Identity and access management

Updated at: 2025-11-11

Introduction

Identity and Access Management helps users efficiently manage resource access permissions under cloud accounts. It accommodates various enterprise roles by assigning different product permissions to employees. When your enterprise requires multi-user collaboration for resource operations, using Identity and Access Management is highly recommended.

It is applicable to the following usage scenarios:

  • Medium and large enterprise customers: Authorization management for multiple employees in the enterprise;
  • Technology-oriented vendor or SaaS platform provider: Resource and permission management for proxy clients;
  • Small and medium-sized developers or small enterprises: Add project members or collaborators for resource management.

Create User

  1. After logging into the root account, select Identity and Access Management from the console to access the user management page.

  2. Click on User Management in the left navigation bar, then click New User on the IAM User Management List page.
  3. In the New User dialog box that appears, enter the username, confirm the details, and return to the IAM User Management List to view the newly created IAM user.

Configuration Policy

CSN supports both system policies and custom policies, allowing for product-level and instance-level permission control, respectively.

  • System policy: A pre-defined set of permissions provided by the Baidu AI Cloud system for resource management. These can be directly assigned to IAM users, but users cannot modify them.
  • Custom policy: A user-created, more granular set of permissions for resource management, allowing specific permissions to be configured for single instances. This provides flexibility to address the unique permission management needs of different users.

Description:

  • All CSN product permissions are categorized into three types: read-only, O&M, and administration.
  • For each product, O&M permissions encompass all read-only permissions. Administration permissions, in turn, include both read-only and O&M permissions. The table below highlights only areas where upper-level permissions deviate from lower-level permissions.
  • Custom policies apply to specific individual instances and only take effect for those instances. As a result, they do not include permissions for instance creation.

System Policy

The system policy includes 3 types of policies: management permission, operation and maintenance permission and read-only permission. The scope of permission is as follows:

| Policy name | Permission | Permission scope |
| --- | --- | --- |
| CSNFullControlPolicy | Full control permission for Cloud Smart Network (CSN) management | Query CSN instance list, view CSN instance details, view bandwidth package instance list, query cross-region bandwidth, view authorized network instances, view authorized network instances, modify name, edit description, add/unload network instances, create/delete association relationships, create/delete learning relationships, add/delete routes, bandwidth package configuration adjustment, change bandwidth package charge type, create/modify/delete cross-region bandwidth, add/delete authorization rules, create/delete CSN instances, create/release bandwidth packages |
| CSNOperateAccessPolicy | Permission for operation and maintenance of Cloud Smart Network (CSN) | Query CSN instance list, view CSN instance details, view bandwidth package instance list, query cross-region bandwidth, view authorized network instances, view authorized network instances, modify name, edit description, add/unload network instances, create/delete association relationships, create/delete learning relationships, add/delete routes, bandwidth package configuration adjustment, change bandwidth package charge type, create/modify/delete cross-region bandwidth, add/delete authorization rules |
| CSNReadOnlyAccessPolicy | Permission for read-only access to Cloud Smart Network (CSN) | Query CSN instance list, view CSN instance details, view bandwidth package instance list, query cross-region bandwidth, view authorized network instances, view authorized network instances |
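The hierarchy in the table above can be used to check assignments against least privilege. This is an added example, not Baidu AI Cloud code: it picks the lowest system policy that covers a set of required operations and flags users who hold a broader one. The operation labels are the table's wording used as descriptive strings (not real IAM action identifiers), and the user names and needs are constructed sample data.

```python
# Operation labels are the wording of the system policy table above; they are
# descriptive strings, not real IAM action identifiers.
READ_ONLY = frozenset({
    "query CSN instance list", "view CSN instance details",
    "view bandwidth package instance list", "query cross-region bandwidth",
    "view authorized network instances",
})
OPERATE = READ_ONLY | {
    "modify name", "edit description", "add/unload network instances",
    "create/delete association relationships",
    "create/delete learning relationships", "add/delete routes",
    "bandwidth package configuration adjustment",
    "change bandwidth package charge type",
    "create/modify/delete cross-region bandwidth",
    "add/delete authorization rules",
}
FULL = OPERATE | {"create/delete CSN instances", "create/release bandwidth packages"}

# Ordered from least to most privileged.
SYSTEM_POLICIES = [
    ("CSNReadOnlyAccessPolicy", READ_ONLY),
    ("CSNOperateAccessPolicy", OPERATE),
    ("CSNFullControlPolicy", FULL),
]

def minimal_policy(required_ops):
    """Return the least-privileged system policy covering required_ops."""
    required = set(required_ops)
    unknown = required - FULL
    if unknown:
        raise ValueError(f"operations not in the table: {sorted(unknown)}")
    for name, ops in SYSTEM_POLICIES:
        if required <= ops:
            return name

def audit(assignments, needs):
    """Return (user, assigned, sufficient) for users holding more than needed."""
    rank = {name: i for i, (name, _) in enumerate(SYSTEM_POLICIES)}
    findings = []
    for user, assigned in assignments.items():
        sufficient = minimal_policy(needs.get(user, ()))
        if rank[assigned] > rank[sufficient]:
            findings.append((user, assigned, sufficient))
    return findings

# Constructed sample data: hypothetical IAM users and what each needs to do.
ASSIGNMENTS = {"alice": "CSNFullControlPolicy", "bob": "CSNOperateAccessPolicy",
               "carol": "CSNFullControlPolicy"}
NEEDS = {"alice": ["add/delete routes", "query cross-region bandwidth"],
         "bob": ["add/delete authorization rules"],
         "carol": ["create/delete CSN instances"]}
```
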

Custom Policy

Custom policies authorize users at the instance level, differing from system policies as they apply exclusively to selected instances.

To create a policy, go to Policy Management in the left navigation bar, click Create Policy, enter a policy name, and select Cloud Smart Network (CSN) as the service type. The policy creation method defaults to the Visual Editor and does not need to be changed.

The scope of custom permission is detailed as follows:

| Products | Read-only operation | Operation and maintenance operations | Management operations |
| --- | --- | --- | --- |
| Cloud Smart Network | Query CSN instance list, view CSN instance details, view authorizing network instances, view authorized network instances | Query CSN instance list, view CSN instance details, view authorized network instances, view authorized network instances, modify name, edit description, add/unload network instances, create/delete association relationships, create/delete learning relationships, add/delete routes, add/delete authorization rules | Query CSN instance list, view CSN instance details, view authorized network instances, view authorized network instances, modify name, edit description, add/unload network instances, create/delete association relationships, create/delete learning relationships, add/delete routes, add/delete authorization rules, create/delete CSN instance |
| Bandwidth package | View bandwidth package instance list, query cross-region bandwidth | View bandwidth package instance list, query cross-region bandwidth, modify name, edit description, bandwidth package configuration adjustment, change bandwidth package charge type, create/modify/delete cross-region bandwidth | View bandwidth package instance list, query cross-region bandwidth, modify name, edit description, bandwidth package configuration adjustment, change bandwidth package charge type, create/modify/delete cross-region bandwidth, create/release bandwidth packages |

User Authorization

On the User Management -> IAM User management list page, find the desired IAM user and click Add Permission in the Operations column. Then, authorize the user using either a System Policy or a Custom Policy.

Sign in as IAM User

After the root account authorizes the IAM user, it can share the login link with the IAM user. The IAM user can then access the root account's management console via this link and operate or view the root account's resources based on the granted policies.

For other detailed operations, refer to: Identity and Access Management.
