diff --git a/docs/iam/umn/ALL_META.TXT.json b/docs/iam/umn/ALL_META.TXT.json
index 461aa89e6..b1dc6e35f 100644
--- a/docs/iam/umn/ALL_META.TXT.json
+++ b/docs/iam/umn/ALL_META.TXT.json
@@ -349,9 +349,9 @@
 "node_id":"iam_01_0653.xml",
 "product_code":"iam",
 "code":"20",
- "des":"As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.To ",
+ "des":"As an administrator, you can modify the password, MFA device, login protection, and access keys of an IAM user.IAM users can change their passwords on the Basic Informati",
 "doc_type":"usermanual",
- "kw":"Changing the Login Password of an IAM User,IAM Users,User Guide",
+ "kw":"Modifying Security Settings for an IAM User,IAM Users,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -359,7 +359,7 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Changing the Login Password of an IAM User",
+ "title":"Modifying Security Settings for an IAM User",
 "githuburl":""
 },
 {
@@ -441,7 +441,7 @@
 "code":"25",
 "des":"A user inherits permissions from the groups which the user belongs to. To change the permissions of a user, add the user to a new group or remove the user from an existin",
 "doc_type":"usermanual",
- "kw":"Adding Users to or Removing Users from a User Group,User Groups and Authorization,User Guide",
+ "kw":"Adding IAM Users to or Removing IAM Users from a User Group,User Groups and Authorization,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -449,7 +449,7 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Adding Users to or Removing Users from a User Group",
+ "title":"Adding IAM Users to or Removing IAM Users from a User Group",
 "githuburl":""
 },
 {
@@ -493,9 +493,9 @@
 "node_id":"iam_03_0004.xml",
 "product_code":"iam",
 "code":"28",
- "des":"To revoke a policy or role attached to a user group, do the following:To revoke multiple policies or roles attached to a user group, do as follows:",
+ "des":"You can modify or delete permissions of a user group on its details page.To revoke a policy or role attached to a user group, do the following:To revoke multiple policies",
 "doc_type":"usermanual",
- "kw":"Revoking Permissions of a User Group,User Groups and Authorization,User Guide",
+ "kw":"Managing Permissions of a User Group,User Groups and Authorization,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -503,7 +503,7 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Revoking Permissions of a User Group",
+ "title":"Managing Permissions of a User Group",
 "githuburl":""
 },
 {
@@ -511,7 +511,7 @@
 "node_id":"iam_01_0657.xml",
 "product_code":"iam",
 "code":"29",
- "des":"Cloud services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services.For example, the DNS Administrat",
+ "des":"Cloud services interwork with each other. Therefore, the administrator needs to assign both the required roles and their dependent roles for the authorization to take eff",
 "doc_type":"usermanual",
 "kw":"Assigning Dependency Roles,User Groups and Authorization,User Guide",
 "search_title":"",
@@ -560,29 +560,11 @@
 "title":"Basic Concepts",
 "githuburl":""
 },
- {
- "uri":"iam_01_0601.html",
- "node_id":"iam_01_0601.xml",
- "product_code":"iam",
- "code":"32",
- "des":"Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles f",
- "doc_type":"usermanual",
- "kw":"Roles,Permissions,User Guide",
- "search_title":"",
- "metedata":[
- {
- "prodname":"iam",
- "documenttype":"usermanual"
- }
- ],
- "title":"Roles",
- "githuburl":""
- },
 {
 "uri":"iam_01_0017.html",
 "node_id":"iam_01_0017.xml",
 "product_code":"iam",
- "code":"33",
+ "code":"32",
 "des":"A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).Version: Distinguishes between role-based access control (RBA",
 "doc_type":"usermanual",
 "kw":"Policy Syntax,Permissions,User Guide",
@@ -600,7 +582,7 @@
 "uri":"iam_01_0016.html",
 "node_id":"iam_01_0016.xml",
 "product_code":"iam",
- "code":"34",
+ "code":"33",
 "des":"You can create custom policies to supplement system-defined policies and implement more refined access control.Select Allow or Deny.Select a cloud service.Only one cloud ",
 "doc_type":"usermanual",
 "kw":"Creating a Custom Policy,Permissions,User Guide",
@@ -618,7 +600,7 @@
 "uri":"iam_01_0600.html",
 "node_id":"iam_01_0600.xml",
 "product_code":"iam",
- "code":"35",
+ "code":"34",
 "des":"Use the following method to assign permissions of the FullAccess policy to a user but also forbid the user from accessing CTS. Create a custom policy for denying access t",
 "doc_type":"usermanual",
 "kw":"Custom Policy Use Cases,Permissions,User Guide",
@@ -636,7 +618,7 @@
 "uri":"en-us_topic_0046611308.html",
 "node_id":"en-us_topic_0046611308.xml",
 "product_code":"iam",
- "code":"36",
+ "code":"35",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Security Settings",
@@ -654,8 +636,8 @@
 "uri":"iam_07_0001.html",
 "node_id":"iam_07_0001.xml",
 "product_code":"iam",
- "code":"37",
- "des":"You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Setting",
+ "code":"36",
+ "des":"You can configure the basic information, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settin",
 "doc_type":"usermanual",
 "kw":"Security Settings Overview,Security Settings,User Guide",
 "search_title":"",
@@ -672,7 +654,7 @@
 "uri":"iam_01_0703.html",
 "node_id":"iam_01_0703.xml",
 "product_code":"iam",
- "code":"38",
+ "code":"37",
 "des":"As an account administrator, both you and your IAM users can manage basic information on this page.A mobile number or an email address can be bound only to one account or",
 "doc_type":"usermanual",
 "kw":"Basic Information,Security Settings,User Guide",
@@ -690,7 +672,7 @@
 "uri":"iam_01_0029.html",
 "node_id":"iam_01_0029.xml",
 "product_code":"iam",
- "code":"39",
+ "code":"38",
 "des":"Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the ",
 "doc_type":"usermanual",
 "kw":"Critical Operation Protection,Security Settings,User Guide",
@@ -708,7 +690,7 @@
 "uri":"iam_01_0704.html",
 "node_id":"iam_01_0704.xml",
 "product_code":"iam",
- "code":"40",
+ "code":"39",
 "des":"The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I",
 "doc_type":"usermanual",
 "kw":"Login Authentication Policy,Security Settings,User Guide",
@@ -726,7 +708,7 @@
 "uri":"iam_01_0607.html",
 "node_id":"iam_01_0607.xml",
 "product_code":"iam",
- "code":"41",
+ "code":"40",
 "des":"The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.Only the administr",
 "doc_type":"usermanual",
 "kw":"Password Policy,Security Settings,User Guide",
@@ -744,8 +726,8 @@
 "uri":"iam_07_0003.html",
 "node_id":"iam_07_0003.xml",
 "product_code":"iam",
- "code":"42",
- "des":"The ACL tab of the Security Settings page provides the IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP add",
+ "code":"41",
+ "des":"The ACL tab of the Security Settings page provides the IP Address Ranges, CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP address ",
 "doc_type":"usermanual",
 "kw":"ACL,Security Settings,User Guide",
 "search_title":"",
@@ -762,7 +744,7 @@
 "uri":"en-us_topic_0066738518.html",
 "node_id":"en-us_topic_0066738518.xml",
 "product_code":"iam",
- "code":"43",
+ "code":"42",
 "des":"Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources ",
 "doc_type":"usermanual",
 "kw":"Projects,User Guide,User Guide",
@@ -780,7 +762,7 @@
 "uri":"en-us_topic_0079496986.html",
 "node_id":"en-us_topic_0079496986.xml",
 "product_code":"iam",
- "code":"44",
+ "code":"43",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Agencies",
@@ -798,10 +780,10 @@
 "uri":"iam_01_0054.html",
 "node_id":"iam_01_0054.xml",
 "product_code":"iam",
- "code":"45",
+ "code":"44",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
- "kw":"Account Delegation",
+ "kw":"Delegating Another Account for Resource Management",
 "search_title":"",
 "metedata":[
 {
@@ -809,17 +791,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Account Delegation",
+ "title":"Delegating Another Account for Resource Management",
 "githuburl":""
 },
 {
 "uri":"iam_06_0001.html",
 "node_id":"iam_06_0001.xml",
 "product_code":"iam",
- "code":"46",
+ "code":"45",
 "des":"The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acco",
 "doc_type":"usermanual",
- "kw":"Delegating Resource Access to Another Account,Account Delegation,User Guide",
+ "kw":"Process for Account Delegation,Delegating Another Account for Resource Management,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -827,17 +809,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Delegating Resource Access to Another Account",
+ "title":"Process for Account Delegation",
 "githuburl":""
 },
 {
 "uri":"en-us_topic_0046613147.html",
 "node_id":"en-us_topic_0046613147.xml",
 "product_code":"iam",
- "code":"47",
+ "code":"46",
 "des":"By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your securi",
 "doc_type":"usermanual",
- "kw":"Creating an Agency (by a Delegating Party),Account Delegation,User Guide",
+ "kw":"Creating an Agency and Assigning Permissions,Delegating Another Account for Resource Management,User",
 "search_title":"",
 "metedata":[
 {
@@ -845,17 +827,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Creating an Agency (by a Delegating Party)",
+ "title":"Creating an Agency and Assigning Permissions",
 "githuburl":""
 },
 {
 "uri":"iam_01_0063.html",
 "node_id":"iam_01_0063.xml",
 "product_code":"iam",
- "code":"48",
+ "code":"47",
 "des":"When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admi",
 "doc_type":"usermanual",
- "kw":"(Optional) Assigning Permissions to an IAM User (by a Delegated Party),Account Delegation,User Guide",
+ "kw":"Assigning Agency Permissions to an IAM User,Delegating Another Account for Resource Management,User ",
 "search_title":"",
 "metedata":[
 {
@@ -863,17 +845,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"(Optional) Assigning Permissions to an IAM User (by a Delegated Party)",
+ "title":"Assigning Agency Permissions to an IAM User",
 "githuburl":""
 },
 {
 "uri":"en-us_topic_0046613148.html",
 "node_id":"en-us_topic_0046613148.xml",
 "product_code":"iam",
- "code":"49",
- "des":"When an account establishes a trust relationship with your account, you become a delegated party. The IAM users that are granted agency permissions can switch to the dele",
+ "code":"48",
+ "des":"When an account establishes a trust relationship with your account, you become a delegated party. The IAM users granted agency permissions can switch to the delegating do",
 "doc_type":"usermanual",
- "kw":"Switching Roles (by a Delegated Party),Account Delegation,User Guide",
+ "kw":"Managing Delegated Resources,Delegating Another Account for Resource Management,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -881,17 +863,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Switching Roles (by a Delegated Party)",
+ "title":"Managing Delegated Resources",
 "githuburl":""
 },
 {
 "uri":"iam_06_0004.html",
 "node_id":"iam_06_0004.xml",
 "product_code":"iam",
- "code":"50",
+ "code":"49",
 "des":"Services on the cloud platform interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services an",
 "doc_type":"usermanual",
- "kw":"Cloud Service Agency,Agencies,User Guide",
+ "kw":"Delegating Another Service for Resource Management,Agencies,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -899,14 +881,14 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Cloud Service Agency",
+ "title":"Delegating Another Service for Resource Management",
 "githuburl":""
 },
 {
 "uri":"iam_01_0730.html",
 "node_id":"iam_01_0730.xml",
 "product_code":"iam",
- "code":"51",
+ "code":"50",
 "des":"To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency you want to modify.You can change the cloud servic",
 "doc_type":"usermanual",
 "kw":"Deleting or Modifying Agencies,Agencies,User Guide",
@@ -924,7 +906,7 @@
 "uri":"en-us_topic_0059870089.html",
 "node_id":"en-us_topic_0059870089.xml",
 "product_code":"iam",
- "code":"52",
+ "code":"51",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Identity Providers",
@@ -942,10 +924,10 @@
 "uri":"en-us_topic_0079620341.html",
 "node_id":"en-us_topic_0079620341.xml",
 "product_code":"iam",
- "code":"53",
+ "code":"52",
 "des":"The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise manage",
 "doc_type":"usermanual",
- "kw":"identity federation,Introduction,Identity Providers,User Guide",
+ "kw":"identity federation,Overview,Identity Providers,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -953,14 +935,14 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Introduction",
+ "title":"Overview",
 "githuburl":""
 },
 {
 "uri":"iam_08_0251.html",
 "node_id":"iam_08_0251.xml",
 "product_code":"iam",
- "code":"54",
+ "code":"53",
 "des":"IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type f",
 "doc_type":"usermanual",
 "kw":"Application Scenarios of Virtual User SSO and IAM User SSO,Identity Providers,User Guide",
@@ -978,7 +960,7 @@
 "uri":"iam_08_0002.html",
 "node_id":"iam_08_0002.xml",
 "product_code":"iam",
- "code":"55",
+ "code":"54",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Virtual User SSO via SAML",
@@ -996,7 +978,7 @@
 "uri":"iam_08_0021.html",
 "node_id":"iam_08_0021.xml",
 "product_code":"iam",
- "code":"56",
+ "code":"55",
 "des":"The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During ",
 "doc_type":"usermanual",
 "kw":"Overview of Virtual User SSO via SAML,Virtual User SSO via SAML,User Guide",
@@ -1014,10 +996,10 @@
 "uri":"iam_08_0003.html",
 "node_id":"iam_08_0003.xml",
 "product_code":"iam",
- "code":"57",
+ "code":"56",
 "des":"To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create ",
 "doc_type":"usermanual",
- "kw":"Step 1: Create an IdP Entity,Virtual User SSO via SAML,User Guide",
+ "kw":"Creating an IdP Entity,Virtual User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1025,17 +1007,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "githuburl":""
 },
 {
 "uri":"iam_08_0252.html",
 "node_id":"iam_08_0252.xml",
 "product_code":"iam",
- "code":"58",
+ "code":"57",
 "des":"You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identi",
 "doc_type":"usermanual",
- "kw":"Step 2: Configure the Enterprise IdP,Virtual User SSO via SAML,User Guide",
+ "kw":"Configuring an Enterprise IdP,Virtual User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1043,17 +1025,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 2: Configure the Enterprise IdP",
+ "title":"Configuring an Enterprise IdP",
 "githuburl":""
 },
 {
 "uri":"iam_08_0004.html",
 "node_id":"iam_08_0004.xml",
 "product_code":"iam",
- "code":"59",
+ "code":"58",
 "des":"After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conver",
 "doc_type":"usermanual",
- "kw":"Step 3: Configure Identity Conversion Rules,Virtual User SSO via SAML,User Guide",
+ "kw":"Configuring Identity Conversion Rules,Virtual User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1061,17 +1043,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 3: Configure Identity Conversion Rules",
+ "title":"Configuring Identity Conversion Rules",
 "githuburl":""
 },
 {
 "uri":"iam_08_0025.html",
 "node_id":"iam_08_0025.xml",
 "product_code":"iam",
- "code":"60",
+ "code":"59",
 "des":"Federated users can initiate a login from the IdP or SP.Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.",
