What Are the Differences Between IAM and Enterprise Management?

Differences Between IAM and Enterprise Management

• Enabling method
  • IAM is free of charge and you can use it immediately after you register with the cloud platform.
  • Enterprise Management is a resource management service on the cloud platform. After registering with the system, you can use Enterprise Management free of charge..
• Resource isolation
  • Using IAM, you can create multiple projects in a region to isolate resources, and authorize users to access resources in specific projects. For details, see "Projects" in the Identity and Access Management User Guide.
  • Using Enterprise Management, you can create enterprise projects to isolate resources across regions. Enterprise Management makes it easy for you to assign permissions for specific cloud resources. For example, you can add an Elastic Cloud Server (ECS) to an enterprise project, and assign permissions to a user for managing the ECS in the project. The user then can manage only this ECS.

Relationship Between Enterprise Management and IAM

• The functions of creating users and user groups are the same for IAM and Enterprise Management.
• If you have enabled Enterprise Management, you need to use the policies managed in IAM to assign permissions to user groups created in Enterprise Management. If the system-defined policies cannot meet your requirements, you can create custom policies in IAM. The custom policies will be synchronized to Enterprise Management and can be associated with user groups in both IAM and Enterprise Management.
• If you grant a user group with permissions in both IAM and Enterprise Management, users in the group will have permissions from the policies attached to the group in both IAM and Enterprise Management. Requests of these users will then be authenticated based on the actions in the associated policies.
  • If the attached policies contain the same action, the effect of the action in IAM takes priority. For example, when a user requests for creating a cloud server, the Deny effect defined in IAM is applied. Therefore, the user cannot create cloud servers.

    A policy attached in an IAM project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Deny"
    }
    
    A policy attached in an enterprise project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Allow"
    }

  • All different actions in the policies attached in IAM and Enterprise Management will take effect. The following are two actions that allow users to create and delete cloud servers.

    A policy attached in an IAM project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Allow"
    }
    A policy attached in an enterprise project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:delete"
      ],
      "Effect": "Allow"
    }

Authentication Process

When a user initiates an access request, the system authenticates the request based on the actions in the policies attached to the group to which the user belongs. The following figure shows the authentication process.

Figure 1 Request authentication process

1. A user initiates an access request.
2. The system searches for IAM project permissions and then searches for matched actions in the permissions.
3. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). Then the authentication is completed.
4. If no matched actions are found in IAM project permissions, the system continues to search for enterprise project permissions and matched actions.
5. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). Then the authentication is completed.
6. If no matched actions are found, the system returns a Deny. Then the authentication is completed.