Help Center/ Identity and Access Management/ FAQs/ User Groups and Permissions Management/ Why Permissions Granted to a User Do Not Take Effect?
Updated on 2024-11-18 GMT+08:00

Why Permissions Granted to a User Do Not Take Effect?

Symptom

Permissions that you grant to an IAM user do not take effect.

Troubleshooting

  1. Cause: Incorrect permissions were granted to the user group to which the user belongs.

    Solution: Ask the administrator to modify the permissions granted to the user group to which the IAM user belongs. For details, see Modifying User Group Permissions. For details about permissions, see System-defined Permissions.

  2. Cause: Actions are denied by the permissions granted to the user.

    View the system-defined permissions granted to the IAM user and check whether there is a policy statement that denies the action. For details, see Policy Grammar. If the system-defined permissions cannot meet your requirements, create a custom policy to allow the action. For details, see Creating a Custom Policy.

  3. Cause: The IAM user has not been added to the user group with permissions assigned.

    Solution: Add the user to the target user group as the administrator. For details, see Adding Users to a User Group.

  4. Cause: For a regional service, the user group is not assigned with permissions in specific regions.

    Assign permissions to the user group in specific regions. If you have assigned the user only permissions for a default region-specific project, the user does not have permissions for the subprojects. In this case, assign permissions for the required subproject. For details, see Assigning Permissions to a User Group.

  5. Cause: The IAM user has not switched to the region where the user has been authorized to use cloud resources.

    Remind the user to switch to the region where the user is authorized to use cloud resources. For details, see Switching Regions.

  6. Cause: If the administrator has granted OBS permissions to the user, the permissions will take effect 15 to 30 minutes after the authorization.

    Check the permissions after 15 to 30 minutes and try again.

  7. Cause: The browser cache has not been cleared for a long time.

    Clear the browser cache and try again.

  8. Cause: The service (such as OBS) provides separate permissions control.

    Grant the user permissions by referring to the service documentation. For example, see Introduction to OBS Permission Control.

  9. Cause: If you have granted permissions to a user in both IAM and Enterprise Management, the permissions for enterprise projects may not take effect. IAM authentication takes precedence over Enterprise Management authentication. If an IAM user has the ECS ReadOnlyAccess permission for all resources and enterprise project A, the user can view all ECS resources.

    Modify the permissions of the user on the IAM console.

Related FAQ

Symptom: You have granted an IAM user only required permissions but the user has more permissions.

Possible causes:

  1. The required permissions you granted to the IAM user have dependency permissions, which are automatically assigned so that the required permissions can take effect for the user.
  2. You have granted other permissions to the IAM user in Enterprise Project Management. If you manage projects and users using IAM, cancel the permissions configured there. For details, see Deleting Enterprise Projects That Are Managed by a User.