 "doc_type":"usermanual",
- "kw":"Step 4: Verify the Federated Login,Virtual User SSO via SAML,User Guide",
+ "kw":"Verifying the Login,Virtual User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1079,17 +1061,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 4: Verify the Federated Login",
+ "title":"Verifying the Login",
 "githuburl":""
 },
 {
 "uri":"iam_08_0005.html",
 "node_id":"iam_08_0005.xml",
 "product_code":"iam",
- "code":"61",
+ "code":"60",
 "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the",
 "doc_type":"usermanual",
- "kw":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP,Virtual User SSO via SAML",
+ "kw":"Configuring a Federated Login Entry in the Enterprise IdP,Virtual User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1097,14 +1079,14 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "githuburl":""
 },
 {
 "uri":"iam_08_0253.html",
 "node_id":"iam_08_0253.xml",
 "product_code":"iam",
- "code":"62",
+ "code":"61",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"IAM User SSO via SAML",
@@ -1122,7 +1104,7 @@
 "uri":"iam_08_0254.html",
 "node_id":"iam_08_0254.xml",
 "product_code":"iam",
- "code":"63",
+ "code":"62",
 "des":"The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During ",
 "doc_type":"usermanual",
 "kw":"Overview of IAM User SSO via SAML,IAM User SSO via SAML,User Guide",
@@ -1140,10 +1122,10 @@
 "uri":"iam_08_0255.html",
 "node_id":"iam_08_0255.xml",
 "product_code":"iam",
- "code":"64",
+ "code":"63",
 "des":"To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create ",
 "doc_type":"usermanual",
- "kw":"Step 1: Create an IdP Entity,IAM User SSO via SAML,User Guide",
+ "kw":"Creating an IdP Entity,IAM User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1151,17 +1133,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "githuburl":""
 },
 {
 "uri":"iam_08_0256.html",
 "node_id":"iam_08_0256.xml",
 "product_code":"iam",
- "code":"65",
+ "code":"64",
 "des":"You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identi",
 "doc_type":"usermanual",
- "kw":"Step 2: Configure the Enterprise IdP,IAM User SSO via SAML,User Guide",
+ "kw":"Configuring an Enterprise IdP,IAM User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1169,17 +1151,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 2: Configure the Enterprise IdP",
+ "title":"Configuring an Enterprise IdP",
 "githuburl":""
 },
 {
 "uri":"iam_08_0257.html",
 "node_id":"iam_08_0257.xml",
 "product_code":"iam",
- "code":"66",
+ "code":"65",
 "des":"For the IAM user SSO type, you must configure an external identity ID for the IAM user which the federated user maps to on the cloud platform. The external identity ID mu",
 "doc_type":"usermanual",
- "kw":"Step 3: Configure an External Identity ID,IAM User SSO via SAML,User Guide",
+ "kw":"Configuring an External Identity ID,IAM User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1187,17 +1169,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 3: Configure an External Identity ID",
+ "title":"Configuring an External Identity ID",
 "githuburl":""
 },
 {
 "uri":"iam_08_0258.html",
 "node_id":"iam_08_0258.xml",
 "product_code":"iam",
- "code":"67",
+ "code":"66",
 "des":"Federated users can initiate a login from the IdP or SP.Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.",
 "doc_type":"usermanual",
- "kw":"Step 4: Verify the Federated Login,IAM User SSO via SAML,User Guide",
+ "kw":"Verifying the Login,IAM User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1205,17 +1187,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 4: Verify the Federated Login",
+ "title":"Verifying the Login",
 "githuburl":""
 },
 {
 "uri":"iam_08_0259.html",
 "node_id":"iam_08_0259.xml",
 "product_code":"iam",
- "code":"68",
+ "code":"67",
 "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the",
 "doc_type":"usermanual",
- "kw":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP,IAM User SSO via SAML,Use",
+ "kw":"Configuring a Federated Login Entry in the Enterprise IdP,IAM User SSO via SAML,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1223,14 +1205,14 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "githuburl":""
 },
 {
 "uri":"iam_08_0022.html",
 "node_id":"iam_08_0022.xml",
 "product_code":"iam",
- "code":"69",
+ "code":"68",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Virtual User SSO via OpenID Connect",
@@ -1248,7 +1230,7 @@
 "uri":"iam_08_0010.html",
 "node_id":"iam_08_0010.xml",
 "product_code":"iam",
- "code":"70",
+ "code":"69",
 "des":"This section describes how to configure identity federation and how identity federation works.The following describes how to configure your enterprise IdP and the cloud p",
 "doc_type":"usermanual",
 "kw":"Overview of Virtual User SSO via OpenID Connect,Virtual User SSO via OpenID Connect,User Guide",
@@ -1266,10 +1248,10 @@
 "uri":"iam_08_0009.html",
 "node_id":"iam_08_0009.xml",
 "product_code":"iam",
- "code":"71",
+ "code":"70",
 "des":"To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On ",
 "doc_type":"usermanual",
- "kw":"Step 1: Create an IdP Entity,Virtual User SSO via OpenID Connect,User Guide",
+ "kw":"Creating an IdP Entity,Virtual User SSO via OpenID Connect,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1277,17 +1259,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "githuburl":""
 },
 {
 "uri":"iam_08_0008.html",
 "node_id":"iam_08_0008.xml",
 "product_code":"iam",
- "code":"72",
+ "code":"71",
 "des":"Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. Y",
 "doc_type":"usermanual",
- "kw":"Step 2: Configure Identity Conversion Rules,Virtual User SSO via OpenID Connect,User Guide",
+ "kw":"Configuring Identity Conversion Rules,Virtual User SSO via OpenID Connect,User Guide",
 "search_title":"",
 "metedata":[
 {
@@ -1295,17 +1277,17 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"Step 2: Configure Identity Conversion Rules",
+ "title":"Configuring Identity Conversion Rules",
 "githuburl":""
 },
 {
 "uri":"iam_08_0007.html",
 "node_id":"iam_08_0007.xml",
 "product_code":"iam",
- "code":"73",
+ "code":"72",
 "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the",
 "doc_type":"usermanual",
- "kw":"(Optional) Step 3: Configure Login Link in the Enterprise Management System,Virtual User SSO via Ope",
+ "kw":"Configuring a Federated Login Entry in the Enterprise IdP,Virtual User SSO via OpenID Connect,User G",
 "search_title":"",
 "metedata":[
 {
@@ -1313,14 +1295,14 @@
 "documenttype":"usermanual"
 }
 ],
- "title":"(Optional) Step 3: Configure Login Link in the Enterprise Management System",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "githuburl":""
 },
 {
 "uri":"en-us_topic_0079620340.html",
 "node_id":"en-us_topic_0079620340.xml",
 "product_code":"iam",
- "code":"74",
+ "code":"73",
 "des":"An identity conversion rule is a JSON object which can be modified. The following is an example JSON object:[ \n { \n \"remote\": [ \n { \n ",
 "doc_type":"usermanual",
 "kw":"Syntax of Identity Conversion Rules,Identity Providers,User Guide",
@@ -1338,7 +1320,7 @@
 "uri":"iam_10_0002.html",
 "node_id":"iam_10_0002.xml",
 "product_code":"iam",
- "code":"75",
+ "code":"74",
 "des":"MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and ",
 "doc_type":"usermanual",
 "kw":"MFA Authentication and Virtual MFA Device,User Guide,User Guide",
@@ -1356,7 +1338,7 @@
 "uri":"iam_01_0011.html",
 "node_id":"iam_01_0011.xml",
 "product_code":"iam",
- "code":"76",
+ "code":"75",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Auditing",
@@ -1374,7 +1356,7 @@
 "uri":"iam_01_0012.html",
 "node_id":"iam_01_0012.xml",
 "product_code":"iam",
- "code":"77",
+ "code":"76",
 "des":"Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).",
 "doc_type":"usermanual",
 "kw":"IAM Operations That Can Be Recorded by CTS,Auditing,User Guide",
@@ -1392,7 +1374,7 @@
 "uri":"iam_01_0013.html",
 "node_id":"iam_01_0013.xml",
 "product_code":"iam",
- "code":"78",
+ "code":"77",
 "des":"After you enable CTS, it records key operations performed on IAM. You can view the operation records of the last 7 days on the CTS console.The following filters are avail",
 "doc_type":"usermanual",
 "kw":"Viewing Audit Logs,Auditing,User Guide",
@@ -1410,7 +1392,7 @@
 "uri":"iam_01_0000.html",
 "node_id":"iam_01_0000.xml",
 "product_code":"iam",
- "code":"79",
+ "code":"78",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"FAQs",
@@ -1428,7 +1410,7 @@
 "uri":"iam_01_0002.html",
 "node_id":"iam_01_0002.xml",
 "product_code":"iam",
- "code":"80",
+ "code":"79",
 "des":"For account security purposes, you are advised to enable login authentication. After this function is enabled, users need to enter an SMS, MFA, or email verification code",
 "doc_type":"usermanual",
 "kw":"How Do I Enable Login Authentication?,FAQs,User Guide",
@@ -1446,7 +1428,7 @@
 "uri":"iam_01_0003.html",
 "node_id":"iam_01_0003.xml",
 "product_code":"iam",
- "code":"81",
+ "code":"80",
 "des":"MFA authentication provides an additional layer of protection on top of the username and password. If MFA–based login authentication is enabled, you will need to enter a ",
 "doc_type":"usermanual",
 "kw":"How Do I Bind a Virtual MFA Device?,FAQs,User Guide",
@@ -1464,7 +1446,7 @@
 "uri":"iam_01_0001.html",
 "node_id":"iam_01_0001.xml",
 "product_code":"iam",
- "code":"82",
+ "code":"81",
 "des":"After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. Open ",
 "doc_type":"usermanual",
 "kw":"How Do I Obtain MFA Verification Codes?,FAQs,User Guide",
@@ -1482,7 +1464,7 @@
 "uri":"iam_01_0004.html",
 "node_id":"iam_01_0004.xml",
 "product_code":"iam",
- "code":"83",
+ "code":"82",
 "des":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ",
 "doc_type":"usermanual",
 "kw":"How Do I Unbind a Virtual MFA Device?,FAQs,User Guide",
@@ -1500,7 +1482,7 @@
 "uri":"en-us_topic_0046611300.html",
 "node_id":"en-us_topic_0046611300.xml",
 "product_code":"iam",
- "code":"84",
+ "code":"83",
 "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "doc_type":"usermanual",
 "kw":"Change History,User Guide",
diff --git a/docs/iam/umn/CLASS.TXT.json b/docs/iam/umn/CLASS.TXT.json
index a0bdfb224..698b6cf75 100644
--- a/docs/iam/umn/CLASS.TXT.json
+++ b/docs/iam/umn/CLASS.TXT.json
@@ -171,9 +171,9 @@
 "code":"19"
 },
 {
- "desc":"As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.To ",
+ "desc":"As an administrator, you can modify the password, MFA device, login protection, and access keys of an IAM user.IAM users can change their passwords on the Basic Informati",
 "product_code":"iam",
- "title":"Changing the Login Password of an IAM User",
+ "title":"Modifying Security Settings for an IAM User",
 "uri":"iam_01_0653.html",
 "doc_type":"usermanual",
 "p_code":"14",
@@ -218,7 +218,7 @@
 {
 "desc":"A user inherits permissions from the groups which the user belongs to. To change the permissions of a user, add the user to a new group or remove the user from an existin",
 "product_code":"iam",
- "title":"Adding Users to or Removing Users from a User Group",
+ "title":"Adding IAM Users to or Removing IAM Users from a User Group",
 "uri":"iam_03_0002.html",
 "doc_type":"usermanual",
 "p_code":"23",
@@ -243,16 +243,16 @@
 "code":"27"
 },
 {
- "desc":"To revoke a policy or role attached to a user group, do the following:To revoke multiple policies or roles attached to a user group, do as follows:",
+ "desc":"You can modify or delete permissions of a user group on its details page.To revoke a policy or role attached to a user group, do the following:To revoke multiple policies",
 "product_code":"iam",
- "title":"Revoking Permissions of a User Group",
+ "title":"Managing Permissions of a User Group",
 "uri":"iam_03_0004.html",
 "doc_type":"usermanual",
 "p_code":"23",
 "code":"28"
 },
 {
- "desc":"Cloud services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services.For example, the DNS Administrat",
+ "desc":"Cloud services interwork with each other. Therefore, the administrator needs to assign both the required roles and their dependent roles for the authorization to take eff",
 "product_code":"iam",
 "title":"Assigning Dependency Roles",
 "uri":"iam_01_0657.html",
@@ -278,15 +278,6 @@
 "p_code":"30",
 "code":"31"
 },
- {
- "desc":"Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles f",
- "product_code":"iam",
- "title":"Roles",
- "uri":"iam_01_0601.html",
- "doc_type":"usermanual",
- "p_code":"30",
- "code":"32"
- },
 {
 "desc":"A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).Version: Distinguishes between role-based access control (RBA",
 "product_code":"iam",
@@ -294,7 +285,7 @@
 "uri":"iam_01_0017.html",
 "doc_type":"usermanual",
 "p_code":"30",
- "code":"33"
+ "code":"32"
 },
 {
 "desc":"You can create custom policies to supplement system-defined policies and implement more refined access control.Select Allow or Deny.Select a cloud service.Only one cloud ",
@@ -303,7 +294,7 @@
 "uri":"iam_01_0016.html",
 "doc_type":"usermanual",
 "p_code":"30",
- "code":"34"
+ "code":"33"
 },
 {
 "desc":"Use the following method to assign permissions of the FullAccess policy to a user but also forbid the user from accessing CTS. Create a custom policy for denying access t",
@@ -312,7 +303,7 @@
 "uri":"iam_01_0600.html",
 "doc_type":"usermanual",
 "p_code":"30",
- "code":"35"
+ "code":"34"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -321,16 +312,16 @@
 "uri":"en-us_topic_0046611308.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"36"
+ "code":"35"
 },
 {
- "desc":"You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Setting",
+ "desc":"You can configure the basic information, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settin",
 "product_code":"iam",
 "title":"Security Settings Overview",
 "uri":"iam_07_0001.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"37"
+ "p_code":"35",
+ "code":"36"
 },
 {
 "desc":"As an account administrator, both you and your IAM users can manage basic information on this page.A mobile number or an email address can be bound only to one account or",
@@ -338,8 +329,8 @@
 "title":"Basic Information",
 "uri":"iam_01_0703.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"38"
+ "p_code":"35",
+ "code":"37"
 },
 {
 "desc":"Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the ",
@@ -347,8 +338,8 @@
 "title":"Critical Operation Protection",
 "uri":"iam_01_0029.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"39"
+ "p_code":"35",
+ "code":"38"
 },
 {
 "desc":"The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I",
@@ -356,8 +347,8 @@
 "title":"Login Authentication Policy",
 "uri":"iam_01_0704.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"40"
+ "p_code":"35",
+ "code":"39"
 },
 {
 "desc":"The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.Only the administr",
@@ -365,17 +356,17 @@
 "title":"Password Policy",
 "uri":"iam_01_0607.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"41"
+ "p_code":"35",
+ "code":"40"
 },
 {
- "desc":"The ACL tab of the Security Settings page provides the IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP add",
