Updated on 2022-08-18 GMT+08:00

Basic Concepts

The following are basic concepts that you need to understand before you get started with the IAM service.

Account

An account is created after you successfully register with the cloud platform. Your account has full access permissions for your cloud resources. You can use the account to reset user passwords and assign permissions.

IAM User

You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions.

If an IAM user forgets their password, the user can reset the password by referring to "What Can I Do If My Password Is Forgotten?" in IAM FAQs.

Relationship Between an Account and Its IAM Users

An account and its IAM users share a parent-child relationship. IAM users are created using an account, and only have the permissions granted by the account. The account administrator can modify or cancel the IAM users' permissions at any time.

Figure 1 Account and IAM users

Authorization

Authorization is the process of granting required permissions for a user to perform a task. After a system-defined or custom policy is assigned to a user group, users in the group inherit the permissions defined by the policy to manage resources.

Figure 2 Authorization process

User Group

You can use user groups to assign permissions to IAM users. IAM users added to a user group automatically obtain the permissions assigned to the group. If a user is added to multiple user groups, the user inherits the permissions assigned to all these groups.

The default user group admin has all the permissions required to use all of the cloud resources. Users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.

Figure 3 User group and users

Permission

You can grant permissions by using roles and policies.
  • Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECS resource. IAM supports both system-defined and custom policies.
    • A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and cannot be modified. If you need to assign permissions for a specific service to a user group or agency on the IAM console but cannot find corresponding policies, this indicates that the service does not support permissions management through IAM.
    • You can create custom policies using the actions supported by cloud services and use custom policies to supplement system-defined policies for more refined access control. You can create custom policies in the visual editor or in JSON view.

Figure 4 Example of permissions
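The two rules described above, that a user inherits the policies of every group they belong to (User Group section) and that custom policies written in JSON view supplement system-defined ones (Permission section), can be modelled in a few lines. The following is an added example, not the cloud platform's own evaluation engine: the JSON shape (Version, Statement, Effect, Action) follows the structure of a policy in JSON view, but the action names, the group and user names, and the rule that an explicit Deny overrides any Allow are assumptions made for illustration.

```python
"""Toy evaluator for group-based IAM authorization (added example, not platform code)."""
import fnmatch
import json

# Constructed sample policies. Action names are assumptions for illustration only.
SYSTEM_POLICY_ECS_READONLY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*"]}
  ]
}
""")

# A custom policy that supplements the read-only system policy: it allows all ECS
# server operations except deletion, which it explicitly denies.
CUSTOM_POLICY_ECS_OPERATE = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ecs:cloudServers:*"]},
    {"Effect": "Deny",  "Action": ["ecs:cloudServers:delete"]}
  ]
}
""")

# Group -> policies attached to the group (constructed).
GROUP_POLICIES = {
    "ecs-viewers": [SYSTEM_POLICY_ECS_READONLY],
    "ecs-operators": [CUSTOM_POLICY_ECS_OPERATE],
}

# IAM user -> groups the user has been added to (constructed).
USER_GROUPS = {
    "alice": ["ecs-viewers"],
    "bob": ["ecs-viewers", "ecs-operators"],
}


def action_matches(pattern, action):
    """Wildcard match on action names: 'ecs:*:get*' matches 'ecs:cloudServers:get'."""
    return fnmatch.fnmatchcase(action, pattern)


def effective_policies(user):
    """A user inherits the policies of every group they belong to (union of groups)."""
    policies = []
    for group in USER_GROUPS.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    return policies


def is_allowed(user, action):
    """Allow only if an inherited Allow statement matches the action and no inherited
    Deny statement matches it (deny-overrides is an assumption of this example)."""
    allowed = False
    for policy in effective_policies(user):
        for statement in policy["Statement"]:
            if any(action_matches(p, action) for p in statement["Action"]):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for user, action in [("alice", "ecs:cloudServers:list"),
                         ("alice", "ecs:cloudServers:start"),
                         ("bob", "ecs:cloudServers:start"),
                         ("bob", "ecs:cloudServers:delete")]:
        print(f"{user:6} {action:26} -> {'allow' if is_allowed(user, action) else 'deny'}")
```

Running the block shows alice (one group) limited to read actions, while bob (two groups) gains the operator actions on top of the read actions but is still refused deletion because the custom policy's Deny statement matches. A user who belongs to no group has no policies and is denied everything, which is the least-privilege default to expect from an IAM design.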

Credentials

Credentials confirm the identity of a user when the user accesses the cloud platform through the console or APIs. Credentials include a password and access keys. You can manage your credentials and the credentials of IAM users you have created.
  • Password: A common credential for logging in to the management console or calling APIs.
  • Access key: An access key ID/secret access key (AK/SK) pair, which can only be used to call APIs. Each access key is used to produce a cryptographic signature that authenticates API requests, ensuring that they are confidential, intact, and authentic.
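To make the AK/SK idea concrete, the following added example shows the general pattern behind signed API requests: the client keeps the secret access key private and uses it to compute an HMAC over the request, sends only the access key ID and the signature, and the server recomputes the signature from the SK it holds for that AK. This is an illustrative HMAC-SHA256 scheme written for this page, not the cloud platform's actual signing algorithm; the header names, the canonical string layout, the replay window and the credentials are all constructed assumptions.

```python
"""Illustrative AK/SK request signing and verification (added example, not platform code)."""
import hashlib
import hmac

# Constructed credentials for the demo; never embed real keys in source code.
ACCESS_KEY_ID = "AKIDEXAMPLE0001"
SECRET_ACCESS_KEY = b"constructed-secret-for-demo-only"

# Server-side key store: the platform knows the SK belonging to each AK (constructed).
KEY_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}


def canonical_string(method, path, timestamp, body):
    """Everything the signature must cover, joined into one unambiguous string.
    Hashing the body binds the signature to the exact request content."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, timestamp, body_hash])


def sign_request(access_key_id, secret_key, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical string; the SK itself never leaves the client."""
    message = canonical_string(method, path, timestamp, body).encode()
    signature = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
    return {"X-AK": access_key_id, "X-Timestamp": timestamp, "X-Signature": signature}


def verify_request(headers, method, path, body, now, max_skew=300):
    """Server side: look up the SK for the presented AK, recompute the signature and compare
    in constant time. Unknown AKs, stale timestamps (replay window, an assumption of this
    example) and any change to method, path, timestamp or body cause rejection."""
    secret = KEY_STORE.get(headers.get("X-AK"))
    if secret is None:
        return False
    try:
        timestamp = headers["X-Timestamp"]
        ts = int(timestamp)
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    message = canonical_string(method, path, timestamp, body).encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo():
    """Sign one request, then verify the genuine copy and a copy whose body was altered."""
    path = "/v1/servers/action"
    body = b'{"server_id": "srv-123", "action": "stop"}'
    headers = sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "POST", path, "1660800000", body)
    genuine = verify_request(headers, "POST", path, body, now=1660800010)
    altered = b'{"server_id": "srv-123", "action": "delete"}'
    tampered = verify_request(headers, "POST", path, altered, now=1660800010)
    return genuine, tampered


if __name__ == "__main__":
    print("genuine accepted: %s, tampered accepted: %s" % demo())
```

The signature gives the server origin authentication (only a holder of the SK could have produced it) and integrity (any modification of the signed fields invalidates it); confidentiality of the request on the wire comes from the transport (TLS), not from the signature. This is also why a leaked SK is as serious as a leaked password: it should be rotated immediately, and access keys of IAM users should be reviewed and revoked when no longer needed.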

Virtual MFA Device

A virtual MFA device is an application that generates 6-digit verification codes in compliance with the Time-based One-time Password (TOTP) algorithm standardized in RFC 6238. MFA devices can be hardware- or software-based. Currently, the cloud platform supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones.

Project

Each region corresponds to a default project. Default projects are defined to group and physically isolate resources (including computing, storage, and network resources) across regions. You can grant users permissions in a default project to access all resources in the region associated with the project. If you need more refined access control, you can create subprojects under a default project and create resources in subprojects. Then you can assign the required permissions for users to access only resources in specific subprojects.

Figure 5 Project

Enterprise Project

Enterprise projects allow you to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. An enterprise project can contain resources of multiple regions, and you can easily add resources to or remove resources from enterprise projects.

Agency

An agency is a trust relationship that you establish between your account and another account or a cloud service to delegate resource access.

  • Account delegation: You can delegate another account to perform O&M on your resources based on the permissions you assign.
  • Cloud service delegation: Cloud platform services interwork with one another, and some cloud services depend on other services. You can create an agency to delegate a cloud service to access other services.