Authorizing IAM Users to Manage Resources of an Account
Company B is a professional O&M company. It becomes a delegated party after being authorized by company A. Company B assigns permissions to one or more of its IAM users to manage company A's resources.
Requirements
- Company B wants to authorize its employees (IAM users) to manage the delegated resources of company A.
- If company A creates multiple agencies for company B, company B can allocate the agencies to different employees. This will allow each employee to only manage resources of specific agencies.
Solution
- Account B creates users on the IAM console, and grants the permissions (including Agent Operator) required for managing delegated resources to the users.
- Account B creates a custom policy with only the permissions required to manage the delegated resources of an agency. Then, account B attaches the policy to the group to which a user belongs, so that the user can only manage the resources of the agency.
Procedure
Account B performs the following procedure to authorize IAM users to manage resources of specific agencies. After authorization, the IAM users of account B can switch their roles to account A to manage account A's resources. To do this, account B needs to have obtained the account (HUAWEI ID), agency name, and agency ID of the delegating party.
- Create a user group and grant permissions to it.
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter the user group name, for example, Agency Management.
- Click OK.
The user group is displayed in the user group list.
- In the row containing the target user group, click Authorize.
NOTE:
- To authorize a user to manage only the resources of a specific agency, perform the following steps.
- To authorize a user to manage the resources of all agencies, go to the next step.
- On the Select Policy/Role page, click Create Policy in the upper right.
- Enter a policy name, for example, Agency 1 for Managing Company A.
- Select JSON for Policy View.
- In the Policy Content area, enter the following content:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "iam:agencies:assume"
                ],
                "Resource": {
                    "uri": [
                        "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
                    ]
                },
                "Effect": "Allow"
            }
        ]
    }
NOTE:
Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
- Click Next.
- Select the Agency 1 for Managing Company A policy created in the previous step, or the Agent Operator role.
NOTE:
- The custom policy allows the user only to manage resources of a specific agency ID.
- The Agent Operator role allows the user to manage the resources of all agencies.
- Specify the authorization scope.
- Click OK.
- Create a user and add the user to the user group.
- In the navigation pane, choose Users.
- On the Users page, click Create User.
- On the Create User page, enter a username and email address.
- For Access Type, select Management console access.
- For Credential Type, select Set by user.
- Enable login protection, select a verification mode, and click Next.
- Select the user group Agency Management created in 2 and click Create.
- Switch the role.
- Log in to HUAWEI CLOUD as the user created in 2. For more information, see Logging In as an IAM User.
- Click the username in the upper right corner, and choose Switch Role.
- Enter the account name of the delegating party. The agency created by the delegating party is displayed automatically.
NOTE:
If an agency other than the agencies created by the delegating party is displayed, a message is displayed indicating that you do not have access permissions. Select the correct agency in the Agency Name drop-down list box.
- Click OK to switch to the delegating account.
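The custom policy in the procedure only limits a user to one agency if its iam:agencies:assume statement names that agency's URI. The following check is an added example, not Huawei Cloud code: it reports which agency IDs a policy document pins and why a policy is broader than intended. The function name, the sample agency ID, the glob-style matching of `*` in actions, and the reading that a statement without an agency URI covers all agencies are assumptions.

```python
import fnmatch

ASSUME = "iam:agencies:assume"
PREFIX = "/iam/agencies/"

def assumable_agencies(policy):
    """Return (agency_ids, findings) for the Allow statements of a policy."""
    ids, findings = set(), []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        # Assumption: '*' in an action pattern matches like a shell glob.
        if not any(fnmatch.fnmatchcase(ASSUME, a) for a in actions):
            continue
        if any(a != ASSUME for a in actions):
            findings.append(f"statement {i}: grants more than {ASSUME}")
        res = stmt.get("Resource")
        uris = res.get("uri", []) if isinstance(res, dict) else []
        if not uris:
            # Assumption: without an agency uri the statement covers all agencies.
            findings.append(f"statement {i}: no agency uri in Resource")
        for uri in uris:
            agency_id = uri[len(PREFIX):] if uri.startswith(PREFIX) else ""
            if not agency_id or "*" in agency_id:
                findings.append(f"statement {i}: {uri!r} does not pin one agency")
            else:
                ids.add(agency_id)
    return ids, findings

# Constructed sample policies; the agency ID is a made-up placeholder.
SCOPED = {"Version": "1.1", "Statement": [{
    "Action": ["iam:agencies:assume"],
    "Resource": {"uri": ["/iam/agencies/0123456789abcdef0123456789abcdef"]},
    "Effect": "Allow"}]}
BROAD = {"Version": "1.1", "Statement": [{
    "Action": ["iam:agencies:*"], "Effect": "Allow"}]}
WILDCARD = {"Version": "1.1", "Statement": [{
    "Action": ["iam:agencies:assume"],
    "Resource": {"uri": ["/iam/agencies/*"]},
    "Effect": "Allow"}]}

if __name__ == "__main__":
    for name, pol in [("SCOPED", SCOPED), ("BROAD", BROAD), ("WILDCARD", WILDCARD)]:
        print(name, assumable_agencies(pol))
```

Run it over exported custom policies before attaching them to a user group; an empty findings list means every assume grant in the policy names a single agency.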