Updated on 2023-02-25 GMT+08:00

Basic Concepts


By default, IAM users do not have permissions. To assign permissions to IAM users, add them to one or more groups, and attach policies or roles to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

Permission Type

You can grant users permissions by using roles and policies.
  • Roles: a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles for permissions management. When using roles to grant permissions, you also need to assign dependency roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECS resources.

    IAM supports both system-defined policies and custom policies.

System-Defined Policy

A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and they cannot be modified. For details about the system-defined policies of all cloud services, see System Permissions.

If there are no system-defined policies for a specific service, it indicates that IAM does not support this service. You can submit a service ticket and apply for permissions management on IAM.

Custom Policy

You can create custom policies using the actions supported by cloud services to supplement system-defined policies for more refined access control. You can create custom policies in the visual editor or in JSON view.