Updated on 2025-11-06 GMT+08:00

Differences Between the Old and New IAM Consoles

The new IAM console provides more refined and flexible permission control than the old console. Some functions have been removed to help you focus on IAM access control capabilities. The following sections detail the differences between the old and new IAM consoles.

Users

Table 1 Differences of IAM users on the old and new IAM consoles

| Function | Item | Old Console | New Console |
|---|---|---|---|
| User creation | Batch creation | Supported | Not supported |
| User creation | User details setting | Username, description, mobile number, email address, external identity ID, access type, credential type, and login protection | Username and description |
| User creation | Creation method | Creating a user on the IAM console | Creating a user on the IAM Identity Center console (recommended) or on the IAM console |
| User creation | Authorization | Inheriting permissions from user groups | Inheriting permissions from user groups or attaching identity policies to users |
| User management | Batch deletion | Supported | Supported |
| User management | Batch modification | Supported (status, access type, authentication mode, login password, mobile number, and email address) | Supported (status and login password) |
| User management | User details export | Supported (exporting information about all users) | Supported (exporting information about selected or all users) |
| User management | Modification of user details | User status and description | Username, status, and description |
| User management | Tagging | Not supported | Supported |
| User management | Access Mode | Changing the access mode to restrict user access. | Enabling or disabling "Manage Console Access" to restrict console access, and determining whether to allow API calls via programmatic access by creating AK/SK for users |
| Security settings | Login credentials | Login password reset, password deletion, and last password change time | Console access disabling (by deleting the password), password reset, password update time, password expiration time, and last login time |
| Security settings | Multi-factor authentication (MFA) | Virtual MFA devices or security keys | Virtual MFA devices or security keys |
| Security settings | Login protection | Supported | Not supported |

User Groups

The search capability is enhanced. You can filter user groups by user group name, description, and creation time.

Policy

The new IAM console supports more condition keys for fine-grained permission control.

Table 2 Differences of policies on the old and new consoles

| Item | Old Console | New Console |
|---|---|---|
| Navigation pane | Authorization and Policies/Roles | Identity policies |
| Authorization | Both IAM authorization and enterprise project authorization are supported. | Only IAM authorization is supported. You can use the condition key g:EnterpriseProjectId to control the authorization scope of enterprise projects. |
| Capability | Policies can be attached on the User Groups and Agencies pages only. After the enterprise project function is enabled, you can use policies to directly authorize users for specific enterprise projects. | You can attach identity policies to or detach identity policies from IAM identities (users, user groups, agencies, and trust agencies). |
| Authorization object | System-defined policies, system-defined roles, and custom policies can be attached only to user groups and agencies. After the enterprise project function is enabled, you can attach system-defined policies and custom policies to users for specific enterprise projects. | System-defined policies and custom identity policies can be attached to users, user groups, agencies, and trust agencies. |

The following policy denies all actions on Huawei Cloud services for requests whose source IP address is outside the listed ranges (192.0.2.0/24 and 10.27.128.0/24):

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Deny",
		"Action": [
			"*:*:*"
		],
		"Condition": {
			"NotIpAddress": {
				"g:SourceIp": [
					"192.0.2.0/24",
					"10.27.128.0/24"
				]
			}
		}
	}]
}

The following policy allows only IAM users whose names start with TestUser to query enterprise route instance details:

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["er:instances:get"],
            "Resource": ["*"],
            "Condition": {
                "StringMatch": {
                    "g:UserName": [
                        "TestUser*"
                    ]
                }
            }
        }
    ]
}
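The Deny/NotIpAddress pairing in the first policy is easy to misread, so the following added example (not Huawei Cloud code, and not the service's actual evaluation engine) runs the two policies above through a simplified evaluator to show which requests end up allowed. The evaluation model is an assumption: values in a condition list are ORed, conditions in one statement are ANDed, matching is case-sensitive, an explicit Deny overrides any Allow, and a request with no matching Allow is denied.

```python
import fnmatch
import ipaddress

# The two policies shown above, copied from the page.
DENY_OUTSIDE_RANGES = {"Version": "5.0", "Statement": [{
    "Effect": "Deny", "Action": ["*:*:*"],
    "Condition": {"NotIpAddress": {
        "g:SourceIp": ["192.0.2.0/24", "10.27.128.0/24"]}}}]}
ALLOW_TESTUSER_ER = {"Version": "5.0", "Statement": [{
    "Effect": "Allow", "Action": ["er:instances:get"], "Resource": ["*"],
    "Condition": {"StringMatch": {"g:UserName": ["TestUser*"]}}}]}


def _in_any(ip, cidrs):
    """True if the address falls inside at least one CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Simplified operator model (assumption, see lead-in).
OPERATORS = {
    # True only when the address is in NONE of the listed ranges.
    "NotIpAddress": lambda value, pats: not _in_any(value, pats),
    # Wildcard match against any listed pattern.
    "StringMatch": lambda value, pats: any(
        fnmatch.fnmatchcase(value, p) for p in pats),
}


def statement_applies(stmt, action, context):
    """A statement applies when the action and every condition match.

    The model requires every referenced key to be in the request context.
    """
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if not OPERATORS[op](context[key], values):
                return False
    return True


def evaluate(policies, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if statement_applies(s, action, context)}
    if "Deny" in effects:
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Under this model the IP policy grants nothing on its own: a request from inside the listed ranges only escapes the explicit deny and still needs a matching Allow statement.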

Project

The new IAM console does not support projects. You can use condition key g:ProjectId to control the authorization scope of projects (see the following policy). If you still want to use project-based authorization, go to the old IAM console.

The following example policy only allows VPCs to be created in the IAM project identified by 10a6c23c2a1044779794798beb067c94:

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["vpc:vpcs:create"],
            "Resource": ["*"],
            "Condition": {
                "StringEquals": {
                    "g:ProjectId": "10a6c23c2a1044779794798beb067c94"
                }
            }
        }
    ]
}

The following example policy only allows queries to ECS details in the IAM project 10a6c23c2a1044779794798beb067c94:

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:showServer"],
            "Resource": ["*"],
            "Condition": {
                "StringEquals": {
                    "g:ProjectId": "10a6c23c2a1044779794798beb067c94"
                }
            }
        }
    ]
}

Agency

Table 3 Differences of agencies on the old and new consoles

| Function | Item | Old Console | New Console |
|---|---|---|---|
| Agency list | Viewing the agency list | You can only view agencies created on the old console. | You can view agencies created on the old console and trust agencies created on the new console. |
| Agency creation | Creating an agency | You cannot set trust policies for agencies created. | You can set trust policies for trust agencies created. |
| Agency creation | Creating an account agency | You can specify the account name. | You can specify the account ID. |
| Agency creation | Expression of delegation duration | Validity period | Maximum session duration |
| Agency creation | Option | None | External ID and MFA |
| Agency creation | Edit mode | None | Trust policy |
| Agency creation | Authorization scope setting | Assigning permissions and setting the scope | None (Authorization can be performed separately after the agency is created.) |
| Agency details | Display of details | Agency type and account name | URN only |
| Agency details | Authorization records | Displayed | None |

Identity Providers

The new IAM console does not support identity providers. You can use Identity Source in IAM Identity Center. If you still want to use identity providers, go to the old IAM console.

Security Settings

The new IAM console does not provide the following settings:

  • Login password, mobile number, and email address
  • Critical operation protection
  • ACL, which is integrated into the login authentication policy setting. You are advised to use the "Condition" key in permission policies to restrict access by IP address range.

My Credentials

Login credentials and MFA device functions are available on the new console. You can manage the password of an identity that has logged in to the console. You can check the password expiration time and the last time when the password was changed. You can bind and unbind MFA devices, including virtual MFA devices and security keys. If you are using a HUAWEI ID, you need to go to the account and security page to bind a virtual MFA device to your HUAWEI ID. It is used for identity authentication during login and operation protection.