Updated on 2025-02-25 GMT+08:00

How Do I Limit Specific Enterprise Projects to Different IAM Users?

Background

There are two IAM users, User B and User C, and two enterprise projects, EnterpriseProjectB and EnterpriseProjectC, in your account.

You want to:

  • Allow User B to view and manage resources only in EnterpriseProjectB.
  • Allow User C to view and manage resources only in EnterpriseProjectC.

Procedure

  1. Create user groups.

    In the IAM console, create UserGroup B and UserGroup C.

    For details about how to create a user group and assign permissions, see Creating a User Group and Assigning Permissions.
    Figure 1 Created user groups

  2. Add users to user groups.

    Add User B and User C to UserGroup B and UserGroup C respectively.

    For details about how to create a user and add it to the user group, see Creating an IAM User.

    Figure 2 Adding a user to a user group

  3. Assign permissions to user groups.

    Assign policies, for example, ELB FullAccess, to groups B and C.

    a. In the Operation column of the row containing UserGroup B, click Authorize.
    b. Select the ELB FullAccess policy and click Next.
    c. Select a scope and click OK.
      Select Enterprise projects for Scope, and select EnterpriseProjectB in the displayed enterprise project list.
      Figure 3 Selecting a scope
    d. Click Finish.
    e. Repeat steps 3.a to 3.d to assign the ELB FullAccess policy to UserGroup C, this time selecting EnterpriseProjectC as the scope.

Verification

Log in to the management console as User B and create a load balancer. If only EnterpriseProjectB can be selected, the permissions have taken effect.
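
The console check above covers one user at a time. As an added example (not Huawei Cloud code and not an IAM API), the following sketch derives each user's effective enterprise projects from group memberships and scoped grants and reports any deviation from the intended state in Background. The record layout, function names and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data in an assumed layout (not an IAM API response).
MEMBERSHIPS = {
    "User B": ["UserGroup B"],
    "User C": ["UserGroup C", "UserGroup B"],  # constructed mistake: extra group
}
# (group, policy, scope type, scope target)
GRANTS = [
    ("UserGroup B", "ELB FullAccess", "enterprise_project", "EnterpriseProjectB"),
    ("UserGroup C", "ELB FullAccess", "enterprise_project", "EnterpriseProjectC"),
]
# Intended state, taken from the Background section.
INTENDED = {"User B": {"EnterpriseProjectB"}, "User C": {"EnterpriseProjectC"}}


def effective_access(memberships, grants):
    """Map each user to (reachable enterprise projects, grants with another scope)."""
    by_group = defaultdict(list)
    for group, policy, scope, target in grants:
        by_group[group].append((policy, scope, target))
    result = {}
    for user, groups in memberships.items():
        projects, other = set(), []
        for group in groups:
            for policy, scope, target in by_group[group]:
                if scope == "enterprise_project":
                    projects.add(target)
                else:  # not limited to a single enterprise project
                    other.append((group, policy, scope))
        result[user] = (projects, other)
    return result


def audit(memberships, grants, intended):
    """Return sorted findings; an empty list means the isolation holds."""
    findings = []
    effective = effective_access(memberships, grants)
    for user, wanted in intended.items():
        projects, other = effective.get(user, (set(), []))
        findings += [f"{user}: unexpected access to {p}" for p in projects - wanted]
        findings += [f"{user}: missing access to {p}" for p in wanted - projects]
        findings += [f"{user}: {pol} via {grp} has scope '{sc}'" for grp, pol, sc in other]
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(MEMBERSHIPS, GRANTS, INTENDED)) or "isolation holds")
```

With the constructed data, the only finding is User C's unintended access to EnterpriseProjectB through the extra group membership.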