Help Center/ Identity and Access Management/ Getting Started/ Step 1: Create User Groups and Assign Permissions
Updated on 2023-06-20 GMT+08:00

Step 1: Create User Groups and Assign Permissions

A company has three functional teams, including the management (admin group), development, and test teams. After the company administrator creates an account, the default group admin is automatically generated and has full permissions for all cloud services. The administrator only needs to create another two groups in IAM for the development and test teams, respectively.

Creating User Groups

  1. Use your HUAWEI ID to enable HUAWEI CLOUD services, and then log in to HUAWEI CLOUD.

    Figure 1 Logging in to HUAWEI CLOUD

  2. Log in to the management console.

    Figure 2 Logging in to the management console

  3. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

    Figure 3 Accessing the IAM console

  4. On the IAM console, choose User Groups and click Create User Group.

    Figure 4 Creating a user group

  5. Enter Developers for Name, and click OK.

    Figure 5 Setting the user group information

  6. Repeat steps 4 and 5 to create the Testers group.

Assigning Permissions to User Groups

Developers in the company need to use ECS, RDS, ELB, VPC, EVS, and OBS, so the administrator needs to assign the required permissions to the Developers group to enable access to these services. Testers in this company need to use APM, so the administrator needs to assign the required permissions to the Testers group to enable access to the service. After permissions are assigned, users in the two groups can access the corresponding services. For details about the permissions of all cloud services, see System-defined Permissions.

  1. Determine the permissions policies to be attached to each user group.

    Determine the policies (see Table 1) by referring to System-defined Permissions. Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.

    Table 1 Required permissions policies

    User Group

    Cloud Service


    Policy or Role



    Specific regions

    ECS FullAccess


    Specific regions

    RDS FullAccess


    Specific regions

    ELB FullAccess


    Specific regions

    VPC FullAccess


    Specific regions

    EVS FullAccess



    OBS OperateAccess



    Specific regions

    APM FullAccess

  2. In the user group list, click Authorize in the row containing the user group Developers.

    Figure 6 Authorizing a user group

  3. Assign permissions to the user group for region-specific projects.

    1. All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
    2. Specify the scope as Region-specific projects, select EU-Dublin, and click OK.

      The company is located in Dublin. Therefore, select EU-Dublin to reduce network latency and accelerate service access. Then users in the Developers group can access the specified project-level services in EU-Dublin but do not have permissions to access the services in other regions.

  4. Assign permissions to the user group for the global service project.

    1. Select OBS OperateAccess and click Next.
    2. Specify the scope as Global service project and click OK.

  5. Repeat steps 2 to 5 to attach the APM FullAccess policy to the Testers group in the EU-Dublin region.