Basic Concepts
The following are basic concepts that you need to understand before you get started with the IAM service.
Account
An account is created after you successfully register with HUAWEI CLOUD. Your account has full access permissions for your cloud resources and makes payments for the use of these resources. You can use the account to reset user passwords and assign permissions.
You cannot modify or delete your account in IAM, but you can do so in My Account.
IAM User
You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.
If an IAM user forgets their password, reset the password by referring to What Can I Do If My Password Is Forgotten?
Relationship Between an Account and Its IAM Users
An account and its IAM users share a parent-child relationship. The account owns the resources and makes payments for the resources used by IAM users. It has full permissions for these resources. IAM users are created by an administrator, and only have the permissions granted by the administrator. The administrator can modify or cancel the IAM users' permissions at any time.
Credentials
- Password: A common credential for logging in to the management console or calling APIs.
- Access key: An access key ID/secret access key (AK/SK) pair, which can only be used to call APIs. The secret access key is used to sign each API request, and the signature is cryptographically verified to confirm that the request is authentic, complete, and unaltered; the SK itself must be kept secret.
Virtual MFA Device
A virtual MFA device is an application that generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Currently, HUAWEI CLOUD supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones. For details about how to use virtual MFA devices, see Virtual MFA Device.
User Group
You can use user groups to assign permissions to IAM users. By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services. If a user is added to multiple user groups, the user inherits the permissions assigned to all these groups.
The default user group admin has all the permissions required to use all of the cloud resources. Users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.
Authorization
Authorization is the process of granting required permissions for a user to perform a task. After a system-defined or custom policy is assigned to a user group, users in the group inherit the permissions defined by the policy to manage resources.
Permission
- Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECS resources. IAM supports both system-defined and custom policies.
- A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and cannot be modified. If you need to assign permissions for a specific service to a user group or agency on the IAM console but cannot find corresponding policies, it indicates that the service does not support permissions management through IAM. Please submit a service ticket and request that permissions for the service be made available in IAM.
- You can create custom policies using the actions supported by cloud services and use custom policies to supplement system-defined policies for more refined access control. You can create custom policies in the visual editor or in JSON view.
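To make the user group inheritance and policy descriptions above concrete, here is an added Python example (not HUAWEI CLOUD code) that evaluates constructed policies written in the JSON-view style against a user's group memberships. The action names and the rule that an explicit Deny overrides any Allow are assumptions for the illustration.

```python
import fnmatch
import json

# Constructed sample policies in JSON-view style; the action names are
# illustrative, not a list of real service actions.
POLICIES = {
    "ECSReadOnly": json.loads("""{
      "Version": "1.1",
      "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*"]}
      ]}"""),
    "ECSOperator": json.loads("""{
      "Version": "1.1",
      "Statement": [
        {"Effect": "Allow", "Action": ["ecs:cloudServers:*"]},
        {"Effect": "Deny",  "Action": ["ecs:cloudServers:delete"]}
      ]}"""),
}

# Constructed memberships: group -> attached policies, user -> groups.
GROUP_POLICIES = {"readers": ["ECSReadOnly"], "operators": ["ECSOperator"]}
USER_GROUPS = {"alice": ["readers"], "bob": ["readers", "operators"]}


def effective_statements(user):
    """Collect every statement a user inherits through all of their groups."""
    for group in USER_GROUPS.get(user, []):
        for policy_name in GROUP_POLICIES.get(group, []):
            yield from POLICIES[policy_name]["Statement"]


def is_allowed(user, action):
    """Decide one action: no matching statement means implicit deny, and an
    explicit Deny wins over any Allow (assumed evaluation order)."""
    decision = False
    for stmt in effective_statements(user):
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def allowed_actions(user, candidate_actions):
    """Filter candidate actions down to those the user may actually perform."""
    return [a for a in candidate_actions if is_allowed(user, a)]
```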
Project
A region corresponds to a project. Default projects are defined to group and physically isolate resources (including computing, storage, and network resources) across regions. You can grant users permissions in a default project to access all resources in the region associated with the project. If you need more refined access control, you can create subprojects under a default project and purchase resources in subprojects. Then you can assign required permissions for users to access only resources in specific subprojects.
Agency
An agency is a trust relationship that you establish between your account and another HUAWEI CLOUD account or a cloud service to delegate resource access.
- Account delegation: You can delegate another HUAWEI CLOUD account to implement O&M on your resources based on assigned permissions.
- Cloud service delegation: HUAWEI CLOUD services interwork with each other, and some cloud services are dependent on other services. You can create an agency to delegate a cloud service to access other services.
Enterprise Project
Enterprise projects allow you to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. An enterprise project can contain resources of multiple regions, and you can easily add resources to or remove resources from enterprise projects.
For details about how to obtain enterprise project IDs and features, see the Enterprise Management User Guide.