Creating a User Group and Assigning Permissions
As an administrator, you can create user groups, and grant them permissions by attaching policies or roles. Users you add to the user groups inherit permissions of the policies or roles. IAM provides general permissions (such as administrator or read-only permissions) for each cloud service, which you can assign to user groups. Users in the groups can then use cloud services based on the assigned permissions. For details, see Assigning Permissions to an IAM User. For details about the system permissions of all cloud services, see "Permissions".
Prerequisites
Before creating a user group, learn about the following:
- Understand the basic concepts of permissions.
- Know "Permissions" provided by IAM.
Creating a User Group
- Log in to the IAM console as an administrator.
- On the IAM console, choose User Groups from the navigation pane, and click Create User Group in the upper right corner.
- On the displayed page, enter a user group name.
- Click OK.
You can create a maximum of 20 user groups. To create more user groups, increase the quota by referring to Quotas
Assigning Permissions to a User Group
To assign permissions to a user group, do as follows. To revoke permissions of a user group, see Revoking Permissions of a User Group.
- In the user group list, click Authorize in the row that contains the newly created user group.
- On the Authorize User Group page, select the permissions to be assigned to the user group and click Next.
If the system-defined policies do not meet your requirements, click Create Policy in the upper right to create custom policies. You can use them to supplement system-defined policies for refined permissions control. For details, see Creating a Custom Policy.
- Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.
Table 1 Authorization scopes Scope
Description
All resources
IAM users can use the resources in all region-specific projects and the global service project in your account as specified by the permissions.
Enterprise projects
IAM users can use the resources in the enterprise projects you select, as specified by the permissions. This option is available only when the enterprise project function has been enabled.
For details about enterprise projects, see Enterprise Management.
Region-specific projects
IAM users can use the resources in the region-specific projects you select, as specified by the permissions.
If some of the selected permissions belong to global services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for project-level services will apply to the region-specific projects you select.
Global services
IAM users can use global services as specified by the permissions. Global services are deployed with no physical regions specified. IAM users do not need to specify a region when accessing these services, such as Object Storage Service (OBS) and Content Delivery Network (CDN).
If some of the selected permissions belong to project-level services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for global services will apply to the global services.
- Click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot