Updated on 2024-10-10 GMT+08:00

Creating a User Group and Assigning Permissions

Scenario

If you do not want to create an account for every person in your enterprise, you can use Identity and Access Management (IAM). Only the enterprise's administrator needs to create an account. The administrator can then use that account to create IAM users for other personnel and assign permissions based on their job responsibilities. For the definitions of an account and IAM user, see Basic Concepts.

The following shows how to use IAM to manage permissions.

Process Flow

| Procedure | Description |
| --- | --- |
| Preparations | Sign up for Huawei Cloud and complete real-name authentication. |
| Step 1: Create a User Group | Create a user group, which is the minimum authorization unit. |
| Step 2: Assign Permissions to the User Group | Assign permissions defined by roles or policies to the user group. Users added to this group can inherit the assigned permissions from it. |

Preparations

If you already have an account, skip this step. If you do not have an account, perform the following operations to create one:

  1. Visit https://www.huaweicloud.com/intl/en-us/ and click Sign Up.
  2. Sign up for a HUAWEI ID and enable Huawei Cloud services.

    After the HUAWEI ID is created, the system redirects you to your personal information page.

  3. IAM is a free service. There is no charge to use IAM.

Step 1: Create a User Group

  1. Use your HUAWEI ID to enable Huawei Cloud services, and then log in to Huawei Cloud.

    Figure 1 Logging in to Huawei Cloud

  2. Log in to the management console.

    Figure 2 Logging in to the management console

  3. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

    Figure 3 Accessing the IAM console

  4. On the IAM console, choose User Groups and click Create User Group.

    Figure 4 Creating a user group

  5. In the displayed dialog box, enter a user group name.

    Figure 5 Setting the user group details

  6. Click OK to create a developer user group.

    You will be redirected to the user group list and the created user group is displayed in the list.

Step 2: Assign Permissions to the User Group

Assume that developers in the enterprise need to use ECS, RDS, ELB, VPC, EVS, and OBS. The administrator performs the following operations to assign the developer group the permissions required to access these services. For details about the permissions of all cloud services, see System-defined Permissions.

  1. Determine the permissions required by the users in the user group.

    Table 1 lists the required permissions. You can determine which permissions are required by referring to System-defined Permissions. Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.

    Table 1 Required permissions

    | Cloud Service | Region | Policy or Role |
    | --- | --- | --- |
    | ECS | Specific regions | ECS FullAccess |
    | RDS | Specific regions | RDS FullAccess |
    | ELB | Specific regions | ELB FullAccess |
    | VPC | Specific regions | VPC FullAccess |
    | EVS | Specific regions | EVS FullAccess |
    | OBS | Global | OBS OperateAccess |

  2. In the user group list, click Authorize in the row containing the developer user group.

    Figure 6 Authorizing a user group

  3. Assign permissions to the user group for region-specific projects.

    1. All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
      Figure 7 Selecting required permissions
    2. Select Region-specific projects for Scope, select CN-Hong Kong, and click OK.

      Users in the developer group can then access resources only in CN-Hong Kong.

      Figure 8 Specifying the permission scope

  4. Assign permissions to the user group for the global services.

    1. Select OBS OperateAccess and click Next.
      Figure 9 Selecting OBS OperateAccess
    2. Select Global services for Scope and click OK.
      Figure 10 Specifying the permission scope
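
After both authorizations are saved, the group's grants can be checked against Table 1 to catch a policy that was assigned with the wrong scope. The following is an added example, not code from the original page or from Huawei Cloud; the grant record layout, the scope strings, the "all-resources" value and the EXAMPLE-EXTRA-POLICY name are assumptions made for illustration.

```python
# Added example: compare a user group's grants with the plan in Table 1.
# The record layout (policy, scope, project) is an assumption for this example,
# not a format produced by IAM.

REGION = "region-specific"   # stands for the "Region-specific projects" scope
GLOBAL = "global"            # stands for the "Global services" scope

# Intended state from Table 1, with CN-Hong Kong as the selected project.
PLAN = {
    "ECS FullAccess": (REGION, "CN-Hong Kong"),
    "RDS FullAccess": (REGION, "CN-Hong Kong"),
    "ELB FullAccess": (REGION, "CN-Hong Kong"),
    "VPC FullAccess": (REGION, "CN-Hong Kong"),
    "EVS FullAccess": (REGION, "CN-Hong Kong"),
    "OBS OperateAccess": (GLOBAL, None),
}

# Constructed sample of what the developer group was actually granted.
SAMPLE_GRANTS = [
    ("ECS FullAccess", REGION, "CN-Hong Kong"),
    ("RDS FullAccess", REGION, "CN-Hong Kong"),
    ("ELB FullAccess", REGION, "CN-Hong Kong"),
    ("VPC FullAccess", "all-resources", None),      # broader than planned
    ("EVS FullAccess", REGION, "CN-Hong Kong"),
    ("OBS OperateAccess", REGION, "CN-Hong Kong"),  # global service, project scope
    ("EXAMPLE-EXTRA-POLICY", GLOBAL, None),         # placeholder, not in Table 1
]

def audit_grants(grants, plan=PLAN):
    """Return sorted (kind, policy, (scope, project)) findings; [] means no drift."""
    actual = {}
    for policy, scope, project in grants:
        actual.setdefault(policy, set()).add((scope, project))
    findings = []
    for policy, wanted in plan.items():
        granted = actual.get(policy, set())
        if wanted not in granted:
            findings.append(("missing", policy, wanted))
        findings += [("wrong-scope", policy, g) for g in granted - {wanted}]
    for policy in actual.keys() - plan.keys():
        findings += [("unplanned", policy, g) for g in actual[policy]]
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))

if __name__ == "__main__":
    for kind, policy, (scope, project) in audit_grants(SAMPLE_GRANTS):
        print(f"{kind:12} {policy:22} scope={scope} project={project}")
```

An empty result means the group holds exactly the six grants in Table 1 with the planned scopes.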