Creating an IAM User and Granting Organizations Permissions
This section describes how a management account creates an IAM user and grants organization administrator permissions to the user.
You can use Identity and Access Management (IAM) for fine-grained permissions control on Organizations. With IAM, you can:
- Grant users only the permissions required to perform a given task based on their job responsibilities. For example, you can use the management account to create two IAM users and assign one of them the permissions to create and delete OUs, and the other only the permission to view information about OUs.
- Use the management account to create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials to access Huawei Cloud and use Organizations, improving account security.
- Entrust another Huawei Cloud account or a cloud service to perform efficient O&M on your Organizations.
If your HUAWEI ID or Huawei Cloud account meets your permissions requirements, you can skip this section.
The following describes how to create an IAM user and grant permissions to the user. Figure 1 illustrates an example process.
Prerequisites
Before assigning permissions to user groups, learn about the permissions supported by Organizations, as described in Permissions.
For the permissions of other services, see System Permissions.
Process Flow
1. On the IAM console, create a user group and assign permissions (Organizations ReadOnlyAccess as an example).
   Create a user group on the IAM console and assign the Organizations ReadOnlyAccess permissions to the group.
2. Create an IAM user and add it to the user group.
   Create a user on the IAM console and add it to the user group created in 1.
3. Log in and verify permissions.
   Log in to the console as the IAM user. If you can access Organizations and view organization information but receive the error message "Insufficient permission. Contact the administrator" when you attempt to add an OU, the Organizations ReadOnlyAccess policy has been applied and you have only the permission to view organization information.