Updated on 2022-08-18 GMT+08:00

Before You Start

Intended Audience

The Identity and Access Management (IAM) service is intended for administrators, including:

  • Account administrator (with full permissions for all services, including IAM)
  • IAM users added to the admin group (with full permissions for all services, including IAM)
  • IAM users assigned the Security Administrator role (with permissions to access IAM)

If you want to view, audit, and track the records of key operations performed on IAM, enable Cloud Trace Service (CTS). For details, see Enabling CTS.

Account

An account has full permissions to access the resources under the account.

IAM User

The administrator can create users in IAM and assign permissions for specific resources. IAM users can log in to the cloud platform using their account name, username, and password, and then use resources based on assigned permissions. IAM users do not own resources.

Relationship Between an Account and Its IAM Users

An account and its IAM users share a parent-child relationship. The account owns the resources and has full permissions for these resources.

IAM users are created by the account administrator, and only have the permissions granted by the administrator. The administrator can modify or revoke the IAM users' permissions at any time.

Figure 1 Relationship between an account and its IAM users

User Group

You can use user groups to assign permissions to IAM users. By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.

Figure 2 User group

Permission

IAM provides common permissions of different services, such as administrator and read-only permissions, which you can assign to users. By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and attach permissions policies or roles to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

  • Roles: a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users. When using roles to grant permissions, you also need to assign dependency roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization that follows the principle of least privilege (PoLP). For example, you can grant Elastic Cloud Server (ECS) users only the permissions required for managing a certain type of ECS resource.
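The following added example (not part of the original documentation and not a real IAM API) models the inheritance described above: new users start with no permissions, permissions come only from group membership, and the admin group grants everything. It then audits each user against the actions they need. All group names, user names, and action strings are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample data: group, user and action names are illustrative only.
ADMIN_GROUP = "admin"
GROUPS = {
    "admin": {"*"},  # default group: every permission
    "ecs-operators": {"ecs:servers:list", "ecs:servers:start", "ecs:servers:stop"},
    "auditors": {"ecs:servers:list", "cts:traces:list"},
}
USERS = {
    "alice": ["admin"],
    "bob": ["ecs-operators", "auditors"],
    "carol": [],  # newly created user, not yet in any group
}
# Actions each user needs for their job (assumed input from a role review).
NEEDED = {
    "alice": {"iam:users:create"},
    "bob": {"ecs:servers:list", "ecs:servers:start"},
    "carol": {"ecs:servers:list"},
}

def effective_permissions(user):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in USERS.get(user, []):
        perms |= GROUPS.get(group, set())
    return perms

def is_allowed(user, action):
    """Default deny: allowed only if some inherited grant matches the action."""
    return any(fnmatchcase(action, grant) for grant in effective_permissions(user))

def audit(needed):
    """Return (user, finding, detail) tuples for least-privilege review."""
    findings = []
    for user in sorted(USERS):
        need = needed.get(user, set())
        if ADMIN_GROUP in USERS[user]:
            findings.append((user, "admin-group", ["*"]))
        excess = sorted(g for g in effective_permissions(user)
                        if g != "*" and not any(fnmatchcase(a, g) for a in need))
        if excess:
            findings.append((user, "excess", excess))
        missing = sorted(a for a in need if not is_allowed(user, a))
        if missing:
            findings.append((user, "missing", missing))
    return findings

if __name__ == "__main__":
    for finding in audit(NEEDED):
        print(finding)
```

An "excess" finding marks a grant to narrow or move to a smaller group, and an "admin-group" finding marks a user whose access should be reviewed against a fine-grained policy instead.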