Differences Between IAM and Enterprise Management

Differences Between IAM and Enterprise Management

• Enabling method
  • Identity and Access Management (IAM) is an identity management service on and is free of charge.
  • Enterprise Management is a resource management service on . After registering with the system, .
• Resource isolation
  • Using IAM, you can create multiple projects in a region to isolate resources, and authorize users to access resources in specific projects. For details, see "Projects" in Identity and Access Management User Guide.
  • Using Enterprise Management, you can create enterprise projects to isolate resources across regions. Enterprise Management makes it easy for you to assign permissions for specific cloud resources. For example, you can add an Elastic Cloud Server (ECS) to an enterprise project, and assign permissions to a user to manage this ECS in the project. Then the user can manage only this ECS.

Relationship Between Enterprise Management and IAM

• The functions of creating users and user groups are the same for IAM and Enterprise Management.
• If you have enabled Enterprise Management, you need to use the policies managed in IAM to assign permissions to user groups created in Enterprise Management. If the system-defined policies cannot meet your requirements, you can create custom policies in IAM. The custom policies will be synchronized to Enterprise Management and can be associated with user groups in both IAM and Enterprise Management.
• If you grant a user group with permissions in both IAM and Enterprise Management, users in the group will inherit permissions from the policies attached to the group in both IAM and Enterprise Management. Requests of these users will then be authenticated based on the actions in the attached policies.
  • If the attached policies contain the same action, the action defined in IAM takes precedence. In the following example, the action creating ECSs is allowed in Enterprise Management but denied in IAM, then users are not allowed to create ECSs.

    A policy attached in an IAM project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Deny"
    }
    
    A policy attached in an enterprise project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Allow"
    }

  • All different actions in the policies attached in IAM and Enterprise Management will take effect. In the following example, users are allowed to create and delete ECSs.

    A policy attached in an IAM project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:create"
      ],
      "Effect": "Allow"
    }
    A policy attached in an enterprise project contains the following action:
    {
      "Action": [
        "ecs:cloudServers:delete"
      ],
      "Effect": "Allow"
    }

Authentication Process

When a user initiates an access request, the system authenticates the request based on the actions defined in the policies attached to the group that the user belongs to. The following figure shows the authentication process.

Figure 1 Request authentication process

1. A user initiates an access request.
2. The system searches for IAM project permissions and then searches for matched actions in the permissions.
3. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). Then the authentication is completed.
4. If no matched actions are found in IAM project permissions, the system continues to search for enterprise project permissions and matched actions.
5. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). The authentication is completed.
6. If no matched actions are found, the system returns a Deny. Then the authentication is completed.