You can use IAM for fine-grained permissions control for your Cloud Eye resources. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing Cloud Eye resources.
- Grant different permissions to IAM users based on their job responsibilities.
- Entrust an account or a cloud service to perform efficient O&M on your Cloud Eye resources.
If your account does not require individual IAM users, skip this topic.
This topic describes the procedure for granting permissions (see Figure 1).
Prerequisites
You have learned about the system policies of Cloud Eye before assigning the preset Cloud Eye permissions to user groups (if needed). To grant custom permissions to a user group, ensure that you have created a custom Cloud Eye policy.
For details about the system policies supported by Cloud Eye and the comparison between these policies, see Permissions.
- Create a user group and assign permissions.
Create a user group on the IAM console, and attach the CES Administrator, Tenant Guest, and Server Administrator policies to the group.
- Cloud Eye is a region-specific service and must be deployed in specific physical regions. Cloud Eye permissions can be assigned and take effect only in specific regions. If you want a permission to take effect for all regions, assign it in all these regions. The global permission does not take effect.
- The preceding permissions are all Cloud Eye permissions. For more refined Cloud Eye permissions, see Permissions.
- Create a user and add it to a user group. Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the Cloud Eye console as the created user, and verify that the user only has the CES Administrator permissions. After you log in to the Cloud Eye console and use related functions, if no authentication failure message is displayed, the authorization is successful.