Updated on 2023-08-04 GMT+08:00

Basic Concepts

The following are basic concepts that you need to understand before you get started with the IAM service.


Account

An account is created after you successfully register with Huawei Cloud. Your account has full access permissions for your cloud resources and makes payments for the use of these resources. You can use the account to reset user passwords and assign permissions.

You cannot modify or delete your account in IAM, but you can do so in My Account.

IAM User

You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (passwords or access keys) and uses cloud resources based on assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.

If an IAM user forgets their password, the user can reset the password by referring to How Do I Reset My Password?

Figure 1 IAM user login

Relationship Between an Account and Its IAM Users

An account and its IAM users have a parent-child relationship. The account owns the resources and makes payments for the resources used by IAM users. It has full permissions for these resources. IAM users are created by an account, and they only have the permissions granted by the account. The account can modify or revoke the IAM users' permissions at any time.

Figure 2 Account and IAM users


Authorization

Authorization is the process of granting required permissions for a user to perform specific tasks.

User Group

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM users added to a user group automatically obtain the permissions assigned to the group. If a user is added to multiple user groups, the user inherits the permissions from all these groups.

There is a default user group admin. It has all the permissions required to use all of the cloud resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.

Figure 3 User group and users


Permission

You can grant permissions by using roles and policies.
  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage ECSs of a certain type. IAM supports both system-defined and custom policies.
    • A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and cannot be modified. If you need to assign permissions for a specific service to a user group or agency on the IAM console but cannot find corresponding policies, it indicates that the service does not support permissions management through IAM. You can submit a service ticket to request that permissions for the service be made available in IAM.
    • Custom policies function as a supplement to system-defined policies. You can create custom policies using the actions supported by cloud services for more refined access control. You can create custom policies in the visual editor or in JSON view.
Figure 4 Example permissions
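
The following added example (not part of the original page or of Huawei Cloud's own code) shows how group inheritance and fine-grained policies combine into a user's effective permissions, and how to review them for least privilege. The group names, users, action names, and the rule that an explicit Deny overrides Allow are assumptions made for the example.

```python
import fnmatch

# Constructed sample data: group -> attached policy documents.
# The Version/Statement/Effect/Action layout and action names are illustrative.
GROUP_POLICIES = {
    "admin": [{"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["*:*:*"]},
    ]}],
    "ecs-operators": [{"Version": "1.1", "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:servers:list", "ecs:servers:get", "ecs:servers:stop"]},
    ]}],
    "auditors": [{"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:get", "ecs:*:list"]},
        {"Effect": "Deny", "Action": ["ecs:servers:stop"]},
    ]}],
}
# Constructed memberships: a user inherits permissions from every group it is in.
MEMBERSHIPS = {
    "alice": ["ecs-operators"],
    "bob": ["ecs-operators", "auditors"],
    "carol": ["admin"],
}

def statements_for(user):
    """Yield (group, effect, action_pattern) for every statement the user inherits."""
    for group in MEMBERSHIPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                for pattern in stmt["Action"]:
                    yield group, stmt["Effect"], pattern

def is_allowed(user, action):
    """Allowed if some inherited statement allows it and none denies it (assumed rule)."""
    effects = {effect for _, effect, pattern in statements_for(user)
               if fnmatch.fnmatchcase(action, pattern)}
    return "Allow" in effects and "Deny" not in effects

def least_privilege_findings(user):
    """Return review findings: admin group membership and wildcard Allow grants."""
    findings = []
    if "admin" in MEMBERSHIPS.get(user, []):
        findings.append("member of default admin group")
    for group, effect, pattern in statements_for(user):
        if effect == "Allow" and "*" in pattern:
            findings.append(f"wildcard grant {pattern} via {group}")
    return findings

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, is_allowed(user, "ecs:servers:stop"), least_privilege_findings(user))
```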


Credentials

Credentials confirm the identity of a user when the user accesses Huawei Cloud through the console or APIs. Credentials can be either a password or access keys. You can manage your own credentials and your IAM users' credentials.
  • Password: A common credential for logging in to the management console or calling APIs.
  • Access key: An access key ID/secret access key (AK/SK) pair, which can only be used to call APIs. Each access key provides a signature for cryptographic authentication to ensure that access requests are secret, complete, and correct.

Virtual MFA Device

A virtual MFA device is an application that generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Huawei Cloud only supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones. For details about how to use virtual MFA devices, see Virtual MFA Device.
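
As an added illustration (not part of the original page, and not Huawei Cloud's implementation), the following shows how a 6-digit TOTP code is derived per RFC 6238 and how a verifier can tolerate clock drift while rejecting a replayed code. The function names, the one-window drift tolerance, and the replay counter are assumptions of the example; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA-1): code for the time window containing `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, at=None, drift_windows=1, last_used_counter=None, step=30):
    """Return the matching time counter, or None if the code is wrong or replayed.

    Accepts codes from +/- drift_windows time steps to absorb clock skew, and
    skips any counter at or below last_used_counter so a code works only once.
    """
    current = int((time.time() if at is None else at) // step)
    for counter in range(max(0, current - drift_windows), current + drift_windows + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp(secret_b32, at=counter * step, step=step)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return counter
    return None

# RFC 6238 test key: base32 encoding of the ASCII string "12345678901234567890".
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59))                    # code for the window containing t=59
    print(verify(RFC_SECRET, "287082", at=89))        # accepted one window late
    print(verify(RFC_SECRET, "287082", at=149))       # too old, rejected
```

The verifier should store the returned counter per user and pass it back as `last_used_counter` on the next attempt.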


Project

A region corresponds to a project. Default projects are defined to group and physically isolate resources (including computing, storage, and network resources) across regions. You can grant users permissions in a default project to access all resources in the region associated with the project. If you need more refined access control, you can create subprojects under a default project and purchase resources in subprojects. Then you can assign required permissions for users to access only resources in specific subprojects.

Figure 5 Projects

Enterprise Project

Enterprise projects allow you to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. An enterprise project can contain resources of multiple regions, and you can easily add resources to or remove resources from enterprise projects.

For details about how to obtain enterprise project IDs and features, see the Enterprise Management User Guide.


Agency

An agency is a trust relationship that you can establish between your account and another account or a cloud service to delegate resource access.

  • Account delegation: You can delegate another account to implement O&M on your resources based on assigned permissions.
  • Cloud service delegation: Huawei Cloud services interwork with each other, and some cloud services are dependent on other services. You can create an agency to delegate a cloud service to access other services.