Updated on 2024-05-28 GMT+08:00

Creating an IAM User and Granting Organizations Permissions

This section describes how a management account creates an IAM user and grants organization administrator permissions to the user.

You can use Identity and Access Management (IAM) for fine-grained permissions control on Organizations. With IAM, you can:

  • Grant users only the permissions required to perform a given task based on their job responsibilities. For example, you can use the management account to create two IAM users, then assign one of them the permissions to create and delete OUs and the other only the permission to view information about OUs.
  • Use the management account to create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials to access Huawei Cloud and use Organizations, improving account security.
  • Entrust another Huawei Cloud account or a cloud service to perform efficient O&M on your Organizations.

If your HUAWEI ID or Huawei Cloud account meets your permissions requirements, you can skip this section.

The following describes how to create an IAM user and grant permissions to the user. Figure 1 illustrates an example process.

Prerequisites

Before assigning permissions to user groups, learn about the permissions supported by Organizations, as described in Permissions.

For the permissions of other services, see System Permissions.

Process Flow

Figure 1 Process of granting Organizations permissions

  1. On the IAM console, create a user group and assign permissions (Organizations ReadOnlyAccess as an example).

    Create a user group on the IAM console to assign the Organizations ReadOnlyAccess permissions to the group.

  2. Create an IAM user and add it to the user group.

    Create a user on the IAM console and add it to the user group created in step 1.

  3. Log in and verify permissions.

    Log in to the console as the IAM user. If you can access Organizations and view organization information but encounter an error message when you attempt to add an OU, saying "Insufficient permission. Contact the administrator", the Organizations ReadOnlyAccess policy has been applied and you have only the permission to view organization information.