Updated on 2024-07-26 GMT+08:00

Basic Concepts

The following are basic concepts that you need to understand before you get started with the IAM service.

Account

An account is created after you successfully register with the cloud platform. Your account owns your resources and has full access permissions for your cloud services and resources. You can use your account to perform operations such as resetting the login password and assigning permissions to IAM users.

IAM User

You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password or access keys) and uses cloud resources based on the assigned permissions.

If an IAM user forgets their password, the user can reset the password by referring to "How Do I Reset My Password?" in the Identity and Access Management FAQs.

Relationship Between an Account and Its IAM Users

An account and its IAM users have a parent-child relationship. IAM users are created by an account, and they only have the permissions granted by the account. The account can modify or revoke the IAM users' permissions at any time.

Figure 1 Account and IAM users

Authorization

Authorization is the process of granting required permissions for a user to perform specific tasks. After a system-defined or custom policy is assigned to a user group, users in the group inherit the permissions defined by the policy to manage resources.

Figure 2 Authorization process

User Group

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM users added to a user group automatically obtain the permissions assigned to the group. If a user is added to multiple user groups, the user inherits the permissions from all these groups.

IAM provides a default user group named admin. It has all the permissions required to use all of the cloud resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.

Figure 3 User group and users

Permissions

You can grant permissions by using roles and policies.
  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage ECSs of a certain type. IAM supports both system-defined and custom policies.
    • A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and cannot be modified. If you need to assign permissions for a specific service to a user group or agency on the IAM console but cannot find corresponding policies, it indicates that the service does not support permissions management through IAM.
    • Custom policies function as a supplement to system-defined policies. You can create custom policies using the actions supported by cloud services for more refined access control. You can create custom policies in the visual editor or in JSON view.

Figure 4 Example permissions
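The following is an added example, not code from the page or from the IAM service, that models how group-based authorization described above resolves a request: a user inherits every policy of every group they belong to, actions may be matched with wildcards, and an explicit Deny is assumed to take precedence over any Allow (the usual rule; the page does not state it). Policy names, group names, users and action strings are constructed placeholders in the shape of the JSON view (Version, Statement, Effect, Action).

```python
import fnmatch

# Constructed policies in IAM JSON-view shape. Action strings are
# placeholders of the form service:resource:operation, not taken from the page.
POLICIES = {
    "ECSReadOnly": {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*"]}],
    },
    "ECSFullAccess": {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": ["ecs:*:*"]}],
    },
    "DenyDeleteServers": {
        "Version": "1.1",
        "Statement": [{"Effect": "Deny", "Action": ["ecs:cloudServers:delete"]}],
    },
}

# Constructed group -> policy and user -> group assignments.
GROUP_POLICIES = {
    "ops-readonly": ["ECSReadOnly"],
    "ops-admin": ["ECSFullAccess", "DenyDeleteServers"],
}
USER_GROUPS = {"alice": ["ops-readonly"], "bob": ["ops-readonly", "ops-admin"]}


def action_matches(pattern: str, action: str) -> bool:
    """Case-sensitive wildcard match, e.g. 'ecs:*:list*' vs 'ecs:cloudServers:list'."""
    return fnmatch.fnmatchcase(action, pattern)


def is_allowed(user: str, action: str) -> bool:
    """Evaluate one request for a user.

    The user inherits the policies of all groups they are in. A matching Deny
    statement ends evaluation as denied; otherwise access is granted only if
    some statement explicitly allows the action (default deny).
    """
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for policy_name in GROUP_POLICIES.get(group, []):
            for stmt in POLICIES[policy_name]["Statement"]:
                if any(action_matches(p, action) for p in stmt["Action"]):
                    if stmt["Effect"] == "Deny":
                        return False
                    allowed = True
    return allowed
```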

Credentials

Credentials confirm the identity of a user when the user accesses the cloud platform through the console or APIs. Credentials can be either a password or access keys. You can manage your own credentials and your IAM users' credentials.
  • Password: A common credential for logging in to the management console or calling APIs.
  • Access key: An access key ID/secret access key (AK/SK) pair, which can only be used to call APIs. The secret access key is used to sign each API request, so the platform can verify that the request is authentic and has not been tampered with.

Virtual MFA Device

A virtual MFA device is an application that generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. The cloud platform only supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones.

Project

A region corresponds to a project. Default projects are defined to group and physically isolate resources (including computing, storage, and network resources) across regions. You can grant users permissions in a default project to access all resources in the region associated with the project. If you need more refined access control, you can create subprojects under a default project and create resources in subprojects. Then you can assign required permissions for users to access only resources in specific subprojects.

Figure 5 Projects

Enterprise Project

Enterprise projects allow you to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. An enterprise project can contain resources of multiple regions, and you can easily add resources to or remove resources from enterprise projects.

Agency

An agency is a trust relationship that you can establish between your account and another account or a cloud service to delegate resource access.

  • Account delegation: You can delegate another account to perform O&M on your resources based on the assigned permissions.
  • Cloud service delegation: Cloud services interwork with each other, and some cloud services are dependent on other services. You can create an agency to delegate a cloud service to access other services.