Help Center> Identity and Access Management> FAQs> Project Management> What Are the Differences Between IAM and Enterprise Management?
Updated on 2023-08-23 GMT+08:00

What Are the Differences Between IAM and Enterprise Management?

Enterprise Management enables enterprises to manage cloud resources by project and organization level. It includes enterprise project, accounting, application, and personnel management. IAM is an identity management service that provides identity authentication, permissions management, and access control.

You can use both IAM and Enterprise Management to manage users and access permissions. Enterprise Management also allows accounting and application management, and supports more fine-grained authorization for resource usage. It is recommended for medium- and large-sized enterprises. For more information about Enterprise Management, see Enterprise Management User Guide.

Differences Between IAM and Enterprise Management

  • Enabling method
    • IAM is free of charge and you can use it immediately after you register with Huawei Cloud.
    • Enterprise Management is a resource management service on Huawei Cloud. After registering with the system, you need to apply for enabling Enterprise Management. For details, see Enabling Enterprise Center.
  • Resource isolation
    • Using IAM, you can create multiple projects in a region to isolate resources, and authorize users to access resources in specific projects. For details, see Projects.
    • Using Enterprise Management, you can create enterprise projects to isolate resources across regions. Enterprise Management makes it easy for you to assign permissions for specific cloud resources. For example, you can add an Elastic Cloud Server (ECS) to an enterprise project, and assign permissions to a user for managing the ECS in the project. The user then can manage only this ECS.
  • Supported services

Relationship Between Enterprise Management and IAM

  • The functions of creating users and user groups are the same for IAM and Enterprise Management.
  • If you have enabled Enterprise Management, you need to use the policies managed in IAM to assign permissions to user groups created in Enterprise Management. If the system-defined policies cannot meet your requirements, you can create custom policies in IAM. The custom policies will be synchronized to Enterprise Management and can be associated with user groups in both IAM and Enterprise Management.
  • If you grant a user group with permissions in both IAM and Enterprise Management, users in the group will have permissions from the policies attached to the group in both IAM and Enterprise Management. Requests of these users will then be authenticated based on the actions in the associated policies.
    • If the attached policies contain the same action, the effect of the action in IAM takes priority. For example, when a user requests for creating a cloud server, the Deny effect defined in IAM is applied. Therefore, the user cannot create cloud servers.
      A policy attached in an IAM project contains the following action:
      {
        "Action": [
          "ecs:cloudServers:create"
        ],
        "Effect": "Deny"
      }
      
      A policy attached in an enterprise project contains the following action:
      {
        "Action": [
          "ecs:cloudServers:create"
        ],
        "Effect": "Allow"
      }
    • All different actions in the policies attached in IAM and Enterprise Management will take effect. The following are two actions that allow users to create and delete cloud servers.
      A policy attached in an IAM project contains the following action:
      {
        "Action": [
          "ecs:cloudServers:create"
        ],
        "Effect": "Allow"
      }
      A policy attached in an enterprise project contains the following action:
      {
        "Action": [
          "ecs:cloudServers:delete"
        ],
        "Effect": "Allow"
      }

Authentication Process

When a user initiates an access request, the system authenticates the request based on the actions in the policies attached to the group to which the user belongs. The following figure shows the authentication process.

Figure 1 Request authentication process
  1. A user initiates an access request.
  2. The system searches for IAM project permissions and then searches for matched actions in the permissions.
  3. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). Then the authentication is completed.
  4. If no matched actions are found in IAM project permissions, the system continues to search for enterprise project permissions and matched actions.
  5. If a matched Allow or Deny action is found, the system returns an authentication result (Allow or Deny). Then the authentication is completed.
  6. If no matched actions are found, the system returns a Deny. Then the authentication is completed.

Project Management FAQs

more