Updated on 2025-06-19 GMT+08:00

Using IAM to Authorize Specified Resources Across Different Regions

Company A is an enterprise user of Huawei Cloud, and it has multiple project teams that require different resources and personnel. This section presents the best practice for multi-project management to address company A's requirements.

Requirements

  • Requirement 1: Company A can purchase multiple types of resources in CN-Hong Kong and AP-Singapore for two project teams. Resources of the two project teams need to be isolated from each other. Access to specific cloud services needs to be authorized, for example, only authorized IAM users can access and use ECS.
  • Requirement 2: Each member of the project teams can access only the resources of the project team to which the member belongs, and only has the permissions required to complete tasks.
  • Requirement 3: Each project team makes payments only for the resources used by its members, and the project expenditures are clear.

Solution

  • Solution to requirement 1: Enterprise Management (EPS) and Identity and Access Management (IAM) provided by Huawei Cloud can isolate resources between projects. However, the implementation logic and functions of the two services are different.
    • Enterprise Management: You can create enterprise projects to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. Each enterprise project can contain resources of multiple regions, and resources can be added to or removed from enterprise projects. Specified resources of certain services, for example, a specific ECS, can be added to or removed from enterprise projects.
    • IAM: IAM projects group and physically isolate resources in a region, and each IAM project can only contain resources in the same region.
    In conclusion, Enterprise Management provides more flexible cross-region resource isolation between projects than IAM. Therefore, it is recommended that company A use Enterprise Management to manage project resources. The solutions to the following requirements are proposed using the Enterprise Management service. For details about the two services, see What Are the Differences Between IAM and Enterprise Management?
  • Solution to requirement 2: In IAM, company A creates IAM users for employees and adds the IAM users to different groups. In Enterprise Management, company A adds the user groups to the enterprise projects created to address Requirement 1 and assigns required resource access permissions (see Table 1) to each user group.
    Figure 1 Personnel management model of company A
    Table 1 User group permissions in company A

    | User Group                | Responsibility                 | Permissions                       | Description                                                                                                |
    |---------------------------|--------------------------------|-----------------------------------|------------------------------------------------------------------------------------------------------------|
    | Accounting team           | Project expenditure management | Enterprise Project BSS FullAccess | Permissions for accounting management of enterprise projects                                               |
    | Development team          | Project development            | ECS FullAccess                    | Full permissions for Elastic Cloud Server (ECS)                                                            |
    |                           |                                | OBS FullAccess                    | Full permissions for Object Storage Service (OBS)                                                          |
    |                           |                                | ELB FullAccess                    | Full permissions for Elastic Load Balance (ELB)                                                            |
    | Security maintenance team | Security O&M of the project    | ECS CommonOperations              | Permissions for basic ECS operations                                                                       |
    |                           |                                | CAD Administrator                 | Full permissions for Advanced Anti-DDoS (AAD)                                                              |
    | Operations team           | Overall operations of the project | EPS FullAccess                 | Full permissions for Enterprise Management, including modifying, enabling, disabling, and viewing enterprise projects |

    For details about permissions of all Huawei Cloud services, see System-defined Permissions.

  • Solution to requirement 3: Company A uses Enterprise Management to manage renewals, orders, accounting, unsubscriptions, changes, and quotas of each enterprise project. For details, see Enterprise Project Accounting Management.

Process Flow

The following figure illustrates the process of enterprise project management for addressing company A's requirements.

Figure 2 Enterprise project management process

Step 1: Enable Enterprise Management and create enterprise projects on the Enterprise Management console.

Step 2: On the IAM console, create a user group for each functional team, create IAM users for employees, and add the users to different user groups.

Step 3: On the IAM console, assign the required permissions to each user group and add the user group to the corresponding enterprise project. Users in the group automatically inherit its permissions.

Step 4: Purchase resources on other cloud service consoles and associate the resources with the corresponding enterprise projects.

Follow-Up Operation: Enterprise Project Management. Perform personnel, resource, and accounting management on the Enterprise Management console.

Enabling Enterprise Management and Creating Enterprise Projects

Perform the following operations to create two enterprise projects (A and B) on the Enterprise Management console. If you have enabled Enterprise Project, go to step 4.

  1. Log in to the Huawei Cloud console, hover over the account name in the upper right corner and choose Basic Information.
  2. On the Basic Information page, click Enable Enterprise Project Function.
  3. Read and agree to the Huawei Cloud Enterprise Management Agreement, and click Apply Now.
  4. On the Huawei Cloud management console, choose Enterprise > Project Management.

    Figure 3 Accessing the Enterprise Project Management Service page

  5. On the Enterprise Project Management Service page, click Create Enterprise Project.

    Figure 4 Creating an enterprise project

  6. Enter Enterprise_Project_A for Name and click OK.
  7. Repeat steps 5 to 6 to create Enterprise_Project_B.

    The two enterprise projects are displayed on the Enterprise Project Management Service page.

Creating IAM Users and User Groups

The following is an example procedure for creating a user group (Enterprise Project A_Accounting) and user (Murphy) and adding the user to the user group.

  1. Create a user group.

    1. Go to the Huawei Cloud management console, and choose Service List > Management & Governance > Identity and Access Management.
    2. On the IAM console, choose User Groups in the navigation pane. Then click Create User Group.

      Figure 5 Creating a user group

    3. Set the user group name to Enterprise Project A_Accounting and click OK.
    4. Repeat steps 2 to 3 to create the accounting, development, security maintenance, and operations teams for the two enterprise projects.

    The user groups are displayed in the user group list.

  2. Create an IAM user and add the user to a user group.

    1. In the navigation pane of the IAM console, choose Users. Then click Create User.
    2. Specify the user details, select access types (see Figure 6), and click Next.

      Figure 6 Creating an IAM user

    3. Add user Murphy to the user group Enterprise Project A_Accounting and click Create.

      Figure 7 Adding an IAM user to user groups

    4. Repeat steps 1 to 3 to create users for all employees and add the users to corresponding user groups.

    The users are displayed in the user list. You can view the IAM users of each user group on the Users tab.

Associating User Groups with Enterprise Projects

The following describes how to assign enterprise project permissions to a user group on the IAM console; granting a policy with the Enterprise projects scope is what associates the enterprise project with that user group.

  1. Log in to the IAM console as an administrator.
  2. In the user group list, locate the row containing the target user group and click Authorize in the Operation column.
  3. On the displayed page, search for Enterprise Project BSS FullAccess in the search box, select it, and click Next.

    You can create custom policies to supplement system-defined policies for fine-grained permissions management. For details, see Creating a Custom Policy.

    Figure 8 Selecting permissions

  4. Select the Enterprise projects authorization scope.

    Figure 9 Selecting an enterprise project

  5. In the enterprise project list, select Enterprise_Project_A.
  6. Click OK.
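The authorization model that results from Table 1 and the procedure above can be checked offline before anyone is granted access. The following script is an added example (not Huawei Cloud's code or console output): it encodes Table 1 as the policies each team is allowed to hold, models a constructed set of Authorize grants (group, policy, enterprise project selected in step 5) and user memberships, and reports anything that would break Requirement 2: a policy a team is not supposed to have, a group scoped to more than one enterprise project, a user who belongs to groups of two projects, or a grant that was not scoped to an enterprise project at all. The group naming convention, the field names and the user "Lee" are assumptions made for the example.

```python
"""Offline audit of an IAM group-to-enterprise-project authorization model.

Added example, not Huawei Cloud code. It only inspects data you construct or
export yourself; it does not call any API.
"""
from collections import defaultdict

# Table 1 from this page: the system-defined policies each team is meant to hold.
TABLE_1 = {
    "Accounting": {"Enterprise Project BSS FullAccess"},
    "Development": {"ECS FullAccess", "OBS FullAccess", "ELB FullAccess"},
    "Security maintenance": {"ECS CommonOperations", "CAD Administrator"},
    "Operations": {"EPS FullAccess"},
}

# Constructed snapshot of grants made with the Authorize procedure (steps 2 to 6).
# "scope" is the enterprise project selected in step 5; None stands for an
# account-wide grant, which the procedure never asks for.
ASSIGNMENTS = [
    {"group": "Enterprise Project A_Accounting", "policy": "Enterprise Project BSS FullAccess", "scope": "Enterprise_Project_A"},
    {"group": "Enterprise Project A_Development", "policy": "ECS FullAccess", "scope": "Enterprise_Project_A"},
    {"group": "Enterprise Project A_Development", "policy": "OBS FullAccess", "scope": "Enterprise_Project_A"},
    {"group": "Enterprise Project B_Development", "policy": "ECS FullAccess", "scope": "Enterprise_Project_B"},
    # Deliberate mistakes for the audit to catch (constructed):
    {"group": "Enterprise Project B_Development", "policy": "ECS FullAccess", "scope": "Enterprise_Project_A"},  # group spans two projects
    {"group": "Enterprise Project B_Accounting", "policy": "ECS FullAccess", "scope": "Enterprise_Project_B"},   # not a Table 1 policy for Accounting
    {"group": "Enterprise Project B_Operations", "policy": "EPS FullAccess", "scope": None},                    # account-wide, not project-scoped
]

# Constructed user-to-group membership. Murphy is the example user on this page;
# Lee is an assumed user placed in both projects' development groups on purpose.
MEMBERSHIPS = {
    "Murphy": {"Enterprise Project A_Accounting"},
    "Lee": {"Enterprise Project A_Development", "Enterprise Project B_Development"},
}


def team_of(group):
    """Derive the team from the assumed '<enterprise project>_<team>' group name."""
    return group.rsplit("_", 1)[1]


def audit(assignments, memberships, table=TABLE_1):
    """Return sorted (finding, subject, detail) tuples; an empty list means the model is consistent."""
    findings = []
    scopes = defaultdict(set)  # group -> enterprise projects it is authorized on
    for a in assignments:
        group, policy, scope = a["group"], a["policy"], a["scope"]
        if scope is None:
            findings.append(("account_wide_scope", group, policy))
        else:
            scopes[group].add(scope)
        if policy not in table.get(team_of(group), set()):
            findings.append(("policy_not_in_table_1", group, policy))
    # Requirement 2: a group must be confined to a single enterprise project ...
    for group, projects in scopes.items():
        if len(projects) > 1:
            findings.append(("group_spans_projects", group, ",".join(sorted(projects))))
    # ... and so must every user, via the union of the groups they belong to.
    for user, groups in memberships.items():
        projects = {p for g in groups for p in scopes.get(g, set())}
        if len(projects) > 1:
            findings.append(("user_spans_projects", user, ",".join(sorted(projects))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, MEMBERSHIPS):
        print(*finding, sep="\t")
```

Run it against a real export by replacing ASSIGNMENTS and MEMBERSHIPS with the groups, policies and enterprise project scopes shown on the IAM console; the four finding kinds map directly onto the mistakes an administrator can make in steps 3 to 5 (wrong policy, wrong or missing enterprise project, or a second project for a group that already has one).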

Purchasing Resources and Associating Them with Enterprise Projects

The following is an example procedure for purchasing an ECS and associating it with enterprise project A.

  1. Log in to the Huawei Cloud management console, click in the upper left corner, and choose Compute > Elastic Cloud Server.
  2. Click Buy ECS in the upper right corner.

    Figure 10 Buying an ECS

  3. Specify the ECS details and select Enterprise_Project_A from the Enterprise Project drop-down list.

    Figure 11 Selecting an enterprise project

  4. Click Next in the lower right corner to view the resource details and submit the order.
  5. Repeat steps 1 to 4 to purchase required resources for the two enterprise projects.

    To view the purchased resources, go to the Enterprise Management console and click View Resource in the row that contains enterprise project A or B.

Follow-Up Operation: Enterprise Project Management

After completing the preceding steps, you can manage your enterprise projects on the Enterprise > Project Management > Enterprise Project Management Service page.

  • Resource management: Click View Resource to view the existing resources of an enterprise project and add more resources to the enterprise project.
  • Personnel management: Choose More > Permissions to go to the IAM console to view the users and user groups associated with an enterprise project, and modify the users, user groups, and their permissions for the enterprise project. For details, see Personnel Management.
  • Accounting management: Click View Expenditures to view the orders and bills and manage renewals of an enterprise project. For details, see Enterprise Project Accounting Management.