Application Scenarios
Centralized Identity Management: Enabling Secure Access to Multiple Accounts Through One-Time Configuration
If an enterprise has multiple Huawei Cloud accounts and their workforce users need to access resources under multiple accounts, they have to log in to those accounts individually or create IAM users under the accounts, causing high maintenance costs and low efficiency. In this scenario, IAM Identity Center has the following advantages:
- Centralized user creation and management
- The IAM Identity Center administrator creates users, assigns passwords, and manages users by group. A single portal provides users with password-based SSO access to multiple accounts.
- Seamless working with identity systems
- IAM Identity Center works with SAML 2.0-based Microsoft Azure Active Directory (AD) or Okta.
- IAM Identity Center automatically provisions users from SCIM-compliant identity providers. The IAM Identity Center administrator can manage users in Microsoft Azure AD or Okta. User information is automatically synchronized to IAM Identity Center.
- Users can use the existing passwords in Microsoft Azure AD or Okta to log in to the user portal and access resources under the associated accounts. The administrator does not need to re-assign passwords.
- Multi-factor authentication
- The IAM Identity Center administrator can forcibly enable multi-factor authentication (MFA) for users to reduce the risk of password leakage.
- MFA devices support apps that comply with the Time-Based One-Time Passwords (TOTP) protocol.
Fine-grained Authorization: Assigning Different Permissions on Member Accounts to Different Identities Easily
Generally, a large enterprise has multiple Huawei Cloud accounts, which carry different services and are used by different workforce identities. Different workforce identities need to be configured with fine-grained permissions for access to different member accounts to ensure secure resource access within the enterprise. In this scenario, IAM Identity Center has the following advantages:
- Centralized management of multi-account permissions
- The IAM Identity Center administrator can create permission sets, each of which contains a maximum of 20 IAM policies.
- Each account can be associated with permission sets and IAM Identity Center users who are allowed to access resources under the account.
- IAM Identity Center automatically synchronizes the account permission information to IAM without the complexity of managing individual accounts.
- Attribute-based access control
- The IAM Identity Center administrator can create permission sets based on identity attributes, request context attributes, and resource attributes supported by IAM. These include more than 20 global attributes, such as organizations, tags, request time, and source addresses of users and resources, and other cloud service-level attributes.
- The IAM Identity Center administrator can create permission sets based on service tags defined by identity providers. IAM Identity Center automatically converts the service tags to the identity tag attributes in IAM during federated login to control access permissions.
- The administrator configures permissions for all users only once. Permissions can be automatically changed or revoked when the administrator modifies identity tag attributes at later time.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot