- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
- Access Key Management
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups to Which an IAM User Belongs
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (Recommended)
- Modifying IAM User Information (Recommended)
- Modifying User Information
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting a User Permissions for an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Querying MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Querying Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the Cloud Alliance Regions?
- Project Management
- Agency Management
- Account Management
- Others
- Videos
Step 1: Create User Groups and Assign Permissions
A company has three functional teams, including the management (admin group), development, and test teams. After the company administrator creates an account, the default group admin is automatically generated and has full permissions for all cloud services. The administrator only needs to create another two groups in IAM for the development and test teams, respectively.
Creating User Groups
- Use your HUAWEI ID to enable HUAWEI CLOUD services, and then log in to HUAWEI CLOUD.
Figure 1 Logging in to HUAWEI CLOUD
- Log in to the management console.
Figure 2 Logging in to the management console
- On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
Figure 3 Accessing the IAM console
- On the IAM console, choose User Groups and click Create User Group.
Figure 4 Creating a user group
- Enter Developers for Name, and click OK.
Figure 5 Setting the user group information
- Repeat steps 4 and 5 to create the Testers group.
Assigning Permissions to User Groups
Developers in the company need to use ECS, RDS, ELB, VPC, EVS, and OBS, so the administrator needs to assign the required permissions to the Developers group to enable access to these services. Testers in this company need to use APM, so the administrator needs to assign the required permissions to the Testers group to enable access to the service. After permissions are assigned, users in the two groups can access the corresponding services. For details about the permissions of all cloud services, see System-defined Permissions.
- Determine the permissions policies to be attached to each user group.
Determine the policies (see Table 1) by referring to System-defined Permissions. Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.
Table 1 Required permissions policies User Group
Cloud Service
Region
Policy or Role
Developers
ECS
Specific regions
ECS FullAccess
RDS
Specific regions
RDS FullAccess
ELB
Specific regions
ELB FullAccess
VPC
Specific regions
VPC FullAccess
EVS
Specific regions
EVS FullAccess
OBS
Global
OBS OperateAccess
Testers
APM
Specific regions
APM FullAccess
- In the user group list, click Authorize in the row containing the user group Developers.
Figure 6 Authorizing a user group
- Assign permissions to the user group for region-specific projects.
- All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
- Specify the scope as Region-specific projects, select EU-Dublin, and click OK.
The company is located in Dublin. Therefore, select EU-Dublin to reduce network latency and accelerate service access. Then users in the Developers group can access the specified project-level services in EU-Dublin but do not have permissions to access the services in other regions.
- Assign permissions to the user group for the global service project.
- Select OBS OperateAccess and click Next.
- Specify the scope as Global service project and click OK.
- Repeat steps 2 to 5 to attach the APM FullAccess policy to the Testers group in the EU-Dublin region.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.