+ "desc":"The ACL tab of the Security Settings page provides the IP Address Ranges, CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP address ",
 "product_code":"iam",
 "title":"ACL",
 "uri":"iam_07_0003.html",
 "doc_type":"usermanual",
- "p_code":"36",
- "code":"42"
+ "p_code":"35",
+ "code":"41"
 },
 {
 "desc":"Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources ",
@@ -384,7 +375,7 @@
 "uri":"en-us_topic_0066738518.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"43"
+ "code":"42"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -393,61 +384,61 @@
 "uri":"en-us_topic_0079496986.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"44"
+ "code":"43"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
 "product_code":"iam",
- "title":"Account Delegation",
+ "title":"Delegating Another Account for Resource Management",
 "uri":"iam_01_0054.html",
 "doc_type":"usermanual",
+ "p_code":"43",
+ "code":"44"
+ },
+ {
+ "desc":"The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acco",
+ "product_code":"iam",
+ "title":"Process for Account Delegation",
+ "uri":"iam_06_0001.html",
+ "doc_type":"usermanual",
 "p_code":"44",
 "code":"45"
 },
- {
- "desc":"The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acco",
- "product_code":"iam",
- "title":"Delegating Resource Access to Another Account",
- "uri":"iam_06_0001.html",
- "doc_type":"usermanual",
- "p_code":"45",
- "code":"46"
- },
 {
 "desc":"By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your securi",
 "product_code":"iam",
- "title":"Creating an Agency (by a Delegating Party)",
+ "title":"Creating an Agency and Assigning Permissions",
 "uri":"en-us_topic_0046613147.html",
 "doc_type":"usermanual",
- "p_code":"45",
- "code":"47"
+ "p_code":"44",
+ "code":"46"
 },
 {
 "desc":"When a trust relationship is established between your account and another account, you become a delegated party. 
By default, only your account and the members of the admi",
 "product_code":"iam",
- "title":"(Optional) Assigning Permissions to an IAM User (by a Delegated Party)",
+ "title":"Assigning Agency Permissions to an IAM User",
 "uri":"iam_01_0063.html",
 "doc_type":"usermanual",
- "p_code":"45",
- "code":"48"
+ "p_code":"44",
+ "code":"47"
 },
 {
- "desc":"When an account establishes a trust relationship with your account, you become a delegated party. The IAM users that are granted agency permissions can switch to the dele",
+ "desc":"When an account establishes a trust relationship with your account, you become a delegated party. The IAM users granted agency permissions can switch to the delegating do",
 "product_code":"iam",
- "title":"Switching Roles (by a Delegated Party)",
+ "title":"Managing Delegated Resources",
 "uri":"en-us_topic_0046613148.html",
 "doc_type":"usermanual",
- "p_code":"45",
- "code":"49"
+ "p_code":"44",
+ "code":"48"
 },
 {
 "desc":"Services on the cloud platform interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services an",
 "product_code":"iam",
- "title":"Cloud Service Agency",
+ "title":"Delegating Another Service for Resource Management",
 "uri":"iam_06_0004.html",
 "doc_type":"usermanual",
- "p_code":"44",
- "code":"50"
+ "p_code":"43",
+ "code":"49"
 },
 {
 "desc":"To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency you want to modify.You can change the cloud servic",
@@ -455,8 +446,8 @@
 "title":"Deleting or Modifying Agencies",
 "uri":"iam_01_0730.html",
 "doc_type":"usermanual",
- "p_code":"44",
- "code":"51"
+ "p_code":"43",
+ "code":"50"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -465,16 +456,16 @@
 "uri":"en-us_topic_0059870089.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"52"
+ "code":"51"
 },
 {
 "desc":"The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise manage",
 "product_code":"iam",
- "title":"Introduction",
+ "title":"Overview",
 "uri":"en-us_topic_0079620341.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"53"
+ "p_code":"51",
+ "code":"52"
 },
 {
 "desc":"IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type f",
@@ -482,8 +473,8 @@
 "title":"Application Scenarios of Virtual User SSO and IAM User SSO",
 "uri":"iam_08_0251.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"54"
+ "p_code":"51",
+ "code":"53"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -491,8 +482,8 @@
 "title":"Virtual User SSO via SAML",
 "uri":"iam_08_0002.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"55"
+ "p_code":"51",
+ "code":"54"
 },
 {
 "desc":"The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During ",
@@ -500,53 +491,53 @@
 "title":"Overview of Virtual User SSO via SAML",
 "uri":"iam_08_0021.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"56"
+ "p_code":"54",
+ "code":"55"
 },
 {
 "desc":"To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create ",
 "product_code":"iam",
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "uri":"iam_08_0003.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"57"
+ "p_code":"54",
+ "code":"56"
 },
 {
 "desc":"You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identi",
 "product_code":"iam",
- "title":"Step 2: Configure the Enterprise IdP",
+ "title":"Configuring an Enterprise IdP",
 "uri":"iam_08_0252.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"58"
+ "p_code":"54",
+ "code":"57"
 },
 {
 "desc":"After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conver",
 "product_code":"iam",
- "title":"Step 3: Configure Identity Conversion Rules",
+ "title":"Configuring Identity Conversion Rules",
 "uri":"iam_08_0004.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"59"
+ "p_code":"54",
+ "code":"58"
 },
 {
 "desc":"Federated users can initiate a login from the IdP or SP.Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.",
 "product_code":"iam",
- "title":"Step 4: Verify the Federated Login",
+ "title":"Verifying the Login",
 "uri":"iam_08_0025.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"60"
+ "p_code":"54",
+ "code":"59"
 },
 {
 "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been 
created on the",
 "product_code":"iam",
- "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "uri":"iam_08_0005.html",
 "doc_type":"usermanual",
- "p_code":"55",
- "code":"61"
+ "p_code":"54",
+ "code":"60"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -554,8 +545,8 @@
 "title":"IAM User SSO via SAML",
 "uri":"iam_08_0253.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"62"
+ "p_code":"51",
+ "code":"61"
 },
 {
 "desc":"The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During ",
@@ -563,53 +554,53 @@
 "title":"Overview of IAM User SSO via SAML",
 "uri":"iam_08_0254.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"63"
+ "p_code":"61",
+ "code":"62"
 },
 {
 "desc":"To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create ",
 "product_code":"iam",
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "uri":"iam_08_0255.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"64"
+ "p_code":"61",
+ "code":"63"
 },
 {
 "desc":"You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identi",
 "product_code":"iam",
- "title":"Step 2: Configure the Enterprise IdP",
+ "title":"Configuring an Enterprise IdP",
 "uri":"iam_08_0256.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"65"
+ "p_code":"61",
+ "code":"64"
 },
 {
 "desc":"For the IAM user SSO type, you must configure an external identity ID for the IAM user which the federated user maps to on the cloud platform. 
The external identity ID mu",
 "product_code":"iam",
- "title":"Step 3: Configure an External Identity ID",
+ "title":"Configuring an External Identity ID",
 "uri":"iam_08_0257.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"66"
+ "p_code":"61",
+ "code":"65"
 },
 {
 "desc":"Federated users can initiate a login from the IdP or SP.Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.",
 "product_code":"iam",
- "title":"Step 4: Verify the Federated Login",
+ "title":"Verifying the Login",
 "uri":"iam_08_0258.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"67"
+ "p_code":"61",
+ "code":"66"
 },
 {
 "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the",
 "product_code":"iam",
- "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "uri":"iam_08_0259.html",
 "doc_type":"usermanual",
- "p_code":"62",
- "code":"68"
+ "p_code":"61",
+ "code":"67"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -617,8 +608,8 @@
 "title":"Virtual User SSO via OpenID Connect",
 "uri":"iam_08_0022.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"69"
+ "p_code":"51",
+ "code":"68"
 },
 {
 "desc":"This section describes how to configure identity federation and how identity federation works.The following describes how to configure your enterprise IdP and the cloud p",
@@ -626,35 +617,35 @@
 "title":"Overview of Virtual User SSO via OpenID Connect",
 "uri":"iam_08_0010.html",
 "doc_type":"usermanual",
- "p_code":"69",
- "code":"70"
+ "p_code":"68",
+ "code":"69"
 },
 {
 "desc":"To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On ",
 "product_code":"iam",
- "title":"Step 1: Create an IdP Entity",
+ "title":"Creating an IdP Entity",
 "uri":"iam_08_0009.html",
 "doc_type":"usermanual",
- "p_code":"69",
- "code":"71"
+ "p_code":"68",
+ "code":"70"
 },
 {
 "desc":"Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. Y",
 "product_code":"iam",
- "title":"Step 2: Configure Identity Conversion Rules",
+ "title":"Configuring Identity Conversion Rules",
 "uri":"iam_08_0008.html",
 "doc_type":"usermanual",
- "p_code":"69",
- "code":"72"
+ "p_code":"68",
+ "code":"71"
 },
 {
 "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the",
 "product_code":"iam",
- "title":"(Optional) Step 3: Configure Login Link in the Enterprise Management System",
+ "title":"Configuring a Federated Login Entry in the Enterprise IdP",
 "uri":"iam_08_0007.html",
 "doc_type":"usermanual",
- "p_code":"69",
- "code":"73"
+ "p_code":"68",
+ "code":"72"
 },
 {
 "desc":"An identity conversion rule is a JSON object which can be modified. The following is an example JSON object:[ \n { \n \"remote\": [ \n { \n ",
@@ -662,8 +653,8 @@
 "title":"Syntax of Identity Conversion Rules",
 "uri":"en-us_topic_0079620340.html",
 "doc_type":"usermanual",
- "p_code":"52",
- "code":"74"
+ "p_code":"51",
+ "code":"73"
 },
 {
 "desc":"MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and ",
@@ -672,7 +663,7 @@
 "uri":"iam_10_0002.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"75"
+ "code":"74"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -681,7 +672,7 @@
 "uri":"iam_01_0011.html",
 "doc_type":"usermanual",
 "p_code":"13",
- "code":"76"
+ "code":"75"
 },
 {
 "desc":"Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).",
@@ -689,8 +680,8 @@
 "title":"IAM Operations That Can Be Recorded by CTS",
 "uri":"iam_01_0012.html",
 "doc_type":"usermanual",
- "p_code":"76",
- "code":"77"
+ "p_code":"75",
+ "code":"76"
 },
 {
 "desc":"After you enable CTS, it records key operations performed on IAM. You can view the operation records of the last 7 days on the CTS console.The following filters are avail",
@@ -698,8 +689,8 @@
 "title":"Viewing Audit Logs",
 "uri":"iam_01_0013.html",
 "doc_type":"usermanual",
- "p_code":"76",
- "code":"78"
+ "p_code":"75",
+ "code":"77"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -708,7 +699,7 @@
 "uri":"iam_01_0000.html",
 "doc_type":"usermanual",
 "p_code":"",
- "code":"79"
+ "code":"78"
 },
 {
 "desc":"For account security purposes, you are advised to enable login authentication. After this function is enabled, users need to enter an SMS, MFA, or email verification code",
@@ -716,8 +707,8 @@
 "title":"How Do I Enable Login Authentication?",
 "uri":"iam_01_0002.html",
 "doc_type":"usermanual",
- "p_code":"79",
- "code":"80"
+ "p_code":"78",
+ "code":"79"
 },
 {
 "desc":"MFA authentication provides an additional layer of protection on top of the username and password. If MFA–based login authentication is enabled, you will need to enter a ",
@@ -725,8 +716,8 @@
 "title":"How Do I Bind a Virtual MFA Device?",
 "uri":"iam_01_0003.html",
 "doc_type":"usermanual",
- "p_code":"79",
- "code":"81"
+ "p_code":"78",
+ "code":"80"
 },
 {
 "desc":"After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. Open ",
@@ -734,8 +725,8 @@
 "title":"How Do I Obtain MFA Verification Codes?",
 "uri":"iam_01_0001.html",
 "doc_type":"usermanual",
- "p_code":"79",
- "code":"82"
+ "p_code":"78",
+ "code":"81"
 },
 {
 "desc":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ",
@@ -743,8 +734,8 @@
 "title":"How Do I Unbind a Virtual MFA Device?",
 "uri":"iam_01_0004.html",
 "doc_type":"usermanual",
- "p_code":"79",
- "code":"83"
+ "p_code":"78",
+ "code":"82"
 },
 {
 "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.",
@@ -753,6 +744,6 @@
 "uri":"en-us_topic_0046611300.html",
 "doc_type":"usermanual",
 "p_code":"",
- "code":"84"
+ "code":"83"
 }
 ]
\ No newline at end of file
diff --git a/docs/iam/umn/en-us_image_0000001209613221.png b/docs/iam/umn/en-us_image_0000001209613221.png
index e55805d8a..d6a8c5e55 100644
Binary files a/docs/iam/umn/en-us_image_0000001209613221.png and b/docs/iam/umn/en-us_image_0000001209613221.png differ
diff --git a/docs/iam/umn/en-us_image_0000001209614103.png b/docs/iam/umn/en-us_image_0000001209614103.png
deleted file mode 100644
index 59f695c71..000000000
Binary files a/docs/iam/umn/en-us_image_0000001209614103.png and /dev/null differ
diff --git a/docs/iam/umn/en-us_image_0000001646661553.png b/docs/iam/umn/en-us_image_0000001646661553.png
index 1073f956c..2283bdc45 100644
Binary files a/docs/iam/umn/en-us_image_0000001646661553.png and b/docs/iam/umn/en-us_image_0000001646661553.png differ
diff --git a/docs/iam/umn/en-us_image_0000001100309480.png b/docs/iam/umn/en-us_image_0000001924150268.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001100309480.png
rename to docs/iam/umn/en-us_image_0000001924150268.png
diff --git a/docs/iam/umn/en-us_image_0000001146589991.png b/docs/iam/umn/en-us_image_0000001924309660.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001146589991.png
rename to docs/iam/umn/en-us_image_0000001924309660.png
diff --git a/docs/iam/umn/en-us_image_0000001925383938.png b/docs/iam/umn/en-us_image_0000001925383938.png
new file mode 100644
index 000000000..7a551f696
Binary files /dev/null and b/docs/iam/umn/en-us_image_0000001925383938.png differ
diff --git a/docs/iam/umn/en-us_image_0000001646415725.png b/docs/iam/umn/en-us_image_0000001951269481.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001646415725.png
rename to docs/iam/umn/en-us_image_0000001951269481.png
diff --git a/docs/iam/umn/en-us_image_0000001146708849.png b/docs/iam/umn/en-us_image_0000001951429117.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001146708849.png
rename to docs/iam/umn/en-us_image_0000001951429117.png
diff --git a/docs/iam/umn/en-us_image_0000002162336158.png b/docs/iam/umn/en-us_image_0000002162336158.png
new file mode 100644
index 000000000..e0168a607
Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002162336158.png differ
diff --git a/docs/iam/umn/en-us_topic_0046611269.html b/docs/iam/umn/en-us_topic_0046611269.html
index 9052e474d..079330bd3 100644
--- a/docs/iam/umn/en-us_topic_0046611269.html
+++ b/docs/iam/umn/en-us_topic_0046611269.html
@@ -6,7 +6,7 @@

