Identity and Access Management
Introduction
Identity and access management is mainly used to help users manage the access rights of resources under the cloud account. It is applicable to different roles in the enterprise. Different workers can be given different privileges to use the product. It is recommended that you use identity and access management.
Suitable for the following usage scenarios:
- Modify the redis instance parameter values: Authorized management of multiple employees in the company;
- Technical vendors or SAAS vendors: Resource and authority management for agency clients;
- Small and medium developers or small businesses: Add project members or collaborators for resource management.
Create User
-
After the master account user logs in, select "Identity and Access Management" on the console to enter the user management page.
- Click "User Management" on the left navigation bar, and click "Create User" on the "Subuser Management List" page.
- In the pop-up "Create User" dialog box, fill in the "User Name" and confirm, and return to the "Subuser Management List" region to view the newly created subuser.
Configuration Strategy
The VPC of private network supports system policy and user custom policy, which respectively realizes product-level privilege and instance-level privilege control of VPC.
- System policy: A set of privilege predefined by Baidu AI Cloud System to manage resources. They can directly authorize subusers. Users can only use them and cannot modify them.
- Custom policy: A more detailed set of privileges created by users themselves to manage resources. They can be configured for a single instance so as to more flexibly meet the account's differentiated privileges management for different users.
Note
- The VPC includes multiple sub-products, and the privileges of each sub-product can be divided into three kinds: read-only, operation and maintenance, and management (Some sub-products have no management privilege).
- The custom policy is assigned to a specific instance, and can only be effective in these instances, so custom policy does not have creation privilege.
Extent of Privilege
The correspondence between name of system policy of each product and three-level privilege is as follows:
| Production name | Read only | Operation and maintenance | Management |
|---|---|---|---|
| VPC | VpcReadOnlyAccessPolicy | VpcOperateAccessPolicy | VpcFullControlPolicy |
| subnet | SubnetReadOnlyAccessPolicy | SubnetOperateAccessPolicy | SubnetFullControlPolicy |
| Routing table | RouteReadOnlyAccessPolicy | RouteOperateAccessPolicy | None |
| Security group | SecurityGroupReadOnlyAccessPolicy | SecurityGroupOperateAccessPolicy | SecurityGroupFullControlPolicy |
| ACL | AclReadPolicy | AclOperatePolicy | None |
| Elastic network interface card | ENICReadOnlyAccessPolicy | ENICOperateAccessPolicy | ENICFullControlPolicy |
| Service network interface card | SNICReadOnlyAccessPolicy | SNICOperateAccessPolicy | SNICFullControlPolicy |
| NAT gateway | NATReadPolicy | NATOperateAccessPolicy | NATFullControlPolicy |
| IPv6 gateway | IPV6ReadPolicy | IPV6OperateAccessPolicy | IPV6FullControlAccessPolicy |
| VPN gateway | VPNReadPolicy | VPNOperatePolicy | VPNFullControlPolicy |
| Peer-to-peer connection | PEERCONNReadPolicy | PEERCONNOperatePolicy | PEERCONNFullControlPolicy |
| Dedicated line gateway | DedicatedConnReadPolicy | DedicatedConnOperatePolicy | DedicatedConnFullControlPolicy |
The policy privilege of each product is detailed as follows:
| Product | Read only | Operation and maintenance | Management |
|---|---|---|---|
| VPC | Query VPC list, query specified VPC | Query VPC list, query specified VPC, modify VPC name/description | Query VPC list, query specified VPC, modify VPC name and description, create/delete VPC |
| subnet | Query subnet list, query specified subnet | Query subnet list, query specified subnet, modify subnet name/description | Query subnet list, query specified subnet, modify subnet name/description, create/delete subnet |
| Routing table | Query a route table | Query routing table, create/delete routing rules | |
| Security group | Query security group list, view security group details | Query security group list, view security group details, add/delete security group rules, bind/unbind instance | Query security group list, view security group details, add/delete security group rule, bind/unbind instance, create/delete security group |
| ACL | Query ACL list, query specified ACL | Query ACL list, query specified ACL, add/delete ACL rules | |
| Elastic network interface card | View instance list, view instance details | View the list and details of instance, change the name/description of instance, mount/uninstall the CVM server, add/release the secondary IP and associate with security groups | View the list and details of instance, change the name/description of instance, mount/uninstall the CVM server, add/release the secondary IP and associate with ENIC |
| Service network interface card | View instance list, view instance details | View instance list, view instance details, modify NIC name/description, view monitoring, configure alarm | View instance list, view instance details, modify NIC name/description, view monitoring, configure alarm, create/release instance |
| NAT gateway | Query instance list, view instance details | Query instance list, view instance details, bind/unbind public network IP, view monitoring, configure alarm | Query instance list, view instance details, bind/unbind public network IP, view monitoring, configure alarm, create/release instance, gateway upgrade, renewal, billing change |
| IPv6 Gateway | Query instance list, view instance details | Query the list and details of instance, configure the out-only policy and IP speed limit policy, view the monitoring and configuration alarms. | Query the list and details of instance, configure the out-only policy and IP speed limit policy, view the monitoring and configuration alarms, create/release the instance, bandwidth upgrading, renewal and billing change. |
| VPN gateway | Query instance list, view instance details | Query instance list, view instance details, bind/unbind public network IP, configure VPN tunnel, view monitoring, configure alarm | Query instance list, view instance details, bind/unbind public network IP, configure VPN tunnel, view monitoring, configure alarm, create/release instance, renew |
| Peer-to-peer connection | Query peer instance list, view instance details, view cross-account connection application | Query peer instance list, view instance details, view cross-account connection application, modify instance name/description/local interface name, view monitoring, configure alarm | Query peer instance list, view instance details, view cross-account connection application, modify instance name/description/local interface name, view monitoring, configure alarm, create/release peer-to-peer connection, upgrade bandwidth, manage cross-account connection applications |
| Dedicated Line Gateway | View instance list, view instance details | View instance list, view instance details, modify name/description/outlet bandwidth/cloud network, bind/unbind physical express tunnel, view monitoring, configure alarm | View instance list, view instance details, modify name/description/outlet bandwidth/cloud network, bind/unbind physical express tunnel, view monitoring, configure alarm, create/release express tunnel gateway |
User Authorization
Select "Add Privilege" in the "Action" column of the corresponding subuser in the "User Management > Subuser Management List Page", and select system privileges or custom policies for users to authorize.
Note You can only delete existing policies and add new policies to modify the privileges of a subuser without modifying the existing policy rules. You cannot uncheck the policy privileges that have been added.
Sub-user Login
After the master account authorizes the subuser, the link can be sent to the subuser; the subuser can log in to the management console of the master account through the IAM user login link, and operate and view the master account resources according to the authorized policy.
For other detailed operation, please see Identity and Access Management.