
Creating a User Group and Assigning Permissions

As an administrator, you can create user groups and grant them permissions by attaching policies or roles. Users you add to a user group inherit the permissions of the policies or roles attached to it. IAM provides administrator permissions and read-only permissions for each cloud service, which you can assign to user groups. Users in the groups can then use cloud services based on the assigned permissions. For details, see Assigning Permissions to an IAM User. For details about the permissions of all cloud services, see System Permissions.

Prerequisites

Before creating a user group, complete the following operations:

Creating a User Group

  1. Log in to the IAM console as an administrator.
  2. On the IAM console, choose User Groups from the navigation pane, and click Create User Group in the upper right corner.

    Figure 1 Creating a user group

  3. Enter a user group name, for example, Developers.

    Figure 2 Entering a user group name

  4. Click OK.

    You can create a maximum of 20 user groups. To create more user groups, increase the quota by referring to How Do I Increase My Quota?

Assigning Permissions to a User Group

To assign permissions to a user group, do as follows:

  1. In the user group list, choose Authorize in the row that contains the Developers group.

    Figure 3 Going to the user group authorization page

  2. On the Authorize User Group page, select the permissions to be assigned to the user group and click Next.

    If the system-defined policies do not meet your requirements, click Create Policy in the upper right to create custom policies. You can use them to supplement system-defined policies for refined permissions control. For details, see Creating a Custom Policy.
    Figure 4 Selecting permissions

  3. Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.

    Table 1 Authorization scopes

    | Scope | Description |
    | --- | --- |
    | All resources | IAM users can use the resources in all region-specific projects and the global service project in your account as specified by the permissions. |
    | Enterprise projects | IAM users can use the resources in the enterprise projects you select, as specified by the permissions. This option is available only when the enterprise project function has been enabled. For details about enterprise projects, see What is Enterprise Project Management Service? To enable the enterprise project function, see Enabling the Enterprise Project Function. |
    | Region-specific projects | IAM users can use the resources in the region-specific projects you select, as specified by the permissions. If some of the selected permissions belong to global services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for project-level services will take effect for the region-specific projects you select. |
    | Global service project | IAM users can use global services as specified by the permissions. Global services are deployed with no physical regions specified. IAM users do not need to specify a region when accessing these services, such as Object Storage Service (OBS) and Content Delivery Network (CDN). If some of the selected permissions belong to project-level services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for global services will take effect for the global service project. |

  4. Click OK.
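The scope rules in Table 1 are easy to misread on screen: selecting Region-specific projects for a group that also carries a global-service permission silently widens that one permission to All resources, and a user placed in several groups receives the union of everything those groups grant. The following Python model is an added illustration, not Huawei Cloud code or anything from this page; the class and function names, the group dictionaries, the "region-a" target and the "(sample)" policy names are assumptions made for the example. It resolves the effective scope of each permission per Table 1, flags grants the system widened beyond the administrator's selection, and merges what a user inherits across groups.

```python
"""Toy model of how IAM resolves an authorization scope per permission (the
rules in Table 1) and of what a user inherits from several groups.

Added illustration, not Huawei Cloud code: the class and function names, the
group dictionaries and the sample policy names are assumptions for the example."""
from dataclasses import dataclass
from enum import Enum


class ServiceType(Enum):
    PROJECT_LEVEL = "project-level"  # resources live in region-specific projects (e.g. ECS)
    GLOBAL = "global"                # no region is specified on access (e.g. OBS, CDN)


@dataclass(frozen=True)
class Permission:
    name: str
    service_type: ServiceType


# The four scopes offered on the Authorize User Group page (Table 1).
ALL_RESOURCES = "All resources"
ENTERPRISE_PROJECTS = "Enterprise projects"
REGION_PROJECTS = "Region-specific projects"
GLOBAL_PROJECT = "Global service project"


def effective_scope(perm, selected_scope, targets=()):
    """Return the scope one permission actually takes effect in.

    Table 1: with Region-specific projects selected, permissions of global
    services are widened to All resources; with Global service project
    selected, permissions of project-level services are widened to
    All resources. Other combinations keep the selected scope."""
    if selected_scope == REGION_PROJECTS:
        if perm.service_type is ServiceType.GLOBAL:
            return ALL_RESOURCES
        return REGION_PROJECTS + ": " + ", ".join(sorted(targets))
    if selected_scope == GLOBAL_PROJECT:
        if perm.service_type is ServiceType.PROJECT_LEVEL:
            return ALL_RESOURCES
        return GLOBAL_PROJECT
    if selected_scope == ENTERPRISE_PROJECTS:
        return ENTERPRISE_PROJECTS + ": " + ", ".join(sorted(targets))
    return ALL_RESOURCES


def group_effective_permissions(group):
    """Map each permission attached to a group to its effective scope."""
    return {p.name: effective_scope(p, group["scope"], group.get("targets", ()))
            for p in group["permissions"]}


def widened_to_all_resources(group):
    """Audit helper: permissions whose scope the system widened beyond the
    scope the administrator selected. Worth reviewing before clicking OK,
    because the selection on screen is narrower than the resulting grant."""
    if group["scope"] == ALL_RESOURCES:
        return []
    return sorted(name for name, scope in group_effective_permissions(group).items()
                  if scope == ALL_RESOURCES)


def user_effective_permissions(groups):
    """A user added to several groups inherits all permissions of all of them;
    a permission granted by more than one group is listed with every scope."""
    merged = {}
    for g in groups:
        for name, scope in group_effective_permissions(g).items():
            merged.setdefault(name, set()).add(scope)
    return {name: sorted(scopes) for name, scopes in merged.items()}


# Constructed sample groups; "region-a" and the "(sample)" policy names are placeholders.
DEVELOPERS = {
    "name": "Developers",
    "scope": REGION_PROJECTS,
    "targets": ("region-a",),
    "permissions": [
        Permission("ECS FullAccess", ServiceType.PROJECT_LEVEL),
        Permission("OBS ReadOnly (sample)", ServiceType.GLOBAL),
    ],
}
AUDITORS = {
    "name": "Auditors",
    "scope": GLOBAL_PROJECT,
    "permissions": [
        Permission("CDN ReadOnly (sample)", ServiceType.GLOBAL),
        Permission("VPC FullAccess", ServiceType.PROJECT_LEVEL),
    ],
}

if __name__ == "__main__":
    for g in (DEVELOPERS, AUDITORS):
        print(g["name"], group_effective_permissions(g))
        print("  widened beyond selection:", widened_to_all_resources(g))
    print("user in both groups:", user_effective_permissions([DEVELOPERS, AUDITORS]))
```

Running the module shows that the Developers group, although scoped to a single region-specific project, grants its OBS permission on All resources, and that a user in both sample groups ends up with VPC FullAccess on All resources through the Auditors group's Global service project selection. Checking the output of widened_to_all_resources before step 4 is the practical counterpart of reading the recommended scope carefully.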

Table 2 lists the common permissions. For the complete list of service-specific permissions, see System Permissions.

NOTE:

If you add a user to multiple groups, the user will inherit all the permissions that have been assigned to the groups.

Table 2 Common permissions

| Category | Policy/Role Name | Description | Scope |
| --- | --- | --- | --- |
| General administration | FullAccess | Full permissions for services supporting policy-based access control. | Global |
| Resource management | Tenant Administrator | Administrator permissions for all services except IAM. | All regions |
| Viewing resources | Tenant Guest | Read-only permissions for all resources. | All regions |
| IAM user management | Security Administrator | Administrator permissions for IAM. | Global |
| Accounting management | BSS Administrator | Administrator permissions for Billing Center, including managing invoices, orders, contracts, and renewals, and viewing bills. NOTE: This role depends on the BSS Administrator role to take effect. | Specific regions |
| Computing O&M | ECS FullAccess | Administrator permissions for ECS. | Specific regions |
| | CCE FullAccess | Administrator permissions for Cloud Container Engine (CCE). | Specific regions |
| | CCI FullAccess | Administrator permissions for Cloud Container Instance (CCI). | Specific regions |
| | BMS FullAccess | Administrator permissions for Bare Metal Server (BMS). | Specific regions |
| | IMS FullAccess | Administrator permissions for Image Management Service (IMS). | Specific regions |
| | AutoScaling FullAccess | Administrator permissions for Auto Scaling (AS). | Specific regions |
| Network O&M | VPC FullAccess | Administrator permissions for Virtual Private Cloud (VPC). | Specific regions |
| | ELB FullAccess | Administrator permissions for Elastic Load Balance (ELB). | Specific regions |
| Database O&M | RDS FullAccess | Administrator permissions for Relational Database Service (RDS). | Specific regions |
| | DDS FullAccess | Administrator permissions for Document Database Service (DDS). | Specific regions |
| | DDM FullAccess | Administrator permissions for Distributed Database Middleware (DDM). | Specific regions |
| Security O&M | Anti-DDoS Administrator | Administrator permissions for Anti-DDoS. | Specific regions |
| | CAD Administrator | Administrator permissions for Advanced Anti-DDoS (AAD). | Specific regions |
| | WAF Administrator | Administrator permissions for Web Application Firewall (WAF). | Specific regions |
| | VSS Administrator | Administrator permissions for Vulnerability Scan Service (VSS). | Specific regions |
| | CGS Administrator | Administrator permissions for Container Guard Service (CGS). | Specific regions |
| | KMS Administrator | Administrator permissions for Key Management Service (KMS), which has been renamed Data Encryption Workshop (DEW). | Specific regions |
| | DBSS System Administrator | Administrator permissions for Database Security Service (DBSS). | Specific regions |
| | SES Administrator | Administrator permissions for Security Expert Service (SES). | Specific regions |
| | SC Administrator | Administrator permissions for SSL Certificate Manager (SCM). | Specific regions |