Help Center> Identity and Access Management> User Guide> IAM Users> Assigning Permissions to an IAM User
Updated on 2023-11-23 GMT+08:00

Assigning Permissions to an IAM User

IAM users created without being added to any groups do not have any permissions. The administrator can assign permissions to these IAM users on the IAM console. IAM users can also assign permissions to themselves. After authorization, the users can use cloud resources in your account as specified by their permissions.

Constraints

A maximum of 500 permissions (including system-defined permissions and custom policies) can be assigned to each IAM user for enterprise projects.

Procedure

  1. Log in to the IAM console as the administrator.
  2. In the user list, click Authorize in the row that contains the target user.

    Figure 1 Authorizing an IAM user

  3. On the Authorize User page, select an authorization mode and permissions.

    • Inherit permissions from user groups: Add the IAM user to certain groups to inherit their permissions.

      If you select this option, select the user groups which the user will belong to.

      Figure 2 Enterprise project function not enabled
    • Select permissions: Directly assign specific permissions to the IAM user. You can assign permissions directly to IAM users only when Enterprise Project is enabled. To enable Enterprise Project, see Enabling the Enterprise Project Function.

      If you select this option, select permissions, click Next in the lower right, and then go to 4.

      Figure 3 Enterprise project function enabled
    • If you add an IAM user to the default group admin, the user becomes an administrator and can perform all operations on all cloud services.
    • If you add a user to multiple user groups, the user inherits the permissions that are assigned to these groups.
    • For details on the system-defined permissions of all cloud services supported by IAM, see System-defined Permissions.
    • If you have enabled enterprise management, you cannot create subprojects in IAM.

  4. On the Select Scope page, select enterprise projects that the IAM user can access. You do not need to perform this step if you have selected Inherit permissions from user groups.
  5. Click OK.

    You can go to the Permissions > Authorization page and view or modify the permissions of the IAM user.