Using IAM Identity Policies to Grant Access to Enterprise Router

System-defined permissions in identity policy-based authorization provided by IAM let you control access to Enterprise Router. With IAM, you can:

Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Enterprise Router resources.
Grant only the minimum permissions required for users to perform a given task.
Entrust an account or a cloud service to perform efficient O&M on your Enterprise Router resources.

If your account meets your permissions requirements, you can skip this topic.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

You have learned about system-defined permissions in Identity Policy-based Authorization for Enterprise Router.

To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting Enterprise Router permissions

On the IAM console, create an IAM user or create a user group.
Attach a system-defined identity policy to the user or user group.
Assign the permissions defined in the system-defined identity policy ERReadOnlyPolicy to the user or group, or attach the system-defined identity policy to it.
Log in as the IAM user and verify permissions.
In the authorized region on the console, perform the following operations:
- Choose Service List > Enterprise Router. On the Enterprise Router console, click Create Enterprise Router in the upper right corner. If an enterprise router cannot be created, the ERReadOnlyPolicy policy is taking effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the ERReadOnlyPolicy policy is in effect.

Example Custom Policies

Create custom policies to supplement system-defined policies of Enterprise Router.

You can create custom policies in either of the following ways:

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect.

The following are examples of custom identity policies.

Example 1: Grant the permission to create and delete enterprise routers.

{ 
    "Version": "5.0", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "er:instances:create", 
                "er:instances:delete" 
            ] 
        } 
    ] 
}

Example 2: Create a custom policy containing multiple actions.

A custom policy can contain the actions of one or multiple services. The following is an example policy containing actions of multiple services:

{ 
    "Version": "5.0", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "er:instances:create", 
                "er:instances:delete" 
            ] 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "dcaas:vgw:create", 
                "dcaas:vgw:delete" 
            ] 
        }
    ] 
}

Parent topic: Using IAM to Grant Access to Enterprise Router

Previous topic: Using IAM Roles or Policies to Grant Access to Enterprise Router

Next topic: Enterprise Routers