  • Click OK.

    The user group is displayed in the user group list.

  • In the row containing the user group, click Authorize in the Operation column.
  • On the Authorize User Group page, select the permissions to be assigned to the user group. You can also click Go to Old Edition to use the old version for authorization.

    If the system-defined policies do not meet your requirements, you can click Create Policy in the upper right to create custom policies for fine-grained permissions control. For details, see Creating a Custom Policy.

    -
    Figure 1 Selecting permissions
    +
    Figure 1 Selecting permissions

  • Click Next.
  • Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.

diff --git a/docs/iam/umn/en-us_topic_0046611276.html b/docs/iam/umn/en-us_topic_0046611276.html
index e887d792d..b9827e59a 100644
--- a/docs/iam/umn/en-us_topic_0046611276.html
+++ b/docs/iam/umn/en-us_topic_0046611276.html
@@ -3,7 +3,7 @@

    IAM Features

    IAM provides the following basic functions:

    • Refined permissions management

      You can control user access to different projects and grant different permissions to users for the same project. For example, you can grant some users permissions to manage Object Storage Service (OBS), and grant other users only the permissions to read data from OBS.

      -
      Figure 1 Permissions management model
      +
      Figure 1 Permissions management model

    • Simplified authorization

      You can authorize users in just two steps:

      1. Plan user groups according to users' responsibilities and grant permissions to each user group.
      2. Add a user to the user group that matches the user's responsibilities.
diff --git a/docs/iam/umn/en-us_topic_0046611300.html b/docs/iam/umn/en-us_topic_0046611300.html
index 7ec382558..912bfb4a2 100644
--- a/docs/iam/umn/en-us_topic_0046611300.html
+++ b/docs/iam/umn/en-us_topic_0046611300.html
@@ -2,13 +2,19 @@

      Change History

      -
    Table 1 Authorization scopes

    Scope

- - - - - + - - + - - - + - - + - - - - - + + + + + - - + - - + + + + + - + + + + - + + + + + + + + + + + + - + + + + -
diff --git a/docs/iam/umn/iam_01_0034.html b/docs/iam/umn/iam_01_0034.html
index 19957cff8..35c4041ea 100644
--- a/docs/iam/umn/iam_01_0034.html
+++ b/docs/iam/umn/iam_01_0034.html
@@ -6,7 +6,7 @@

    Example

    The following is an example of how to use IAM.

    Assume that there are three user groups in your enterprise: security administrators (admin), developers, and testers. Each user group can contain multiple users, and a user can belong to multiple user groups.

    -
    Figure 1 User management model
    +
    Figure 1 User management model
    1. Create a security administrator Franklin and add Franklin to the default user group admin.
    2. Log in as Franklin, create another security administrator Lawrence, and add Lawrence to the default user group admin.
    3. Log in as Franklin or Lawrence, create user groups Developers and Testers, and grant the required permissions to each user group.
    4. Log in as Franklin or Lawrence, create developers Elizabeth and Randolph, and add them to the Developers user group. Then create tester Jennifer, and add Jennifer and Randolph to the Testers user group.
    5. Users Elizabeth, Jennifer, and Randolph log in using their own credentials.

      Security administrators and users are IAM users who have different permissions depending on the user groups to which they belong. All IAM users have their own security credentials (username and password) to log in to the system.

diff --git a/docs/iam/umn/iam_01_0054.html b/docs/iam/umn/iam_01_0054.html
index 02611a470..11b8182c3 100644
--- a/docs/iam/umn/iam_01_0054.html
+++ b/docs/iam/umn/iam_01_0054.html
@@ -3,17 +3,17 @@
-

    Account Delegation

    +

    Delegating Another Account for Resource Management

diff --git a/docs/iam/umn/iam_01_0063.html b/docs/iam/umn/iam_01_0063.html
index 241385a4c..78eb3d6ad 100644
--- a/docs/iam/umn/iam_01_0063.html
+++ b/docs/iam/umn/iam_01_0063.html
@@ -1,34 +1,34 @@
-

    (Optional) Assigning Permissions to an IAM User (by a Delegated Party)

    -

    When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

    +

    Assigning Agency Permissions to an IAM User

    +

    When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

    You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.

    Prerequisites

    • A trust relationship has been established between your account and another account.
    • You have obtained the name of the delegating account and the name and ID of the created agency.
    -

    Procedure

    1. Create a user group and grant permissions to it.

      1. On the User Groups page, click Create User Group.
      2. Enter a user group name.
      3. Click OK.
      4. In the row containing the user group, click Authorize.
      5. Create a custom policy.

        This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to 1.f.

        +

        Procedure

        1. Create a user group and grant permissions to it.

          1. On the User Groups page, click Create User Group.
          2. Enter a user group name.
          3. Click OK.
          4. In the row containing the user group, click Authorize.
          5. Create a custom policy.

            This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to step 6.

            -
            1. On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
            2. Enter a policy name.
            3. Select JSON for Policy View.
            4. In the Policy Content area, enter the following content:
              {
              +
              1. On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
              2. Enter a policy name.
              3. Select JSON for Policy View.
              4. In the Policy Content area, enter the following content:
                {
                         "Version": "1.1",
                         "Statement": [
                                 {
                                         "Action": [
                -                                "iam:agencies:assume"
                +                                "iam:tokens:assume"
                                         ],
                                         "Resource": {
                                                 "uri": [
                -                                        "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
                +                                        "/iam/agencies/agencyTest"
                                                 ]
                                         },
                                         "Effect": "Allow"
                                 }
                         ]
                 }
                -
                • Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
                • For more information about permissions, see Permissions.
                +
                • Replace agencyTest with the agency name obtained from a delegating party. Copy the other content without making any changes.
                • For more information about permissions, see Permissions.
              5. Click Next.
            5. Select the policy created in the previous step or the Agent Operator role and click Next.
              • Custom policy: Allows a user to manage resources only for an agency identified by a specific ID.
              • Agent Operator role: Allows a user to manage resources for all agencies.
            6. Specify the authorization scope.
            7. Click OK.
            -

          6. Create an IAM user and add the user to the user group.

            1. On the Users page, click Create User.
            2. On the Create User page, enter a username.
            3. Select Management console access for Access Type and then select Set by user for Credential Type.
            4. Enable login protection and click Next.
            5. Select the user group created in 1 and click Create.

              After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.

              +

            6. Create an IAM user and add the user to the user group.

              1. On the Users page, click Create User.
              2. On the Create User page, enter a username.
              3. Select Management console access for Access Type and then select Set by user for Credential Type.
              4. Enable login protection and click Next.
              5. Select the user group created in step 1 and click Create.

                After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.

            @@ -38,7 +38,7 @@
        diff --git a/docs/iam/umn/iam_01_0430.html b/docs/iam/umn/iam_01_0430.html index f7a219e80..8e6c3ad51 100644 --- a/docs/iam/umn/iam_01_0430.html +++ b/docs/iam/umn/iam_01_0430.html @@ -6,9 +6,9 @@

        Deleting User Groups

        Procedure

        To delete a user group, do the following:

        -
        1. Log in to the IAM console. In the navigation pane, choose User Groups.
        2. In the user group list, click Delete in the row that contains the user group to be deleted.
        3. In the displayed dialog box, click Yes.
        +
        1. Log in to the IAM console. In the navigation pane, choose User Groups.
        2. In the user group list, click Delete in the row that contains the user group to be deleted.
        3. In the displayed dialog box, click OK.

        Batch Deleting User Groups

        To delete multiple user groups at a time, do the following:

        -
        1. Log in to the IAM console. In the navigation pane, choose User Groups.
        2. In the user group list, select the user groups to be deleted and click Delete above the list.
        3. In the displayed dialog box, click Yes.
        +
        1. Log in to the IAM console. In the navigation pane, choose User Groups.
        2. In the user group list, select the user groups to be deleted and click Delete above the list.
        3. In the displayed dialog box, click OK.
        diff --git a/docs/iam/umn/iam_01_0552.html b/docs/iam/umn/iam_01_0552.html index 0b87079f7..c59bde154 100644 --- a/docs/iam/umn/iam_01_0552.html +++ b/docs/iam/umn/iam_01_0552.html @@ -3,12 +3,12 @@

        Logging In as an IAM User

        You can log in to the console as an IAM user or obtain the IAM user login link from the administrator and then use the link to log in.

        Method 1: Logging In by Clicking IAM User Login

        1. On the login page, enter the domain name, username/email address/mobile number, and password.

          • Domain name: The name of the account that was used to create the IAM user. You can obtain the domain name from the administrator.
          • Username/Email address/Mobile number: The username, email address, or mobile number of the IAM user. You can obtain the username and password from the administrator.
          • Password: The password of the IAM user.
          -

        2. Click Log In.

          +

        3. Click Log In.

        Method 2: Logging In Using the IAM User Login Link

        You can obtain the IAM user login link from the administrator and then log in using this link. When you visit the link, the system displays the login page and automatically populates the domain name. You only need to enter your username/email address/mobile number and password.

        -
        1. Obtain the IAM user login link from the administrator.

          Figure 1 IAM user login link
          +
          1. Obtain the IAM user login link from the administrator.

            Figure 1 IAM user login link

          2. Paste the link into the address bar of a browser, press Enter, and enter the IAM username/email address/mobile number and password, and click Log In.
        diff --git a/docs/iam/umn/iam_01_06.html b/docs/iam/umn/iam_01_06.html index b5835706c..29c155d83 100644 --- a/docs/iam/umn/iam_01_06.html +++ b/docs/iam/umn/iam_01_06.html @@ -14,7 +14,7 @@
      6. - diff --git a/docs/iam/umn/iam_01_0601.html b/docs/iam/umn/iam_01_0601.html deleted file mode 100644 index b424be334..000000000 --- a/docs/iam/umn/iam_01_0601.html +++ /dev/null @@ -1,98 +0,0 @@ - - - - - -

        Roles

        -

        Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles for permissions management.

        -

        Services on the cloud platform interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services. For more information, see Assigning Dependency Roles.

        -

        Role Content

        When using roles to assign permissions, you can select a role and click to view the details of the role. This section uses the DNS Administrator role as an example to describe the role content.

        -
        {
        -    "Version": "1.0",
        -    "Statement": [
        -        {
        -            "Action": [
        -                "DNS:Zone:*",
        -                "DNS:RecordSet:*",
        -                "DNS:PTRRecord:*"
        -            ],
        -            "Effect": "Allow"
        -        }
        -    ],
        -    "Depends": [
        -        {
        -            "catalog": "BASE",
        -            "display_name": "Tenant Guest"
        -        },
        -        {
        -            "catalog": "VPC",
        -            "display_name": "VPC Administrator"
        -        }
        -    ]
        -}
        -
        -

        Parameter Description

        -
    Table 1 Change history

    Released On

    +
    - - + + + diff --git a/docs/iam/umn/en-us_topic_0046613147.html b/docs/iam/umn/en-us_topic_0046613147.html index 21a3916ba..06c0424b5 100644 --- a/docs/iam/umn/en-us_topic_0046613147.html +++ b/docs/iam/umn/en-us_topic_0046613147.html @@ -1,13 +1,13 @@ -

    Creating an Agency (by a Delegating Party)

    +

    Creating an Agency and Assigning Permissions

    By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password or access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.

    Prerequisites

    Before creating an agency, complete the following operations:

    - +
    -

    Procedure

    1. Log in to the IAM console.
    2. On the IAM console, choose Agencies from the left navigation pane, and click Create Agency in the upper right corner.

      Figure 1 Creating an agency
      -

    3. Enter an agency name.

      Figure 2 Setting the agency name
      -

    4. Specify the agency type as Account, and enter the name of a delegated account.

      • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
      • Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Agency.
      +

      Procedure

      1. Log in to the IAM console.
      2. On the IAM console, choose Agencies from the left navigation pane, and click Create Agency in the upper right corner.

        Figure 1 Creating an agency
        +

      3. Enter an agency name.

        Figure 2 Setting the agency name
        +

      4. Specify the agency type as Account, and enter the name of a delegated account.

        • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
        • Cloud service: Delegate a specific service to access other services. For more information, see Delegating Another Service for Resource Management.

      5. Set the validity period and enter a description for the agency.
      6. Click Next.
      7. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.

        • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to an IAM User.
        • Agencies cannot be assigned the Security Administrator role. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).
        @@ -18,7 +18,7 @@
      diff --git a/docs/iam/umn/en-us_topic_0046613148.html b/docs/iam/umn/en-us_topic_0046613148.html index 1dd62ff45..a453e20a4 100644 --- a/docs/iam/umn/en-us_topic_0046613148.html +++ b/docs/iam/umn/en-us_topic_0046613148.html @@ -1,22 +1,22 @@ -

      Switching Roles (by a Delegated Party)

      -

      When an account establishes a trust relationship with your account, you become a delegated party. The IAM users that are granted agency permissions can switch to the delegating account and manage resources under the account based on the granted permissions.

      -

      Prerequisites

      • A trust relationship has been established between your account and another account.
      • You have obtained the delegating account name and agency name.
      +

      Managing Delegated Resources

      +

      When an account establishes a trust relationship with your account, you become a delegated party. The IAM users granted agency permissions can switch to the delegating domain name and manage resources under the account based on the granted permissions.

      +

      Prerequisites

      • A trust relationship has been established between another account and your account.
      • You have obtained the name of the delegating account and the agency name.
      -

      Procedure

      1. Log in to the management console using your account or log in as the IAM user created in 2.

        The IAM user created in 2 can switch roles to manage resources for the delegating party.

        +

        Procedure

        1. Log in to the management console using your account, or log in as the IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)".

          The IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)" has permission to manage agencies and switch roles.

          -

        2. Hover the mouse pointer over the username in the upper right corner and choose Switch Role.
        3. On the Switch Role page, enter the domain name of the delegating party.

          After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.

          +

        4. Move the cursor to the username in the upper right corner and choose Switch Role.
        5. On the Switch Role page, enter the domain name of the delegating party.

          After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.

          -

        6. Click OK to switch to the delegating account.
        +

      2. Click OK to switch to the delegating Domain name.
      -

      Follow-Up Procedure

      To return to your own account, hover the mouse pointer over the username in the upper right corner, choose Switch Role, and select your account.

      +

      Follow-Up Procedure

      Move the cursor to the username in the upper right corner and choose Switch Role.

      diff --git a/docs/iam/umn/en-us_topic_0046661675.html b/docs/iam/umn/en-us_topic_0046661675.html index 6ee9a8dc2..c46169fd7 100644 --- a/docs/iam/umn/en-us_topic_0046661675.html +++ b/docs/iam/umn/en-us_topic_0046661675.html @@ -4,7 +4,8 @@

      You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.

      If the job responsibilities of a user are changed, you can change the permissions assigned for that user by changing the groups which the user belongs to. You can also change the virtual MFA device and access keys of the user by choosing More > Security Settings in the row containing the target user. If a user forgot their password or access keys, you can modify the login credentials of the user.

      As an administrator, you can modify the basic information about an IAM user, change the security settings of the user and the groups to which the user belongs, and view or delete the assigned permissions. To view or modify user information, click Security Settings in the row containing the IAM user.

      -

      To adjust the item columns displayed on the list, click . The Username and Operation columns are displayed by default, and the Status column cannot be removed. You can also select Description, Last Login, Created, Access Type, Virtual MFA Device, Password Age, and Access Key (Status, Age, and AK).

