Help Center/ Identity and Access Management/ User Guide (Ankara Region)/ Getting Started/ Step 1: Create User Groups and Assign Permissions
Updated on 2024-04-15 GMT+08:00

Step 1: Create User Groups and Assign Permissions

A company has three functional teams, including the management (admin group), development, and test teams. After the company administrator creates an account, the default group admin is automatically generated and has full permissions for all cloud services. The administrator only needs to create another two groups in IAM for the development and test teams, respectively.

Creating User Groups

  1. Log in to the management console and choose Identity and Access Management.
  2. On the IAM console, choose User Groups and click Create User Group.
  3. Create a group for developers and click OK.
  4. Repeat steps 2 and 3 to create a group for testers.

Assigning Permissions to User Groups

Developers in the company need to use ECS, RDS, ELB, VPC, EVS, and OBS, so the administrator needs to assign the required permissions to the developer group to enable access to these services. Testers in this company need to use APM, so the administrator needs to assign the required permissions to the tester group to enable access to the service. After permissions are assigned, users in the two groups can access the corresponding services. For details about the permissions of all cloud services, see "Permissions".

  1. Determine the permissions policies to be attached to each user group.

    Determine the policies (see Table 1). Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.

    Table 1 Required permissions policies

    User Group

    Cloud Service

    Region

    Policy or Role

    Developer group

    ECS

    Specific regions

    ECS Admin

    RDS

    Specific regions

    RDS Admin

    ELB

    Specific regions

    ELB Admin

    VPC

    Specific regions

    VPC Administrator

    EVS

    Specific regions

    EVS Admin

    OBS

    Global

    OBS Buckets Viewer

    Tester group

    Cloud Eye

    Specific regions

    CES Administrator

  2. In the user group list, click Authorize in the row containing the developer user group.
  3. Assign permissions to the user group for region-specific projects.

    1. All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
    2. Select Region-specific projects for Scope, select an authorized region, and click OK.

      Then users in the developer group can access the specified project-level services in authorized regions but do not have permissions to access the services in other regions.

  4. Assign permissions to the user group for the global services.

    1. Select OBS Buckets Viewer and click Next.
    2. Select Global services for Scope and click OK.

  5. Repeat steps 2 to 4 to attach the CES Administrator role to the tester group.