Assigning Permissions to IAM Users

Scenario

UCS allows you to grant cluster permissions to IAM users and user groups under your account, so that departments or projects can be isolated by configuring permission policies and cluster groups.

Assume that you have two project teams, each involving multiple members. Figure 1 shows how their permissions are assigned.

• During the development, project team A needs the admin permission on fleets 1 and 2 and the read-only permission on fleet 3.
• During the development, project team B needs the admin permission on fleets 1 and 3 and the read-only permission on fleet 2.

Figure 1 Permission design

Solutions

To implement the preceding permission isolation, IAM system policies and UCS permission management must be used together. IAM system policies determine the user operations allowed on the UCS console, and UCS permission management determines the fleet and cluster resources that allow for user operations.

As shown in Figure 2, authorization consists of the following steps:

• Step 1: Authorization on the IAM console. The IAM administrator with the Tenant Administrator permission needs to create three user groups. One is the administrator user group, and the other two are user groups (1 and 2) corresponding to project teams A and B. The UCS FullAccess and UCS CommonOperations permissions are granted to the user groups, respectively.
• Step 2: Authorization on the UCS console. The UCS administrator with the UCS FullAccess permission creates the admin and read-only permission policies for user groups 1 and 2, and associates the permission policies with the fleet.

  The association method is as follows: The admin permission policy of user group 1 is associated with fleets 1 and 2, and the read-only permission policy is associated with fleet 3. The admin permission policy of user group 2 is associated with fleets 1 and 3, and the read-only permission policy is associated with fleet 2.

Figure 2 Authorization scheme

Prerequisites

• The account has subscribed to UCS and fleet and cluster resources have been available according to Figure 1.
• The permission data is prepared according to Figure 2.

  Table 1 Data preparation on the IAM console

  User Group	User	Permission
  Administrator user group: UCS_Group_admin	UCS_Group_admin_User1	UCS FullAccess
  User group 1: UCS_Group_1	UCS_Group_1_User1, UCS_Group_1_User2...	UCS CommonOperations
  User group 2: UCS_Group_2	UCS_Group_2_User1, UCS_Group_2_User2...	UCS CommonOperations

  Table 2 Data preparation on the UCS console

  User Group	User	Permission Type	Permission
  User group 1	UCS_Group_1_User1, UCS_Group_1_User2...	Admin	ucs-group-1-admin
  		Viewer	ucs-group-1-readonly
  User group 2	UCS_Group_2_User1, UCS_Group_2_User2...	Admin	ucs-group-2-admin
  		Viewer	ucs-group-2-readonly

Step 1: Authorize the IAM Administrator

1. Log in to the IAM console as the IAM administrator.
2. Choose User Groups from the navigation pane, and click Create User Group.
3. On the Create User Group page, enter the administrator user group name and description, and click OK.
   Figure 3 Creating a user group
   

4. In the user group list, click Authorize in the row that contains the target user group.
   Figure 4 Authorizing a user group
   

5. Search for and select the permission policy UCS FullAccess.
   Figure 5 Selecting policies
   

6. Click Next and select a scope.

   The default option All resources is selected, indicating that the IAM user will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.

7. Click OK.
8. On the IAM console homepage, choose Users from the navigation pane, and click Create User.

   Enter the username and initial password. For details about other parameters, see Creating an IAM User.

9. Click Next and select the user group authorized in the 4.
   Figure 6 Adding the user to a user group
   

10. Click Create.
11. Repeat the preceding steps to create and authorize other user groups and users in Table 1.

Step 2: Authorize the UCS Administrator

1. Log in to the UCS console as the UCS administrator. In the navigation pane, choose Permissions.
2. Click Create Permission Policy in the upper right corner.
3. Configure permission policy parameters as illustrated in Figure 7.
   Figure 7 Creating a permission policy
   
   • Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
   • User: Select the user associated with the permission policy, that is, the IAM user created in the previous step. In practice, a user group may contain multiple users. When creating a permission policy, you can select all users in the user group to grant permissions in batches.
   • Type: Select Admin. The admin permission indicates the read-write permissions on all cluster resource objects.

4. Click OK.
5. After the permission policy is created, go to the Fleets page and click in the upper right corner of the target fleet.
   Figure 8 Associating a permission policy with a fleet
   

6. On the displayed page, click Update Fleet Permissions. On the displayed page, associate the permission policy created in 3 with all namespaces of the fleet.
   Figure 9 Associating a permission policy with a fleet
   

7. Click OK. The IAM user can now log in to the UCS console to use the functions allowed by the permissions policies.
8. Repeat the preceding steps to create other permission policies in Table 2 and associate them with the fleet.