Identity and access management

Updated at: 2025-11-11

Introduction

Identity and Access Management helps users manage resource access permissions within cloud accounts. It caters to various enterprise roles by granting different staff levels access to specific product permissions. For enterprises requiring multi-user collaboration for resource operations, using Identity and Access Management is recommended.

It is applicable to the following usage scenarios:

  • Medium and large enterprise customers: Authorization management for multiple employees in the enterprise;
  • Technology-oriented vendor or SaaS platform provider: Resource and permission management for proxy clients;
  • Small and medium-sized developers or small enterprises: Add project members or collaborators for resource management.

Create User

  1. After logging in with the root account, select Identity and Access Management on the console to enter the User Management page;

  2. Click User Management in the left navigation bar, and click Create User on the IAM User Management List page;
  3. In the New User dialog box that appears, enter the username, confirm the details, and return to the IAM User Management List to view the newly created IAM user.

Configuration Policy

Public DNS supports both system policies and custom policies, allowing for product-level and instance-level permission control of DNS.

  • System policy: A pre-defined set of permissions provided by the Baidu AI Cloud system for resource management. These can be directly assigned to IAM users, but users cannot modify them.
  • Custom policy: A user-created, more granular set of permissions for resource management, allowing specific permissions to be configured for single instances. This provides flexibility to address the unique permission management needs of different users.

System Policy

System policies come in 3 types: management permission, operation and maintenance permission, and read-only permission. The permission scope of each is as follows:

| Policy name | Permission | Permission scope |
|---|---|---|
| DNSReadPolicy | Read-only permission to access the public DNS service | Query domain name list, view resolution records |
| DNSOperatePolicy | Permission for operational actions of public DNS | Query domain name list, view resolution records and resolution configuration |
| DNSFullControlPolicy | Full control permission for public DNS service management | Query domain list, view resolution records, configure resolution, add/delete domain names, renew, upgrade |
| LDReadPolicy | Read-only permission to access the local DNS service | Query domain name list, view instance details |
| LDOperatePolicy | Permission for operational actions of local DNS | Query domain name list, view instance details, configure resolution settings, and associate VPCs |
| LDFullControlPolicy | Full control permission for local DNS service management | Query domain name list, view instance details, configure resolution settings, associate VPCs, add/delete domain names |
| ResolverReadAccessPolicy | Read-only permission to access the resolver | View forwarding rule list, view egress endpoint, view ingress endpoint |
| ResolverOperateAccessPolicy | Permission for operational actions of the resolver | View forwarding rule list, view egress endpoints, view ingress endpoints, create/modify/delete forwarding rules, associate VPCs, modify egress endpoints, modify ingress endpoints |
| ResolverFullControlAccessPolicy | Full control permission for resolver management | View forwarding rule list, view egress endpoints, view ingress endpoints, create/modify/delete forwarding rules, associate VPCs, create/modify/delete egress endpoints, create/modify/delete ingress endpoints |

Custom Policy

Custom policies authorize users at the instance level, differing from system policies as they apply exclusively to selected instances.

IAM users navigate to Policy Management via the left navigation bar, click Create Policy, enter the policy name, and select the service type (choose Intelligent Cloud DNS for public DNS or local DNS for private DNS). The default Visual Editor method for policy creation requires no modifications.

The scope of custom permission is detailed as follows:

| Product Name | Read-only permission | Operation and maintenance permission | Management permission |
|---|---|---|---|
| Public DNS service | Query domain name list, view resolution records | Query domain name list, view resolution records and resolution configuration | Query domain list, view resolution records, configure resolution, delete domain names, renew, upgrade |
| Local DNS service - Private zone | Query domain name list, view instance details, view forwarding rule list | Query domain name list, view instance details, configure resolution settings, and associate VPCs | Query domain name list, view instance details, configure resolution settings, associate VPCs, and delete domain names |
| Private DNS service - Resolver | View forwarding rule list, view egress endpoint, view ingress endpoint | View forwarding rule list, view egress endpoints, view ingress endpoints, create/modify/delete forwarding rules and associate VPCs | View forwarding rule list, view egress endpoints, view ingress endpoints, create/modify/delete forwarding rules, associate VPCs, create/modify/delete egress endpoints, create/modify/delete ingress endpoints |

User Authorization

Under User Management -> IAM User List, locate the relevant IAM user and click Add Permission in the Operations column. You can then authorize the user through either a System Policy or a Custom Policy.

Note: To change an IAM user's permissions without modifying existing policy rules, you must delete the current policy and assign a new one since existing policy permissions cannot be unchecked or edited directly.
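
Choosing the narrowest system policy before clicking Add Permission can be checked mechanically. The following is an added example, not part of the original page or the provider's SDK: it encodes the local DNS and resolver rows of the system policy table and reports grants that are broader than a user's stated needs. The action labels, `narrowest_policy`, `audit` and the sample user are hypothetical names introduced here.

```python
# Added example. Action labels are hypothetical names transcribed from the
# "Permission scope" column of the system policy table, not real API actions.
LD_READ = {"query_domain_list", "view_instance_details"}
LD_OPERATE = LD_READ | {"configure_resolution", "associate_vpc"}
LD_FULL = LD_OPERATE | {"add_domain", "delete_domain"}
RES_READ = {"view_forwarding_rules", "view_egress_endpoint", "view_ingress_endpoint"}
RES_OPERATE = RES_READ | {"create_forwarding_rule", "modify_forwarding_rule",
                          "delete_forwarding_rule", "associate_vpc",
                          "modify_egress_endpoint", "modify_ingress_endpoint"}
RES_FULL = RES_OPERATE | {"create_egress_endpoint", "delete_egress_endpoint",
                          "create_ingress_endpoint", "delete_ingress_endpoint"}
SYSTEM_POLICIES = {
    "local_dns": {"LDReadPolicy": LD_READ, "LDOperatePolicy": LD_OPERATE,
                  "LDFullControlPolicy": LD_FULL},
    "resolver": {"ResolverReadAccessPolicy": RES_READ,
                 "ResolverOperateAccessPolicy": RES_OPERATE,
                 "ResolverFullControlAccessPolicy": RES_FULL},
}


def narrowest_policy(service, needed):
    """Return the smallest system policy covering `needed`, or None if nothing is needed."""
    needed = set(needed)
    if not needed:
        return None
    fits = [(len(scope), name) for name, scope in SYSTEM_POLICIES[service].items()
            if needed <= scope]
    if not fits:
        raise ValueError(f"no {service} system policy covers {sorted(needed)}")
    return min(fits)[1]


def audit(assignments, needs):
    """Flag grants that differ from the narrowest policy covering each user's needs.
    assignments: {user: {service: policy}}; needs: {user: {service: actions}}.
    Returns (user, service, granted, recommended, unused_actions) tuples."""
    findings = []
    for user, grants in assignments.items():
        for service, granted in grants.items():
            needed = set(needs.get(user, {}).get(service, ()))
            best = narrowest_policy(service, needed)
            if best != granted:
                unused = sorted(SYSTEM_POLICIES[service][granted] - needed)
                findings.append((user, service, granted, best, unused))
    return findings

# Constructed sample data (not from the page).
SAMPLE_GRANTS = {"alice": {"resolver": "ResolverFullControlAccessPolicy"}}
SAMPLE_NEEDS = {"alice": {"resolver": {"view_forwarding_rules", "modify_forwarding_rule"}}}
```

A recommendation of `None` means the user needs nothing from that service and the grant can be removed. Because policy permissions cannot be unchecked in place, acting on a finding means deleting the current policy and assigning the recommended one.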