      +

      To adjust the item columns displayed on the list, click . The Username and Operation columns are displayed by default, and the Status column cannot be removed. You can also select Description, Last Login, Last Activity, Created, Access Type, Virtual MFA Device, Password Age, and Access Key (Status, Age, and AK).

      +

      Last Activity displays the first login time of your account or all the IAM users who have logged in within a 5-minute span. If you just use the account to obtain a token, Last Activity shows last time there was any activity.

      Basic Information

      You can modify the basic information of IAM users, but cannot modify the basic information of your account. The username, user ID, and creation time can be viewed but cannot be modified.

      • Status: New IAM users are enabled by default. You can set Status to Disabled to disable an IAM user. A disabled user is no longer able to log in to the cloud platform through the management console or programmatic access.
      • Access Type: You can change the access type of the IAM user.
        • Pay attention to the following when you set the access type for an IAM user:
          • If you intend to enable the user to access cloud services only by using the management console, select Management console access.
          • If you intend to enable the user to access cloud services only by using programmatic access, select Programmatic access.
          • If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access.
          • If the user needs to perform access key verification when using certain services in the console, select both Programmatic access and Management console access.
          @@ -21,7 +22,7 @@
      • Remove the virtual MFA device from the user. For more information about MFA authentication and virtual MFA device, see MFA Authentication and Virtual MFA Device.
    5. -
      • Login Credentials: You can change the login password of the IAM user. For more information, see Changing the Login Password of an IAM User.
      • Login Protection: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.

        This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.

        +
        • Login Credentials: You can change the login password of the IAM user. For more information, see Modifying Security Settings for an IAM User.
        • Login Protection: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.

          This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.

        • Access Keys: You can manage access keys of the IAM user.
    diff --git a/docs/iam/umn/en-us_topic_0059870089.html b/docs/iam/umn/en-us_topic_0059870089.html index fa1ab5e17..3a97a689b 100644 --- a/docs/iam/umn/en-us_topic_0059870089.html +++ b/docs/iam/umn/en-us_topic_0059870089.html @@ -4,7 +4,7 @@
    Table 1 Change history

    Released On

    What's New

    +

    Description

    2024-07-09

    +

    2025-06-24

    +

    This release incorporates the following changes:

    +

    Added the description of Last Activity in Viewing and Modifying User Information.

    +

    2024-07-09

    This release incorporates the following change:

    Added TSI login in Table 1.

    @@ -35,13 +41,13 @@

    2023-05-26

    This release incorporates the following changes:

    - +

    2023-04-04

    This release incorporates the following changes:

    - +

    2023-02-21

    @@ -50,12 +56,12 @@

    Adjusted the structure of sections IAM Users, User Groups and Authorization, Security Settings, and Projects.

    Added section Logging In as an IAM User.

    Added section Deleting an IAM User.

    -

    Added section Changing the Login Password of an IAM User.

    -

    Added section Adding Users to or Removing Users from a User Group.

    +

    Added section Modifying Security Settings for an IAM User.

    +

    Added section Adding IAM Users to or Removing IAM Users from a User Group.

    Added section Deleting User Groups.

    -

    Added section Revoking Permissions of a User Group.

    +

    Added section Managing Permissions of a User Group.

    Added section Assigning Dependency Roles.

    -

    Added section Roles.

    +

    Modified content in section Assigning Permissions to an IAM User.

    Modified content in section Creating a User Group and Assigning Permissions.

    Modified content in section Basic Concepts.

    @@ -81,7 +87,7 @@

    2020-11-09

    This release incorporates the following changes:

    -

    Updated Creating a User Group and Assigning Permissions, Projects, Creating a User Group and Assigning Permissions, Viewing and Modifying User Group Information, Creating an Agency (by a Delegating Party), and (Optional) Assigning Permissions to an IAM User (by a Delegated Party) based on changes to the user group and agency management pages.

    +

    Updated Creating a User Group and Assigning Permissions, Projects, Creating a User Group and Assigning Permissions, Viewing and Modifying User Group Information, Creating an Agency and Assigning Permissions, and Assigning Agency Permissions to an IAM User based on changes to the user group and agency management pages.

    2020-07-21

    @@ -117,7 +123,7 @@

    2019-02-26

    This release incorporates the following change:

    -

    Added section (Optional) Assigning Permissions to an IAM User (by a Delegated Party).

    +

    Added section Assigning Agency Permissions to an IAM User.

    2018-11-22

    @@ -183,7 +189,7 @@

    2018-01-18

    This release incorporates the following changes:

    - +

    2017-10-27

    @@ -222,13 +228,13 @@

    2017-07-27

    This release incorporates the following changes:

    -
    • Added the description for the CTS Administrator permission.
    • Added the description for automatically extracting metadata and manually configuring metadata in Step 1: Create an IdP Entity.
    +
    • Added the description for the CTS Administrator permission.
    • Added the description for automatically extracting metadata and manually configuring metadata in Creating an IdP Entity.

    2017-05-26

    This release incorporates the following changes:

    -

    Added Step 1: Create an IdP Entity.

    +

    Added Creating an IdP Entity.

    2017-05-05

    @@ -240,7 +246,7 @@

    2017-04-27

    This release incorporates the following changes:

    - +

    2017-03-30

    @@ -282,7 +288,7 @@

    2016-09-30

    This release incorporates the following changes:

    -
    @@ -50,7 +50,7 @@

    Advantages of Identity Federation

    • Easy identity management

      With an identity provider, the administrator can manage workforce identities outside of the cloud platform and give these external workforce identities permissions to use resources on the cloud platform.

    • Simplified operations

      Workforce users can use their existing accounts in the enterprise to access the cloud platform through SSO.

      -
      Figure 1 Advantages of identity federation
      +
      Figure 1 Advantages of identity federation

    SSO Type

    IAM supports two SSO types: virtual user SSO and IAM user SSO. For details about how to choose an SSO type, see Application Scenarios of Virtual User SSO and IAM User SSO.

    @@ -58,7 +58,7 @@
  • IAM user SSO

    After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user.

  • Currently, IAM supports two federated login methods: browser-based SSO (web SSO) and SSO via API calling.

    -
    • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers.
    • SSO via API calling: Enterprise employees call APIs using development tools (such as OpenStack Client and ShibbolethECP Client) to access the cloud platform.
    +
    • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers.
    • API calling: Development tools (such as OpenStackClient and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access the cloud platform by calling APIs.
    Table 1 Basic concepts

    Concept

    @@ -110,7 +110,7 @@
    Table 2 Federated logins

    SSO Type

    -

    Precautions

    • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
    • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following restrictions:
      • Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
      • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.

        If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

        +

        Precautions

        • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
        • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following constraints:
          • Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
          • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.

            If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

        diff --git a/docs/iam/umn/iam_01_0003.html b/docs/iam/umn/iam_01_0003.html index d30ad0da2..2a79ecf16 100644 --- a/docs/iam/umn/iam_01_0003.html +++ b/docs/iam/umn/iam_01_0003.html @@ -7,7 +7,7 @@

        For more information, see MFA Authentication and Virtual MFA Device.

        Prerequisites

        You have installed an MFA application (for example, Google Authenticator) on your smartphone.

        -

        Procedure

        1. On the management console, hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
        2. On the My Credentials page, click Bind next to the Virtual MFA Device parameter.
        3. Go to the Bind Virtual MFA Device page.

          Figure 1 Binding a virtual MFA device
          +

          Procedure

          1. On the management console, hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
          2. On the My Credentials page, click Bind next to the Virtual MFA Device parameter.
          3. Go to the Bind Virtual MFA Device page.

            Figure 1 Binding a virtual MFA device

            The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.

            diff --git a/docs/iam/umn/iam_01_0013.html b/docs/iam/umn/iam_01_0013.html index 326149388..f645aa4b2 100644 --- a/docs/iam/umn/iam_01_0013.html +++ b/docs/iam/umn/iam_01_0013.html @@ -5,8 +5,8 @@

            Viewing IAM Audit Logs

            1. Log in to the management console.
            2. Click Service List in the upper part of the page and choose Cloud Trace Service under Management & Deployment.
            3. In the navigation pane, choose Trace List.
            4. Click Filter in the upper right corner of the trace list to set filter conditions.

              The following filters are available:
              • Trace Source, Resource Type, and Search By
                • Select a filter criteria from the drop-down list. Specifically, select IAM from the Trace Source drop-down list.
                • If you select Trace name for Search By, select a trace name.
                • If you select Resource ID for Search By, select or enter a resource ID.
                • If you select Resource name for Search By, select or enter a resource name.
              • Operator: Select an operator (a user rather than domain).
              • Trace Status: Available options include All trace statuses, normal, incident, and warning.
              • Specify the start time and end time for querying traces.
              -

            5. Click Query.
            6. Expand the details of a trace, as shown in Figure 1.

              Figure 1 Expanding trace details
              -

            7. Click View Trace in the Operation column. In the View Trace dialog box as shown in Figure 2, the trace details are displayed.

              Figure 2 Viewing a trace
              +

            8. Click Query.
            9. Expand the details of a trace, as shown in Figure 1.

              Figure 1 Expanding trace details
              +

            10. Click View Trace in the Operation column. In the View Trace dialog box as shown in Figure 2, the trace details are displayed.

              Figure 2 Viewing a trace

          diff --git a/docs/iam/umn/iam_01_0015.html b/docs/iam/umn/iam_01_0015.html index 7e1b42eef..eb43992b0 100644 --- a/docs/iam/umn/iam_01_0015.html +++ b/docs/iam/umn/iam_01_0015.html @@ -6,8 +6,6 @@

    Condition Key

    A key in the Condition element of a statement. There are global and service-level condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

    +

    A key in the Condition element of a statement. There are global and service-specific condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-specific condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

    Operator

    diff --git a/docs/iam/umn/iam_01_0017.html b/docs/iam/umn/iam_01_0017.html index 82925bf70..270656515 100644 --- a/docs/iam/umn/iam_01_0017.html +++ b/docs/iam/umn/iam_01_0017.html @@ -2,7 +2,7 @@

    Policy Syntax

    Policy Content

    A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).

    -

    +

    • Version: Distinguishes between role-based access control (RBAC) and fine-grained policies.
      • 1.0: RBAC policies, which are preset in the system and used to grant permissions for each service as a whole. After such a policy is granted to a user, the user has all permissions of the corresponding service.
      • 1.1: Fine-grained policies, which enable more refined authorization based on service APIs. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system-defined and custom policies.
        • System-defined policies: read-only and administrator permissions for different services.
        • Custom policies: created and managed by users to supplement system-defined policies. For example, you can create a custom policy to allow users only to modify ECS specifications.
    @@ -141,7 +141,7 @@

    Authentication Process

    IAM authenticates users according to the permissions granted to the users. The following diagram shows the authentication process.

    -
    Figure 1 Authentication process
    +
    Figure 1 Authentication process

    The actions in each policy bear the OR relationship.

    1. A user accesses the system and initiates an operation request.
    2. The system evaluates all the permissions policies assigned to the user.
    3. The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.
    4. If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.
    5. If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.
    diff --git a/docs/iam/umn/iam_01_0023.html b/docs/iam/umn/iam_01_0023.html index 45d19512c..f0864ce82 100644 --- a/docs/iam/umn/iam_01_0023.html +++ b/docs/iam/umn/iam_01_0023.html @@ -4,10 +4,10 @@

    You can manage users in your account and their security credentials. In addition, you can configure identity federation so that users in other systems can access the cloud platform through SSO.

    Domain

    A domain, also called an "account", is created upon successful registration with the cloud platform. The domain has full access permissions for its cloud services and resources.

    For security purposes, create a security administrator and grant them Security Administrator permissions to manage users and their permissions in your account.

    -
    Figure 1 Account management model
    +
    Figure 1 Account management model

    User

    You or other administrators can create users for employees, systems, or applications in IAM. The users can log in to the console or access APIs using their own identity credentials (passwords and access keys).

    -
    Figure 2 Relationship between an account and users
    +
    Figure 2 Relationship between an account and users

    Federated User

    Federated users access the cloud platform through identity federation.

    After being authenticated by an identity provider (IdP), users can access resources in a service provider (SP) without needing re-authentication.

    diff --git a/docs/iam/umn/iam_01_0024.html b/docs/iam/umn/iam_01_0024.html index af0ccf8d7..ca512e79a 100644 --- a/docs/iam/umn/iam_01_0024.html +++ b/docs/iam/umn/iam_01_0024.html @@ -10,7 +10,7 @@

    Granting Permissions to Other Accounts

    You (account A) can grant permissions to another account (account B) by creating an agency. Account B can then grant the Agent Operator permissions to a user so that the user can manage resources in your account (account A).

    Granting Permissions to Federated Users

    You can federate external users to IAM and grant permissions to the users to access cloud resources by creating an identity provider and identity conversion rules.

    -
    Figure 2 Identity conversion of federated users
    +
    Figure 2 Identity conversion of federated users
    diff --git a/docs/iam/umn/iam_01_0029.html b/docs/iam/umn/iam_01_0029.html index dc8309bb1..b19a7afcd 100644 --- a/docs/iam/umn/iam_01_0029.html +++ b/docs/iam/umn/iam_01_0029.html @@ -4,51 +4,50 @@

    Critical Operation Protection

    -

    Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

    +

    Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

    Federated users do not need to verify their identity when performing critical operations.

    -

    Virtual MFA Device

    An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported, and they are application programs running on smart devices such as mobile phones.

    +

    Virtual MFA Device

    An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported. They are application programs running on smart devices such as mobile phones.

    This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see MFA Authentication and Virtual MFA Device.

    Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.

    -
    1. Go to the Security Settings page.
    2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
    3. Set up the MFA application by scanning the QR code or manually entering the secret key.

      You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

      -
      • Scanning the QR code

        Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account or IAM user is then added to the application.

        -
      • Manually entering the secret key

        Open the MFA application on your mobile phone, and enter the secret key.

        -

        The user can be manually added only using time-based one-time passwords (TOTP). You are advised to enable automatic time setting on your mobile phone.

        +
        1. Go to the Security Settings page.
        2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
        3. On the displayed page, enter a device name. Only letters, digits, hyphens (-), and underscores (_) are allowed.
        4. Select an MFA device. For this example, select Virtual MFA Device and click Next.
        5. Add a virtual MFA device to your MFA application.
        6. You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

          • Scanning the QR code

            Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Add MFA Device page. Then, the MFA application automatically adds the virtual MFA device.

            +
          • Entering the secret key

            Open the MFA application on your mobile phone, and enter the secret key.

            +

            TOTP-based virtual MFA devices can only be manually added. You are advised to enable automatic time setting on your mobile device.

          -

        7. View the verification codes on the MFA application. The code is automatically updated every 30 seconds.
        8. On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
        +

      • View the dynamic verification codes on the home page of the MFA application. The code is automatically updated every 30 seconds.
      • On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.

    Login Protection

    After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

    -

    For the account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

    -
    • (Administrator) Enabling login protection for an IAM user

      To enable login protection for an IAM user, go to the Users page and choose More > Security Settings in the row that contains the IAM user. In the Login Protection area on the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.

      -
    • Enabling login protection for your account

      To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.

