated with a certificate, and get the certificate domain name list. |
          | CASReadPolicy | Product-level read-only privileges | Includes privileges to get the certificate details list, get the certificate list, get certificate information, get certificate details, get the list of services associated with a certificate, get the number of resources associated with a certificate, and get the certificate domain name list. |

          Custom policy

          Custom policies authorize at the instance level. Unlike system policies, they take effect only on the instances selected when the policy is created.

          To add a custom policy for instance-level privilege control, click "Create Policy", fill in the policy name, and select "SSL Certificate Service CAS" as the service type. The policy generation method defaults to the policy generator and does not need to be changed. Adjust the policy content to the privileges required, then, after selecting the privileges, check the certificates the policy should apply to and create it.

          The details of custom privileges are as follows:

          | Privilege | Scope of privilege |
          | --- | --- |
          | Instance-level administrative privileges | Includes privileges to delete a certificate, modify the certificate name, get the certificate list, get certificate information, get certificate details, get the list of services associated with the certificate, get the number of resources associated with the certificate, and get the certificate domain name list. |
          | Instance-level operation and maintenance privileges | Includes privileges to modify the certificate name, get the certificate list, get certificate information, get certificate details, get the list of services associated with the certificate, get the number of resources associated with the certificate, and get the certificate domain name list. |
          | Instance-level read-only privileges | Includes privileges to get the certificate list, get certificate information, get certificate details, get the list of services associated with the certificate, get the number of resources associated with the certificate, and get the certificate domain name list. |

          Note:

          • Instance-level privileges cannot upload certificates, because they apply to specific, already existing certificates.
          • Because some accounts hold very many certificates (thousands), the get-certificate-list interface does not check authorization certificate by certificate; it returns the full list in one call. A sub-user holding any instance-level policy therefore sees the names of all certificates under the account, not only the ones selected on the policy.
          • Only users with product-level privileges can access the certificate details list; users with instance-level privileges can access only the certificate list and the details of the individual certificates they were granted.
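The following is an added illustration, not Baidu AI Cloud's policy engine or policy document format: it models the two privilege tiers and the three notes above as a small authorization check, so the effect of an instance-level grant (no upload, whole-account list, no details list) can be seen on sample requests. Action names, tier names and certificate ids are constructed for the example.

```python
# Added model of the CAS privilege tiers described on this page. Not Baidu's
# implementation; action names and the evaluation rules are assumptions taken
# from the privilege tables and the notes above.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Actions named in the privilege tables (constructed identifiers).
UPLOAD = "UploadCertificate"
DELETE = "DeleteCertificate"
RENAME = "ModifyCertificateName"
LIST = "GetCertificateList"
LIST_DETAILS = "GetCertificateDetailsList"
DETAIL = "GetCertificateDetail"

# Product-level system policies: apply to every certificate under the account.
SYSTEM_POLICIES: Dict[str, Set[str]] = {
    "CASWritePolicy": {UPLOAD, RENAME, LIST_DETAILS, LIST, DETAIL},
    "CASReadPolicy": {LIST_DETAILS, LIST, DETAIL},
}
# Instance-level custom policy tiers: apply only to the certificates selected
# when the policy was created (upload and the details list are absent).
INSTANCE_TIERS: Dict[str, Set[str]] = {
    "admin": {DELETE, RENAME, LIST, DETAIL},
    "ops": {RENAME, LIST, DETAIL},
    "readonly": {LIST, DETAIL},
}


@dataclass
class SubUser:
    system_policies: Set[str] = field(default_factory=set)
    # tier name -> certificate ids the custom policy was created for
    custom_policies: Dict[str, Set[str]] = field(default_factory=dict)


def is_allowed(user: SubUser, action: str, cert_id: Optional[str] = None) -> bool:
    """True if the sub-user may perform `action` (on `cert_id`, if one is given)."""
    # Product level: a system policy granting the action covers all certificates.
    if any(action in SYSTEM_POLICIES[p] for p in user.system_policies):
        return True
    # Instance level: the tier must grant the action AND the certificate must be
    # selected on that policy. Per the note above, the certificate list is not
    # checked per instance, so any instance-level policy returns the whole list.
    for tier, certs in user.custom_policies.items():
        if action not in INSTANCE_TIERS[tier]:
            continue
        if action == LIST or cert_id in certs:
            return True
    return False
```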

          User Authorization

          1. On the "User Management > Sub-User Management List" page, select "Add privilege" in the "Action" column of the corresponding sub-user, then select system policies or custom policies to grant to the user.

            Note: A sub-user's privileges are changed only by removing existing policies and adding new ones; the rules of an attached policy are not edited in place, and individual privileges within an added policy cannot be unchecked.

          Sub-user Login

          After the master account has authorized the sub-user, the IAM user login link can be sent to the sub-user. Through that link the sub-user logs in to the master account's management console and can operate and view the master account's resources within the scope of the authorized policies.

          For other detailed operation, please see Identity and Access Management.
