Identity and access management

Introduction

Identity and Access Management facilitates efficient management of resource access permissions within cloud accounts. It is tailored for various enterprise roles by assigning different product permissions to employees. It is advised to adopt Identity and Access Management when multi-user collaboration is necessary for resource operations in your organization.

It is applicable to the following usage scenarios:

• Medium and large enterprise customers: Authorization management for multiple employees in the enterprise;
• Technology-oriented vendor or SAAS platform provider: Resource and permission management for proxy clients;
• Small and medium-sized developers or small enterprises: Add project members or collaborators for resource management.

Create User

1. After logging into the root account, select Identity and Access Management from the console to access the user management page.

   

2. Click on User Management in the left navigation bar, then click New User on the IAM User Management List page.
3. In the pop-up New User dialog box, fill in the User Name and confirm, and return to the IAM User Management List area to view the newly created IAM user.

Configuration Policy

Virtual Private Cloud (VPC) supports both system and custom policies, allowing for product-level permission control as well as instance-level permission control within the VPC.

• System policy: A pre-defined set of permissions provided by the Baidu AI Cloud system for resource management. These can be directly assigned to IAM users, but users cannot modify them.
• Custom policy: User-created more detailed permission set for resource management, allowing permission configuration for single instance to flexibly meet differentiated permission management of accounts for different users. When editing policies, after modifying the first name, select Virtual Private Cloud (VPC) under Service Type to display all sub-products. Users can set permissions based on different roles.

Description:

• A VPC is composed of multiple sub-products, and the permissions for each sub-product are classified into three types: read-only, operations and maintenance, and management (certain sub-products may not include management permissions).
• Custom policies apply to specific individual instances and only take effect for those instances. As a result, they do not include permissions for instance creation.

Permission scope

The correspondence between the names of system policy and third-level permissions for each product is as follows:

The permission scope of policies for each product is detailed as follows:

User Authorization

Under User Management -> IAM User List, select Edit Permission in the Operations column for the corresponding IAM user, then authorize with either System Policy or Custom Policy.

Note: To change an IAM user's permissions without modifying existing policy rules, you must delete the current policy and assign a new one since existing policy permissions cannot be unchecked or edited directly.

Sign in as IAM User

After the root account authorizes the IAM user, it can share the login link with the IAM user. The IAM user can then access the root account's management console via this link and operate or view the root account's resources based on the granted policies.

For other detailed operations, refer to: Multi-User Access Control.