      +

      For an account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

      +
      • (Administrator) Enabling login protection for an IAM user

        To enable login protection for an IAM user, go to the Users page and choose Security Settings in the row that contains the IAM user. In the Login Protection area in the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device or security key. You can enable or disable API login protection as needed when you select Virtual MFA device. The option is disabled by default. API login protection asks you for both a password and a virtual MFA device to obtain an IAM user token. Without API login protection, you can obtain the token with only a password. To obtain an IAM user token, see .

        +
      • Enabling login protection for your account

        To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.

    Operation Protection

    • Enabling operation protection

      After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.

      The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.

    -
    1. Go to the Security Settings page.
    2. On the Critical Operations tab, locate the Operation Protection row and click Enable.
    3. Select Enable and then select Self-verification or Verification by another person.

      If you select Verification by another person, an identity verification is required to ensure that this verification method is available.

      -
      • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
      • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification are supported.
      +
      1. Go to the Security Settings page.
      2. On the Critical Operations tab, locate the Operation Protection row and click Enable.
      3. Select Enable and then select Self-verification or Verification by another person.

        If you select Verification by another person, an identity verification is required to ensure that this verification method is available.

        +
        • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
        • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification is supported. Virtual MFA devices are not supported.

      4. Click OK.
      • Disabling operation protection

      If operation protection is disabled, you and IAM users created using your account do not need to enter a verification code when performing a critical operation.

      -
      1. Go to the Security Settings page.
      2. On the Critical Operations tab, locate the Operation Protection row and click Change.
      3. Select Disable and click OK.
      4. Enter a verification code.

        • Self-verification: The administrator who wants to disable operation protection completes the verification. SMS, email, and virtual MFA verification are supported.
        • Verification by another person: The specified person completes the verification. Only SMS and email verification are supported.
        +
        1. Go to the Security Settings page.
        2. On the Critical Operations tab, locate the Operation Protection row and click Change.
        3. Select Disable and click OK.
        4. Enter a verification code.

          • Self-verification: The administrator who wants to disable operation protection completes the verification. Email, SMS, and virtual MFA verification are supported.
          • Verification by another person: The specified person completes the verification. Only SMS and email verification is supported. Virtual MFA devices are not supported.

        5. Click OK.
        • Each cloud service defines its own critical operations.
        • When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
          • If a user is only associated with a mobile number, only SMS verification is available.
          • If a user is only associated with an email address, only email verification is available.
          • If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate at least one of them before they can perform any critical operations.
        • You may not be able to receive email or SMS verification codes due to communication errors. In this case, you are advised to use a virtual MFA device for verification.
        • If operation protection is enabled, IAM users need to enter verification codes when performing a critical operation. The verification codes are sent to the mobile number or email address bound to the IAM users.

      Access Key Management

      • Enabling access key management

        After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.

        -

        To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

        +

        To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

      • Disabling access key management

        After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.

        -

        To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

        +

        To disable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

      Information Self-Management

      • Enabling information self-management

        By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.

        To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable in the Information Self-Management row. Select Enable, select the information types that IAM users can modify, and click OK.

        -
      • Disabling information self-management

        After you disable information self-management, only administrators can manage their own basic information. If IAM users need to modify their login password, mobile number, or email address, they can contact the administrator. For details, see Viewing and Modifying User Group Information.

        +
      • Disabling information self-management

        After you disable information self-management, only administrators can manage their own basic information. If you are an IAM user and want to change your login password, mobile number, or email address, contact the administrator. The administrator can modify the information by referring to Viewing and Modifying User Group Information.

        To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.

      @@ -62,64 +61,94 @@

    Compute

    +

    Compute

    Elastic Cloud Server (ECS)

    • Stopping, restarting, or deleting an ECS
    • Resetting the password for logging in to an ECS
    • Detaching a disk
    • Unbinding an EIP
    +
    • Stopping, restarting, or deleting an ECS
    • Resetting the password for logging in to an ECS
    • Detaching a disk
    • Unbinding an EIP
    • Changing specifications without stopping an ECS
    • Changing the OS without stopping an ECS
    • Reinstalling the OS without stopping an ECS

    Bare Metal Server (BMS)

    +

    Compute

    • Stopping or restarting a BMS
    • Resetting the BMS password
    • Detaching a disk
    • Unbinding an EIP
    +

    Bare Metal Server (BMS)

    +
    • Stopping or restarting a BMS
    • Resetting the BMS password
    • Detaching a disk
    • Unbinding an EIP

    Auto Scaling (AS)

    +

    Compute

    Deleting an AS group

    +

    Auto Scaling

    +

    Deleting an auto scaling group

    Storage

    +

    Storage

    Object Storage Service (OBS)

    • Deleting a bucket
    • Creating, editing, or deleting a bucket policy
    • Configuring an object policy
    • Creating, editing, or deleting a bucket ACL
    • Configuring access logging
    • Configuring URL validation
    • Creating or editing a bucket inventory

    Elastic Volume Service (EVS)

    +

    Storage

    Deleting an EVS disk

    +

    Elastic Volume Service (EVS)

    +
    • Deleting an EVS disk
    • Deleting a snapshot

    Cloud Backup and Recovery (CBR)

    +

    Storage

    • Deleting a vault
    • Deleting a backup
    • Restoring a backup
    • Deleting a policy
    • Dissociating a resource
    • Accepting a backup
    +

    Cloud Backup and Recovery (CBR)

    +
    • Deleting a vault
    • Deleting a backup
    • Restoring a backup
    • Deleting a policy
    • Dissociating a resource
    • Accepting a backup

    Networking

    +

    Storage

    Domain Name Service (DNS)

    +

    Scalable File Service (SFS)

    • Modifying, disabling, or deleting a record set
    +

    Deleting an SFS Turbo file system

    Virtual Private Cloud (VPC)

    +

    Containers

    • Releasing or unbinding an EIP
    • Deleting a VPC peering connection
    • Security group operations
      • Deleting an inbound or outbound rule
      • Modifying an inbound or outbound rule
      • Batch deleting inbound or outbound rules
      +

    Application Orchestration Service (AOS)

    +
    • Deleting a stack
    +

    Network

    +

    Virtual Private Cloud (VPC)

    +
    • Releasing or unbinding an EIP
    • Deleting a VPC peering connection
    • Security group operations
      • Deleting an inbound or outbound rule
      • Modifying an inbound or outbound rule
      • Batch deleting inbound or outbound rules

    Elastic Load Balance (ELB)

    +

    Network

    • Shared load balancers
      • Deleting a load balancer
      • Deleting a listener
      • Deleting a certificate
      • Removing a backend server
      • Unbinding an EIP
      • Unbind a public or private IPv4 address
      -
    • Dedicated load balancers
      • Deleting a load balancer
      • Deleting a listener
      • Deleting a certificate
      • Removing a backend server
      • Unbinding an EIP
      • Unbind a public or private IPv4 address
      • Unbinding an IPv6 address
      • Removing from IPv6 shared bandwidth
      +

    Elastic Load Balance (ELB)

    +
    • Shared load balancers
      • Deleting a load balancer
      • Deleting a listener
      • Deleting a certificate
      • Removing a backend server
      • Unbinding an EIP
      • Unbinding a public or private IPv4 address
      +
    • Dedicated load balancers
      • Deleting a load balancer
      • Deleting a listener
      • Deleting a certificate
      • Removing a backend server
      • Unbinding an EIP
      • Unbinding a public or private IPv4 address
      • Unbinding an IPv6 address
      • Removing from IPv6 shared bandwidth

    Elastic IP (EIP)

    +

    Network

    • Deleting a shared bandwidth
    • Releasing or unbinding an EIP
    • Batch releasing or unbinding EIPs
    +

    Elastic IP (EIP)

    +
    • Deleting a shared bandwidth
    • Releasing or unbinding an EIP
    • Batch releasing or unbinding EIPs
    +

    Network

    +

    NAT Gateway (NAT)

    +
    • Private NAT gateways
      • Deleting an SNAT rule
      • Deleting a DNAT rule
      • Releasing a transit IP address
      +
    • Public NAT gateways
      • Deleting an SNAT rule
      • Deleting a DNAT rule
      +

    Management & Deployment

    @@ -129,25 +158,56 @@
    • Disabling operation protection
    • Disabling login protection
    • Changing the mobile number
    • Changing the email address
    • Changing the login password
    • Changing the login authentication method
    • Deleting an IAM user
    • Disabling an IAM user
    • Deleting an agency
    • Deleting a user group
    • Deleting a policy
    • Deleting permissions
    • Creating an access key
    • Deleting an access key
    • Disabling an access key
    • Deleting a project
    • Modifying the status of access key management

    Application

    +

    Management & Deployment

    Simple Message Notification (SMN)

    +
    • Deleting a topic
    • Deleting a subscription
    • Deleting a message template
    • Deleting a subscriber
    +

    Distributed Cache Service (DCS)

    • Resetting the password of a DCS instance
    • Deleting a DCS instance
    • Clearing DCS instance data
    +
    • Resetting the password
    • Deleting a DCS instance
    • Clearing DCS instance data
    +

    Distributed Message Service (DMS) for Kafka

    +

    Deleting an instance

    +

    Distributed Message Service (DMS) for RabbitMQ

    +

    Deleting an instance

    +

    Distributed Message Service (DMS) for RocketMQ

    +

    Deleting an instance

    Database

    RDS for MySQL

    • Resetting the administrator password
    • Deleting a DB instance
    • Deleting a database backup
    • Switching between primary and standby DB instances
    • Changing the database port
    • Deleting a database account
    • Deleting a database
    • Unbinding an EIP
    • Downloading a full backup
    +
    • Resetting the administrator password
    • Deleting a DB instance
    • Deleting a database backup
    • Switching between primary and standby DB instances
    • Changing the database port
    • Deleting a database account
    • Deleting a database
    • Unbinding an EIP
    • Downloading a full backup
    • Downloading a Binlog backup
    • Changing a private domain name
    • Changing a public domain name
    • Modifying a host IP address
    • Stopping an instance
    • Starting an instance
    • Restarting an instance
    • Resetting a password for a database account
    +

    Database

    +

    RDS for SQL Server

    +
    • Resetting the administrator password
    • Deleting a DB instance
    • Deleting a database backup
    • Switching between primary and standby nodes
    • Changing the database port
    • Deleting a database
    • Changing a floating IP address
    • Changing a private domain name
    • Changing a public domain name
    • Unbinding an EIP
    • Stopping an instance
    • Starting an instance
    • Restarting an instance
    • Downloading a full backup
    • Changing a private domain name
    • Downloading an incremental backup file
    • Restoring a DB instance from a backup file
    • Restoring a DB instance to a point in time

    Database

    Document Database Service (DDS)

    • Resetting the password
    • Restarting or deleting a DB instance
    • Restarting a node
    • Switching the primary and secondary nodes of a replica set
    • Deleting a security group rule
    • Enabling IP addresses of shard and config nodes
    • Restoring the current DB instance from a backup
    • Restoring an existing DB instance from a backup
    +
    • Resetting the password
    • Restarting or deleting a DB instance
    • Restarting a node
    • Switching the primary and secondary nodes of a replica set
    • Deleting a security group rule
    • Enabling IP addresses of shard and config nodes
    • Restoring the current DB instance from a backup
    • Restoring an existing DB instance from a backup
    • Restoring instance- and table-level backups
    • Applying for a private domain name
    • Upgrading a minor version
    • Changing an AZ
    • Deleting a backup
    • Downloading backups
    • Deleting a read replica
    - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Table 1 Parameter description

    Parameter

    -

    Description

    -

    Value

    -

    Version

    -

    Role version.

    -

    1.0: indicates role-based access control.

    -

    Statement

    -

    Action

    -

    Operations to be performed on the service.

    -

    Format: "Service name:Resource type:Operation".

    -

    DNS:Zone:*: Permissions for performing all operations on Domain Name Service (DNS) zones.

    -

    Effect

    -

    Determines whether to allow or deny the operations defined in the action.

    -
    • Allow
    • Deny
    -
    NOTE:

    If a role grants both Allow and Deny effects for the same action, the Deny takes precedence.

    -
    -

    Depends

    -

    catalog

    -

    Name of the service to which a dependency role belongs.

    -

    Service name. Example: BASE and VPC.

    -

    display_name

    -

    Name of the dependency role.

    -

    Role name.

    -
    NOTE:

    When you assign the DNS Administrator role to a user group, you also need to assign the Tenant Guest and VPC Administrator roles to the group for the same project.

    -

    For more information about dependencies, see "Permissions".

    -
    -
    -
    - - -
    - -
    - diff --git a/docs/iam/umn/iam_01_0607.html b/docs/iam/umn/iam_01_0607.html index 90c322a50..7abc90bc9 100644 --- a/docs/iam/umn/iam_01_0607.html +++ b/docs/iam/umn/iam_01_0607.html @@ -4,17 +4,17 @@

    Password Policy

    -

    The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.

    -

    Only the administrator can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

    -

    You can configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.

    +

    The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.

    +

    Only the administrator and an entrusted identity can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

    +

    The administrator or an entrusted identity should configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.

    Password Composition & Reuse

    • Ensure that the password contains 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
    • Set the minimum number of characters that a password must contain. The default value is 6 and the value range is from 6 to 32.
    • (Optional) Enable the Restrict consecutive identical characters option and set the maximum number of times that a character is allowed to be consecutively present in a password. For example, value 1 indicates that consecutive identical characters are not allowed in a password.
    • (Optional) Enable the Disallow previously used passwords option and set the number of previously used passwords that are not allowed. For example, value 3 indicates that the user cannot set the last three passwords that the user has previously used when setting a new password.

    Changes to the password policy take effect the next time you or your IAM users change passwords. The new password policy will also apply to IAM users created later.

    Password Expiration

    Set a validity period for passwords so that users need to change their passwords periodically. The users will be prompted to change their passwords 15 days before password expiration. Expired passwords cannot be used to log in to the cloud platform.

    -

    This option is disabled by default. The validity period ranges from 1 to 180 days.

    +

    This option is disabled by default. It can be enabled by the administrator or an entrusted identity. The validity period range is from 1 day to 180 days.

    The changes will take effect immediately for your account and all IAM users under your account.

    -

    After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old password.

    +
    • After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old one.
    • The password validity period policy applies only to console login. The operations of obtaining a user token through password authentication are not restricted by this policy.

    Minimum Password Age

    To prevent password loss due to frequent password changes, you can set a minimum period after which users are allowed to make a password change.

    This option is disabled by default. The validity period ranges from 0 to 1,440 minutes.

    diff --git a/docs/iam/umn/iam_01_0653.html b/docs/iam/umn/iam_01_0653.html index d01abaf58..fae047a17 100644 --- a/docs/iam/umn/iam_01_0653.html +++ b/docs/iam/umn/iam_01_0653.html @@ -3,12 +3,26 @@ -

    Changing the Login Password of an IAM User

    -

    As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.

    -

    To reset the login password of an IAM user, click Security Settings in the row containing the user, click next to Login Password in the Login Credentials area, and select a password type.

    -
    • You can reset the password of an IAM user on the Security Settings page.
    • IAM users can change their passwords on the Basic Information tab.
    +

    Modifying Security Settings for an IAM User

    +

    As an administrator, you can modify the password, MFA device, login protection, and access keys of an IAM user.

