          Simple Cache Service SCS

          Identity and Access Management

          SCS Identity and Access Management (IAM) lets the master account assign operation privileges for related products or instances to sub-accounts (sub-users) in order to achieve granular privilege management. For example, the product-level or instance-level SCS OPS operation privilege is assigned to DBAs and other front-line operators, and the product-level or instance-level SCS viewing privilege is assigned to personnel other than the operators.

          The IAM is applicable to the following scenarios:

          • Medium and large-sized enterprises: Perform the authorization management of multiple employees in the enterprise;
          • Technology-based vendors or SaaS platform providers: Perform resource management and access control for proxy customers;
          • Small and medium developers or small-sized enterprises: Add project members or collaborators to perform resource management.

          Create Sub-user

          1. After the primary account user logs in to the account, select "Identity and Access Management" in the console to enter the user administration page.
          2. Click "User Administration" in the left navbar, and then click "New User" on the "Sub-User Administration List" page.
          3. In the pop-up "New User" dialog box, enter and confirm the "User Name", then return to the "Sub-User Administration List" area, which shows the created sub-user.

          Configuration Policy

          SCS supports both system policies and custom policies, which provide privilege control of SCS at the product level and the instance level, respectively.

          System Policy

          The system policy is an SCS product-level privilege. It covers SCS product-level OPS privileges and SCS product-level read-only privileges. The detailed scope of privileges is as follows:

          | Privilege | Privilege name | Instance list | Privilege scope |
          |---|---|---|---|
          | Product line OPS | ScsOperateAccessPolicy | Display and operation of all SCS instance resources | All operation privileges for all SCS instances (excluding instance creating, configuration change, renewal, tag, billing change, release instance) |
          | Product line read only | ScsReadAccessPolicy | All SCS instance resources (no privilege in the operation column) | View and monitor the details of all SCS instances |

          Custom Policy

          The custom policy is authorized from the instance dimension. Unlike the system policy, it is only effective for the selected instances.

          To create a custom policy, enter the policy name and select SCS as the service type. By default, the policy is generated by the policy generator, without modification. In the policy generator, select the instance operation privilege and configure the resource area to add the custom policy. After you click "Complete", the created policy is displayed in the custom policy list.

          Note: Currently, for each policy, only a single region can be selected for instance configuration.

          The scope of SCS custom instance-level privileges is as follows:

          | Privilege | Instance list | Privilege scope |
          |---|---|---|
          | Instance OPS | Display and operation of all SCS instance resources | All operation privileges for all SCS instances (excluding instance creating, configuration change, renewal, tag, billing change, release instance) |
          | Instance read-only | All SCS instance resources (no privilege in the operation column) | View and monitor the details of all SCS instances |

          User Authorization

          On the "User Management-> Sub-User Management List Page", select "Add the privilege" in the "Operation" column of the corresponding sub-user, then select and authorize the system privileges or custom policy for the user.

          Note: To modify the privileges of a sub-user without modifying the existing policy rules, you can only delete the existing policy and add a policy; you cannot deselect privileges of a policy that has already been added.

          Sub-user Login

          After the master account has authorized the sub-user, the IAM user login link can be sent to the sub-user. The sub-user can log in to the management console of the master account through this link, and can operate and view the master account's resources according to the authorized policy.

          Note: The master user account and the sub-user account are configured with separate instance quotas. If you want to increase the sub-user's instance quota, provide the sub-user account and other information in the ticket.

          For other detailed operations, see: Identity and Access Management.
