Baidu AI Cloud

Virtual Private Cloud

Identity and Access Management

Introduction

Identity and Access Management (IAM) helps you manage access rights to the resources under your cloud account. It is designed for the different roles in an enterprise: each member of staff can be granted only the privileges they need to use the product. Using Identity and Access Management is recommended.

IAM suits the following usage scenarios:

  • Enterprises: authorized management of multiple employees within the company;
  • Technical vendors or SaaS vendors: resource and privilege management on behalf of agency clients;
  • Small and medium developers or small businesses: adding project members or collaborators for resource management.

Create User

  1. After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.
  2. Click "User Management" in the left navigation bar, then click "Create User" on the "Subuser Management List" page.
  3. In the pop-up "Create User" dialog box, fill in the "User Name" and confirm. Return to the "Subuser Management List" to view the newly created subuser.

Configuration Strategy

VPC supports both system policies and user-defined custom policies, which implement product-level and instance-level privilege control for VPC respectively.

  • System policy: a set of privileges predefined by Baidu AI Cloud for managing resources. They can be granted to subusers directly; users can only use them and cannot modify them.
  • Custom policy: a finer-grained set of privileges that users create themselves for managing resources. A custom policy can be configured for a single instance, so the account can flexibly grant differentiated privileges to different users.

Note

  • VPC comprises multiple sub-products, and the privileges of each sub-product fall into three levels: read-only, operation and maintenance, and management (some sub-products have no management level).
  • A custom policy is bound to specific instances and takes effect only on those instances; therefore a custom policy cannot grant creation privileges.

Extent of Privilege

The system policy names for each product at the three privilege levels are as follows:

| Product name | Read only | Operation and maintenance | Management |
|---|---|---|---|
| VPC | VpcReadOnlyAccessPolicy | VpcOperateAccessPolicy | VpcFullControlPolicy |
| Subnet | SubnetReadOnlyAccessPolicy | SubnetOperateAccessPolicy | SubnetFullControlPolicy |
| Routing table | RouteReadOnlyAccessPolicy | RouteOperateAccessPolicy | None |
| Security group | SecurityGroupReadOnlyAccessPolicy | SecurityGroupOperateAccessPolicy | SecurityGroupFullControlPolicy |
| ACL | AclReadPolicy | AclOperatePolicy | None |
| Elastic network interface card | ENICReadOnlyAccessPolicy | ENICOperateAccessPolicy | ENICFullControlPolicy |
| Service network interface card | SNICReadOnlyAccessPolicy | SNICOperateAccessPolicy | SNICFullControlPolicy |
| NAT gateway | NATReadPolicy | NATOperateAccessPolicy | NATFullControlPolicy |
| IPv6 gateway | IPV6ReadPolicy | IPV6OperateAccessPolicy | IPV6FullControlAccessPolicy |
| VPN gateway | VPNReadPolicy | VPNOperatePolicy | VPNFullControlPolicy |
| Peer-to-peer connection | PEERCONNReadPolicy | PEERCONNOperatePolicy | PEERCONNFullControlPolicy |
| Dedicated line gateway | DedicatedConnReadPolicy | DedicatedConnOperatePolicy | DedicatedConnFullControlPolicy |

The privileges granted by each policy level are detailed per product below:

| Product | Read only | Operation and maintenance | Management |
|---|---|---|---|
| VPC | Query VPC list, query specified VPC | Query VPC list, query specified VPC, modify VPC name/description | Query VPC list, query specified VPC, modify VPC name/description, create/delete VPC |
| Subnet | Query subnet list, query specified subnet | Query subnet list, query specified subnet, modify subnet name/description | Query subnet list, query specified subnet, modify subnet name/description, create/delete subnet |
| Routing table | Query a routing table | Query routing table, create/delete routing rules | None |
| Security group | Query security group list, view security group details | Query security group list, view security group details, add/delete security group rules, bind/unbind instance | Query security group list, view security group details, add/delete security group rules, bind/unbind instance, create/delete security group |
| ACL | Query ACL list, query specified ACL | Query ACL list, query specified ACL, add/delete ACL rules | None |
| Elastic network interface card | View instance list, view instance details | View instance list and details, modify instance name/description, attach/detach CVM server, add/release secondary IP, associate with security groups | View instance list and details, modify instance name/description, attach/detach CVM server, add/release secondary IP, associate with ENIC |
| Service network interface card | View instance list, view instance details | View instance list, view instance details, modify NIC name/description, view monitoring, configure alarms | View instance list, view instance details, modify NIC name/description, view monitoring, configure alarms, create/release instance |
| NAT gateway | Query instance list, view instance details | Query instance list, view instance details, bind/unbind public network IP, view monitoring, configure alarms | Query instance list, view instance details, bind/unbind public network IP, view monitoring, configure alarms, create/release instance, upgrade gateway, renew, change billing |
| IPv6 gateway | Query instance list, view instance details | Query instance list and details, configure outbound-only policy and IP speed-limit policy, view monitoring, configure alarms | Query instance list and details, configure outbound-only policy and IP speed-limit policy, view monitoring, configure alarms, create/release instance, upgrade bandwidth, renew, change billing |
| VPN gateway | Query instance list, view instance details | Query instance list, view instance details, bind/unbind public network IP, configure VPN tunnel, view monitoring, configure alarms | Query instance list, view instance details, bind/unbind public network IP, configure VPN tunnel, view monitoring, configure alarms, create/release instance, renew |
| Peer-to-peer connection | Query peer connection list, view instance details, view cross-account connection applications | Query peer connection list, view instance details, view cross-account connection applications, modify instance name/description/local interface name, view monitoring, configure alarms | Query peer connection list, view instance details, view cross-account connection applications, modify instance name/description/local interface name, view monitoring, configure alarms, create/release peer-to-peer connection, upgrade bandwidth, manage cross-account connection applications |
| Dedicated line gateway | View instance list, view instance details | View instance list, view instance details, modify name/description/outlet bandwidth/cloud network, bind/unbind physical express tunnel, view monitoring, configure alarms | View instance list, view instance details, modify name/description/outlet bandwidth/cloud network, bind/unbind physical express tunnel, view monitoring, configure alarms, create/release express tunnel gateway |
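As an added example (not Baidu's code or API), the following Python helper applies the rules stated above when choosing the least-privileged grant for a subuser: the three levels are cumulative, a custom policy is instance-scoped and cannot grant creation, and some products have no management policy. The product keys, the action classes and the Recommendation type are this example's own assumptions; the policy names are copied from the table.

```python
from dataclasses import dataclass
from typing import Optional

# Cumulative privilege levels, lowest to highest, as described on this page.
TIERS = ("read-only", "operation and maintenance", "management")

# System policy names per product, copied from the table on this page.
# None means the product has no management-level system policy.
SYSTEM_POLICIES = {
    "vpc": ("VpcReadOnlyAccessPolicy", "VpcOperateAccessPolicy", "VpcFullControlPolicy"),
    "subnet": ("SubnetReadOnlyAccessPolicy", "SubnetOperateAccessPolicy", "SubnetFullControlPolicy"),
    "route": ("RouteReadOnlyAccessPolicy", "RouteOperateAccessPolicy", None),
    "security_group": ("SecurityGroupReadOnlyAccessPolicy", "SecurityGroupOperateAccessPolicy",
                       "SecurityGroupFullControlPolicy"),
    "acl": ("AclReadPolicy", "AclOperatePolicy", None),
    "nat": ("NATReadPolicy", "NATOperateAccessPolicy", "NATFullControlPolicy"),
}

# Lowest tier granting each action class (this example's grouping of the page's
# wording): querying is read-only; renaming, editing rules and binding are O&M;
# creating or releasing an instance is management.
ACTION_TIER = {"query": 0, "modify": 1, "edit_rules": 1, "bind": 1,
               "create_instance": 2, "release_instance": 2}

@dataclass
class Recommendation:
    kind: str              # "custom" (instance-scoped) or "system" (product-wide)
    tier: str
    policy: Optional[str]  # system policy name, or None for a custom policy
    note: str = ""

def recommend(product: str, actions: set, instance_scoped: bool) -> Recommendation:
    """Return the least-privileged policy type and level covering all actions."""
    unknown = actions - set(ACTION_TIER)
    if unknown:
        raise ValueError(f"unknown action class(es): {sorted(unknown)}")
    needed = max(ACTION_TIER[a] for a in actions)
    if instance_scoped and needed < 2:
        # Custom policies are bound to chosen instances: right for query/modify/bind.
        return Recommendation("custom", TIERS[needed], None)
    note = ""
    if instance_scoped:
        # The page: a custom policy "does not have creation privilege", so instance
        # lifecycle actions force a product-wide system policy instead.
        note = "create/release cannot be scoped to instances; system policy required"
    name = SYSTEM_POLICIES[product][needed]
    if name is None:
        raise ValueError(f"{product} has no {TIERS[needed]} system policy")
    return Recommendation("system", TIERS[needed], name, note)
```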

User Authorization

On the "User Management > Subuser Management List" page, select "Add Privilege" in the "Action" column of the corresponding subuser, then select the system policies or custom policies to grant to the user.

Note: To change a subuser's privileges you can only delete existing policies and add new ones; the rules of an existing policy cannot be modified, and individual privileges of a policy that has already been added cannot be unchecked.

Sub-user Login

After the master account has granted privileges to the subuser, the IAM user login link can be sent to the subuser. Through that link the subuser logs in to the master account's management console and can view and operate the master account's resources according to the granted policies.


For other detailed operations, see Identity and Access Management.
