Importing Users from an Agency

Scenario

You can add cloud service agencies as project members. You can use this function in the following scenarios:

Scenario 1: When your enterprise needs to manage and access resources in multiple accounts, you can create users using IAM Identity Center, and generate agencies.
Scenario 2: When using the following services, you need to collaborate with other services. In this case, you can create an agency and delegate operation permissions to the following services so that they can use other services on your behalf. You can configure agencies according to the services you need.

**Table 1** Scenario
Operation		Dependency Service Permissions	Agency Name	Role-based Authorization	Dependent Identity Policy
Triggering a webhook request		CodeArts Pipeline: Execute pipelines. CodeArts Build: Execute tasks. CodeArts Check: Execute tasks.	repo_admin_trust	None.	CodeArtsRepoAgencyWebhookPolicy

**Table 2** Scenario
Operation		Dependent Service Permissions	Agency Name	Role-based Authorization	Dependent Identity Policy
Executing a pipeline		CodeArts Build: View and execute tasks. CodeArts Check: Execute and view check tasks. CodeArts Deploy: Vire and deploy applications. CodeArts TestPlan: Execute and view cases. CodeArts Artifact: Package upload and download permissions for release repos and self-hosted repos. CodeArts Repo: Query repository details, create branches, create MRs, create branches, and push code. IAM: Query the agency list. Project permission management: Query the permission matrix.	pipeline_admin_trust	CODEARTSPIPELINEAgencyFullPolicy	CODEARTSPIPELINEAgencyFullPolicy

**Table 3** Scenario
Operation		Dependent Service Permissions	Agency Name	Role-based Authorization	Dependent Identity Policy
Executing a task		CodeArts Repo: Download code, and view the repository list, branches/tags, and commit history.	check_admin_trust	None	CodeArtsCheckAgencyFullPolicy
Configuring a custom image		SWR: View organizations and upload and download images.	check_admin_trust	None	CodeArtsCheckAgencyFullPolicy

**Table 4** Scenario
Operation		Dependency Service Permissions	Agency Name	Role-based Authorization	Dependent Identity Policy
Running a build task	Code download configuration	CodeArts Repo: Commit and download code, and view the repository list, branches/tags, and commit history.	build_admin_trust	CodeArtsBuildAgencyFullPolicy	CodeArtsBuildAgencyFullPolicy
Running a build task	Build an image and push it to SWR	SWR: View organizations and upload images.	build_admin_trust	SWR Admin	CodeArtsBuildAgencyFullPolicy

**Table 5** Scenario
Operation		Dependency Service Permissions	Agency Name	Role-based Authorization	Dependent Identity Policy
Deploying an Application	Select a deployment source	CodeArts Artifact: Download permissions in the release repos.	deploy_admin_trust	CodeArtsDeployAgencyAccess CodeArtsDeployOBSAgencyAccess SWR Admin CCE Administrator	CodeArtsDeployServiceAgencyPolicy
	Kubernetes Manifest	CodeArts Repo: Download code, and view the repository list, branches/tags, and commit history.
	ServiceStage	CodeArts Artifact: Download release repos. Object Storage Service (OBS): Object list and download permissions. SoftWare Repository for Container (SWR): Admin permissions. Cloud Container Engine (CCE): Admin permissions. Cloud Service Engine (CSE): List all engines. ServiceStage: View, create, update, and delete applications. View the application list.
	FunctionGraph	CodeArts Artifact: Download release repos. CodeArts Repo: Download code, and view the repository list, branches/tags, and commit history. Object Storage Service (OBS): View object lists and download objects. FunctionGraph: View, create, and update functions. View the function list.

Procedure

Step	Description
Step 1: Create an Agency	Create an agency for your scenario.
Step 2: Import Users from the Agency	Import users from the agency as project members. Ensure that you have the DevUC > project-role > userconfig permission. For details, see How Do I Check and Obtain Required Project Permissions?

Step 1: Create an Agency

Create an agency for your scenario.

Scenario 1: Create an agency by performing the following steps.
After completing the preceding operations, go to the IAM console. On the Agencies page, you will see an agency whose delegated party is Cloud Service - IAM Identity Center.
Scenario 2: CodeArts supports both automatic and manual agency creation.

When you log in to CodeArts as tenant administrator, the following dialog box indicating that you agree to the above authorization is displayed.

CodeArts automatically creates agencies pipeline_admin_trust, build_admin_trust, deploy_admin_trust, check_admin_trust, repo_admin_trust and codearts_devuc_admin_trust in IAM. Except codearts_devuc_admin_trust, other agencies will become project members and code repository members by default and the roles are CI/CD engineer.

Performing the following operations may cause errors during task execution:

Change the role of the agency member in the project.
Delete the agency automatically created by CodeArts.
Modify the permissions of the CI/CD engineer role.

Figure 1 Authorization dialog box
Click to enlarge

If you do not agree to the authorization in the dialog box, you can manually create an agency on the IAM console.

Create an agency with the same name as that in Scenario by referring to Delegating Another Service for Resource Management.
Authorize the agency by referring to the "Role-based Authorization" column of the corresponding service in Scenario.
Switch to the new console and authorize the agency by referring to the "Role-based Authorization" column of the corresponding service in Scenario.

Step 2: Import Users from the Agency

Go to the CodeArts homepage.
1. Log in to the CodeArts console, click , and select a region where you have enabled CodeArts.
2. Click Go to Workspace.
  If your account uses the old billing mode (see Old Billing Modes), click Access Service.
Click the target project name to go to the project.
In the navigation pane, choose Settings > Members.
Click the Member View tab, choose Add Members, and select From Agencies.
In the displayed dialog box, select users, specify a role for each user, and click Save.

The new members are displayed in the list.

Figure 2 Importing Users from an Agency

Helpful Links

For details about the system roles in CodeArts projects, see built-in project roles in CodeArts.
For details about how to edit and delete members, see Step 3: Manage Project Members.
For details about how to configure permissions for each role in CodeArts, see Modifying Project Role Permissions.

Parent Topic: Adding Project Members

Previous topic: Inviting Users from Another Account

Next topic: Inviting Users by Link