
Creating a User Group and Assigning Permissions

Updated on 2024-12-25 GMT+08:00

As an administrator, you can create user groups and grant them permissions by attaching policies or roles. Users you add to a user group inherit the permissions of the policies or roles attached to that group. IAM users can assign permissions to themselves. IAM provides general permissions (such as administrator or read-only permissions) for each cloud service, which you can assign to user groups; users in those groups can then use the cloud services according to the assigned permissions. For details, see Assigning Permissions to an IAM User. For details about the system-defined permissions of all cloud services, see System-defined Permissions.

Prerequisites

Before creating a user group, learn about the following:

Creating a User Group

  1. Log in to the IAM console as the administrator.
  2. On the IAM console, choose User Groups from the navigation pane, and click Create User Group in the upper right corner.

    Figure 1 Creating a user group

  3. On the displayed page, enter a user group name.
  4. Click OK.

    NOTE:

    You can create a maximum of 20 user groups. To create more user groups, increase the quota by referring to How Do I Increase My Quota?

Assigning Permissions to a User Group

To assign permissions to a user group, do as follows. To revoke permissions of a user group, see Revoking Permissions of a User Group.

  1. In the user group list, click Authorize in the row that contains the created user group.

    Figure 2 Going to the user group authorization page

  2. On the Authorize User Group page, select the permissions to be assigned to the user group and click Next.

    If the system-defined policies do not meet your requirements, click Create Policy in the upper right to create custom policies. You can use them to supplement system-defined policies for refined permissions control. For details, see Creating a Custom Policy.
    Figure 3 Selecting permissions

  3. Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.

    Table 1 Authorization scopes

    | Scope | Description |
    |---|---|
    | All resources | IAM users will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account, based on the assigned permissions. |
    | Enterprise projects | IAM users can use the resources in the enterprise projects you select, based on the assigned permissions. This option is available only when Enterprise Project is enabled. For details about enterprise projects, see What Is Enterprise Project Management Service? To enable Enterprise Project, see Enabling the Enterprise Project Function. |
    | Region-specific projects | IAM users can use the resources in the region-specific projects you select, based on the assigned permissions. If you have selected global service permissions and specified the scope as Region-specific projects, the global service permissions will be applied to all resources by default; the selected permissions for project-level services will be applied to the region-specific projects you select. NOTE: Region-specific projects in Dedicated Cloud are not supported. |
    | Global services | IAM users can use global services based on the assigned permissions. Global services are deployed with no physical regions specified, so IAM users do not need to specify a region when accessing them, for example Object Storage Service (OBS) and Content Delivery Network (CDN). If you have selected project-level service permissions and specified the scope as Global services, the project-level service permissions will be applied to all resources by default; the selected permissions for global services will still be applied to the global services you select. |

  4. Click OK.
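The authorization model described in the steps above, as an added Python example that is not Huawei Cloud's own code or API. It models the four authorization scopes from Table 1 (including the defaults that apply when a scope and a permission's service type disagree), the rule that a user added to several groups inherits the union of those groups' permissions, and the default quota of 20 user groups. The group names, user names, project names and the `OBS ReadOnlyAccess` policy are constructed; `ECS FullAccess` is the policy name from Table 2.

```python
"""Added example (not Huawei Cloud code): a model of IAM group-based authorization.

Encodes the rules stated on this page: users inherit the union of their groups'
grants, at most 20 user groups exist by default, and each grant carries one of the
four authorization scopes of Table 1 together with that scope's defaults.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MAX_USER_GROUPS = 20  # default user-group quota stated on the page


class Scope(Enum):
    ALL_RESOURCES = "all"
    ENTERPRISE_PROJECTS = "enterprise_projects"
    REGION_PROJECTS = "region_projects"
    GLOBAL_SERVICES = "global_services"


@dataclass(frozen=True)
class Policy:
    name: str
    service: str
    global_service: bool  # True for OBS/CDN-style services, False for ECS/VPC-style


@dataclass(frozen=True)
class Grant:
    policy: Policy
    scope: Scope
    targets: frozenset = frozenset()  # selected region-specific or enterprise projects


@dataclass(frozen=True)
class Resource:
    service: str
    project: Optional[str] = None             # region-specific project; None for a global service
    enterprise_project: Optional[str] = None


class QuotaExceeded(Exception):
    """Raised when a user group would be created beyond the quota."""


class IamModel:
    def __init__(self):
        self.groups = {}       # group name -> list of Grant
        self.memberships = {}  # user name -> set of group names

    def create_group(self, name):
        if name in self.groups:
            raise ValueError("group %r already exists" % name)
        if len(self.groups) >= MAX_USER_GROUPS:
            raise QuotaExceeded("user-group quota reached; increase the quota first")
        self.groups[name] = []

    def authorize(self, group, policy, scope, targets=()):
        """Attach a policy to a group with a scope (step 3 of the procedure)."""
        if scope in (Scope.ENTERPRISE_PROJECTS, Scope.REGION_PROJECTS) and not targets:
            raise ValueError("%s requires at least one selected project" % scope.value)
        self.groups[group].append(Grant(policy, scope, frozenset(targets)))

    def add_user(self, user, group):
        if group not in self.groups:
            raise KeyError("unknown group %r" % group)
        self.memberships.setdefault(user, set()).add(group)

    def effective_grants(self, user):
        """A user in several groups inherits every grant of every group."""
        return [g for name in self.memberships.get(user, ()) for g in self.groups[name]]

    def is_allowed(self, user, resource):
        return any(self._grant_covers(g, resource)
                   for g in self.effective_grants(user)
                   if g.policy.service == resource.service)

    @staticmethod
    def _grant_covers(grant, res):
        if grant.scope is Scope.ALL_RESOURCES:
            return True
        if grant.scope is Scope.ENTERPRISE_PROJECTS:
            return res.enterprise_project in grant.targets
        if grant.scope is Scope.REGION_PROJECTS:
            # Table 1: global-service permissions under this scope apply to all resources.
            return grant.policy.global_service or res.project in grant.targets
        # Scope.GLOBAL_SERVICES. Table 1: project-level permissions under this scope
        # apply to all resources; global-service permissions apply to the global service.
        return (not grant.policy.global_service) or res.project is None


def build_demo():
    """Constructed tenant: one group scoped to a region project, one to global services."""
    iam = IamModel()
    ecs_full = Policy("ECS FullAccess", "ecs", global_service=False)     # name from Table 2
    obs_read = Policy("OBS ReadOnlyAccess", "obs", global_service=True)  # constructed name
    iam.create_group("ops-cn-north")  # constructed group, project and user names below
    iam.authorize("ops-cn-north", ecs_full, Scope.REGION_PROJECTS, ["cn-north-4"])
    iam.create_group("storage-readers")
    iam.authorize("storage-readers", obs_read, Scope.GLOBAL_SERVICES)
    iam.add_user("alice", "ops-cn-north")
    iam.add_user("alice", "storage-readers")
    return iam


if __name__ == "__main__":
    iam = build_demo()
    for res in (Resource("ecs", project="cn-north-4"),
                Resource("ecs", project="cn-south-1"),
                Resource("obs")):
        print(res, "->", "allowed" if iam.is_allowed("alice", res) else "denied")
```

Running the block shows that alice, through two groups, can manage ECS only in cn-north-4 but read OBS everywhere, which is the union behaviour the note below Table 2 describes; the `QuotaExceeded` path reproduces the 20-group limit from the NOTE in the creation procedure.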

Table 2 lists the common permissions. For the complete list of service-specific permissions, see System-defined Permissions.

NOTE:

If you add a user to multiple groups, the user will inherit all the permissions that have been assigned to these groups.

Table 2 Common permissions

| Category | Policy/Role Name | Description | Authorization Scope |
|---|---|---|---|
| General administration | FullAccess | Full permissions for services supporting policy-based access control. | All |
| Resource management | Tenant Administrator | Administrator permissions for all services except IAM. | All |
| Viewing resources | Tenant Guest | Read-only permissions for all resources. | All |
| IAM user management | Security Administrator | Administrator permissions for IAM. | Global services |
| Accounting management | BSS Administrator | Administrator permissions for Billing Center, including managing invoices, orders, contracts, and renewals, and viewing bills. NOTE: This role depends on the BSS Administrator role to take effect. | Region-specific projects |
| Computing O&M | ECS FullAccess | Administrator permissions for ECS. | Region-specific projects |
| Computing O&M | CCE FullAccess | Administrator permissions for Cloud Container Engine (CCE). | Region-specific projects |
| Computing O&M | CCI FullAccess | Administrator permissions for Cloud Container Instance (CCI). | Region-specific projects |
| Computing O&M | BMS FullAccess | Administrator permissions for Bare Metal Server (BMS). | Region-specific projects |
| Computing O&M | IMS FullAccess | Administrator permissions for Image Management Service (IMS). | Region-specific projects |
| Computing O&M | AutoScaling FullAccess | Administrator permissions for Auto Scaling (AS). | Region-specific projects |
| Network O&M | VPC FullAccess | Administrator permissions for Virtual Private Cloud (VPC). | Region-specific projects |
| Network O&M | ELB FullAccess | Administrator permissions for Elastic Load Balance (ELB). | Region-specific projects |
| Database O&M | RDS FullAccess | Administrator permissions for Relational Database Service (RDS). | Region-specific projects |
| Database O&M | DDS FullAccess | Administrator permissions for Document Database Service (DDS). | Region-specific projects |
| Database O&M | DDM FullAccess | Administrator permissions for Distributed Database Middleware (DDM). | Region-specific projects |
| Security O&M | Anti-DDoS Administrator | Administrator permissions for Anti-DDoS. | Region-specific projects |
| Security O&M | AAD Administrator | Administrator permissions for Advanced Anti-DDoS (AAD). | Region-specific projects |
| Security O&M | WAF Administrator | Administrator permissions for Web Application Firewall (WAF). | Region-specific projects |
| Security O&M | VSS Administrator | Administrator permissions for Vulnerability Scan Service (VSS). | Region-specific projects |
| Security O&M | CGS Administrator | Administrator permissions for Container Guard Service (CGS). | Region-specific projects |
| Security O&M | KMS Administrator | Administrator permissions for Key Management Service (KMS), which has been renamed Data Encryption Workshop (DEW). | Region-specific projects |
| Security O&M | DBSS System Administrator | Administrator permissions for Database Security Service (DBSS). | Region-specific projects |
| Security O&M | SES Administrator | Administrator permissions for Security Expert Service (SES). | Region-specific projects |
| Security O&M | SC Administrator | Administrator permissions for SSL Certificate Manager (SCM). | Region-specific projects |
