Updated on 2023-03-07 GMT+08:00

Functions

IAM provides the following functions: refined permissions management, secure access, critical operation protection, user group–based permissions assignment, project-based resource isolation, federated identity authentication, resource management delegation, and account security settings.

Refined Permissions Management

You can grant IAM users permissions to manage different resources in your account. For example, Charlie is granted only the permissions required to manage Virtual Private Cloud (VPC) resources in project B.
Figure 1 Permissions management model

Secure Access

Instead of sharing your account password with others, you can create IAM users for employees or applications in your organization and generate identity credentials for them to securely access specific resources based on assigned permissions.

Critical Operation Protection

IAM provides login protection and critical operation protection, making your account and resources more secure. When you or users created using your account log in to the console or perform a critical operation, you and the users need to complete authentication by email, SMS, or virtual MFA device.

User Group–based Permissions Assignment

With IAM, you do not need to assign permissions to single users. Instead, you can manage users by group and assign permissions to the group. Each user then inherits permissions from the groups of which they are members. To change the permissions of a user, you can remove the user from the original groups or add the user to other groups.

Project-based Resource Isolation

You can create subprojects in a region to isolate resources.

Federated Identity Authentication

The federated identity authentication function allows enterprises with identity authentication systems to access the cloud platform through single sign-on (SSO), eliminating the need to create users on the cloud platform.

Resource Management Delegation

You can delegate more professional, efficient accounts or other cloud services to manage specified resources.

Account Security Settings

Login authentication and password policies and access control list (ACL) improve security of user information and system data.

Eventual Consistency

Results of your IAM operations, such as creating users and user groups and assigning permissions, may not take effect immediately because data is replicated across different servers in the cloud platform's data centers around the world. Ensure that the operation results have taken effect before you perform any other operations that depend on them.