Why Permissions Granted to a User Do Not Take Effect?
Symptom
Permissions that you grant to an IAM user do not take effect.
Troubleshooting
- Cause: Incorrect permissions were granted to the user group to which the user belongs.
Solution: Ask the administrator to modify the permissions granted to the user group to which the IAM user belongs. For details, see Modifying User Group Permissions. For details about permissions, see System-defined Permissions.
- Cause: Actions are denied by the permissions granted to the user.
View the system-defined permissions granted to the IAM user and check whether there is a policy statement that denies the action. For details, see Policy Syntax. If the system-defined permissions cannot meet your requirements, create a custom policy to allow the action. For details, see Creating a Custom Policy.
- Cause: The IAM user has not been added to the user group with permissions assigned.
Solution: Add the user to the target user group as the administrator. For details, see Adding Users to a User Group.
- Cause: For a regional service, the user group is not assigned with permissions in specific regions.
Assign permissions to the user group in specific regions. If you have assigned the user only permissions for a default region-specific project, the user does not have permissions for the subprojects. In this case, assign permissions for the required subproject. For details, see Assigning Permissions to a User Group.
- Cause: The IAM user has not switched to the region where the user has been authorized to use cloud resources.
Remind the user to switch to the region where the user is authorized to use cloud resources. For details, see Switching Regions.
- Cause: If the administrator has granted OBS permissions to the user, the permissions will take effect 15 to 30 minutes after the authorization.
- Cause: The browser cache has not been cleared for a long time.
- Cause: The service (such as OBS) provides separate permissions control.
Grant the user permissions by referring to the service documentation. For example, see Introduction to OBS Permission Control.
- Cause: If you have granted permissions to a user in both IAM and Enterprise Management, the permissions for enterprise projects may not take effect. IAM authentication takes precedence over Enterprise Management authentication. If an IAM user has the ECS ReadOnlyAccess permission for all resources and enterprise project A, the user can view all ECS resources.
Modify the permissions of the user on the IAM console.
Related FAQ
Symptom: You have granted an IAM user only required permissions but the user has more permissions.
Possible causes:
- The required permissions you granted to the IAM user have dependency permissions, which are automatically assigned so that the required permissions can take effect for the user.
- You have granted other permissions to the IAM user in Enterprise Project Management. If you manage projects and users using IAM, cancel the permissions configured there. For details, see Deleting Enterprise Projects That Are Managed by a User.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.