Creating a User and Granting Permissions
This section describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your SA resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials to access SA resources.
- Grant only the permissions required for users to perform a task.
- Entrust an account or cloud service to perform professional and efficient O&M on your SA resources.
If your account does not require individual IAM users, skip over this section.
The following walks you through how to grant permissions. Figure 1 shows the process.
Prerequisites
Learn about the permissions supported by SA and choose policies or roles based on your requirements. For details, see SA permissions.
Table 1 lists all the system-defined roles and policies supported by SA.
| Policy Name | Description | Type | Dependency |
|---|---|---|---|
| SA FullAccess | All permissions for SA | System-defined policy | None |
| SA ReadOnlyAccess | Read-only permission for SA. Users with the read-only permission can only query SA information but cannot perform configuration in SA. | System-defined policy | None |
Currently, the SA FullAccess or SA ReadOnlyAccess permission can be used only when you have the Tenant Guest permission. The details are as follows:
- Configure all SA permissions: SA FullAccess and Tenant Guest.
  To use SA Resource Manager and Baseline Inspection, configure the following permissions:
  - Resource Manager: Configure SA FullAccess and Tenant Administrator. For details, see How Do I Assign Operation Permissions to an Account?
  - Baseline Inspection: Configure SA FullAccess, Tenant Administrator, and IAM permissions. For details, see How Do I Assign Operation Permissions to an Account?
- Configure SA read-only permissions: Configure SA ReadOnlyAccess and Tenant Guest.
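The dependency rules above can be checked offline against an export of group assignments. The following is an added example, not code from the SA or IAM documentation: the group names, user names and data layout are constructed, and "IAM permissions" is a placeholder label because this page does not name the specific IAM policy.

```python
# Dependency rules as stated on this page: capability -> policies that must all be held.
# "IAM permissions" is a placeholder label; the page does not name the specific IAM policy.
REQUIRED = {
    "SA full access": {"SA FullAccess", "Tenant Guest"},
    "SA read-only": {"SA ReadOnlyAccess", "Tenant Guest"},
    "Resource Manager": {"SA FullAccess", "Tenant Administrator"},
    "Baseline Inspection": {"SA FullAccess", "Tenant Administrator", "IAM permissions"},
}

# Constructed sample data (hypothetical group and user names).
GROUPS = {
    "sa-operators": {"SA FullAccess", "Tenant Guest"},
    "sa-auditors": {"SA ReadOnlyAccess"},  # Tenant Guest forgotten
    "sa-inventory": {"SA FullAccess", "Tenant Administrator"},
}
USERS = {
    "alice": ["sa-operators"],
    "bob": ["sa-auditors"],
    "carol": ["sa-operators", "sa-inventory"],
}


def effective_policies(user, users=USERS, groups=GROUPS):
    """Union of the policies granted by every group the user belongs to."""
    held = set()
    for group in users[user]:
        held |= groups[group]
    return held


def audit(user, users=USERS, groups=GROUPS):
    """Map each SA capability to the sorted list of policies the user still lacks."""
    held = effective_policies(user, users, groups)
    return {cap: sorted(need - held) for cap, need in REQUIRED.items()}


def ineffective_grants(user, users=USERS, groups=GROUPS):
    """SA policies the user holds that complete no capability (a dependency is missing)."""
    held = effective_policies(user, users, groups)
    usable = set()
    for need in REQUIRED.values():
        if need <= held:
            usable |= need
    return sorted(p for p in held if p.startswith("SA ") and p not in usable)


if __name__ == "__main__":
    for name in USERS:
        print(name, audit(name), ineffective_grants(name))
```

An empty list for a capability means every policy it depends on is present; a non-empty result from `ineffective_grants` points at an SA policy that was assigned without the permission it depends on.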
Authorization Process
1. Create a user group and assign permissions.
   Create a user group on the IAM console. Then, assign the SA FullAccess and Tenant Guest permissions to the group.
2. Create a user and add it to a user group.
   Create a user on the IAM console and add the user to the group created in 1.
3. Log in and verify the permissions.
   Log in to the SA console as the created user, and verify that the user only has read permissions for SA.
   Choose any other service from Service List. If a message appears indicating that you do not have permissions to access the service, the SA FullAccess policy has already taken effect.
4. Configure an agency.
   To use SA Resource Manager and Baseline Inspection, configure the following permissions:
   - Resource Manager: Configure SA FullAccess and Tenant Administrator. For details, see How Do I Assign Operation Permissions to an Account?
   - Baseline Inspection: Configure SA FullAccess, Tenant Administrator, and IAM permissions. For details, see How Do I Assign Operation Permissions to an Account?