    +

    Constraints

    • IAM users can change their passwords on the Basic Information tab.
    • By default, only the IAM user's MFA device can be changed on the Security Settings tab. The MFA device of the account cannot be changed. To change the MFA device of the account, grant the permissions needed to add and unbind the MFA device.
    • The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.
    +
    +

    Changing the Password of an IAM User

    As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.

    +
    +
    1. Log in to the IAM console as the administrator.
    2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
    3. Click the Security Settings tab. In the Login Credentials area, click in the Login Password row to reset the login password for the IAM user.

      • Set by user: A one-time login URL will be emailed to the user. The user can then click the link to set a password.
      • Automatically generated: A password will be automatically generated and then sent to the user by email.
      • Set now: You set a new password and send the new password to the user.
      +

    +

    Changing the MFA Device for an IAM User

    You can only change the MFA device for an IAM user, but not for the account.

    +
    1. Log in to the IAM console as the administrator.
    2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
    3. Click the Security Settings tab and change the MFA device of the IAM user.

      • Change the mobile number or email address of the user.

        The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.

        -
        • Set by user: A one-time login URL will be emailed to the user. The user can then click on the link to set a password.
        • Automatically generated: A password will be automatically generated and then sent to the user by email.
        • Set now: You set a new password and send the new password to the user.
        +
      • Reset the MFA device for a user. For more information about MFA and virtual MFA device, see MFA Authentication and Virtual MFA Device.
      +

    +
    +

    Modifying the Login Protection Configuration for an IAM User

    Login protection is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.

    +
    1. Log in to the IAM console as the administrator.
    2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
    3. Click the Security Settings tab and modify the login protection configuration of the IAM user. This option is disabled by default. You can choose from the following methods for secondary verification:

      • SMS
      • Email address
      • Virtual MFA device
      +

    +
    +

    Related Operations

    +
    -

    Related Operations

    • Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata configuration, and identity conversion rules.

      To modify the configuration of an IdP, click Modify at the bottom of the details page.

      +

      Related Operations

      • Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.

        To modify the configuration of an IdP, click Modify at the bottom of the details page.

        -
      • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
      • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.
      +
    • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
    • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click OK in the displayed dialog box.
    -

    Follow-Up Procedure

    • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
    • Configure identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Step 3: Configure Identity Conversion Rules.
    • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Step 4: Verify the Federated Login.
    +

    Follow-Up Procedure

    • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
    • Configure identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Configuring Identity Conversion Rules.
    • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Verifying the Login.
    diff --git a/docs/iam/umn/iam_08_0004.html b/docs/iam/umn/iam_08_0004.html
    index 6888535f2..eb08389a8 100644
    --- a/docs/iam/umn/iam_08_0004.html
    +++ b/docs/iam/umn/iam_08_0004.html
    @@ -1,15 +1,15 @@ -

    Step 3: Configure Identity Conversion Rules

    +

    Configuring Identity Conversion Rules

    After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user on the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.

    You can configure the following parameters for federated users:

    • Username: Usernames of federated users in the cloud platform.
    • User permissions: Permissions assigned to federated users in the cloud platform. You need to map the federated users to IAM user groups. In this way, the federated users can obtain the permissions of the user groups to use cloud resources. Ensure that user groups have been created. For details about how to create a user group, see Creating a User Group and Assigning Permissions.
    • Modifications to identity conversion rules will take effect the next time federated users log in.
    • To modify the permissions of a user, modify the permissions of the user group which the user belongs to. Then restart the enterprise IdP for the modifications to take effect.
    -

    Prerequisites

    +

    Prerequisites

    -

    Procedure

    If you configure identity conversion rules by clicking Create Rule, IAM will convert your specified parameters to the JSON format. Alternatively, you can click Edit Rule to directly configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.

    -
    • Creating Rules
      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
      2. In the IdP list, click Modify in the row containing the IdP.
      3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
        +

        Procedure

        If you configure identity conversion rules by clicking Create Rule, IAM converts your specified parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.

        +
        • Creating Rules
          1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
          2. In the IdP list, click Modify in the row containing the IdP.
          3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
            -
            @@ -31,7 +31,7 @@ -
            @@ -48,11 +48,12 @@
            Table 1 Parameter description

            Parameter

            Description

            @@ -22,8 +22,8 @@

            Username of federated users in the cloud platform.

            To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

            -
            NOTICE:
            • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
            • The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
            +

            To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

            +
            NOTICE:
            • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
            • The username can be any string that does not contain <, >, {, or }, or you can use a placeholder {0..n}. {0} indicates the first attribute of the user information in remote, and {1} indicates the second attribute.

            User groups which the federated users belong to in the cloud platform.

            The federated users will inherit permissions from the groups to which they belong. You can select a user group that has already been created.

            +

            The federated users will inherit permissions from their user groups. You can select a user group that has already been created.

            Rule Conditions

            @@ -39,8 +39,8 @@

            Conditions that a federated user must meet to obtain permissions from the selected user groups.

            Federated users who do not meet these conditions cannot access the cloud platform. You can create a maximum of 10 conditions for an identity conversion rule.

            -

            The Attribute and Value parameters are used for the enterprise IdP to transfer user information to the cloud platform through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.

            -
            NOTE:
            • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
            • An IdP can have multiple identity conversion rules. If a federated user does not meet any of the conditions, the user will be denied to access the cloud platform.
            +

            The Attribute and Value parameters are used for the enterprise IdP to transfer user information to the cloud platform through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.

            +
            NOTE:
            • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
            • An IdP can have multiple identity conversion rules. If none of the rules apply to a federated user, the federated user is not allowed to access the cloud platform.
            +

            For example, set an identity conversion rule for administrators in the enterprise management system.

            -
            • Username: FederationUser-IdP_admin
            • User group: admin
            • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

              Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

              +
              • Username: FederationUser-IdP_admin
              • User group: admin
              • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

                Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

            • In the Create Rule dialog box, click OK.
            • On the Modify Identity Provider page, click OK.
          -
        • Editing Rules
          1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
          2. In the IdP list, click Modify in the row containing the IdP.
          3. In the Identity Conversion Rules area, click Edit Rule.
          4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
          5. Click Validate to verify the syntax of the rules.
          6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

            If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

            +
          7. Editing Rules
            1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
            2. In the IdP list, click Modify in the row containing the IdP.
            3. In the Identity Conversion Rules area, click Edit Rule.
            4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
            5. Click Validate to verify the syntax of the rules.
            6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

              If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

        diff --git a/docs/iam/umn/iam_08_0005.html b/docs/iam/umn/iam_08_0005.html
        index 39c012cd9..5e1d4204d 100644
        --- a/docs/iam/umn/iam_08_0005.html
        +++ b/docs/iam/umn/iam_08_0005.html
        @@ -1,12 +1,12 @@ -

        (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP

        +

        Configuring a Federated Login Entry in the Enterprise IdP

        Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

        -

        Prerequisites

        • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
        • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
        +

        Prerequisites

        • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Creating an IdP Entity.
        • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
        -

        Procedure

        1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
        2. Click View in the row containing the IdP.

          Figure 1 Viewing IdP details
          -

        3. Copy the login link by clicking in the Login Link row.

          Figure 2 Copying the login link
          -

        4. Add the following statement to the page file of the enterprise management system:

          <a href="<Login link>"> Cloud platform login entry </a>
          +

          Procedure

          1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
          2. Click View in the row containing the IdP.

            Figure 1 Viewing IdP details
            +

          3. Copy the login link by clicking in the Login Link row.

            Figure 2 Copying the login link
            +

          4. Add the following statement to the page file of the enterprise management system:

            <a href="<Login link>"> Cloud platform login entry </a>

          5. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
        diff --git a/docs/iam/umn/iam_08_0007.html b/docs/iam/umn/iam_08_0007.html
        index 4d269ab0a..d08eec4aa 100644
        --- a/docs/iam/umn/iam_08_0007.html
        +++ b/docs/iam/umn/iam_08_0007.html
        @@ -1,12 +1,12 @@ -

        (Optional) Step 3: Configure Login Link in the Enterprise Management System

        +

        Configuring a Federated Login Entry in the Enterprise IdP

        Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

        -

        Prerequisites

        • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
        • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
        +

        Prerequisites

        • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Creating an IdP Entity.
        • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
        -

        Procedure

        1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
        2. Click View in the row containing the IdP.

          Figure 1 Viewing IdP details
          -

        3. Copy the login link by clicking in the Login Link row.

          Figure 2 Copying the login link
          -

        4. Add the following statement to the page file of the enterprise management system:

          <a href="<Login link>"> Cloud platform login entry </a>
          +

          Procedure

          1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
          2. Click View in the row containing the IdP.

            Figure 1 Viewing IdP details
            +

          3. Copy the login link by clicking in the Login Link row.

            Figure 2 Copying the login link
            +

          4. Add the following statement to the page file of the enterprise management system:

            <a href="<Login link>"> Cloud platform login entry </a>

          5. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
        diff --git a/docs/iam/umn/iam_08_0008.html b/docs/iam/umn/iam_08_0008.html
        index 9b5ab3454..ce690fa92 100644
        --- a/docs/iam/umn/iam_08_0008.html
        +++ b/docs/iam/umn/iam_08_0008.html
        @@ -1,14 +1,14 @@ -

        Step 2: Configure Identity Conversion Rules

        -

        Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:

        +

        Configuring Identity Conversion Rules

        +

        Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:

        • Display enterprise users with different names in the cloud platform.
        • Assign permissions to enterprise users to use the cloud platform resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.
        • Modifications to identity conversion rules will take effect the next time federated users log in.
        • To modify the permissions of a user, modify the permissions of the user group which the user belongs to. Then restart the enterprise IdP for the modifications to take effect.
        -

        Prerequisites

        An IdP entity has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP entity, see Step 1: Create an IdP Entity.)

        +

        Prerequisites

        An IdP entity has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP entity, see Creating an IdP Entity.)

        Procedure

        If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.

        -
        • Creating Rules
          1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
          2. In the IdP list, click Modify in the row containing the IdP.
          3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
            +
            • Creating Rules
              1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
              2. In the IdP list, click Modify in the row containing the IdP.
              3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                -
                @@ -38,7 +38,7 @@
                @@ -47,15 +47,15 @@

                For example, set an identity conversion rule for administrators in the enterprise management system.

                -
                • Username: FederationUser-IdP_admin
                • User group: admin
                • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

                  Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

                  +
                  • Username: FederationUser-IdP_admin
                  • User group: admin
                  • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

                    Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

                • In the Create Rule dialog box, click OK.
                • On the Modify Identity Provider page, click OK.
                • -
                • Editing Rules
                  1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                  2. In the IdP list, click Modify in the row containing the IdP.
                  3. In the Identity Conversion Rules area, click Edit Rule.
                  4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                  5. Click Validate to verify the syntax of the rules.
                  6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                    If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                    +
                  7. Editing Rules
                    1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                    2. In the IdP list, click Modify in the row containing the IdP.
                    3. In the Identity Conversion Rules area, click Edit Rule.
                    4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                    5. Click Validate to verify the syntax of the rules.
                    6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                      If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                Verifying Federated User Permissions

                After configuring identity conversion rules, verify the permissions of federated users.

                -
                1. Log in as a federated user.

                  On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                  +
                  1. Log in as a federated user.

                    On the Identity Providers page of the , click View in the row containing the IdP. Click to copy the login link displayed on the IdP details page, open the link using a browser, and then enter the username and password used in the enterprise management system.

                  2. Check that the federated user has the permissions assigned to their user group.

                    For example, configure an identity conversion rule to map federated user ID1 to the admin user group so that ID1 will have full permissions for all cloud services. On the management console, select a cloud service, and check if you can access the service.

                diff --git a/docs/iam/umn/iam_08_0009.html b/docs/iam/umn/iam_08_0009.html
                index 95441e03c..a7caa7812 100644
                --- a/docs/iam/umn/iam_08_0009.html
                +++ b/docs/iam/umn/iam_08_0009.html
                @@ -1,20 +1,20 @@ -

                Step 1: Create an IdP Entity

                +

                Creating an IdP Entity

                To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On the IAM console, create an IdP entity and configure authorization information.

                Prerequisites

                • The enterprise administrator has created an account on the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
                • The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain an enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.
                -

                Creating OAuth 2.0 Credentials in the Enterprise IdP

                1. Set redirect URIs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
                2. Obtain OAuth 2.0 credentials of the enterprise IdP.
                +

                Creating OAuth 2.0 Credentials in the Enterprise IdP

                1. Set redirect URIs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
                2. Obtain OAuth 2.0 credentials of the enterprise IdP.

                Creating an IdP Entity on the Cloud Platform

                Create an IdP entity and configure authorization information in IAM to establish a trust relationship between the enterprise IdP and IAM.

                -
                1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

                  Figure 1 Creating an IdP entity
                  -

                2. Enter an IdP name, select OpenID Connect and Enabled, and click OK.

                  Figure 2 Setting IdP parameters
                  +
                  1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

                    Figure 1 Creating an IdP entity
                    +

                  2. Enter an IdP name, select OpenID Connect and Enabled, and click OK.

                    Figure 2 Setting IdP parameters

                    The IdP name must be unique under your account. You are advised to use the domain name.

                -

                Configuring Authorization Information in the Cloud Platform

                1. Click Modify in the Operation column of the row containing the IdP you want to modify.

                  Figure 3 Modifying an IdP
                  -

                2. Select an access type.

                  Figure 4 Access type
                  +

                  Configuring Authorization Information in the Cloud Platform

                  1. Click Modify in the Operation column of the row containing the IdP you want to modify.

                    Figure 3 Modifying an IdP
                    +

                  2. Select an access type.

                    Figure 4 Access type
                Table 1 Parameter description

                Parameter

                Description

                @@ -21,8 +21,8 @@

                Username of federated users in the cloud platform.

                To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

                -
                NOTICE:
                • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                • The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
                +

                To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

                +
                NOTICE:
                • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                • The username can be any string that does not contain <, >, {, or }, or you can use a placeholder {0..n}. {0} indicates the first attribute of the user information in remote, and {1} indicates the second attribute.

                Conditions that a federated user must meet to obtain permissions from the selected user groups.

                Federated users who do not meet these conditions cannot access the cloud platform. You can create a maximum of 10 conditions for an identity conversion rule.

                -
                NOTE:
                • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
                • An IdP can have multiple identity conversion rules. If a federated user does not meet any of the conditions, the user will be denied to access the cloud platform.
                +
                NOTE:
                • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
                • An IdP can have multiple identity conversion rules. If none of the rules apply to a federated user, the federated user is not allowed to access the cloud platform.
                @@ -93,18 +93,18 @@

              4. Click OK.
              5. -

                Verifying the Federated Login

                1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.

                  1. On the Identity Providers page, click Modify in the Operation column of the identity provider.
                  2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
                    Figure 5 Copying the login link
                    +

                    Verifying the Federated Login

                    1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.

                      1. On the Identity Providers page of the , click Modify in the Operation column of the identity provider.
                      2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
                        Figure 5 Copying the login link
                      3. If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.

                    2. Enter the username and password of a user that was created in the enterprise management system.

                      • If the login is successful, add the login link to the enterprise management system.
                      • If the login fails, check the username and password.
                      -

                      Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Step 2: Configure Identity Conversion Rules.

