Scenario

Company A is an enterprise user of HUAWEI CLOUD, and it has multiple project teams that require different resources and personnel. This section presents the best practice for multi-project management to address company A's requirements.

Requirements

Requirement 1: Company A can purchase multiple types of resources in EU-Dublin for two project teams. Resources of the two project teams need to be isolated from each other. Access to specific cloud services needs to be authorized, for example, only authorized IAM users can access and use ECS.
Requirement 2: Each member of the project teams can access only the resources of the project team to which the member belongs, and only has the permissions required to complete tasks.
Requirement 3: Each project team makes payments only for the resources used by its members, and the project expenditures are clear.

Solution

Solution to requirement 1: Enterprise Management (EPS) and Identity and Access Management (IAM) are two cloud services of HUAWEI CLOUD that can isolate resources between projects. However, the implementation logic and functions of the two services are different.
- Enterprise Management: You can create enterprise projects to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. Each enterprise project can contain resources of multiple regions, and resources can be added to or removed from enterprise projects. Specified resources of certain services, for example, a specific ECS, can be added to or remove from enterprise projects.
- IAM: IAM projects group and physically isolate resources in a region, and each IAM project can only contain resources in the same region.

In conclusion, Enterprise Management provides more flexible cross-region resource isolation between projects than IAM. Therefore, it is recommended that company A use Enterprise Management to manage project resources. The solutions to the following requirements are proposed using the Enterprise Management service. For details about the two services, see What Are the Differences Between IAM and Enterprise Management?

Solution to requirement 2: In IAM, company A creates IAM users for employees and adds the IAM users to different groups. In Enterprise Management, company A adds the user groups to the enterprise projects created to address Requirement 1 and assigns required resource access permissions (see Table 1) to each user group.

Figure 1 Personnel management model of company A
Click to enlarge

**Table 1** User group permissions in company A
User Group	Responsibility	Permissions	Description
Accounting team	Project expenditure management	Enterprise Project BSS FullAccess	Permissions for accounting management of enterprise projects
Development team	Project development	ECS FullAccess	Full permissions for Elastic Cloud Server (ECS)
		OBS FullAccess	Full permissions for Object Storage Service (OBS)
		ELB FullAccess	Full permissions for Elastic Load Balance (ELB)
Security maintenance team	Security O&M of the project	ECS CommonOperations	Permissions for basic ECS operations
Security maintenance team	Security O&M of the project	CAD Administrator	Full permissions for Advanced Anti-DDoS (AAD)
Operations team	Overall operations of the project	EPS FullAccess	Full permissions for Enterprise Management, including modifying, enabling, disabling, and viewing enterprise projects

For details about permissions of all HUAWEI CLOUD services, see System-defined Permissions.

Solution to requirement 3: Company A uses Enterprise Management to manage renewals, orders, accounting, unsubscriptions, changes, and quotas of each enterprise project. For details, see Enterprise Project Accounting Management.

Parent topic: Cross-Region Permissions Assignment (Original Multi-Project Management)

Previous topic: Cross-Region Permissions Assignment (Original Multi-Project Management)

Next topic: Procedure