Updated on 2025-09-28 GMT+08:00

Identity Authentication and Access Control

IAM Identity Authentication

Workspace enables fine-grained permission management via IAM, providing identity authentication, role assignment, and access control for secure resource access.

You can use your account to create IAM users, and assign permissions to the IAM users to control their access to specific resources. IAM permissions define which actions are allowed or denied on your cloud resources.

Project and Enterprise Project

You can group, manage, and isolate resources by project or enterprise project, which lets you control resource access and manage permissions by organizational unit, such as enterprise, department, or project team.

  • Project

    Projects in IAM are used to group and isolate resources. Resources in your account must be mounted under projects. A project can be a department or a project team. Multiple projects can be created in one account.

  • Enterprise Project

    Enterprise projects are used to categorize and manage multiple resources. Resources in different regions can belong to one enterprise project. An enterprise can classify resources by department or project group and put relevant resources into one enterprise project for easy management. Resources can be migrated between enterprise projects.

  • Differences Between Projects and Enterprise Projects
    • IAM Project

      IAM projects can group and physically isolate resources. Resources cannot be transferred between IAM projects. They can only be deleted and then provisioned again.

    • Enterprise Project

      Enterprise projects provide more advanced functions than IAM projects and can be used to group and manage resources of different IAM projects of an enterprise. An enterprise project can contain resources in more than one region, and resources can be transferred between enterprise projects. If you have enabled enterprise management, you cannot create IAM projects anymore and can only manage existing projects. In the future, enterprise projects will replace IAM projects.

    Both projects and enterprise projects can be managed by one or more user groups. Users who manage enterprise projects are in user groups. After a policy is granted to a user group, users in the group can obtain the permissions defined in the policy in the project or enterprise project.

    For details about how to create an enterprise project and assign permissions, see Enterprise Projects.

Access Control

  • VPC

    Virtual Private Cloud (VPC) allows you to provision logically isolated virtual networks for Workspace. You can define security groups, virtual private networks (VPNs), IP address segments, and bandwidth for a VPC. This facilitates internal network configuration and management and allows you to change your network in a secure and convenient manner. You can also define rules to control communications between cloud desktops in the same security group or across different security groups.

  • Security Group

    A security group is a collection of access control rules for Workspace resources that have the same security requirements and are mutually trusted. You can define different access control rules for a security group, and these rules are then applied to the Workspace resources added to this security group.