Updated on 2025-05-16 GMT+08:00

Application Scenarios

Centralized Identity Management: Enabling Secure Access to Multiple Accounts Through One-Time Configuration

If an enterprise has multiple accounts and its workforce users need resources in several of them, each user must either log in to every account separately or be given a separate IAM user in each account, which is costly to maintain and inefficient. In this scenario, IAM Identity Center offers the following advantages:

  • Centralized user creation and management
    • The IAM Identity Center administrator creates users, assigns passwords, and manages users by group.
    • A single portal provides users with password-based SSO access to multiple accounts.
  • Support for SAML 2.0 identity providers (such as Azure AD and Okta)
    • IAM Identity Center can connect to external identity provider systems via SAML 2.0.
    • IAM Identity Center automatically provisions users from SCIM-compliant identity providers: the administrator manages users in the external identity provider, and user details are synchronized to IAM Identity Center without manual intervention.
    • IdP users log in to the portal with their existing accounts and passwords and are then taken to Huawei Cloud to access the resources of the Huawei Cloud account.
  • Multi-factor authentication (MFA)
    • The IAM Identity Center administrator can enforce multi-factor authentication (MFA) for users, so that a leaked password alone is not enough to sign in.
    • Supported MFA devices are authenticator apps that implement the Time-based One-Time Password (TOTP) algorithm and Fast Identity Online (FIDO2) security keys. FIDO2 keys are phishing-resistant because the credential is bound to the origin it was registered for; a TOTP code can still be captured by a phishing page and replayed within its validity window, so prefer FIDO2 where the user population can support it.

Fine-Grained Authorization: Assigning Different Permissions on Member Accounts to Different Identities Easily

A large enterprise generally has multiple accounts that carry different services and are used by different workforce identities. Each identity needs fine-grained permissions on the member accounts it accesses so that resources are used securely across the enterprise. In this scenario, IAM Identity Center offers the following advantages:

  • Centralized management of multi-account permissions
    • The IAM Identity Center administrator can create permission sets, each containing up to 20 IAM policies. With permission sets, permissions can be assigned to accounts in batches.
    • Each account can be associated with permission sets and with the IAM Identity Center users who are allowed to access resources under the account.
    • IAM Identity Center automatically synchronizes the permission information to IAM in each account, so administrators do not have to manage every account individually.
  • Attribute-based access control
    • The IAM Identity Center administrator can create permission sets from custom policies whose conditions reference attributes. More than 20 global attributes are supported, such as organizations, tags, request time, and the source addresses of users and resources, along with attributes specific to individual cloud services.
    • The IAM Identity Center administrator can also create permission sets based on tags defined in the identity provider. During federated login, IAM Identity Center automatically converts these tags into identity tag attributes in IAM, which are then evaluated to control access.
    • The IAM Identity Center administrator configures permissions for all users only once. When an attribute value changes, the value matched by the corresponding condition key changes with it, so permissions are granted, revoked, or modified automatically without anyone editing the policies.
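The following is an added example, not code from Huawei Cloud or from this page. It is a toy evaluator that shows the mechanism behind the two scenarios above: a permission set holds policies whose conditions reference principal tags, resource tags and the source address, and when a user's tag changes in the identity provider the access decision changes without the policy being edited. The policy layout, the condition key names (g:PrincipalTag/<key>, g:ResourceTag/<key>, g:SourceIp), the action names and the deny-overrides-allow rule are assumptions chosen to mirror the attributes the page lists; they are not taken from the page. Resource matching is omitted for brevity.

```python
"""Toy ABAC evaluator for permission-set policies (added example, not Huawei Cloud code)."""
import ipaddress
import re

MAX_POLICIES_PER_PERMISSION_SET = 20  # limit stated on the page

# Constructed policy (assumed IAM-style JSON). Members of a team may act on servers
# tagged for their own team, only from the corporate range; production servers are
# never deleted through this permission set.
TEAM_SCOPED_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:*"],        # hypothetical action name
            "Resource": ["*"],
            "Condition": {
                # ${...} is resolved against the caller's attributes at request time
                "StringEquals": {"g:ResourceTag/team": "${g:PrincipalTag/team}"},
                "IpAddress": {"g:SourceIp": "10.0.0.0/8"},
            },
        },
        {
            "Effect": "Deny",
            "Action": ["ecs:cloudServers:delete"],   # hypothetical action name
            "Resource": ["*"],
            "Condition": {"StringEquals": {"g:ResourceTag/env": "prod"}},
        },
    ],
}


def _string_equals(actual, expected):
    return actual == expected


def _ip_in_range(actual, expected):
    return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)


_OPERATORS = {"StringEquals": _string_equals, "IpAddress": _ip_in_range}


def _resolve(value, ctx):
    """Expand ${key} references such as ${g:PrincipalTag/team} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(condition, ctx):
    for operator, clauses in condition.items():
        test = _OPERATORS[operator]
        for key, expected in clauses.items():
            actual = ctx.get(key)
            if actual is None:   # attribute absent from the request: condition fails closed
                return False
            if not test(actual, _resolve(expected, ctx)):
                return False
    return True


def _action_matches(pattern, action):
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None


def evaluate(permission_set, action, ctx):
    """Default deny; a matching Deny statement wins over any Allow (assumed rule)."""
    if len(permission_set) > MAX_POLICIES_PER_PERMISSION_SET:
        raise ValueError("a permission set may hold at most 20 policies")
    decision = "Deny"
    for policy in permission_set:
        for statement in policy["Statement"]:
            if not any(_action_matches(p, action) for p in statement["Action"]):
                continue
            if not _condition_holds(statement.get("Condition", {}), ctx):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request_context(principal_tags, resource_tags, source_ip):
    """Attribute context as IAM would see it after federated login: IdP user tags become
    g:PrincipalTag/<key>, resource tags become g:ResourceTag/<key> (assumed key names)."""
    ctx = {"g:SourceIp": source_ip}
    ctx.update({f"g:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    ctx.update({f"g:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def demo():
    """Constructed scenario: the same policy, different attribute values."""
    perm_set = [TEAM_SCOPED_POLICY]
    prod = {"team": "payments", "env": "prod"}
    dev = {"team": "payments", "env": "dev"}
    office, home = "10.1.2.3", "203.0.113.9"
    alice, moved_alice = {"team": "payments"}, {"team": "platform"}
    return {
        "same_team": evaluate(perm_set, "ecs:cloudServers:list", request_context(alice, prod, office)),
        # HR changes Alice's team in the IdP; nobody touches the policy, access is revoked
        "moved_team": evaluate(perm_set, "ecs:cloudServers:list", request_context(moved_alice, prod, office)),
        "off_network": evaluate(perm_set, "ecs:cloudServers:list", request_context(alice, prod, home)),
        "delete_prod": evaluate(perm_set, "ecs:cloudServers:delete", request_context(alice, prod, office)),
        "delete_dev": evaluate(perm_set, "ecs:cloudServers:delete", request_context(alice, dev, office)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>12}: {decision}")
```

The point to take from the run is the "moved_team" case: the only thing that changed is the value synchronized from the identity provider, yet the decision flips from Allow to Deny. Note also that a missing attribute fails closed; a user whose IdP record has no team tag matches nothing, which is the safe default when the SCIM sync is incomplete.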