                      +

                      Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Configuring Identity Conversion Rules.

                    -

                    Related Operations

                    • Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata configuration, and identity conversion rules.

                      To modify the configuration of an IdP, click Modify at the bottom of the details page.

                      +

                      Related Operations

                      • Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.

                        To modify the configuration of an IdP, click Modify at the bottom of the details page.

                        -
                      • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
                      • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.
                      +
                    • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
                    • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click OK in the displayed dialog box.
                    -

                    Follow-Up Procedure

                    +

                    Follow-Up Procedure

                    diff --git a/docs/iam/umn/iam_08_0010.html b/docs/iam/umn/iam_08_0010.html
index 6d8029ceb..74055f9bc 100644
--- a/docs/iam/umn/iam_08_0010.html
+++ b/docs/iam/umn/iam_08_0010.html
@@ -9,7 +9,7 @@
                    1. Create an IdP entity and establish a trust relationship: Create OAuth 2.0 credentials in the enterprise IdP. On the cloud platform, create an IdP entity and establish a trust relationship between the two systems.
                    2. Configure identity conversion rules: Configure identity conversion rules on the cloud platform to map the users, user groups, and permissions in the enterprise IdP to the cloud platform.
                    3. Configure a federated login entry: Configure the login link in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.

                    How Identity Federation Works

                    Figure 1 shows the identity federation process between an enterprise management system and the cloud platform.

                    -
                    Figure 1 How identity federation works
                    +
                    Figure 1 How identity federation works

                    The process of identity federation is as follows:

                    1. A user opens the login link obtained from the IAM console in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the configuration of the enterprise IdP and constructs an OpenID Connect request to the browser.
                    3. The browser forwards the OpenID Connect request to the enterprise IdP.
                    4. The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
                    5. The browser responds and forwards the OpenID Connect response to the cloud platform.
                    6. The cloud platform parses the ID token in the OpenID Connect response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The SSO login is successful.
                    diff --git a/docs/iam/umn/iam_08_0021.html b/docs/iam/umn/iam_08_0021.html
index 5d4494aae..6407dfd9e 100644
--- a/docs/iam/umn/iam_08_0021.html
+++ b/docs/iam/umn/iam_08_0021.html
@@ -8,14 +8,14 @@

                    Ensure that your enterprise IdP supports SAML 2.0.

                    Configuring Identity Federation

                    The following describes how to configure your enterprise IdP and the cloud platform to trust each other.

                    -
                    Figure 1 Configuration of virtual user SSO via SAML
                    -
                    1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                      Figure 2 Exchanging metadata files
                      -
                    2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                    3. Configure identity conversion rules: Configure identity conversion rules to determine the IdP user identities and permissions on the cloud platform.
                      Figure 3 Mapping external identities to virtual users
                      -
                    4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                    5. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                      Figure 4 SSO login model
                      +
                      Figure 1 Configuration of virtual user SSO via SAML
                      +
                      1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                        Figure 2 Exchanging metadata files
                        +
                      2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                      3. Configure identity conversion rules: Configure identity conversion rules to determine the IdP user identities and permissions on the cloud platform.
                        Figure 3 Mapping external identities to virtual users
                        +
                      4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                      5. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                        Figure 4 SSO login model

                    How Identity Federation Works

                    Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.

                    -
                    Figure 5 How identity federation works
                    +
                    Figure 5 How identity federation works

                    To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.

                    As shown in Figure 5, the process of identity federation is as follows:

                    diff --git a/docs/iam/umn/iam_08_0022.html b/docs/iam/umn/iam_08_0022.html
index 5ac0d79b3..c983fe84e 100644
--- a/docs/iam/umn/iam_08_0022.html
+++ b/docs/iam/umn/iam_08_0022.html
@@ -6,11 +6,11 @@
diff --git a/docs/iam/umn/iam_08_0025.html b/docs/iam/umn/iam_08_0025.html
index bf72d4c6a..fce97a3c5 100644
--- a/docs/iam/umn/iam_08_0025.html
+++ b/docs/iam/umn/iam_08_0025.html
@@ -3,17 +3,16 @@
-

                    Step 4: Verify the Federated Login

                    +

                    Verifying the Login

                    Verifying the Federated Login

                    Federated users can initiate a login from the IdP or SP.

                    • Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
                    • Initiating a login from the SP (the cloud platform). You can obtain the login link from the IdP details page on the IAM console.

                    The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.

                    1. Log in as a federated user.

                      On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                      -

                      -
                      Figure 1 Login link
                      +
                      Figure 1 Login link

                    2. Check that the federated user has the permissions assigned to their user group.

                    Redirecting to a Specified Region or Service

                    You can specify the target page which the federated user will be redirected to after login.

                    -
                    • Configuring the login link on the SP

                      Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.

                      +
                      • Configuring the login link on the SP

                        Combine the login link obtained from the console with the specified URL encoded using UrlEncode. The combination format is Login link&service=Specified URL encoded using UrlEncode.

                      • Configuring the login link on the IdP

                        Configure IAM_SAML_Attributes_redirect_url (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                    diff --git a/docs/iam/umn/iam_08_0252.html b/docs/iam/umn/iam_08_0252.html
index 1963fc074..e7a3f632a 100644
--- a/docs/iam/umn/iam_08_0252.html
+++ b/docs/iam/umn/iam_08_0252.html
@@ -3,7 +3,7 @@
-

                    Step 2: Configure the Enterprise IdP

                    +

                    Configuring an Enterprise IdP

                    You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information and identity conversion rules.

                    Common Parameters in an Enterprise IdP

                Table 1 Access type description

                Access Type

                Table 1 Common parameters in an enterprise IdP

                Parameter

                diff --git a/docs/iam/umn/iam_08_0253.html b/docs/iam/umn/iam_08_0253.html
index af28a4f0a..4f27efa9c 100644
--- a/docs/iam/umn/iam_08_0253.html
+++ b/docs/iam/umn/iam_08_0253.html
@@ -9,15 +9,15 @@
diff --git a/docs/iam/umn/iam_08_0254.html b/docs/iam/umn/iam_08_0254.html
index dfd296889..740915055 100644
--- a/docs/iam/umn/iam_08_0254.html
+++ b/docs/iam/umn/iam_08_0254.html
@@ -9,14 +9,14 @@

                Ensure that your enterprise IdP supports SAML 2.0.

                Configuring Identity Federation

                The following describes how to configure your enterprise IdP and the cloud platform to trust each other.

                -
                Figure 1 Configuration of IAM user SSO via SAML
                -
                1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                  Figure 2 Exchanging metadata files
                  -
                2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                3. Configure an external identity ID: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
                  Figure 3 Mapping external identities to IAM users
                  -
                4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                5. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                  Figure 4 SSO login model
                  +
                  Figure 1 Configuration of IAM user SSO via SAML
                  +
                  1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                    Figure 2 Exchanging metadata files
                    +
                  2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                  3. Configure an external identity ID: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
                    Figure 3 Mapping external identities to IAM users
                    +
                  4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                  5. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                    Figure 4 SSO login model

                How Identity Federation Works

                Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.

                -
                Figure 5 How identity federation works
                +
                Figure 5 How identity federation works

                To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.

                As shown in Figure 5, the process of identity federation is as follows:
                1. A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
                2. The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
                3. The browser forwards the SAML request to the enterprise IdP.
                4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
                5. The browser responds and forwards the SAML response to the cloud platform.
                6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                7. The SSO login is successful.
                diff --git a/docs/iam/umn/iam_08_0255.html b/docs/iam/umn/iam_08_0255.html
index dc533a831..222506996 100644
--- a/docs/iam/umn/iam_08_0255.html
+++ b/docs/iam/umn/iam_08_0255.html
@@ -3,7 +3,7 @@
-

                Step 1: Create an IdP Entity

                +

                Creating an IdP Entity

                To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create an IdP entity and upload the metadata file of the enterprise IdP on the IAM console.

                Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform

                Configure the metadata file of the cloud platform on the enterprise IdP to establish a trust.

                1. Download the metadata file of the cloud platform.

                Creating an IdP Entity on the Cloud Platform

                To create an IdP entity on the IAM console, do as follows:

                -
                1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

                  Figure 1 Creating an IdP entity
                  -

                2. Specify the name, protocol, SSO type, status, and description of the IdP entity.

                  Figure 2 Setting IdP parameters
                  +
                  1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

                    Figure 1 Creating an IdP entity
                    +

                  2. Specify the name, protocol, SSO type, status, and description of the IdP entity.

                    Figure 2 Setting IdP parameters
                    @@ -49,12 +49,12 @@

                    Configuring the Metadata File of the Enterprise IdP on the Cloud Platform

                    You can upload the metadata file or manually edit metadata on the IAM console. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.

                    For details about how to obtain the metadata file of an enterprise IdP, see the help documentation of the enterprise IdP.

                    -
                    • Upload a metadata file.
                      1. Click Modify in the row containing the IdP.
                        Figure 3 Modifying an IdP
                        -
                      2. Click Select File and select the metadata file of the enterprise IdP.
                        Figure 4 Uploading a metadata file
                        +
                        • Upload a metadata file.
                          1. Click Modify in the row containing the IdP.
                            Figure 3 Modifying an IdP
                            +
                          2. Click Select File and select the metadata file of the enterprise IdP.
                            Figure 4 Uploading a metadata file
                          3. Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
                            • If the uploaded metadata file contains multiple IdPs, select the IdP you want to use from the Entity ID drop-down list.
                            • If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
                          4. Click OK to save the settings.
                        -
                        • Manually configure metadata.
                          1. Click Manually configure.
                            Figure 5 Manually configuring metadata
                            +
                            • Manually configure metadata.
                              1. Click Manually configure.
                                Figure 5 Manually configuring metadata
                              2. In the Configure Metadata dialog box, set the metadata parameters, such as Entity ID, Signing Certificate, and SingleSignOnService.
                    Table 1 Basic parameters of an IdP

                    Parameter

                    @@ -120,7 +120,7 @@

                    Parameter

                    The following example shows the metadata file of an enterprise IdP and the manually configured metadata.

                    -
                    Figure 6 Metadata file of an enterprise IdP
                    +
                    Figure 6 Metadata file of an enterprise IdP
                  3. Click OK to save the settings.
                diff --git a/docs/iam/umn/iam_08_0256.html b/docs/iam/umn/iam_08_0256.html
index 65d485bf6..093bdbab0 100644
--- a/docs/iam/umn/iam_08_0256.html
+++ b/docs/iam/umn/iam_08_0256.html
@@ -3,7 +3,7 @@
-

                Step 2: Configure the Enterprise IdP

                +

                Configuring an Enterprise IdP

                You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information.

                If the SSO type is IAM user, the enterprise IdP must have the IAM_SAML_Attributes_xUserId assertion configured.

                @@ -21,7 +21,7 @@

                ID of an enterprise IdP user (federated user)

                This parameter is mandatory when the SSO type is IAM user.

                -

                Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.

                +

                Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.

                IAM_SAML_Attributes_redirect_url

                diff --git a/docs/iam/umn/iam_08_0257.html b/docs/iam/umn/iam_08_0257.html
index 021a7beb8..3bfde2ff6 100644
--- a/docs/iam/umn/iam_08_0257.html
+++ b/docs/iam/umn/iam_08_0257.html
@@ -3,14 +3,14 @@
-

                Step 3: Configure an External Identity ID

                +

                Configuring an External Identity ID

                For the IAM user SSO type, you must configure an external identity ID for the IAM user which the federated user maps to on the cloud platform. The external identity ID must be the same as the IAM_SAML_Attributes_xUserId value of the enterprise IdP user (federated user). You can create an IAM user and configure an external identity ID for it, or change the external identity ID of an existing IAM user.

                -

                Creating an IAM User and Configuring an External Identity ID

                1. Log in to the IAM console as an administrator.
                2. On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.
                3. In the User Details area, configure an external identity ID. For details about other settings, see Creating a User.

                  Figure 1 Configuring an external identity ID
                  +

                  Creating an IAM User and Configuring an External Identity ID

                  1. Log in to the as the administrator.
                  2. On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.
                  3. In the User Details area, configure an external identity ID. For details about other settings, see Creating a User.

                    Figure 1 Configuring an external identity ID

                  Changing the External Identity ID of an Existing IAM User

                  In the IAM user list, click a username or choose More > Security Settings in the row containing the user and change the external identity ID.

                  -
                  Figure 2 Changing the external identity ID of an existing IAM user
                  +
                  Figure 2 Changing the external identity ID of an existing IAM user
                diff --git a/docs/iam/umn/iam_08_0258.html b/docs/iam/umn/iam_08_0258.html
index c4c312054..ff28b6da7 100644
--- a/docs/iam/umn/iam_08_0258.html
+++ b/docs/iam/umn/iam_08_0258.html
@@ -3,17 +3,16 @@
-

                Step 4: Verify the Federated Login

                +

                Verifying the Login

                Verifying the Federated Login

                Federated users can initiate a login from the IdP or SP.

                • Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
                • Initiating a login from the SP (the cloud platform). You can obtain the login link from the IdP details page on the IAM console.

                The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.

                1. Log in as a federated user.

                  On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                  -

                  -
                  Figure 1 Login link
                  +
                  Figure 1 Login link

                2. Check whether the federated user is logging in as an IAM user.

                Redirecting to a Specified Region or Service

                You can specify the target page which the federated user will be redirected to after login.

                -
                • Configuring the login link on the SP

                  Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.

                  +
                  • Configuring the login link on the SP

                    Combine the login link obtained from the console with the specified URL encoded using UrlEncode. The combination format is Login link&service=Specified URL encoded using UrlEncode.

                  • Configuring the login link on the IdP

                    Configure IAM_SAML_Attributes_redirect_url (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                diff --git a/docs/iam/umn/iam_08_0259.html b/docs/iam/umn/iam_08_0259.html
index d220c6fe5..6dc5732ed 100644
--- a/docs/iam/umn/iam_08_0259.html
+++ b/docs/iam/umn/iam_08_0259.html
@@ -3,13 +3,13 @@
-

                (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP

                +

                Configuring a Federated Login Entry in the Enterprise IdP

                Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

                -

                Prerequisites

                • An IdP entity has been created on the cloud platform, and the login link for the IdP is available. For details, see Step 1: Create an IdP Entity.
                • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
                +

                Prerequisites

                • An IdP entity has been created on the cloud platform, and the login link for the IdP is available. For details, see Creating an IdP Entity.
                • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
                -

                Procedure

                1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                2. Click View in the row containing the IdP.

                  Figure 1 Viewing IdP details
                  -

                3. Copy the login link by clicking in the Login Link row.

                  Figure 2 Copying the login link
                  -

                4. Add the following statement to the page file of the enterprise management system:

                  <a href="<Login link>"> Cloud platform login entry </a>
                  +

                  Procedure

                  1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                  2. Click View in the row containing the IdP.

                    Figure 1 Viewing IdP details
                    +

                  3. Copy the login link by clicking in the Login Link row.

                    Figure 2 Copying the login link
                    +

                  4. Add the following statement to the page file of the enterprise management system:

                    <a href="<Login link>"> Cloud platform login entry </a>

                  5. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.