Updated on 2024-04-01 GMT+08:00

How Do I Limit Specific Enterprise Projects to Different IAM Users?

Background

Your account A has two IAM users (User B and User C) and two enterprise projects (B and C).

You want to:

  • Allow user B to view and manage resources only in enterprise project B.
  • Allow user C to view and manage resources only in enterprise project C.

Procedure

  1. Create user groups.

    In the IAM console, create user groups B and C.

    For details about how to create a user group and assign permissions, see Creating a User Group and Assigning Permissions.
    Figure 1 Created user groups

  2. Add users to user groups.

    Add user B and user C to groups B and C, respectively.

    For details about how to create a user and add it to the user group, see Creating an IAM User.

    Figure 2 Adding a user to a user group

  3. Assign permissions to user groups.

    Assign policies, for example, ELB FullAccess, to groups B and C.

    a. In the Operation column of the row containing user group B, click Authorize.
    b. Select the ELB FullAccess policy and click Next.
    c. Select a scope and click OK.
      Select Enterprise projects for Scope, and select enterprise project B in the displayed enterprise project list.
      Figure 3 Selecting a scope
    d. Click Finish.
    e. Repeat steps 3.a to 3.d to assign the ELB FullAccess policy to user group C.

Verification

Log in to the management console as user B and create a load balancer. If only enterprise project B can be selected, the permissions have taken effect.
Figure 4 Selecting an enterprise project when creating a resource
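
The console check above covers one user at a time. The following added example (not part of the original guide and not an IAM API) audits the same setup offline by computing which enterprise projects each user can reach through all of their groups. The data layout, the scope labels, "user D" and "group ops" are constructed for illustration, and the code assumes permissions from multiple groups are additive.

```python
# Constructed sample data: a hand-written model of group membership and
# authorizations. This is NOT an export format or API of the IAM service.
MEMBERSHIP = {
    "user B": ["group B"],
    "user C": ["group C", "group B"],  # mistake: user C was also added to group B
    "user D": ["group ops"],           # hypothetical user, not in the guide
}
# Each grant: (user group, policy, scope label, enterprise project or None)
GRANTS = [
    ("group B", "ELB FullAccess", "enterprise_project", "B"),
    ("group C", "ELB FullAccess", "enterprise_project", "C"),
    ("group ops", "ELB FullAccess", "all_resources", None),  # hypothetical broad grant
]
# What each user is supposed to reach, per the Background section.
INTENDED = {"user B": {"B"}, "user C": {"C"}, "user D": {"B"}}
ALL = "*"  # marker for "not limited to any enterprise project"


def effective_projects(user, membership, grants):
    """Union of enterprise projects reachable through every group of the user."""
    reach = set()
    for group in membership.get(user, []):
        for granted_group, _policy, scope, project in grants:
            if granted_group != group:
                continue
            # Assumption: a grant not scoped to enterprise projects is unrestricted.
            reach.add(project if scope == "enterprise_project" else ALL)
    return reach


def audit(membership, grants, intended):
    """Return users whose effective reach differs from the intended projects."""
    findings = {}
    for user, wanted in intended.items():
        reach = effective_projects(user, membership, grants)
        extra = reach - wanted
        # With an unrestricted grant nothing is missing; the problem is excess.
        missing = set() if ALL in reach else wanted - reach
        if extra or missing:
            findings[user] = {"extra": sorted(extra), "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    for user, issue in audit(MEMBERSHIP, GRANTS, INTENDED).items():
        print(user, issue)
```

User B passes, while user C is flagged for reaching project B through a second group and user D for a grant that is not scoped to an enterprise project.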