Updated on 2023-06-09 GMT+08:00

Creating a User and Granting Permissions

This section describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your SA resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to SA resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust an account or cloud service to perform professional and efficient O&M on your SA resources.

If your account does not require individual IAM users, skip this section.

The following walks you through how to grant permissions. Figure 1 shows the process.

Prerequisites

Learn about the permissions (see Permissions Management) supported by SA and choose policies or roles according to your requirements.

Table 1 lists all the system-defined roles and policies supported by SA.

Table 1 System-defined permissions supported by SA

| Policy Name | Description | Type | Dependency |
|---|---|---|---|
| SA FullAccess | All permissions for SA | System-defined policy | None |
| SA ReadOnlyAccess | Read-only permission for SA. Users with the read-only permission can only query SA information but cannot perform configuration in SA. | System-defined policy | None |

Currently, the SA FullAccess or SA ReadOnlyAccess permission can be used only when you have the Tenant Guest permission. The details are as follows:

  • Configure all SA permissions: SA FullAccess and Tenant Guest.

    To use SA Resource Manager and Baseline Inspection, configure the following permissions:

  • Configure SA read-only permissions: SA ReadOnlyAccess and Tenant Guest.
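
The pairing rule above can be checked before users log in. The following Python script is an added example, not part of the SA documentation or of any Huawei Cloud tooling: it flags groups whose SA policy lacks Tenant Guest and users whose SA access differs from what they need. The group names, users, intended levels, and the rule that a user gets the highest SA level of any group they belong to are assumptions made for illustration.

```python
# Added example. All sample data is constructed, not exported from a real account.
SA_POLICIES = {"SA FullAccess": "full", "SA ReadOnlyAccess": "read-only"}
PREREQUISITE = "Tenant Guest"  # required alongside either SA policy (see above)
RANK = {None: 0, "read-only": 1, "full": 2}

def group_sa_access(policies):
    """Return (usable SA level or None, findings) for one group's policy set."""
    granted = sorted(p for p in policies if p in SA_POLICIES)
    if not granted:
        return None, []
    if PREREQUISITE not in policies:
        return None, [f"{', '.join(granted)} assigned without {PREREQUISITE}: not usable"]
    findings = []
    if len(granted) > 1:
        findings.append("both SA policies assigned: SA ReadOnlyAccess is redundant")
    return max((SA_POLICIES[p] for p in granted), key=RANK.get), findings

def audit(groups, users, intended):
    """groups: name -> set of policy names; users: name -> list of group names;
    intended: name -> 'full', 'read-only' or None. Returns a list of findings."""
    report, levels = [], {}
    for name, policies in sorted(groups.items()):
        levels[name], findings = group_sa_access(policies)
        report += [f"group {name}: {f}" for f in findings]
    for user, memberships in sorted(users.items()):
        # Assumption: the user's effective level is the highest among their groups.
        effective = max((levels.get(g) for g in memberships), key=RANK.get, default=None)
        want = intended.get(user)
        if RANK[effective] > RANK[want]:
            report.append(f"user {user}: has {effective}, needs {want or 'none'} (over-privileged)")
        elif RANK[effective] < RANK[want]:
            report.append(f"user {user}: has {effective or 'none'}, needs {want} (under-privileged)")
    return report

# Constructed sample: one group is missing the Tenant Guest prerequisite.
GROUPS = {
    "soc-analysts": {"SA FullAccess", "Tenant Guest"},
    "auditors": {"SA ReadOnlyAccess", "Tenant Guest"},
    "helpdesk": {"SA ReadOnlyAccess"},
}
USERS = {"alice": ["soc-analysts"], "bob": ["auditors", "soc-analysts"], "carol": ["helpdesk"]}
INTENDED = {"alice": "full", "bob": "read-only", "carol": "read-only"}

if __name__ == "__main__":
    for line in audit(GROUPS, USERS, INTENDED):
        print(line)
```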

Authorization Process

Figure 1 Process for granting permissions

  1. Create a user group and assign permissions.

    Create a user group on the IAM console. Then, assign the SA FullAccess and Tenant Guest permissions to the group.

  2. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  3. Log in and verify the permissions.

    Log in to the SA console as the created user, and verify that the user only has read permissions for SA.

    Choose any other service from Service List. If a message appears indicating that you do not have permissions to access the service, the SA FullAccess policy has already taken effect.

  4. Configure an agency.

    To use SA Resource Manager and Baseline Inspection, configure the following permissions: