Assigning Permissions to a User (by a Delegated Party)

When a trust relationship is established between another account and your account, you become a delegated party and can authorize a user to manage resources on behalf of the delegating party. If another account has created multiple agencies for you, you can use custom policies to authorize one or more users to manage the resources specified in all of those agencies or only in specific ones. Each user can switch only to the agencies for which that user has been granted permissions.

Prerequisites

Procedure

  1. Create a custom policy.

    This step creates a policy that contains only the permission required to manage resources for a specific agency. If you want to authorize a user to manage resources for all agencies, skip this step and go to 2 (the Agent Operator role is assigned there instead).

    1. In the navigation pane, choose Policies.
    2. On the Policies page, click Create Custom Policy.
    3. Enter a policy name.
    4. Select Global services for Scope.
    5. Select JSON.
    6. In the Policy Content area, enter the following content:
      {
        "Version": "1.1",
        "Statement": [
          {
            "Action": [
              "iam:agencies:assume"
            ],
            "Resource": {
              "uri": [
                "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
              ]
            },
            "Effect": "Allow"
          }
        ]
      }
      • Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
      • For more information about fine-grained policies, see Fine-Grained Policy Management.
    7. Click OK.

  2. Create a user group and grant permissions to it.

    1. In the navigation pane, choose User Groups.
    2. On the User Groups page, click Create User Group.
    3. Enter a user group name.
    4. Click OK.

      The user group is displayed in the user group list.

    5. Click Manage Permissions in the Operation column of the row that contains the created user group.
    6. On the Permissions tab page, click Assign Permissions above the permission list.
    7. Specify the authorization scope. If you select Region-specific projects, select one or more projects in the drop-down list.
      • Global service project: Services deployed without specifying physical regions are called global services, such as OBS, CDN, and TMS. Permissions for these services must be assigned in the global service project.
      • Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. If you want the permissions to take effect for all regions, grant them in all these regions.
    8. Select the policy created in 1 or the Agent Operator role, and click OK. Authorization is complete.

  3. Create a user and add the user to the user group.

    1. In the navigation pane, choose Users.
    2. On the Users page, click Create User.
    3. Specify the user information, select an access type, and click Next.
    4. In the Available User Groups area, select the user group created in 2.
    5. Click Create.
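The custom policy in step 1 is the only place in this procedure where a typo widens access: leaving the `xxx...` placeholder in place, or replacing the agency URI with a wildcard, changes which agencies the user can assume. The following is an added example (not part of this documentation or of the IAM console) that builds the step 1 policy for one or more agency IDs and checks an existing policy document before it is pasted into the console. The policy version, action name and URI prefix are taken from the page; the assumption that an agency ID is 32 lowercase hexadecimal characters is mine and may need adjusting.

```python
import json
import re

# From the page: policy version, the single action the policy may grant,
# and the resource URI prefix for agencies.
POLICY_VERSION = "1.1"
ASSUME_ACTION = "iam:agencies:assume"
AGENCY_URI_PREFIX = "/iam/agencies/"

# Assumption (not stated on the page): an agency ID is 32 lowercase hex characters.
# The page's "b36b1258b5dc41a4aa8255508xxx..." placeholder deliberately fails this check.
AGENCY_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed copy of the page's policy text, with the placeholder left unreplaced.
PAGE_POLICY_WITH_PLACEHOLDER = """
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": ["iam:agencies:assume"],
      "Resource": {"uri": ["/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."]},
      "Effect": "Allow"
    }
  ]
}
"""


def build_assume_policy(agency_ids):
    """Return the step 1 policy, allowing iam:agencies:assume for exactly the given agencies.

    The page's intro notes that a user may be authorized for several specific agencies;
    this lists one URI per agency in a single statement.
    """
    if not agency_ids:
        raise ValueError("at least one agency ID is required")
    uris = []
    for agency_id in agency_ids:
        if not AGENCY_ID_RE.fullmatch(agency_id):
            raise ValueError(f"not a valid agency ID (placeholder left in?): {agency_id!r}")
        uris.append(AGENCY_URI_PREFIX + agency_id)
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Action": [ASSUME_ACTION], "Resource": {"uri": uris}, "Effect": "Allow"}
        ],
    }


def check_assume_policy(policy):
    """Return a list of findings; an empty list means the policy matches the step 1 shape.

    Catches the three changes the page tells you not to make: a different version,
    extra actions, and a resource that is not a concrete agency URI (placeholder or wildcard).
    """
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"Version must be {POLICY_VERSION}")
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        findings.append("expected exactly one statement")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append("Effect must be Allow")
        extra = [a for a in stmt.get("Action", []) if a != ASSUME_ACTION]
        if extra:
            findings.append(f"unexpected actions: {extra}")
        uris = stmt.get("Resource", {}).get("uri", [])
        if not uris:
            findings.append("no agency URI listed")
        for uri in uris:
            agency_id = uri[len(AGENCY_URI_PREFIX):] if uri.startswith(AGENCY_URI_PREFIX) else ""
            if not AGENCY_ID_RE.fullmatch(agency_id):
                findings.append(f"resource is not a single concrete agency URI: {uri}")
    return findings


def check_policy_text(text):
    """Parse a policy document pasted as text and run the checks on it."""
    return check_assume_policy(json.loads(text))


if __name__ == "__main__":
    # Constructed agency IDs, not real ones.
    policy = build_assume_policy(["0123456789abcdef0123456789abcdef",
                                  "fedcba9876543210fedcba9876543210"])
    print(json.dumps(policy, indent=2))
    print("findings for built policy:", check_assume_policy(policy))
    print("findings for page placeholder:", check_policy_text(PAGE_POLICY_WITH_PLACEHOLDER))
```

Running the check against a policy that still contains the page's placeholder, or against one whose `uri` was changed to `*`, produces a finding; the policy built by `build_assume_policy` passes cleanly. Paste only a policy that checks clean into the Policy Content area.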

Follow-up Operation

Point to the delegating account in the upper right corner of the page and choose Switch Role to switch back to your account.