Creating a User and Granting Permissions

This section describes how to use IAM to implement fine-grained permissions control for your Enterprise Router resources. With IAM, you can:

Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to Enterprise Router resources.
Grant only the minimum permissions required for users to perform a given task.
Entrust or a cloud service to perform professional and efficient O&M on your Enterprise Router resources.

If your account does not require individual IAM users, skip this topic.

Figure 1 shows the procedure for granting permissions.

Prerequisites

You have learned about Enterprise Router permissions that can be added to the user group. For details about the system permissions supported by enterprise routers, see Permissions.

For the permissions of other services, see System Permissions.

Process Flow

Figure 1 Process for granting Enterprise Router permissions

Create a user group and assign permissions.
Create a user group on the IAM console, and assign the ER ReadOnlyAccess permission to the group.
Create a user and add the user to the user group.
Create a user on the IAM console and add the user to the group created in 1.
Log in to the management console as the created user, switch to the authorized region, and verify that the user has only the ER ReadOnlyAccess permission.
1. Click Service List and choose Enterprise Router. Then click Create Enterprise Router in the upper right corner. If the enterprise router fails to be created, the ER ReadOnlyAccess permission has taken effect.
2. Choose any other service in the Service List. If a message appears indicating insufficient permissions to access the service, the ER ReadOnlyAccess permission has already taken effect.