Step 1: Create User Groups and Assign Permissions

Creating User Groups

1. Use your HUAWEI ID to enable Huawei Cloud services, and then log in to Huawei Cloud.
   Figure 1 Logging in to Huawei Cloud
   

2. Log in to the management console.
   Figure 2 Logging in to the management console
   

3. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
   Figure 3 Accessing the IAM console
   

4. On the IAM console, choose User Groups and click Create User Group.
   Figure 4 Creating a user group
   

5. Create a group for developers and click OK.
   Figure 5 Setting the user group details
   

6. Repeat steps 4 and 5 to create a group for testers.

Assigning Permissions to User Groups

Developers in the company need to use ECS, RDS, ELB, VPC, EVS, and OBS, so the administrator needs to assign the required permissions to the developer group to enable access to these services. Testers in this company need to use APM, so the administrator needs to assign the required permissions to the tester group to enable access to the service. After permissions are assigned, users in the two groups can access the corresponding services. For details about the permissions of all cloud services, see System-defined Permissions.

1. Determine the permissions policies to be attached to each user group.

   Determine the policies (see Table 1) by referring to System-defined Permissions. Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.

   Table 1 Required permissions policies

   User Group	Cloud Service	Region	Policy or Role
   Developer group	ECS	Specific regions	ECS FullAccess
   	RDS	Specific regions	RDS FullAccess
   	ELB	Specific regions	ELB FullAccess
   	VPC	Specific regions	VPC FullAccess
   	EVS	Specific regions	EVS FullAccess
   	OBS	Global	OBS OperateAccess
   Tester group	APM	Specific regions	APM FullAccess

2. In the user group list, click Authorize in the row containing the developer user group.
   Figure 6 Authorizing a user group
   

3. Assign permissions to the user group for region-specific projects.
   1. All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
   2. Select Region-specific projects for Scope, select CN-Hong Kong, and click OK.

      The company is located in Hong Kong. Therefore, select CN-Hong Kong to reduce network latency and accelerate service access. Then users in the developer group can access the specified project-level services in CN-Hong Kong but do not have permissions to access the services in other regions.

4. Assign permissions to the user group for the global services.
   1. Select OBS OperateAccess and click Next.
   2. Select Global services for Scope and click OK.

5. Repeat steps 2 to 4 to attach the APM FullAccess policy to the tester group in the CN-Hong Kong region.