Updated on 2024-12-09 GMT+08:00

Step 4: Create a Non-administrator IAM User

This topic walks you through how to create a non-administrator IAM user.

Tenant log collection authenticates with IAM, so you need to create an IAM user (a machine-machine account) that holds only the minimum permissions required to access the SecMaster APIs. MFA must be disabled for this IAM user. The log collector on the tenant side logs in as this user to access SecMaster.

Creating a Non-administrator IAM User

  1. Log in to the console as the IAM administrator.
  2. Click in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
  3. Create a user group.

    1. In the navigation pane on the left, choose User Groups. On the displayed page, click Create User Group in the upper right corner.
    2. On the Create User Group page, specify user group name and description.
      • Name: Set this parameter to Tenant collection.
      • Description: Enter a description.
    3. Click OK.

  4. Assign permissions to the user group.

    1. In the navigation pane on the left, choose Permissions > Policies/Roles. In the upper right corner of the displayed page, click Create Custom Policy.
    2. Configure a policy.
      • Policy Name: Set this parameter to Least permission policy for tenant collection.
      • Policy View: Select JSON.
      • Policy Content: Copy the following content and paste it in the text box.
        {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "secmaster:workspace:get",
                        "secmaster:node:create",
                        "secmaster:node:monitor",
                        "secmaster:node:taskQueueDetail",
                        "secmaster:node:updateTaskNodeStatus"
                    ]
                }
            ]
        }
    3. Click OK.

  5. Assign permissions to the created user group.

    1. In the navigation pane on the left, choose User Groups. On the displayed page, click Tenant collection created in 3.
    2. On the Permissions tab, click Authorize.
    3. On the Select Policy/Role page, search for and select the Least permission policy for tenant collection added in 4, and click Next.
    4. Set the minimum authorization scope. Select All resources for Scope. After the setting is complete, click OK.

  6. Create a user.

    1. In the navigation pane on the left on the IAM console, choose Users. Then, click Create User in the upper right corner.
    2. Set basic user information.
      Table 1 Basic user information
      • User Details: Custom configuration. Record the IAM Username you configure; the username is required later.
      • Access Type:
        • Programmatic access: Select this parameter.
        • Management console access: Deselect this parameter.
      • Credential Type:
        • Access key: Select this parameter.
        • Password: Select this parameter. After selecting Password, select Set by user and set a password. Record the IAM user password you set; this password is required later.

    3. Click Next.
    4. Search for and select the Tenant collection user group created in 3, and click Create in the lower right corner.

  7. Verify that no virtual MFA device is associated with the user.

    1. In the navigation pane on the left on the IAM console, choose Users. Then, click the user created in 6.
    2. Click the Security Settings tab and ensure that the status of Virtual MFA Device is Unbound.

  8. View the domain account information of the IAM user.

    1. Hover over the username in the upper right corner and select My Credentials from the drop-down list.
    2. On the API Credentials page, view and record the account name, which is the domain account for installing the isap-agent.
      Figure 1 Account Name
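Before pasting the policy content from step 4, it is worth confirming that the document really is the least-permission policy and has not picked up a wildcard or an action outside SecMaster. The following Python checker is an added example, not part of this guide or of SecMaster; it embeds the policy JSON from step 4 as constructed sample input and reports any deviation from the five actions the procedure grants (the checker's own rules, such as flagging `*` and non-`secmaster:` actions, are assumptions of this example, not SecMaster requirements).

```python
import json

# Policy document from step 4 of the procedure, embedded here as sample input so the check runs offline.
TENANT_COLLECTION_POLICY = """
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secmaster:workspace:get",
                "secmaster:node:create",
                "secmaster:node:monitor",
                "secmaster:node:taskQueueDetail",
                "secmaster:node:updateTaskNodeStatus"
            ]
        }
    ]
}
"""

# The exact action set the procedure grants; anything beyond it widens what the collector account can do.
EXPECTED_ACTIONS = frozenset({
    "secmaster:workspace:get",
    "secmaster:node:create",
    "secmaster:node:monitor",
    "secmaster:node:taskQueueDetail",
    "secmaster:node:updateTaskNodeStatus",
})


def check_policy(policy_text, expected_actions=EXPECTED_ACTIONS):
    """Return a list of findings; an empty list means the document matches the least-permission policy."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    if policy.get("Version") != "1.1":
        findings.append(f"Version is {policy.get('Version')!r}, expected '1.1'")

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings

    granted = set()
    for idx, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement {idx}: not an object")
            continue
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: Effect is {stmt.get('Effect')!r}; the procedure's policy uses only Allow")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            # A wildcard or a non-SecMaster action means the pasted text is not the step 4 policy.
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r} grants more than the procedure's policy")
            elif not action.startswith("secmaster:"):
                findings.append(f"statement {idx}: action {action!r} is outside the SecMaster service")
            granted.add(action)

    for action in sorted(granted - expected_actions):
        findings.append(f"extra action not in the procedure's policy: {action}")
    for action in sorted(expected_actions - granted):
        findings.append(f"missing action required by the collector: {action}")
    return findings


if __name__ == "__main__":
    problems = check_policy(TENANT_COLLECTION_POLICY)
    print("policy matches the least-permission policy" if not problems else "\n".join(problems))
```

Run the script as-is to confirm the embedded policy passes; to check a policy you are about to paste, replace the embedded text with your own copy. A missing action is reported as well as an extra one, because a policy that is too narrow will make the collector fail at step 5's authorization scope just as surely as a too-broad one undermines the point of a non-administrator user.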