IAM UMN 1201 Version

Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: weihongmin1 <weihongmin1@huawei.com>
Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
2026-01-23 13:39:42 +00:00
committed by zuul
parent 856eead9f0
commit 09469dcb98
69 changed files with 589 additions and 635 deletions

@ -6,7 +6,7 @@
</div></div>
</p></li><li id="en-us_topic_0046611269__la3352beb5df44860b8f7ed621884e09f"><span>Click <span class="uicontrol" id="en-us_topic_0046611269__uicontrol835913281425"><b>OK</b></span>.</span><p><p id="en-us_topic_0046611269__ae95b4587c0894d58bad84b876a8ee99d">The user group is displayed in the user group list.</p>
</p></li><li id="en-us_topic_0046611269__en-us_topic_0111879498_li2918054318"><span>In the row containing the user group, click <strong id="en-us_topic_0046611269__b18588864173">Authorize</strong> in the <strong id="en-us_topic_0046611269__b5320131414170">Operation</strong> column.</span></li><li id="en-us_topic_0046611269__li5217237183211"><span>On the <strong id="en-us_topic_0046611269__b20950191771811">Authorize User Group</strong> page, select the permissions to be assigned to the user group. You can also click <strong id="en-us_topic_0046611269__b10996164481816">Go to Old Edition</strong> to use the old version for authorization.</span><p><p id="en-us_topic_0046611269__p14614448153414">If the system-defined policies do not meet your requirements, you can click <strong id="en-us_topic_0046611269__b202021780193">Create Policy</strong> in the upper right to create custom policies for fine-grained permissions control. For details, see <a href="iam_01_0016.html">Creating a Custom Policy</a>.</p>
<div class="fignone" id="en-us_topic_0046611269__fig41851951835"><span class="figcap"><b>Figure 1 </b>Selecting permissions</span><br><span><img id="en-us_topic_0046611269__image181852512316" src="en-us_image_0000001656493417.png" height="212.4675" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="en-us_topic_0046611269__fig41851951835"><span class="figcap"><b>Figure 1 </b>Selecting permissions</span><br><span><img id="en-us_topic_0046611269__image181852512316" src="en-us_image_0000001656493417.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046611269__li1444519351044"><span>Click <strong id="en-us_topic_0046611269__b196303152112">Next</strong>.</span></li><li id="en-us_topic_0046611269__li18217237103214"><span>Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. <a href="#en-us_topic_0046611269__table13959113218281">Table 1</a> describes all the authorization scopes provided by IAM.</span><p>
<div class="tablenoborder"><a name="en-us_topic_0046611269__table13959113218281"></a><a name="table13959113218281"></a><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046611269__table13959113218281" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Authorization scopes</caption><thead align="left"><tr id="en-us_topic_0046611269__row119591322288"><th align="left" class="cellrowborder" valign="top" width="14.01%" id="mcps1.3.2.2.9.2.1.2.3.1.1"><p id="en-us_topic_0046611269__p11958133215282">Scope</p>
</th>
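Review bot: The Figure 1 image line drops height="212.4675" and width="523.6875" and keeps only class="imgResize", so the screenshot now renders at its intrinsic size unless the stylesheet or script behind imgResize constrains it. Please confirm the rendered page still fits the content column, or keep a width attribute on the img.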

@ -3,7 +3,7 @@
<h1 class="topictitle1">IAM Features</h1>
<div id="body1503736806649"><p id="en-us_topic_0046611276__p5240337613233">IAM provides the following basic functions:</p>
<ul id="en-us_topic_0046611276__ul411171964111"><li id="en-us_topic_0046611276__li41111199417">Refined permissions management<p id="en-us_topic_0046611276__p24061390153515"><a name="en-us_topic_0046611276__li41111199417"></a><a name="li41111199417"></a>You can control user access to different projects and grant different permissions to users for the same project. For example, you can grant some users permissions to manage Object Storage Service (OBS), and grant other users only the permissions to read data from OBS.</p>
<div class="fignone" id="en-us_topic_0046611276__fig47322305144745"><span class="figcap"><b>Figure 1 </b>Permissions management model</span><br><span><img id="en-us_topic_0046611276__image25353776154931" src="en-us_image_0274187240.png" width="438.90000000000003" height="203.88900000000004" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="en-us_topic_0046611276__fig47322305144745"><span class="figcap"><b>Figure 1 </b>Permissions management model</span><br><span><img id="en-us_topic_0046611276__image25353776154931" src="en-us_image_0274187240.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0046611276__p6056022715518"></p>
</li><li id="en-us_topic_0046611276__li26142662132115">Simplified authorization<p id="en-us_topic_0046611276__p33957371132115"><a name="en-us_topic_0046611276__li26142662132115"></a><a name="li26142662132115"></a>You can authorize users in just two steps:</p>
<ol id="en-us_topic_0046611276__ol37180886132115"><li id="en-us_topic_0046611276__li66192520132115">Plan user groups according to users' responsibilities and grant permissions to each user group.</li><li id="en-us_topic_0046611276__li58861770132115">Add a user to the user group that matches the user's responsibilities.</li></ol>

@ -1,13 +1,13 @@
<a name="en-us_topic_0046613147"></a><a name="en-us_topic_0046613147"></a>
<h1 class="topictitle1">Creating an Agency (by a Delegating Party)</h1>
<h1 class="topictitle1">Creating an Agency and Assigning Permissions</h1>
<div id="body1484205204048"><p id="en-us_topic_0046613147__en-us_topic_0170090713_p54443803141539">By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password or access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.</p>
<div class="section" id="en-us_topic_0046613147__en-us_topic_0170090713_section8461153510110"><h4 class="sectiontitle">Prerequisites</h4><p id="en-us_topic_0046613147__en-us_topic_0170090713_p15905144410368">Before creating an agency, complete the following operations:</p>
<ul id="en-us_topic_0046613147__en-us_topic_0170090713_ul6238854161714"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li32381254121719">Understand the <a href="en-us_topic_0046611276.html">basic concepts</a> of permissions.</li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li17692133582712">Determine the <a href="https://docs.otc.t-systems.com/additional/permissions.html" target="_blank" rel="noopener noreferrer">permissions</a> to be assigned to the agency, and check whether the permissions have dependencies. For more details, see <a href="iam_01_0657.html#iam_01_0657">Assigning Dependency Roles</a>.</li></ul>
<ul id="en-us_topic_0046613147__en-us_topic_0170090713_ul6238854161714"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li32381254121719">Understand the <a href="en-us_topic_0046611276.html">basic concepts</a> of permissions.</li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li17692133582712">Determine the <a href="https://docs.otc.t-systems.com/additional/permissions.html" target="_blank" rel="noopener noreferrer">permissions</a> to be assigned to the agency, and check whether the permissions have dependencies. If yes, assign dependent permissions by referring to <a href="iam_01_0657.html#iam_01_0657">Assigning Dependency Roles</a>.</li></ul>
</div>
<div class="section" id="en-us_topic_0046613147__en-us_topic_0170090713_section2672115"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613147__en-us_topic_0170090713_ol49998812"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li11128296159"><span>Log in to the IAM console.</span></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li1546779817427"><span>On the IAM console, choose <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b183711578367">Agencies</strong> from the left navigation pane, and click <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b14428573365">Create Agency</strong> in the upper right corner.</span><p><div class="fignone" id="en-us_topic_0046613147__en-us_topic_0170090713_fig0737181164117"><span class="figcap"><b>Figure 1 </b>Creating an agency</span><br><span><img id="en-us_topic_0046613147__en-us_topic_0170090713_image573711110414" src="en-us_image_0000001511524692.png" height="118.7025" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li63471691104814"><span>Enter an agency name.</span><p><div class="fignone" id="en-us_topic_0046613147__en-us_topic_0170090713_fig1866281034218"><span class="figcap"><b>Figure 2 </b>Setting the agency name</span><br><span><img id="en-us_topic_0046613147__en-us_topic_0170090713_image1366211054214" src="en-us_image_0000001562564797.png" height="310.09987400000006" width="465.83250000000004" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li4558455145011"><span>Specify the agency type as <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b141201757224">Account</strong>, and enter the name of a delegated account.</span><p><div class="note" id="en-us_topic_0046613147__en-us_topic_0170090713_note660374821820"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046613147__en-us_topic_0170090713_ul1360364851812"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li860334841812"><strong id="en-us_topic_0046613147__en-us_topic_0170090713_b79222852216">Account</strong>: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.</li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li196031248121815"><strong id="en-us_topic_0046613147__en-us_topic_0170090713_b124915392320">Cloud service</strong>: Delegate a specific service to access other services. For more information, see <a href="iam_06_0004.html">Cloud Service Agency</a>.</li></ul>
<div class="section" id="en-us_topic_0046613147__en-us_topic_0170090713_section2672115"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613147__en-us_topic_0170090713_ol49998812"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li11128296159"><span>Log in to the IAM console.</span></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li1546779817427"><span>On the IAM console, choose <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b183711578367">Agencies</strong> from the left navigation pane, and click <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b14428573365">Create Agency</strong> in the upper right corner.</span><p><div class="fignone" id="en-us_topic_0046613147__en-us_topic_0170090713_fig0737181164117"><span class="figcap"><b>Figure 1 </b>Creating an agency</span><br><span><img id="en-us_topic_0046613147__en-us_topic_0170090713_image573711110414" src="en-us_image_0000001511524692.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li63471691104814"><span>Enter an agency name.</span><p><div class="fignone" id="en-us_topic_0046613147__en-us_topic_0170090713_fig1866281034218"><span class="figcap"><b>Figure 2 </b>Setting the agency name</span><br><span><img id="en-us_topic_0046613147__en-us_topic_0170090713_image1366211054214" src="en-us_image_0000001562564797.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li4558455145011"><span>Specify the agency type as <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b141201757224">Account</strong>, and enter the name of a delegated account.</span><p><div class="note" id="en-us_topic_0046613147__en-us_topic_0170090713_note660374821820"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046613147__en-us_topic_0170090713_ul1360364851812"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li860334841812"><strong id="en-us_topic_0046613147__en-us_topic_0170090713_b79222852216">Account</strong>: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.</li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li196031248121815"><strong id="en-us_topic_0046613147__en-us_topic_0170090713_b124915392320">Cloud service</strong>: Delegate a specific service to access other services. For more information, see <a href="iam_06_0004.html">Delegating Another Service for Resource Management</a>.</li></ul>
</div></div>
</p></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li21344527114840"><span>Set the validity period and enter a description for the agency.</span></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li1694181217579"><span>Click <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b15726203610118">Next</strong>.</span></li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li65324613265"><span>Select the policies or roles to be attached to the agency, click <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b9767325341">Next</strong>, and select the authorization scope.</span><p><div class="note" id="en-us_topic_0046613147__en-us_topic_0170090713_note164823561285"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046613147__en-us_topic_0170090713_ul5482115682816"><li id="en-us_topic_0046613147__en-us_topic_0170090713_li2482195618283">Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see <a href="en-us_topic_0079496985.html">Assigning Permissions to an IAM User</a>.</li><li id="en-us_topic_0046613147__en-us_topic_0170090713_li18482195614284">Agencies cannot be assigned the <strong id="en-us_topic_0046613147__en-us_topic_0170090713_b12141738184415">Security Administrator</strong> role. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).</li></ul>
</div></div>
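Review bot: In the Prerequisites list, the new wording "If yes, assign dependent permissions by referring to Assigning Dependency Roles" reads awkwardly after "check whether the permissions have dependencies"; suggest "If they do, assign the dependent permissions as described in Assigning Dependency Roles." The retitled heading also drops "(by a Delegating Party)", while the new step 1 of the delegated-party topic in this same commit cites "Assigning Permissions to an IAM User (by a Delegated Party)", so the naming scheme across the delegation topics is now mixed. Since this section is being touched anyway, the intro sentence "log in with its own account credentials and then switches the role" should read "switch".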
@ -18,7 +18,7 @@
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Account Delegation</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Delegating Another Account for Resource Management</a></div>
</div>
</div>

@ -1,22 +1,22 @@
<a name="en-us_topic_0046613148"></a><a name="en-us_topic_0046613148"></a>
<h1 class="topictitle1">Switching Roles (by a Delegated Party)</h1>
<div id="body1548236199962"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p3704131518217">When an account establishes a trust relationship with your account, you become a delegated party. The IAM users that are granted agency permissions can switch to the delegating account and manage resources under the account based on the granted permissions.</p>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section8625973163627"><h4 class="sectiontitle">Prerequisites</h4><ul id="en-us_topic_0046613148__en-us_topic_0170090706_ul88321119164115"><li id="en-us_topic_0046613148__en-us_topic_0170090706_li8832619154112">A trust relationship has been established between your account and another account.</li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li1083291944119">You have obtained the delegating account name and agency name.</li></ul>
<h1 class="topictitle1">Managing Delegated Resources</h1>
<div id="body1548236199962"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p3704131518217">When an account establishes a trust relationship with your account, you become a delegated party. The IAM users granted agency permissions can switch to the delegating domain name and manage resources under the account based on the granted permissions.</p>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section8625973163627"><h4 class="sectiontitle">Prerequisites</h4><ul id="en-us_topic_0046613148__en-us_topic_0170090706_ul88321119164115"><li id="en-us_topic_0046613148__en-us_topic_0170090706_li8832619154112">A trust relationship has been established between another account and your account.</li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li1083291944119">You have obtained the name of the delegating account and the agency name.</li></ul>
</div>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section1608192323216"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613148__en-us_topic_0170090706_ol1523164310324"><li id="en-us_topic_0046613148__en-us_topic_0170090706_li9238437320"><span>Log in to the management console using your account or log in as the IAM user created in <a href="iam_01_0063.html#iam_01_0063__en-us_topic_0170090700_li695863494610">2</a>.</span><p><div class="note" id="en-us_topic_0046613148__en-us_topic_0170090706_note173853818336"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p173993812333">The IAM user created in <a href="iam_01_0063.html#iam_01_0063__en-us_topic_0170090700_li695863494610">2</a> can switch roles to manage resources for the delegating party.</p>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section1608192323216"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613148__en-us_topic_0170090706_ol1523164310324"><li id="en-us_topic_0046613148__en-us_topic_0170090706_li9238437320"><span>Log in to the management console using your account, or log in as the IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)".</span><p><div class="note" id="en-us_topic_0046613148__en-us_topic_0170090706_note173853818336"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p173993812333">The IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)" has permission to manage agencies and switch roles.</p>
</div></div>
</p></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li223144317322"><span>Hover the mouse pointer over the username in the upper right corner and choose <strong id="en-us_topic_0046613148__en-us_topic_0170090706_b113441924163819">Switch Role</strong>.</span></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li1623124320322"><span>On the <span class="wintitle" id="en-us_topic_0046613148__en-us_topic_0170090706_wintitle1623625841113"><b>Switch Role</b></span> page, enter the domain name of the delegating party.</span><p><div class="p" id="en-us_topic_0046613148__en-us_topic_0170090706_p171044544561"><div class="note" id="en-us_topic_0046613148__en-us_topic_0170090706_note11259104465416"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p31891546134011">After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.</p>
</p></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li223144317322"><span>Move the cursor to the username in the upper right corner and choose <span class="uicontrol" id="en-us_topic_0046613148__en-us_topic_0170090706_uicontrol773314127317"><b>Switch Role</b></span>.</span></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li1623124320322"><span>On the <span class="wintitle" id="en-us_topic_0046613148__en-us_topic_0170090706_wintitle26214253314"><b>Switch Role</b></span> page, enter the domain name of the delegating party.</span><p><div class="p" id="en-us_topic_0046613148__en-us_topic_0170090706_p171044544561"><div class="note" id="en-us_topic_0046613148__en-us_topic_0170090706_note11259104465416"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__en-us_topic_0170090706_p31891546134011">After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.</p>
</div></div>
</div>
</p></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li32394312324"><span>Click <strong id="en-us_topic_0046613148__en-us_topic_0170090706_b1735216175567">OK</strong> to switch to the delegating account.</span></li></ol>
</p></li><li id="en-us_topic_0046613148__en-us_topic_0170090706_li32394312324"><span>Click <strong id="en-us_topic_0046613148__en-us_topic_0170090706_b1686618443318">OK</strong> to switch to the delegating Domain name.</span></li></ol>
</div>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section633104085020"><h4 class="sectiontitle">Follow-Up Procedure</h4><p id="en-us_topic_0046613148__en-us_topic_0170090706_p1491910416500">To return to your own account, hover the mouse pointer over the username in the upper right corner, choose <strong id="en-us_topic_0046613148__en-us_topic_0170090706_b389212303112">Switch Role</strong>, and select your account.</p>
<div class="section" id="en-us_topic_0046613148__en-us_topic_0170090706_section633104085020"><h4 class="sectiontitle">Follow-Up Procedure</h4><p id="en-us_topic_0046613148__en-us_topic_0170090706_p1491910416500">Move the cursor to the username in the upper right corner and choose <span class="uicontrol" id="en-us_topic_0046613148__en-us_topic_0170090706_uicontrol1856215597313"><b>Switch Role</b></span>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Account Delegation</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Delegating Another Account for Resource Management</a></div>
</div>
</div>
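Review bot: The Follow-Up Procedure paragraph loses both its purpose and its final step: the old text read "To return to your own account, ... choose Switch Role, and select your account", and the new text stops at "choose Switch Role", so a user acting under the agency is no longer told how to leave the delegating account. Please restore the "To return to your own account" lead-in and the "select your account" step. In addition, "switch to the delegating domain name" in the intro and "switch to the delegating Domain name" in the last step describe switching to a name rather than to an account and differ in capitalization, while the prerequisite in the same hunk says "delegating account". Step 1 replaces the link to iam_01_0063.html with a quoted title that has no href, and the note now says that user "has permission to manage agencies and switch roles", which is broader than the old "can switch roles to manage resources for the delegating party"; please confirm the wider statement is intended.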

@ -4,7 +4,8 @@
<div id="body1484269500700"><p id="en-us_topic_0046661675__p1699191844810">You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.</p>
<p id="en-us_topic_0046661675__p294752944613">If the job responsibilities of a user are changed, you can change the permissions assigned for that user by changing the groups which the user belongs to. You can also change the virtual MFA device and access keys of the user by choosing <strong id="en-us_topic_0046661675__b1727185533412">More</strong> &gt; <strong id="en-us_topic_0046661675__b15211185710342">Security Settings</strong> in the row containing the target user. If a user forgot their password or access keys, you can modify the login credentials of the user.</p>
<div class="section" id="en-us_topic_0046661675__section17362720871"><p id="en-us_topic_0046661675__p0641185914718">As an administrator, you can modify the basic information about an IAM user, change the security settings of the user and the groups to which the user belongs, and view or delete the assigned permissions. To view or modify user information, click <strong id="en-us_topic_0046661675__b929813392517">Security Settings</strong> in the row containing the IAM user.</p>
<p id="en-us_topic_0046661675__p1016014114476">To adjust the item columns displayed on the list, click <span><img id="en-us_topic_0046661675__image4682335744" src="en-us_image_0000001524684833.png"></span>. The <strong id="en-us_topic_0046661675__b0565114110512">Username</strong> and <strong id="en-us_topic_0046661675__b17565204110515">Operation</strong> columns are displayed by default, and the <strong id="en-us_topic_0046661675__b126598019011555">Status</strong> column cannot be removed. You can also select <strong id="en-us_topic_0046661675__b183805615511555">Description</strong>, <strong id="en-us_topic_0046661675__b43332226011555">Last Login</strong>, <strong id="en-us_topic_0046661675__b72555193811555">Created</strong>, <strong id="en-us_topic_0046661675__b204451079011555">Access Type</strong>, <strong id="en-us_topic_0046661675__b162510438011555">Virtual MFA Device</strong>, <strong id="en-us_topic_0046661675__b172387985011555">Password Age</strong>, and <strong id="en-us_topic_0046661675__b90532330711555">Access Key (Status, Age, and AK)</strong>.</p>
<p id="en-us_topic_0046661675__p1016014114476">To adjust the item columns displayed on the list, click <span><img id="en-us_topic_0046661675__image4682335744" src="en-us_image_0000001524684833.png"></span>. The <strong id="en-us_topic_0046661675__b0565114110512">Username</strong> and <strong id="en-us_topic_0046661675__b17565204110515">Operation</strong> columns are displayed by default, and the <strong id="en-us_topic_0046661675__b126598019011555">Status</strong> column cannot be removed. You can also select <strong id="en-us_topic_0046661675__b183805615511555">Description</strong>, <strong id="en-us_topic_0046661675__b43332226011555">Last Login</strong>, <strong id="en-us_topic_0046661675__b13656405577">Last Activity</strong>, <strong id="en-us_topic_0046661675__b72555193811555">Created</strong>, <strong id="en-us_topic_0046661675__b204451079011555">Access Type</strong>, <strong id="en-us_topic_0046661675__b162510438011555">Virtual MFA Device</strong>, <strong id="en-us_topic_0046661675__b172387985011555">Password Age</strong>, and <strong id="en-us_topic_0046661675__b90532330711555">Access Key (Status, Age, and AK)</strong>.</p>
<p id="en-us_topic_0046661675__p1619061513148"><strong id="en-us_topic_0046661675__b3816185710220">Last Activity</strong> displays the first login time of your account or all the IAM users who have logged in within a 5-minute span. If you just use the account to obtain a token, <strong id="en-us_topic_0046661675__b174224191821">Last Activity</strong> shows last time there was any activity.</p>
</div>
<div class="section" id="en-us_topic_0046661675__section1916211354916"><a name="en-us_topic_0046661675__section1916211354916"></a><a name="section1916211354916"></a><h4 class="sectiontitle">Basic Information</h4><p id="en-us_topic_0046661675__p62242130567">You can modify the basic information of IAM users, but cannot modify the basic information of your account. The username, user ID, and creation time can be viewed but cannot be modified.</p>
<ul id="en-us_topic_0046661675__ul143322252207"><li id="en-us_topic_0046661675__li10481132225010"><strong id="en-us_topic_0046661675__b76866032211555">Status</strong>: New IAM users are enabled by default. You can set <strong id="en-us_topic_0046661675__b434011332111">Status</strong> to <strong id="en-us_topic_0046661675__b39041437181119">Disabled</strong> to disable an IAM user. A disabled user is no longer able to log in to the cloud platform through the management console or programmatic access.</li><li id="en-us_topic_0046661675__li146693231712"><strong id="en-us_topic_0046661675__b57184660911555">Access Type</strong>: You can change the access type of the IAM user.<div class="note" id="en-us_topic_0046661675__note11111719217"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046661675__ul16409193291914"><li id="en-us_topic_0046661675__li19409932131912">Pay attention to the following when you set the access type for an IAM user:<ul id="en-us_topic_0046661675__ul147413541956"><li id="en-us_topic_0046661675__li94741545520">If you intend to enable the user to access cloud services only by using the management console, select <strong id="en-us_topic_0046661675__b671950181215">Management console access</strong>.</li><li id="en-us_topic_0046661675__li347411541654">If you intend to enable the user to access cloud services only by using programmatic access, select <strong id="en-us_topic_0046661675__b8911104611136">Programmatic access</strong>.</li><li id="en-us_topic_0046661675__li154741654059">If the user needs to use a password as the credential for programmatic access to certain APIs, select <strong id="en-us_topic_0046661675__b64080578011555">Programmatic access</strong>.</li><li id="en-us_topic_0046661675__li4474185411512">If the user needs to perform access key verification when using certain services in the console, select both <strong 
id="en-us_topic_0046661675__b89082016226">Programmatic access</strong> and <strong id="en-us_topic_0046661675__b390172062214">Management console access</strong>.</li></ul>
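Review bot: The new Last Activity paragraph is ambiguous: "displays the first login time of your account or all the IAM users who have logged in within a 5-minute span" does not say whether the column holds the most recent activity at 5-minute granularity or something else, and a column named Last Activity that shows a "first login time" reads as a contradiction. Because the value will be read as evidence of when a user was last active, state exactly which events update it (console login, token acquisition) and how the 5-minute span applies. "shows last time there was any activity" also needs "the" before "last time".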
@ -21,7 +22,7 @@
</div></div>
</li><li id="en-us_topic_0046661675__li12141115123916">Remove the virtual MFA device from the user. For more information about MFA authentication and virtual MFA device, see <a href="iam_10_0002.html">MFA Authentication and Virtual MFA Device</a>.</li></ul>
</li></ul>
<ul id="en-us_topic_0046661675__ul126848275213"><li id="en-us_topic_0046661675__li1268410235213"><strong id="en-us_topic_0046661675__b211888094711555">Login Credentials</strong>: You can change the login password of the IAM user. For more information, see <a href="iam_01_0653.html">Changing the Login Password of an IAM User</a>.</li><li id="en-us_topic_0046661675__li3684102125212"><strong id="en-us_topic_0046661675__b203261012311555">Login Protection</strong>: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.<p id="en-us_topic_0046661675__p146847214521">This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.</p>
<ul id="en-us_topic_0046661675__ul126848275213"><li id="en-us_topic_0046661675__li1268410235213"><strong id="en-us_topic_0046661675__b211888094711555">Login Credentials</strong>: You can change the login password of the IAM user. For more information, see <a href="iam_01_0653.html">Modifying Security Settings for an IAM User</a>.</li><li id="en-us_topic_0046661675__li3684102125212"><strong id="en-us_topic_0046661675__b203261012311555">Login Protection</strong>: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.<p id="en-us_topic_0046661675__p146847214521">This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.</p>
</li><li id="en-us_topic_0046661675__li46842021522"><strong id="en-us_topic_0046661675__b163079549411555">Access Keys</strong>: You can manage access keys of the IAM user.</li></ul>
</div>
</div>
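Review bot: In the Login Credentials item the link text now reads "Modifying Security Settings for an IAM User", but the sentence in front of it still only says "You can change the login password of the IAM user", so the reader cannot tell that the target page covers more than the password. Align the sentence with the new title, and confirm that the h1 of iam_01_0653.html was renamed in this same commit so the link text and the page heading match.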

@ -4,7 +4,7 @@
<div id="body1495091891975"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="en-us_topic_0079620341.html">Introduction</a></strong><br>
<li class="ulchildlink"><strong><a href="en-us_topic_0079620341.html">Overview</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_08_0251.html">Application Scenarios of Virtual User SSO and IAM User SSO</a></strong><br>
</li>

@ -3,7 +3,7 @@
<h1 class="topictitle1">Assigning Permissions to an IAM User </h1>
<div id="body1536567611765"><p id="en-us_topic_0079496985__p1367911438716"><a href="en-us_topic_0046611303.html">IAM users created</a> without being added to any groups do not have permissions. You can assign permissions to these IAM users on the IAM console. Then the users can use cloud resources based on the assigned permissions.</p>
<p id="en-us_topic_0079496985__p64718305201">An IAM user obtains permissions from the user groups to which the user belongs. After you attach policies or roles to a group and add a user to the group, the user inherits the permissions defined by the policies or roles.</p>
<ul id="en-us_topic_0079496985__ul1542310171018"><li id="en-us_topic_0079496985__li1269115557578">If you do not add an IAM user to any group, the user will not have permissions for accessing any cloud services. For details on how to assign permissions to an IAM user, see <a href="en-us_topic_0046611269.html">Creating a User Group and Assigning Permissions</a> and <a href="iam_03_0002.html">Adding Users to or Removing Users from a User Group</a>.</li><li id="en-us_topic_0079496985__li144231108102">If you have been added to the default group <strong id="en-us_topic_0079496985__b145217448517">admin</strong>, you have administrator permissions and you can perform all operations on all cloud services.</li><li id="en-us_topic_0079496985__li1830412710115">For the system-defined permissions of all cloud services supported by IAM, see "Permissions".</li><li id="en-us_topic_0079496985__li123551922135512">If you add a user to multiple user groups, the user inherits the permissions that are assigned to all the groups.</li></ul>
<ul id="en-us_topic_0079496985__ul1542310171018"><li id="en-us_topic_0079496985__li1269115557578">If you do not add an IAM user to any group, the user will not have permissions for accessing any cloud services. For details on how to assign permissions to an IAM user, see <a href="en-us_topic_0046611269.html">Creating a User Group and Assigning Permissions</a> and <a href="iam_03_0002.html">Adding IAM Users to or Removing IAM Users from a User Group</a>.</li><li id="en-us_topic_0079496985__li144231108102">If you have been added to the default group <strong id="en-us_topic_0079496985__b145217448517">admin</strong>, you have administrator permissions and you can perform all operations on all cloud services.</li><li id="en-us_topic_0079496985__li1830412710115">For the system-defined permissions of all cloud services supported by IAM, see "Permissions".</li><li id="en-us_topic_0079496985__li123551922135512">If you add a user to multiple user groups, the user inherits the permissions that are assigned to all the groups.</li></ul>
<div class="section" id="en-us_topic_0079496985__section1574417223919"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0079496985__ol20559158192317"><li id="en-us_topic_0079496985__li85591058192314"><span>In the user list, click <strong id="en-us_topic_0079496985__b96541281967">Authorize</strong> in the row that contains the target user.</span></li><li id="en-us_topic_0079496985__li2349810123119"><span>On the <strong id="en-us_topic_0079496985__b1365217161661">Authorize User</strong> page, select an authorization mode and permissions.</span><p><ul id="en-us_topic_0079496985__ul5803174018355"><li id="en-us_topic_0079496985__li680311401351"><strong id="en-us_topic_0079496985__b13340133416614">Inherit permissions from user groups</strong>: Add the IAM user to certain groups to inherit their permissions.<p id="en-us_topic_0079496985__p19437792571">If you select this option, select the user groups to which the user will belong.</p>
</li><li id="en-us_topic_0079496985__li87040132495"><strong id="en-us_topic_0079496985__b380312773913">Select permissions</strong>: Directly assign specific permissions to the IAM user<p id="en-us_topic_0079496985__p660010825818">If you select this option, select the permissions to be assigned and click <strong id="en-us_topic_0079496985__b1843214521867">Next</strong> in the lower right corner to select the authorization scope.</p>
</li></ul>
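Review bot: The first bullet in this hunk ("If you do not add an IAM user to any group, the user will not have permissions for accessing any cloud services") and the paragraph above it ("An IAM user obtains permissions from the user groups to which the user belongs") contradict the Procedure that follows, which offers "Select permissions: Directly assign specific permissions to the IAM user". Qualify the intro so it covers direct assignment as well as group inheritance. The "Select permissions" line is also missing its closing period.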

@ -4,9 +4,9 @@
<div id="body1507717801361"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="iam_01_0054.html">Account Delegation</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_01_0054.html">Delegating Another Account for Resource Management</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_06_0004.html">Cloud Service Agency</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_06_0004.html">Delegating Another Service for Resource Management</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0730.html">Deleting or Modifying Agencies</a></strong><br>
</li>
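Review bot: The two renamed entries ("Delegating Another Account for Resource Management" and "Delegating Another Service for Resource Management") drop the word "agency", while the next entry in the same list is still "Deleting or Modifying Agencies". A reader scanning this index for agencies now finds only the delete/modify page. Consider keeping the term in the new titles, and check that the headings of iam_01_0054.html and iam_06_0004.html were renamed to match these link texts.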

@ -1,7 +1,7 @@
<a name="en-us_topic_0079620341"></a><a name="en-us_topic_0079620341"></a>
<h1 class="topictitle1">Introduction</h1>
<div id="body1507796925646"><p id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_p3444342426">The cloud platform provides <span class="keyword" id="en-us_topic_0079620341__en-us_topic_0177310145_keyword10765163916218">identity federation</span> based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access the cloud platform through single sign-on (SSO).</p>
<h1 class="topictitle1">Overview</h1>
<div id="body1507796925646"><p id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_p3444342426">The cloud platform provides <span class="keyword" id="en-us_topic_0079620341__en-us_topic_0177310145_keyword131553249451">identity federation</span> based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access the cloud platform through single sign-on (SSO).</p>
<div class="section" id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_section1938813653310"><h4 class="sectiontitle">Basic Concepts</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0079620341__en-us_topic_0177310145_table192841634019" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Basic concepts</caption><thead align="left"><tr id="en-us_topic_0079620341__en-us_topic_0177310145_row828141684014"><th align="left" class="cellrowborder" valign="top" width="27.99%" id="mcps1.3.2.2.2.3.1.1"><p id="en-us_topic_0079620341__en-us_topic_0177310145_p32819161407">Concept</p>
</th>
@ -50,7 +50,7 @@
</div>
<div class="section" id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_section969112502211"><h4 class="sectiontitle">Advantages of Identity Federation</h4><ul id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_ul4409204783417"><li id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_li184885263377">Easy identity management<p id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_p682793183817"><a name="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_li184885263377"></a><a name="en-us_topic_0177310145_en-us_topic_0175818742_li184885263377"></a>With an identity provider, the administrator can manage workforce identities outside of the cloud platform and give these external workforce identities permissions to use resources on the cloud platform.</p>
</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_li77551533163917">Simplified operations<p id="en-us_topic_0079620341__en-us_topic_0177310145_p1739271581517"><a name="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818742_li77551533163917"></a><a name="en-us_topic_0177310145_en-us_topic_0175818742_li77551533163917"></a>Workforce users can use their existing accounts in the enterprise to access the cloud platform through SSO.</p>
<div class="fignone" id="en-us_topic_0079620341__en-us_topic_0177310145_fig209622546363"><span class="figcap"><b>Figure 1 </b>Advantages of identity federation</span><br><span><img id="en-us_topic_0079620341__en-us_topic_0177310145_image5962154133618" src="en-us_image_0000001117174928.png" height="297.92" width="465.5" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="en-us_topic_0079620341__en-us_topic_0177310145_fig209622546363"><span class="figcap"><b>Figure 1 </b>Advantages of identity federation</span><br><span><img id="en-us_topic_0079620341__en-us_topic_0177310145_image5962154133618" src="en-us_image_0000001117174928.png" title="Click to enlarge" class="imgResize"></span></div>
</li></ul>
</div>
<div class="section" id="en-us_topic_0079620341__en-us_topic_0177310145_section19798142411114"><h4 class="sectiontitle">SSO Type</h4><p id="en-us_topic_0079620341__en-us_topic_0177310145_p58871485365">IAM supports two SSO types: virtual user SSO and IAM user SSO. For details about how to choose an SSO type, see <a href="iam_08_0251.html#iam_08_0251">Application Scenarios of Virtual User SSO and IAM User SSO</a>.</p>
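Review bot: The Figure 1 img in this hunk loses its height and width attributes but keeps title="Click to enlarge" and still has no alt attribute. Without intrinsic dimensions the list item reflows when the PNG loads. If sizing is now left to the imgResize class, say so in the commit message, and add alt text while the tag is being touched (the figcap wording "Advantages of identity federation" would do).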
@ -58,7 +58,7 @@
</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li2902924123718">IAM user SSO<p id="en-us_topic_0079620341__en-us_topic_0177310145_p65191038163711"><a name="en-us_topic_0079620341__en-us_topic_0177310145_li2902924123718"></a><a name="en-us_topic_0177310145_li2902924123718"></a>After a federated user logs in to the cloud platform, the system automatically maps the <a href="en-us_topic_0046661675.html#en-us_topic_0046661675__li13713193419317">external identity ID</a> to an IAM user so that the federated user has the permissions of the mapped IAM user.</p>
</li></ul>
<p id="en-us_topic_0079620341__en-us_topic_0177310145_p14716843191810">Currently, IAM supports two federated login methods: browser-based SSO (web SSO) and SSO via API calling.</p>
<ul id="en-us_topic_0079620341__en-us_topic_0177310145_ul14945234163616"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li894553493615">Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers. </li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li1494510344366">SSO via API calling: Enterprise employees call APIs using development tools (such as OpenStack Client and ShibbolethECP Client) to access the cloud platform.</li></ul>
<ul id="en-us_topic_0079620341__en-us_topic_0177310145_ul14945234163616"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li894553493615">Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers. </li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li1494510344366">API calling: Development tools (such as OpenStackClient and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access the cloud platform by calling APIs.</li></ul>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0079620341__en-us_topic_0177310145_table6372234181513" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Federated logins</caption><thead align="left"><tr id="en-us_topic_0079620341__en-us_topic_0177310145_row193731434121515"><th align="left" class="cellrowborder" valign="top" width="9.54095409540954%" id="mcps1.3.4.6.2.8.1.1"><p id="en-us_topic_0079620341__en-us_topic_0177310145_p13731734201512">SSO Type</p>
</th>
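Review bot: The rewritten second bullet is labelled "API calling", but the sentence that introduces the list still names the method "SSO via API calling", so the label no longer matches its own lead-in. The new text also says this method serves "enterprise users and common users" while the Web SSO bullet mentions only "common users", and neither term is defined here. Use one label throughout and describe the audience of both methods in the same terms.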
@ -110,7 +110,7 @@
</table>
</div>
</div>
<div class="section" id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818705_section421816517461"><h4 class="sectiontitle">Precautions</h4><ul id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818705_ul18726545014"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li169421533124715">Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li8960128142617">The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following restrictions:<ul id="en-us_topic_0079620341__en-us_topic_0177310145_ul1330394714915"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li83033473920">Federated users do not need to perform a 2-step verification when performing critical operations even though <a href="iam_01_0029.html#iam_01_0029">critical operation protection</a> (login protection or operation protection) is enabled.</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li17303104718918">Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.<p id="en-us_topic_0079620341__en-us_topic_0177310145_p8697185421212"><a name="en-us_topic_0079620341__en-us_topic_0177310145_li17303104718918"></a><a name="en-us_topic_0177310145_li17303104718918"></a>If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.</p>
<div class="section" id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818705_section421816517461"><h4 class="sectiontitle">Precautions</h4><ul id="en-us_topic_0079620341__en-us_topic_0177310145_en-us_topic_0175818705_ul18726545014"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li169421533124715">Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li8960128142617">The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following constraints:<ul id="en-us_topic_0079620341__en-us_topic_0177310145_ul1330394714915"><li id="en-us_topic_0079620341__en-us_topic_0177310145_li83033473920">Federated users do not need to perform a 2-step verification when performing critical operations even though <a href="iam_01_0029.html#iam_01_0029">critical operation protection</a> (login protection or operation protection) is enabled.</li><li id="en-us_topic_0079620341__en-us_topic_0177310145_li17303104718918">Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.<p id="en-us_topic_0079620341__en-us_topic_0177310145_p8697185421212"><a name="en-us_topic_0079620341__en-us_topic_0177310145_li17303104718918"></a><a name="en-us_topic_0177310145_li17303104718918"></a>If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.</p>
</li></ul>
</li></ul>
</div>
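Review bot: The last item under Precautions recommends that a federated user who needs a key with unlimited validity "request an IAM user in the same group to create an access key", and the preceding sentence says an access key "contains the permissions granted to a user". As written, this tells one person to use a long-lived key created under another user's identity. The text should state whose identity the key belongs to and present the temporary access credentials mentioned in the same item as the preferred route. The first precaution, "use Greenwich Mean Time (GMT) time in the same time zone", is also redundant, since naming GMT already fixes the time zone.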

@ -7,7 +7,7 @@
<p id="iam_01_0003__p69271453125714">For more information, see <a href="iam_10_0002.html">MFA Authentication and Virtual MFA Device</a>.</p>
<div class="section" id="iam_01_0003__section62446212165914"><h4 class="sectiontitle">Prerequisites</h4><p id="iam_01_0003__p37510634165923">You have installed an MFA application (for example, Google Authenticator) on your smartphone.</p>
</div>
<div class="section" id="iam_01_0003__section27800412164913"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0003__ol25454498165752"><li id="iam_01_0003__li21572507165752"><span>On the management console, hover the mouse pointer over the username in the upper right corner and choose <strong id="iam_01_0003__b4119115175216">My Credentials</strong> from the drop-down list.</span></li><li id="iam_01_0003__li22883496165752"><span>On the <strong id="iam_01_0003__b37863209528">My Credentials</strong> page, click <strong id="iam_01_0003__b1479111207521">Bind</strong> next to the <strong id="iam_01_0003__b679172019524">Virtual MFA Device</strong> parameter.</span></li><li id="iam_01_0003__li55236718165752"><span>Go to the <strong id="iam_01_0003__b11170155110617">Bind Virtual MFA Device</strong> page.</span><p><div class="fignone" id="iam_01_0003__fig599215242196"><span class="figcap"><b>Figure 1 </b>Binding a virtual MFA device</span><br><span><img id="iam_01_0003__image14992182414194" src="en-us_image_0000001088289742.png" height="144.526711" width="465.5" title="Click to enlarge" class="imgResize"></span></div>
<div class="section" id="iam_01_0003__section27800412164913"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0003__ol25454498165752"><li id="iam_01_0003__li21572507165752"><span>On the management console, hover the mouse pointer over the username in the upper right corner and choose <strong id="iam_01_0003__b4119115175216">My Credentials</strong> from the drop-down list.</span></li><li id="iam_01_0003__li22883496165752"><span>On the <strong id="iam_01_0003__b37863209528">My Credentials</strong> page, click <strong id="iam_01_0003__b1479111207521">Bind</strong> next to the <strong id="iam_01_0003__b679172019524">Virtual MFA Device</strong> parameter.</span></li><li id="iam_01_0003__li55236718165752"><span>Go to the <strong id="iam_01_0003__b11170155110617">Bind Virtual MFA Device</strong> page.</span><p><div class="fignone" id="iam_01_0003__fig599215242196"><span class="figcap"><b>Figure 1 </b>Binding a virtual MFA device</span><br><span><img id="iam_01_0003__image14992182414194" src="en-us_image_0000001088289742.png" title="Click to enlarge" class="imgResize"></span></div>
<div class="p" id="iam_01_0003__p1022661314174"><div class="note" id="iam_01_0003__note622691313174"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0003__p322615139176">The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.</p>
</div></div>
</div>
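Review bot: The note at the end of this hunk calls the secret key "a one-time credential that you can use to obtain an MFA verification code", which is ambiguous: the verification codes are the one-time values, while the secret key is what the MFA application stores in order to generate them. Reword the note to say the key is used to bind the device and must not be shared, so readers do not assume it becomes harmless after binding.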

@ -5,8 +5,8 @@
<div class="section" id="iam_01_0013__section85961038162216"><h4 class="sectiontitle">Viewing IAM Audit Logs</h4><ol id="iam_01_0013__ol1194546193110"><li id="iam_01_0013__li10838950182817"><span>Log in to the management console.</span></li><li id="iam_01_0013__li155741795333"><span>Click <strong id="iam_01_0013__b3796124865619">Service List</strong> in the upper part of the page and choose <strong id="iam_01_0013__b880216481565">Cloud Trace Service</strong> under <strong id="iam_01_0013__b680214875610">Management &amp; Deployment</strong>.</span></li><li id="iam_01_0013__li8240924153816"><span>In the navigation pane, choose <strong id="iam_01_0013__b1085537195718">Trace List</strong>.</span></li><li id="iam_01_0013__li1199125415539"><span>Click <strong id="iam_01_0013__b928021795715">Filter</strong> in the upper right corner of the trace list to set filter conditions.</span><p><div class="p" id="iam_01_0013__p1348504172220">The following filters are available:<ul class="subitemlist" id="iam_01_0013__ul4173195016221"><li id="iam_01_0013__li25120207165721"><strong id="iam_01_0013__b842352706161410">Trace Source</strong>, <strong id="iam_01_0013__b84235270616143">Resource Type</strong>, and <strong id="iam_01_0013__b842352706161359">Search By</strong><ul id="iam_01_0013__ul138358421566"><li id="iam_01_0013__li422110403562">Select a filter criteria from the drop-down list. 
Specifically, select <strong id="iam_01_0013__b842352706161141">IAM</strong> from the <strong id="iam_01_0013__b842352706161230">Trace Source</strong> drop-down list.</li><li id="iam_01_0013__li5224174025618">If you select <strong id="iam_01_0013__b842352706153249">Trace name</strong> for <strong id="iam_01_0013__b1803301537153246">Search By</strong>, select a trace name.</li><li id="iam_01_0013__li222614017560">If you select <strong id="iam_01_0013__b1369790384153349">Resource ID</strong> for <strong id="iam_01_0013__b1590770393153349">Search By</strong>, select or enter a resource ID.</li><li id="iam_01_0013__li1822754014568">If you select <strong id="iam_01_0013__b565110228153447">Resource name</strong> for <strong id="iam_01_0013__b1329536783153447">Search By</strong>, select or enter a resource name.</li></ul>
</li><li id="iam_01_0013__li16990144143538"><strong id="iam_01_0013__b842352706153633">Operator</strong>: Select an operator (a user rather than domain).</li><li id="iam_01_0013__li2227630716221"><strong id="iam_01_0013__b842352706153531">Trace Status</strong>: Available options include <strong id="iam_01_0013__b1447794024144642">All trace statuses</strong>, <strong id="iam_01_0013__b842352706153558">normal</strong>, <span class="parmvalue" id="iam_01_0013__parmvalue9654017118"><b>incident,</b></span> and <strong id="iam_01_0013__b84235270615364">warning</strong>.</li><li id="iam_01_0013__li2484476616221">Specify the start time and end time for querying traces.</li></ul>
</div>
</p></li><li id="iam_01_0013__li1326512181411"><span>Click <strong id="iam_01_0013__b842352706161557">Query</strong>.</span></li><li id="iam_01_0013__li11445413104011"><span>Expand the details of a trace, as shown in <a href="#iam_01_0013__fig181771925164317">Figure 1</a>.</span><p><div class="fignone" id="iam_01_0013__fig181771925164317"><a name="iam_01_0013__fig181771925164317"></a><a name="fig181771925164317"></a><span class="figcap"><b>Figure 1 </b>Expanding trace details</span><br><span><img id="iam_01_0013__image317762564313" src="en-us_image_0000001135554103.png" height="71.82000000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_01_0013__li157172804213"><span>Click <strong id="iam_01_0013__b842352706154059">View Trace</strong> in the <strong id="iam_01_0013__b18195288151449">Operation</strong> column. In the <strong id="iam_01_0013__b25439609151522">View Trace</strong> dialog box as shown in <a href="#iam_01_0013__fig9310171012116">Figure 2</a>, the trace details are displayed.</span><p><div class="fignone" id="iam_01_0013__fig9310171012116"><a name="iam_01_0013__fig9310171012116"></a><a name="fig9310171012116"></a><span class="figcap"><b>Figure 2 </b>Viewing a trace</span><br><span><img id="iam_01_0013__image2112195535814" src="en-us_image_0274187205.png" height="269.02575" width="492.06675000000007" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_01_0013__li1326512181411"><span>Click <strong id="iam_01_0013__b842352706161557">Query</strong>.</span></li><li id="iam_01_0013__li11445413104011"><span>Expand the details of a trace, as shown in <a href="#iam_01_0013__fig181771925164317">Figure 1</a>.</span><p><div class="fignone" id="iam_01_0013__fig181771925164317"><a name="iam_01_0013__fig181771925164317"></a><a name="fig181771925164317"></a><span class="figcap"><b>Figure 1 </b>Expanding trace details</span><br><span><img id="iam_01_0013__image317762564313" src="en-us_image_0000001135554103.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_01_0013__li157172804213"><span>Click <strong id="iam_01_0013__b842352706154059">View Trace</strong> in the <strong id="iam_01_0013__b18195288151449">Operation</strong> column. In the <strong id="iam_01_0013__b25439609151522">View Trace</strong> dialog box as shown in <a href="#iam_01_0013__fig9310171012116">Figure 2</a>, the trace details are displayed.</span><p><div class="fignone" id="iam_01_0013__fig9310171012116"><a name="iam_01_0013__fig9310171012116"></a><a name="fig9310171012116"></a><span class="figcap"><b>Figure 2 </b>Viewing a trace</span><br><span><img id="iam_01_0013__image2112195535814" src="en-us_image_0274187205.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li></ol>
</div>
</div>
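Review bot: In the filter list that this hunk carries as context, "Select a filter criteria" should be "Select a filter criterion", and the Trace Status options put the comma inside the bold run (<b>incident,</b>) and wrap that one option in a parmvalue span where the neighbouring options use strong. Both are worth cleaning up in this change, since the two figure img tags in the same file are already being edited.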

@ -6,8 +6,6 @@
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="iam_01_019.html">Basic Concepts</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0601.html">Roles</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0017.html">Policy Syntax</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0016.html">Creating a Custom Policy</a></strong><br>
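Review bot: The "Roles" entry (iam_01_0601.html) is dropped from this child-link list with nothing replacing it. Confirm that iam_01_0601.html is deleted or redirected in this commit and that no remaining page still links to it. If its content moved into Basic Concepts or Policy Syntax, say so in the commit message so readers know where it went.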

@ -13,7 +13,7 @@
</thead>
<tbody><tr id="iam_01_0016__row1023512410207"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.4.2.1.5.1.2.3.1.1 "><p id="iam_01_0016__p1123514412016">Condition Key</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.4.2.1.5.1.2.3.1.2 "><p id="iam_01_0016__p1235184122019">A key in the <strong id="iam_01_0016__b684427105311">Condition</strong> element of a statement. There are global and service-level condition keys. Global condition keys (starting with <strong id="iam_01_0016__b47103763010">g:</strong>) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as <strong id="iam_01_0016__b987914143305">obs:</strong>) are available only for operations of the corresponding service.</p>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.4.2.1.5.1.2.3.1.2 "><p id="iam_01_0016__p1235184122019">A key in the <strong id="iam_01_0016__b684427105311">Condition</strong> element of a statement. There are global and service-specific condition keys. Global condition keys (starting with <strong id="iam_01_0016__b47103763010">g:</strong>) are available for operations of all services, while service-specific condition keys (starting with a service abbreviation name such as <strong id="iam_01_0016__b987914143305">obs:</strong>) are available only for operations of the corresponding service.</p>
</td>
</tr>
<tr id="iam_01_0016__row1123514182018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.4.2.1.5.1.2.3.1.1 "><p id="iam_01_0016__p523518422018">Operator</p>

@ -2,7 +2,7 @@
<h1 class="topictitle1">Policy Syntax</h1>
<div id="body1521875590642"><div class="section" id="iam_01_0017__section106463610252"><h4 class="sectiontitle">Policy Content</h4><p id="iam_01_0017__p12888110445">A fine-grained policy consists of the policy version (the <strong id="iam_01_0017__b1853255718165">Version</strong> field) and statement (the <strong id="iam_01_0017__b35331157111611">Statement</strong> field).</p>
<p id="iam_01_0017__p194704573259"><span><img id="iam_01_0017__image16884194718491" src="en-us_image_0000001180570109.png" height="337.298108" width="497.42" title="Click to enlarge" class="imgResize"></span></p>
<p id="iam_01_0017__p194704573259"><span><img id="iam_01_0017__image16884194718491" src="en-us_image_0000001180570109.png" title="Click to enlarge" class="imgResize"></span></p>
<ul id="iam_01_0017__ul57930886173354"><li id="iam_01_0017__li15836462154039"><strong id="iam_01_0017__b1810485317174">Version</strong>: Distinguishes between role-based access control (RBAC) and fine-grained policies.<ul id="iam_01_0017__ul2002846815829"><li id="iam_01_0017__li2458727515829"><strong id="iam_01_0017__b1877711723519">1.0</strong>: RBAC policies, which are preset in the system and used to grant permissions for each service as a whole. After such a policy is granted to a user, the user has all permissions of the corresponding service.</li><li id="iam_01_0017__li13966918555"><strong id="iam_01_0017__b128615125312">1.1</strong>: Fine-grained policies, which enable more refined authorization based on service APIs. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system-defined and custom policies.<ul id="iam_01_0017__ul2011870181019"><li id="iam_01_0017__li61184016102">System-defined policies: read-only and administrator permissions for different services.</li><li id="iam_01_0017__li1211813015108">Custom policies: created and managed by users to supplement system-defined policies. For example, you can create a custom policy to allow users only to modify ECS specifications.</li></ul>
</li></ul>
</li></ul>
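Review bot: The policy structure image at the top of Policy Content has no figcap and no alt attribute, unlike the captioned figures touched elsewhere in this commit, so after the height and width are removed nothing describes it when it fails to load. Add a caption and alt text that name the Version and Statement fields the paragraph above introduces.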
@ -141,7 +141,7 @@
</li></ul>
</div>
<div class="section" id="iam_01_0017__section565017773111"><h4 class="sectiontitle">Authentication Process</h4><p id="iam_01_0017__p113850961512">IAM authenticates users according to the permissions granted to the users. The following diagram shows the authentication process.</p>
<div class="fignone" id="iam_01_0017__fig4148178111014"><span class="figcap"><b>Figure 1 </b>Authentication process</span><br><span><img class="imgResize" id="iam_01_0017__image7541541101416" src="en-us_image_0274187277.png" width="312.21750000000003" height="380.23303500000003" title="Click to enlarge"></span></div>
<div class="fignone" id="iam_01_0017__fig4148178111014"><span class="figcap"><b>Figure 1 </b>Authentication process</span><br><span><img class="imgResize" id="iam_01_0017__image7541541101416" src="en-us_image_0274187277.png" title="Click to enlarge"></span></div>
<div class="note" id="iam_01_0017__note1469502165619"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0017__p1169518295612">The actions in each policy bear the OR relationship.</p>
</div></div>
<ol id="iam_01_0017__ol173684558404"><li id="iam_01_0017__li1126012426413">A user accesses the system and initiates an operation request.</li><li id="iam_01_0017__li9861041152420">The system evaluates all the permissions policies assigned to the user.</li><li id="iam_01_0017__li24996913162311">The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.</li><li id="iam_01_0017__li953633414512">If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.</li><li id="iam_01_0017__li977251615286">If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.</li></ol>
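Review bot: The section heading "Authentication Process" and its first sentence ("IAM authenticates users according to the permissions granted to the users") describe authorization, not authentication: the five steps evaluate the user's policies for an explicit Deny, then for an Allow, then fall back to Deny. Rename the section and replace "the authentication ends" in steps 3 to 5 accordingly. The note "The actions in each policy bear the OR relationship" would also read better as "are combined with OR".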

@ -4,10 +4,10 @@
<div id="body1503913294037"><p id="iam_01_0023__p427028131810">You can manage users in your account and their security credentials. In addition, you can configure identity federation so that users in other systems can access the cloud platform through SSO.</p>
<div class="section" id="iam_01_0023__section1475194083513"><h4 class="sectiontitle">Domain</h4><p id="iam_01_0023__p26559307143857">A domain, also called an "account", is created upon successful registration with the cloud platform. The domain has full access permissions for its cloud services and resources.</p>
<p id="iam_01_0023__p1214512437357">For security purposes, create a security administrator and grant them <strong id="iam_01_0023__b4691102018252">Security Administrator</strong> permissions to manage users and their permissions in your account.</p>
<div class="fignone" id="iam_01_0023__fig10960172283211"><span class="figcap"><b>Figure 1 </b>Account management model</span><br><span><img id="iam_01_0023__image131616505186" src="en-us_image_0274187193.png" width="NaN" height="NaN"></span></div>
<div class="fignone" id="iam_01_0023__fig10960172283211"><span class="figcap"><b>Figure 1 </b>Account management model</span><br><span><img id="iam_01_0023__image131616505186" src="en-us_image_0274187193.png"></span></div>
</div>
<div class="section" id="iam_01_0023__section201417411614"><h4 class="sectiontitle">User</h4><p id="iam_01_0023__p49102262144454">You or other administrators can create users for employees, systems, or applications in IAM. The users can log in to the console or access APIs using their own identity credentials (passwords and access keys).</p>
<div class="fignone" id="iam_01_0023__fig133971733114"><span class="figcap"><b>Figure 2 </b>Relationship between an account and users</span><br><span><img id="iam_01_0023__image683623184719" src="en-us_image_0274186863.png" width="222.44250000000002" height="332.1675" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_01_0023__fig133971733114"><span class="figcap"><b>Figure 2 </b>Relationship between an account and users</span><br><span><img id="iam_01_0023__image683623184719" src="en-us_image_0274186863.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="section" id="iam_01_0023__section126697618197"><h4 class="sectiontitle">Federated User</h4><p id="iam_01_0023__p9511624145917">Federated users access the cloud platform through identity federation.</p>
<p id="iam_01_0023__p19985118212">After being authenticated by an identity provider (IdP), users can access resources in a service provider (SP) without needing re-authentication.</p>
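Review bot: Removing width="NaN" height="NaN" from the Figure 1 img is right, but the new Figure 1 img still has no class="imgResize" or title, while the Figure 2 img keeps both and now loses its explicit width and height. Please confirm that whatever handles imgResize bounds the rendered size, otherwise Figure 2 will display at the PNG's native dimensions, and consider giving Figure 1 the same class for consistency. Neither img carries an alt attribute; the figcap text ("Account management model", "Relationship between an account and users") could be reused for it.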

View File

@ -10,7 +10,7 @@
<div class="section" id="iam_01_0024__section20199181713619"><h4 class="sectiontitle">Granting Permissions to Other Accounts</h4><p id="iam_01_0024__p27134311363">You (account A) can grant permissions to another account (account B) by creating an agency. Account B can then grant the <strong id="iam_01_0024__b015815239292">Agent Operator</strong> permissions to a user so that the user can manage resources in your account (account A).</p>
</div>
<div class="section" id="iam_01_0024__section219852720165"><h4 class="sectiontitle">Granting Permissions to Federated Users</h4><p id="iam_01_0024__p7752162911169">You can federate external users to IAM and grant permissions to the users to access cloud resources by creating an identity provider and identity conversion rules.</p>
<div class="fignone" id="iam_01_0024__fig644812451338"><span class="figcap"><b>Figure 2 </b>Identity conversion of federated users</span><br><span><img id="iam_01_0024__image13601359454" src="en-us_image_0274186856.png" width="331.66875000000005" height="116.70750000000001" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_01_0024__fig644812451338"><span class="figcap"><b>Figure 2 </b>Identity conversion of federated users</span><br><span><img id="iam_01_0024__image13601359454" src="en-us_image_0274186856.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
</div>
<div>

File diff suppressed because it is too large Load Diff

View File

@ -6,7 +6,7 @@
<div class="section" id="iam_01_0034__section1637975175510"><h4 class="sectiontitle">Example</h4><p id="iam_01_0034__p1287110412569">The following is an example of how to use IAM.</p>
</div>
<p id="iam_01_0034__p96222039152018">Assume that there are three user groups in your enterprise: security administrators (<strong id="iam_01_0034__b88339253482">admin</strong>), developers, and testers. Each user group can contain multiple users, and a user can belong to multiple user groups.</p>
<div class="fignone" id="iam_01_0034__fig1012494020203"><span class="figcap"><b>Figure 1 </b>User management model</span><br><span><img id="iam_01_0034__image4124140112016" src="en-us_image_0000001088564514.png" height="373.23657000000003" width="477.8025" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_01_0034__fig1012494020203"><span class="figcap"><b>Figure 1 </b>User management model</span><br><span><img id="iam_01_0034__image4124140112016" src="en-us_image_0000001088564514.png" title="Click to enlarge" class="imgResize"></span></div>
<ol id="iam_01_0034__ol555973162418"><li id="iam_01_0034__li39391730191418">Create a security administrator <strong id="iam_01_0034__b2171164214521">Franklin</strong> and add <strong id="iam_01_0034__b13176154210527">Franklin</strong> to the default user group <strong id="iam_01_0034__b21774422528">admin</strong>.</li><li id="iam_01_0034__li865166101515">Log in as <strong id="iam_01_0034__b1031525316522">Franklin</strong>, create another security administrator <strong id="iam_01_0034__b193298532527">Lawrence</strong>, and add <strong id="iam_01_0034__b1632916533522">Lawrence</strong> to the default user group <strong id="iam_01_0034__b193291553165218">admin</strong>.</li><li id="iam_01_0034__li12464943182513">Log in as <strong id="iam_01_0034__b31597885521035">Franklin</strong> or <strong id="iam_01_0034__b83853826121035">Lawrence</strong>, create user groups <strong id="iam_01_0034__b84235270617845">Developers</strong> and <strong id="iam_01_0034__b84235270617858">Testers</strong>, and grant the required permissions to each user group.</li><li id="iam_01_0034__li16378162211168">Log in as <strong id="iam_01_0034__b10217181525312">Franklin</strong> or <strong id="iam_01_0034__b322217153531">Lawrence</strong>, create developers <strong id="iam_01_0034__b5223715175312">Elizabeth</strong> and <strong id="iam_01_0034__b32232156537">Randolph</strong>, and add them to the <strong id="iam_01_0034__b2223515115315">Developers</strong> user group. 
Then create tester <strong id="iam_01_0034__b182241215155317">Jennifer</strong>, and add <strong id="iam_01_0034__b16224101565310">Jennifer</strong> and <strong id="iam_01_0034__b17224151565312">Randolph</strong> to the <strong id="iam_01_0034__b1922541510533">Testers</strong> user group.</li><li id="iam_01_0034__li29431721162214">Users <strong id="iam_01_0034__b115041841165410">Elizabeth</strong>, <strong id="iam_01_0034__b85041541155416">Jennifer</strong>, and <strong id="iam_01_0034__b175041241155420">Randolph</strong> log in using their own credentials.<div class="note" id="iam_01_0034__note1095731811452"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0034__p3150700011452">Security administrators and users are IAM users who have different permissions depending on the user groups to which they belong. All IAM users have their own security credentials (username and password) to log in to the system.</p>
</div></div>
</li></ol>
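Review bot: The Example section div closes immediately after its one-sentence introduction, so the paragraph about the three user groups, Figure 1 and the five-step list all sit outside the section they belong to. Since this hunk already touches the figure line, consider moving the closing div to after the ordered list. The note in step 5 also describes security credentials as "(username and password)", while the User section in iam_01_0023 lists "passwords and access keys"; the two descriptions should agree.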

View File

@ -3,17 +3,17 @@
<h1 class="topictitle1">Account Delegation</h1>
<h1 class="topictitle1">Delegating Another Account for Resource Management</h1>
<div id="body0000001562632637"></div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="iam_06_0001.html">Delegating Resource Access to Another Account</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_06_0001.html">Process for Account Delegation</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0046613147.html">Creating an Agency (by a Delegating Party)</a></strong><br>
<li class="ulchildlink"><strong><a href="en-us_topic_0046613147.html">Creating an Agency and Assigning Permissions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0063.html">(Optional) Assigning Permissions to an IAM User (by a Delegated Party)</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_01_0063.html">Assigning Agency Permissions to an IAM User</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0046613148.html">Switching Roles (by a Delegated Party)</a></strong><br>
<li class="ulchildlink"><strong><a href="en-us_topic_0046613148.html">Managing Delegated Resources</a></strong><br>
</li>
</ul>
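Review bot: The renamed child links drop the "(by a Delegating Party)" and "(by a Delegated Party)" qualifiers, which were the only indication in this table of contents of which account performs each step. In a cross-account flow that distinction decides who creates the agency and who is granted the right to use it, so please keep it in the titles or in a short description under each link. The "(Optional)" marker on iam_01_0063.html is also gone; if the step is still optional (the page itself says the account and the admin group can manage delegated resources by default), the title should still say so. The new topic title "Delegating Another Account for Resource Management" reads awkwardly; "Delegating Resource Management to Another Account" says the same thing.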

View File

@ -1,34 +1,34 @@
<a name="iam_01_0063"></a><a name="iam_01_0063"></a>
<h1 class="topictitle1">(Optional) Assigning Permissions to an IAM User (by a Delegated Party)</h1>
<div id="body1484205204048"><p id="iam_01_0063__en-us_topic_0170090700_p1990517262426">When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the <strong id="iam_01_0063__en-us_topic_0170090700_b939911403512">admin</strong> group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.</p>
<h1 class="topictitle1">Assigning Agency Permissions to an IAM User</h1>
<div id="body1484205204048"><p id="iam_01_0063__en-us_topic_0170090700_p1990517262426">When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the <strong id="iam_01_0063__en-us_topic_0170090700_b873519122915">admin</strong> group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.</p>
<p id="iam_01_0063__en-us_topic_0170090700_p113724394279">You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.</p>
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section8625973163627"><h4 class="sectiontitle">Prerequisites</h4><ul id="iam_01_0063__en-us_topic_0170090700_ul29219768113237"><li id="iam_01_0063__en-us_topic_0170090700_li6222311493312">A trust relationship has been established between your account and another account.</li><li id="iam_01_0063__en-us_topic_0170090700_li55189331113237">You have obtained the name of the delegating account and the name and ID of the created agency.</li></ul>
</div>
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section126738501115"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0063__en-us_topic_0170090700_ol12911218193512"><li id="iam_01_0063__en-us_topic_0170090700_li135311310144613"><a name="iam_01_0063__en-us_topic_0170090700_li135311310144613"></a><a name="en-us_topic_0170090700_li135311310144613"></a><span>Create a user group and grant permissions to it.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol185478381413"><li id="iam_01_0063__en-us_topic_0170090700_lbf179c35bf344bd6880e02f7987e3646">On the <strong id="iam_01_0063__en-us_topic_0170090700_a77708ffee09d4381b4dfc8f4ee4a58fe">User Groups</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611269_b362570492353">Create User Group</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lc5c9922fb20841fab6f29ae09468afcc">Enter a user group name.</li><li id="iam_01_0063__en-us_topic_0170090700_lb24e36a0bdae42dba9d4aecca47a38b6">Click <strong id="iam_01_0063__en-us_topic_0170090700_b89714992012">OK</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0111879498_li2918054318">In the row containing the user group, click <strong id="iam_01_0063__en-us_topic_0170090700_b25011226518">Authorize</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li7818855162215">Create a custom policy.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note1936081162414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p336012115247">This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to <a href="#iam_01_0063__en-us_topic_0170090700_li027318403345">1.f</a>.</p>
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section126738501115"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0063__en-us_topic_0170090700_ol12911218193512"><li id="iam_01_0063__en-us_topic_0170090700_li135311310144613"><a name="iam_01_0063__en-us_topic_0170090700_li135311310144613"></a><a name="en-us_topic_0170090700_li135311310144613"></a><span>Create a user group and grant permissions to it.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol185478381413"><li id="iam_01_0063__en-us_topic_0170090700_lbf179c35bf344bd6880e02f7987e3646">On the <strong id="iam_01_0063__en-us_topic_0170090700_a77708ffee09d4381b4dfc8f4ee4a58fe">User Groups</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611269_b362570492353">Create User Group</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lc5c9922fb20841fab6f29ae09468afcc">Enter a user group name.</li><li id="iam_01_0063__en-us_topic_0170090700_lb24e36a0bdae42dba9d4aecca47a38b6">Click <strong id="iam_01_0063__en-us_topic_0170090700_b89714992012">OK</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0111879498_li2918054318">In the row containing the user group, click <strong id="iam_01_0063__en-us_topic_0170090700_b75010273298">Authorize</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li7818855162215">Create a custom policy.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note1936081162414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p336012115247">This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to step <a href="#iam_01_0063__en-us_topic_0170090700_li027318403345">6</a>.</p>
</div></div>
<ol class="substepthirdol" id="iam_01_0063__en-us_topic_0170090700_ol441072882414"><li id="iam_01_0063__en-us_topic_0170090700_li541082814245">On the <strong id="iam_01_0063__en-us_topic_0170090700_b15655103525214">Select Policy/Role</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_b035264217521">Create Policy</strong> in the upper right corner of the permission list.</li><li id="iam_01_0063__en-us_topic_0170090700_li24106288249">Enter a policy name.</li><li id="iam_01_0063__en-us_topic_0170090700_li10410528122413">Select <strong id="iam_01_0063__en-us_topic_0170090700_b19217161175316">JSON</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b1121712117538">Policy View</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li134101228182419">In the <span class="parmname" id="iam_01_0063__en-us_topic_0170090700_parmname673129492"><b>Policy Content</b></span> area, enter the following content:<pre class="screen" id="iam_01_0063__en-us_topic_0170090700_screen7410102852411">{
<ol class="substepthirdol" id="iam_01_0063__en-us_topic_0170090700_ol441072882414"><li id="iam_01_0063__en-us_topic_0170090700_li541082814245">On the <strong id="iam_01_0063__en-us_topic_0170090700_b15655103525214">Select Policy/Role</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_b035264217521">Create Policy</strong> in the upper right corner of the permission list.</li><li id="iam_01_0063__en-us_topic_0170090700_li24106288249">Enter a policy name.</li><li id="iam_01_0063__en-us_topic_0170090700_li10410528122413">Select <strong id="iam_01_0063__en-us_topic_0170090700_b19217161175316">JSON</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b1121712117538">Policy View</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li134101228182419">In the <span class="parmname" id="iam_01_0063__en-us_topic_0170090700_parmname1269566891"><b>Policy Content</b></span> area, enter the following content:<pre class="screen" id="iam_01_0063__en-us_topic_0170090700_screen7410102852411">{
"Version": "1.1",
"Statement": [
{
"Action": [
"iam:agencies:assume"
"iam:tokens:assume"
],
"Resource": {
"uri": [
"/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
"/iam/agencies/agencyTest"
]
},
"Effect": "Allow"
}
]
}</pre>
<div class="note" id="iam_01_0063__en-us_topic_0170090700_note14410928162419"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0063__en-us_topic_0170090700_ul1241020281240"><li id="iam_01_0063__en-us_topic_0170090700_li741015282242">Replace <em id="iam_01_0063__en-us_topic_0170090700_i452989001">b36b1258b5dc41a4aa8255508xxx...</em> with the agency ID obtained from a delegating party. Do not make any other changes.</li><li id="iam_01_0063__en-us_topic_0170090700_li15410328112415">For more information about permissions, see <a href="iam_01_0015.html">Permissions</a>.</li></ul>
<div class="note" id="iam_01_0063__en-us_topic_0170090700_note14410928162419"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0063__en-us_topic_0170090700_ul1241020281240"><li id="iam_01_0063__en-us_topic_0170090700_li741015282242">Replace <strong id="iam_01_0063__en-us_topic_0170090700_b585112403616">agencyTest</strong> with the agency name obtained from a delegating party. Copy the other content without making any changes.</li><li id="iam_01_0063__en-us_topic_0170090700_li15410328112415">For more information about permissions, see <a href="iam_01_0015.html">Permissions</a>.</li></ul>
</div></div>
</li><li id="iam_01_0063__en-us_topic_0170090700_li44101728132415">Click <strong id="iam_01_0063__en-us_topic_0170090700_b684191413531">Next</strong>.</li></ol>
</li><li id="iam_01_0063__en-us_topic_0170090700_li027318403345"><a name="iam_01_0063__en-us_topic_0170090700_li027318403345"></a><a name="en-us_topic_0170090700_li027318403345"></a>Select the policy created in the previous step or the <span class="parmvalue" id="iam_01_0063__en-us_topic_0170090700_parmvalue58281727155316"><b>Agent Operator</b></span> role and click <strong id="iam_01_0063__en-us_topic_0170090700_b12369931155519">Next</strong>.<ul id="iam_01_0063__en-us_topic_0170090700_ul420813653713"><li id="iam_01_0063__en-us_topic_0170090700_li14514154073710">Custom policy: Allows a user to manage resources only for an agency identified by a specific ID.</li><li id="iam_01_0063__en-us_topic_0170090700_li451415401377"><strong id="iam_01_0063__en-us_topic_0170090700_b73021448105510">Agent Operator</strong> role: Allows a user to manage resources for all agencies.</li></ul>
</li><li id="iam_01_0063__en-us_topic_0170090700_li2784645193516">Specify the authorization scope.</li><li id="iam_01_0063__en-us_topic_0170090700_lf9efb0c8fbcf4319876dfb166db82d93">Click <strong id="iam_01_0063__en-us_topic_0170090700_b1736119357239">OK</strong>.</li></ol>
</p></li><li id="iam_01_0063__en-us_topic_0170090700_li695863494610"><span>Create an IAM user and add the user to the user group.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol1973131318477"><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611303_li19845579">On the <strong id="iam_01_0063__en-us_topic_0170090700_a806108f280b94df388a55abcd07ffd75">Users</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_a5e6c8cf39bbc4493a122994663de10ea">Create User</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_leff3e1e7fed4402aa331ea7848149a5d">On the <strong id="iam_01_0063__en-us_topic_0170090700_b16514132925511">Create User</strong> page, enter a username.</li><li id="iam_01_0063__en-us_topic_0170090700_l325822f9287240eb9847d7175bcc7196">Select <strong id="iam_01_0063__en-us_topic_0170090700_b1236755731016">Management console access</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b01597117574">Access Type</strong> and then select <strong id="iam_01_0063__en-us_topic_0170090700_b132081954191018">Set by user</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b136131148165610">Credential Type</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li179817611281">Enable login protection and click <strong id="iam_01_0063__en-us_topic_0170090700_b82544931311">Next</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lae070020d47a4845b25fd84d72d5e582">Select the user group created in <a href="#iam_01_0063__en-us_topic_0170090700_li135311310144613">1</a> and click <strong id="iam_01_0063__en-us_topic_0170090700_b41421028165815">Create</strong>.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note6447104555618"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p171308275572">After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific 
resources under the account.</p>
</p></li><li id="iam_01_0063__en-us_topic_0170090700_li695863494610"><span>Create an IAM user and add the user to the user group.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol1973131318477"><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611303_li19845579">On the <strong id="iam_01_0063__en-us_topic_0170090700_a806108f280b94df388a55abcd07ffd75">Users</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_a5e6c8cf39bbc4493a122994663de10ea">Create User</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_leff3e1e7fed4402aa331ea7848149a5d">On the <strong id="iam_01_0063__en-us_topic_0170090700_b16514132925511">Create User</strong> page, enter a username.</li><li id="iam_01_0063__en-us_topic_0170090700_l325822f9287240eb9847d7175bcc7196">Select <strong id="iam_01_0063__en-us_topic_0170090700_b1236755731016">Management console access</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b01597117574">Access Type</strong> and then select <strong id="iam_01_0063__en-us_topic_0170090700_b132081954191018">Set by user</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b136131148165610">Credential Type</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li179817611281">Enable login protection and click <strong id="iam_01_0063__en-us_topic_0170090700_b82544931311">Next</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lae070020d47a4845b25fd84d72d5e582">Select the user group created in step <a href="#iam_01_0063__en-us_topic_0170090700_li135311310144613">1</a> and click <strong id="iam_01_0063__en-us_topic_0170090700_b41421028165815">Create</strong>.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note6447104555618"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p171308275572">After the authorization is complete, the IAM user can switch to the account of the delegating party and manage 
specific resources under the account.</p>
</div></div>
</li></ol>
</p></li></ol>
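Review bot: The policy example now identifies the agency by name ("/iam/agencies/agencyTest") and the note tells the reader to substitute the agency name, but the bullet under the policy selection step still says the custom policy allows managing resources "only for an agency identified by a specific ID", and the Prerequisites still ask for the agency's name and ID. Please align both with the name-based URI, and state whether an agency ID is still accepted in the uri field. The action changes from "iam:agencies:assume" to "iam:tokens:assume" with no explanation in the commit message; because a request that matches no Allow is denied, readers who copied the old policy need to know whether it keeps working or must be updated. The reworded cross-reference "go to step 6" points at an item of the ol type="a" list, which renders as f under step 1, so "step 1.f" (as before) or "substep f" would match what the reader sees.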
@ -38,7 +38,7 @@
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Account Delegation</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Delegating Another Account for Resource Management</a></div>
</div>
</div>

View File

@ -6,9 +6,9 @@
<h1 class="topictitle1">Deleting User Groups</h1>
<div id="body0000001474724360"><div class="section" id="iam_01_0430__en-us_topic_0000001280434532_section73474101524"><h4 class="sectiontitle">Procedure</h4><p id="iam_01_0430__en-us_topic_0000001280434532_p17218137521">To delete a user group, do the following:</p>
</div>
<ol id="iam_01_0430__en-us_topic_0000001280434532_ol1771074165311"><li id="iam_01_0430__en-us_topic_0000001280434532_li771064165312"><span>Log in to the IAM console. In the navigation pane, choose <strong id="iam_01_0430__en-us_topic_0000001280434532_b98431314165112">User Groups</strong>.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li123855243548"><span>In the user group list, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b98701484424843">Delete</strong> in the row that contains the user group to be deleted.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li12439230310"><span>In the displayed dialog box, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b176037717438">Yes</strong>.</span></li></ol>
<ol id="iam_01_0430__en-us_topic_0000001280434532_ol1771074165311"><li id="iam_01_0430__en-us_topic_0000001280434532_li771064165312"><span>Log in to the IAM console. In the navigation pane, choose <strong id="iam_01_0430__en-us_topic_0000001280434532_b1996118483105">User Groups</strong>.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li123855243548"><span>In the user group list, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b98701484424843">Delete</strong> in the row that contains the user group to be deleted.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li12439230310"><span>In the displayed dialog box, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b176037717438">OK</strong>.</span></li></ol>
<div class="section" id="iam_01_0430__en-us_topic_0000001280434532_section2924729124712"><h4 class="sectiontitle">Batch Deleting User Groups</h4><p id="iam_01_0430__en-us_topic_0000001280434532_p1971532144717">To delete multiple user groups at a time, do the following:</p>
<ol id="iam_01_0430__en-us_topic_0000001280434532_ol15628332641"><li id="iam_01_0430__en-us_topic_0000001280434532_li26285329413"><span>Log in to the IAM console. In the navigation pane, choose <strong id="iam_01_0430__en-us_topic_0000001280434532_b1755922914513">User Groups</strong>.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li102171242143"><span>In the user group list, select the user groups to be deleted and click <strong id="iam_01_0430__en-us_topic_0000001280434532_b13135859195316">Delete</strong> above the list.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li074717495264"><span>In the displayed dialog box, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b183184214543">Yes</strong>.</span></li></ol>
<ol id="iam_01_0430__en-us_topic_0000001280434532_ol15628332641"><li id="iam_01_0430__en-us_topic_0000001280434532_li26285329413"><span>Log in to the IAM console. In the navigation pane, choose <strong id="iam_01_0430__en-us_topic_0000001280434532_b1180514152317">User Groups</strong>.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li102171242143"><span>In the user group list, select the user groups to be deleted and click <strong id="iam_01_0430__en-us_topic_0000001280434532_b13135859195316">Delete</strong> above the list.</span></li><li id="iam_01_0430__en-us_topic_0000001280434532_li074717495264"><span>In the displayed dialog box, click <strong id="iam_01_0430__en-us_topic_0000001280434532_b183184214543">OK</strong>.</span></li></ol>
</div>
</div>
<div>

View File

@ -3,12 +3,12 @@
<h1 class="topictitle1">Logging In as an IAM User</h1>
<div id="body0000001524856013"><p id="iam_01_0552__p48381358173814">You can log in to the console as an IAM user or obtain the IAM user login link from the administrator and then use the link to log in.</p>
<div class="section" id="iam_01_0552__section6213194672614"><h4 class="sectiontitle">Method 1: Logging In by Clicking IAM User Login</h4><ol id="iam_01_0552__ol69967181426"><li id="iam_01_0552__li09152323544"><span>On the login page, enter the domain name, username/email address/mobile number, and password.</span><p><ul id="iam_01_0552__ul028102663113"><li id="iam_01_0552__li41981256132720"><strong id="iam_01_0552__b152524519314">Domain name</strong>: The name of the account that was used to create the IAM user. You can obtain the domain name from the administrator.</li><li id="iam_01_0552__li1428162616311"><strong id="iam_01_0552__b5570674415">Username/Email address/Mobile number</strong>: The username, email address, or mobile number of the IAM user. You can obtain the username and password from the administrator.</li><li id="iam_01_0552__li2281126193115"><strong id="iam_01_0552__b870815186410">Password</strong>: The password of the IAM user.</li></ul>
</p></li><li id="iam_01_0552__li799651814210"><span>Click <strong id="iam_01_0552__b202443251416">Log In</strong>.</span><p><div class="note" id="iam_01_0552__note13996131811427"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0552__ul1999691834219"><li id="iam_01_0552__li099631884218">If you have not been added to any group, you do not have permissions for accessing any cloud services. In this case, contact the administrator and request for required permissions (see <a href="iam_01_0030.html">Creating a User Group and Assigning Permissions</a> and <a href="iam_03_0002.html">Adding Users to or Removing Users from a User Group</a>).</li><li id="iam_01_0552__li29962018104217">If you have been added to the default group <strong id="iam_01_0552__b151139591410">admin</strong>, you have administrator permissions and you can perform all operations on all cloud services.</li></ul>
</p></li><li id="iam_01_0552__li799651814210"><span>Click <strong id="iam_01_0552__b202443251416">Log In</strong>.</span><p><div class="note" id="iam_01_0552__note13996131811427"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0552__ul1999691834219"><li id="iam_01_0552__li099631884218">If you have not been added to any group, you do not have permissions for accessing any cloud services. In this case, contact the administrator and request for required permissions (see <a href="iam_01_0030.html">Creating a User Group and Assigning Permissions</a> and <a href="iam_03_0002.html">Adding IAM Users to or Removing IAM Users from a User Group</a>).</li><li id="iam_01_0552__li29962018104217">If you have been added to the default group <strong id="iam_01_0552__b151139591410">admin</strong>, you have administrator permissions and you can perform all operations on all cloud services.</li></ul>
</div></div>
</p></li></ol>
</div>
<div class="section" id="iam_01_0552__section18827123192713"><h4 class="sectiontitle">Method 2: Logging In Using the IAM User Login Link</h4><p id="iam_01_0552__p26501644114012">You can obtain the IAM user login link from the administrator and then log in using this link. When you visit the link, the system displays the login page and automatically populates the domain name. You only need to enter your username/email address/mobile number and password.</p>
<ol id="iam_01_0552__ol781783120291"><li id="iam_01_0552__li881719314297"><span>Obtain the IAM user login link from the administrator.</span><p><div class="fignone" id="iam_01_0552__fig0802128181611"><span class="figcap"><b>Figure 1 </b>IAM user login link</span><br><span><img id="iam_01_0552__image10802328201611" src="en-us_image_0000001474176978.png" height="109.72500000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<ol id="iam_01_0552__ol781783120291"><li id="iam_01_0552__li881719314297"><span>Obtain the IAM user login link from the administrator.</span><p><div class="fignone" id="iam_01_0552__fig0802128181611"><span class="figcap"><b>Figure 1 </b>IAM user login link</span><br><span><img id="iam_01_0552__image10802328201611" src="en-us_image_0000001474176978.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_01_0552__li322331013377"><span>Paste the link into the address bar of a browser, press <strong id="iam_01_0552__b85936149510">Enter</strong>, and enter the IAM username/email address/mobile number and password, and click <strong id="iam_01_0552__b6593114458">Log In</strong>.</span></li></ol>
</div>
</div>
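Review bot: In the note under "Click Log In", the line being changed for the new link title still reads "contact the administrator and request for required permissions"; since the line is touched anyway, fix it to "request the required permissions". The same note says members of the default admin group "can perform all operations on all cloud services", which is worth pairing with a pointer to the guidance in iam_01_0023 about creating a dedicated security administrator, so that readers do not take it as a recommendation to add users to admin.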

View File

@ -14,7 +14,7 @@
</li>
<li class="ulchildlink"><strong><a href="iam_02_0004.html">Deleting an IAM User</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0653.html">Changing the Login Password of an IAM User</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_01_0653.html">Modifying Security Settings for an IAM User</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0080335069.html">Modifying User Permissions</a></strong><br>
</li>

View File

@ -1,98 +0,0 @@
<a name="iam_01_0601"></a><a name="iam_01_0601"></a>
<h1 class="topictitle1">Roles</h1>
<div id="body0000001525381333"><p id="iam_01_0601__en-us_topic_0171219944_p91265371914">Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles for permissions management.</p>
<p id="iam_01_0601__en-us_topic_0171219944_p655605595111">Services on the cloud platform interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services. For more information, see <a href="iam_01_0657.html#iam_01_0657">Assigning Dependency Roles</a>.</p>
<div class="section" id="iam_01_0601__en-us_topic_0171219944_en-us_topic_0165687178_section9359105292516"><h4 class="sectiontitle">Role Content</h4><p id="iam_01_0601__en-us_topic_0171219944_en-us_topic_0165687178_p132586537566">When using roles to assign permissions, you can select a role and click <span><img id="iam_01_0601__en-us_topic_0171219944_image2829113414613" src="en-us_image_0000001162246460.png"></span> to view the details of the role. This section uses the <strong id="iam_01_0601__en-us_topic_0171219944_b67991852101718">DNS Administrator</strong> role as an example to describe the role content.</p>
<pre class="screen" id="iam_01_0601__en-us_topic_0171219944_en-us_topic_0165687178_screen13374111692618">{
"Version": "1.0",
"Statement": [
{
"Action": [
"DNS:Zone:*",
"DNS:RecordSet:*",
"DNS:PTRRecord:*"
],
"Effect": "Allow"
}
],
"Depends": [
{
"catalog": "BASE",
"display_name": "Tenant Guest"
},
{
"catalog": "VPC",
"display_name": "VPC Administrator"
}
]
}</pre>
</div>
<div class="section" id="iam_01_0601__en-us_topic_0171219944_en-us_topic_0165687178_section1057124415300"><h4 class="sectiontitle">Parameter Description</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="iam_01_0601__en-us_topic_0171219944_table263109993745" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameter description</caption><thead align="left"><tr id="iam_01_0601__en-us_topic_0171219944_row5964380593745"><th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.4.2.2.5.1.1"><p id="iam_01_0601__en-us_topic_0171219944_p3840680793745">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.4.2.2.5.1.2"><p id="iam_01_0601__en-us_topic_0171219944_p2394366493745">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.4.2.2.5.1.3"><p id="iam_01_0601__en-us_topic_0171219944_p6038866693745">Value</p>
</th>
</tr>
</thead>
<tbody><tr id="iam_01_0601__en-us_topic_0171219944_row33603866145041"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p6202570314511">Version</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.2 "><p id="iam_01_0601__en-us_topic_0171219944_en-us_topic_0171219944_p5802604114511">Role version.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.3 "><p id="iam_01_0601__en-us_topic_0171219944_p12283164818190"><strong id="iam_01_0601__en-us_topic_0171219944_b3871949201014">1.0</strong>: indicates role-based access control.</p>
</td>
</tr>
<tr id="iam_01_0601__en-us_topic_0171219944_row3390115193745"><td class="cellrowborder" rowspan="2" valign="top" width="14.2%" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p2571453445">Statement</p>
</td>
<td class="cellrowborder" valign="top" width="14.280000000000001%" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p15225242142620">Action</p>
</td>
<td class="cellrowborder" valign="top" width="17.25%" headers="mcps1.3.4.2.2.5.1.2 "><p id="iam_01_0601__en-us_topic_0171219944_p22261942112610">Operations to be performed on the service.</p>
</td>
<td class="cellrowborder" valign="top" width="54.269999999999996%" headers="mcps1.3.4.2.2.5.1.3 "><p id="iam_01_0601__en-us_topic_0171219944_p22471177492">Format: "<em id="iam_01_0601__en-us_topic_0171219944_i194011150132215">Service name</em>:<em id="iam_01_0601__en-us_topic_0171219944_i54032509224">Resource type</em>:<em id="iam_01_0601__en-us_topic_0171219944_i740335072211">Operation</em>".</p>
<p id="iam_01_0601__en-us_topic_0171219944_p1780485644612"><strong id="iam_01_0601__en-us_topic_0171219944_b12703161112018">DNS:Zone:*</strong>: Permissions for performing all operations on Domain Name Service (DNS) zones.</p>
</td>
</tr>
<tr id="iam_01_0601__en-us_topic_0171219944_row14410123292620"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p154997388265">Effect</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p1043912593493">Determines whether to allow or deny the operations defined in the action.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.2 "><ul id="iam_01_0601__en-us_topic_0171219944_ul10506203862610"><li id="iam_01_0601__en-us_topic_0171219944_li14507173842613">Allow</li><li id="iam_01_0601__en-us_topic_0171219944_li750916385268">Deny</li></ul>
<div class="note" id="iam_01_0601__en-us_topic_0171219944_note273204052719"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="iam_01_0601__en-us_topic_0171219944_p1074104019279">If a role grants both Allow and Deny effects for the same action, the Deny takes precedence.</p>
</div></div>
</td>
</tr>
<tr id="iam_01_0601__en-us_topic_0171219944_row1374963893745"><td class="cellrowborder" rowspan="2" valign="top" width="14.2%" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p128610994517">Depends</p>
</td>
<td class="cellrowborder" valign="top" width="14.280000000000001%" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p2969357393745">catalog</p>
</td>
<td class="cellrowborder" valign="top" width="17.25%" headers="mcps1.3.4.2.2.5.1.2 "><p id="iam_01_0601__en-us_topic_0171219944_p7299184515112">Name of the service to which a dependency role belongs.</p>
</td>
<td class="cellrowborder" valign="top" width="54.269999999999996%" headers="mcps1.3.4.2.2.5.1.3 "><p id="iam_01_0601__en-us_topic_0171219944_p250437493745">Service name. Example: <strong id="iam_01_0601__en-us_topic_0171219944_b360222192915">BASE</strong> and <strong id="iam_01_0601__en-us_topic_0171219944_b13361063238">VPC</strong>.</p>
</td>
</tr>
<tr id="iam_01_0601__en-us_topic_0171219944_row1979566093745"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p5663788193745">display_name</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.1 "><p id="iam_01_0601__en-us_topic_0171219944_p0173165825112">Name of the dependency role.</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.2.5.1.2 "><p id="iam_01_0601__en-us_topic_0171219944_p1935892693745">Role name.</p>
<div class="note" id="iam_01_0601__en-us_topic_0171219944_note1885115616538"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="iam_01_0601__en-us_topic_0171219944_p19372161025415">When you assign the <strong id="iam_01_0601__en-us_topic_0171219944_b17338164613119">DNS Administrator</strong> role to a user group, you also need to assign the <strong id="iam_01_0601__en-us_topic_0171219944_b8742162116327">Tenant Guest</strong> and <strong id="iam_01_0601__en-us_topic_0171219944_b1042219184328">VPC Administrator</strong> roles to the group for the same project.</p>
<p id="iam_01_0601__en-us_topic_0171219944_p4931192513538">For more information about dependencies, see "Permissions".</p>
</div></div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0015.html">Permissions</a></div>
</div>
</div>
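Review bot: The note "If a role grants both Allow and Deny effects for the same action, the Deny takes precedence" and the Table 1 description of the Depends parameter (catalog, display_name) have no replacement in the lines shown here, yet the Assigning Dependency Roles topic (iam_01_0657) still explains its example in terms of the Depends parameter. Before dropping iam_01_0601, move the Deny-precedence rule and the Depends description to a page that stays, and check for remaining links to iam_01_0601.html.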

View File

@ -4,17 +4,17 @@
<h1 class="topictitle1">Password Policy</h1>
<div id="body0000001524972825"><p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p13197174193518">The <strong id="iam_01_0607__en-us_topic_0177717041_b953475416218">Password Policy</strong> tab of the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page provides the <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section222481512916">Password Composition &amp; Reuse</a>, <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section104571219917">Password Expiration</a>, and <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section86671628898">Minimum Password Age</a> settings.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p1187015426389">Only the <a href="iam_01_0023.html#iam_01_0023__section1475194083513">administrator</a> can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p4241234114613">You can configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.</p>
<div id="body0000001524972825"><p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p13197174193518">The <strong id="iam_01_0607__en-us_topic_0177717041_b77216338429">Password Policy</strong> tab of the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page provides the <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section222481512916">Password Composition &amp; Reuse</a>, <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section104571219917">Password Expiration</a>, and <a href="#iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section86671628898">Minimum Password Age</a> settings.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p1187015426389">Only the administrator and an entrusted identity can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p4241234114613">The administrator or an entrusted identity should configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.</p>
<div class="section" id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section222481512916"><a name="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section222481512916"></a><a name="en-us_topic_0177717041_en-us_topic_0176803439_section222481512916"></a><h4 class="sectiontitle">Password Composition &amp; Reuse</h4><ul id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_ul92484013198"><li id="iam_01_0607__en-us_topic_0177717041_li57238117312">Ensure that the password contains 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.</li><li id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_li4249409199">Set the minimum number of characters that a password must contain. The default value is 6 and the value range is from 6 to 32.</li><li id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_li32751235102154">(Optional) Enable the <strong id="iam_01_0607__en-us_topic_0177717041_b658972713200">Restrict consecutive identical characters</strong> option and set the maximum number of times that a character is allowed to be consecutively present in a password. For example, value <strong id="iam_01_0607__en-us_topic_0177717041_b14807101114320">1</strong> indicates that consecutive identical characters are not allowed in a password.</li><li id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_li6392046810225">(Optional) Enable the <strong id="iam_01_0607__en-us_topic_0177717041_b10478544202010">Disallow previously used passwords</strong> option and set the number of previously used passwords that are not allowed. For example, value <strong id="iam_01_0607__en-us_topic_0177717041_b129741751152014">3</strong> indicates that the user cannot set the last three passwords that the user has previously used when setting a new password.</li></ul>
<p id="iam_01_0607__en-us_topic_0177717041_p1915794210538">Changes to the password policy take effect the next time you or your IAM users change passwords. The new password policy will also apply to IAM users created later.</p>
</div>
<div class="section" id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section104571219917"><a name="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section104571219917"></a><a name="en-us_topic_0177717041_en-us_topic_0176803439_section104571219917"></a><h4 class="sectiontitle">Password Expiration</h4><p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p69405108576">Set a validity period for passwords so that users need to change their passwords periodically. The users will be prompted to change their passwords 15 days before password expiration. Expired passwords cannot be used to log in to the cloud platform.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p142851226101717">This option is disabled by default. The validity period ranges from 1 to 180 days.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p142851226101717">This option is disabled by default. It can be enabled by the administrator or an entrusted identity. The validity period range is from 1 day to 180 days.</p>
<p id="iam_01_0607__en-us_topic_0177717041_p41406261525">The changes will take effect immediately for your account and all IAM users under your account.</p>
</div>
<div class="note" id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_note48203233014"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0607__en-us_topic_0177717041_p1651012446616">After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old password.</p>
<div class="note" id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_note48203233014"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0607__en-us_topic_0177717041_ul511820123817"><li id="iam_01_0607__en-us_topic_0177717041_li1211162013816">After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old one.</li><li id="iam_01_0607__en-us_topic_0177717041_li111162083813">The password validity period policy applies only to console login. The operations of obtaining a user token through password authentication are not restricted by this policy.</li></ul>
</div></div>
<div class="section" id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section86671628898"><a name="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_section86671628898"></a><a name="en-us_topic_0177717041_en-us_topic_0176803439_section86671628898"></a><h4 class="sectiontitle">Minimum Password Age</h4><p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p107381353125710">To prevent password loss due to frequent password changes, you can set a minimum period after which users are allowed to make a password change.</p>
<p id="iam_01_0607__en-us_topic_0177717041_en-us_topic_0176803439_p103951122162619">This option is disabled by default. The validity period ranges from 0 to 1,440 minutes.</p>
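Review bot: The new bullet says the validity period "applies only to console login" and that obtaining a user token through password authentication is not restricted, which reads as contradicting the unchanged sentence "Expired passwords cannot be used to log in to the cloud platform" in the Password Expiration paragraph. Reword that sentence to say console login, and state plainly that an expired password still works for token requests, so administrators do not treat expiration as revoking the credential. The rewritten intro also introduces "an entrusted identity" without defining it and drops the link that "administrator" previously carried to iam_01_0023.html; link or define both terms.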

View File

@ -3,12 +3,26 @@
<h1 class="topictitle1">Changing the Login Password of an IAM User</h1>
<div id="body0000001474404544"><p id="iam_01_0653__en-us_topic_0170814265_p935515128234">As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.</p>
<p id="iam_01_0653__en-us_topic_0170814265_p13926203012228">To reset the login password of an IAM user, click <strong id="iam_01_0653__en-us_topic_0170814265_b125616249400">Security Settings</strong> in the row containing the user, click <span><img id="iam_01_0653__en-us_topic_0170814265_image18997559037" src="en-us_image_0000001207368543.png"></span> next to <strong id="iam_01_0653__en-us_topic_0170814265_b14682202454111">Login Password</strong> in the <strong id="iam_01_0653__en-us_topic_0170814265_b9931526174117">Login Credentials</strong> area, and select a password type.</p>
<div class="note" id="iam_01_0653__en-us_topic_0170814265_note15818143613917"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0653__en-us_topic_0170814265_ul078232195515"><li id="iam_01_0653__en-us_topic_0170814265_li1563414589314">You can reset the password of an IAM user on the <strong id="iam_01_0653__en-us_topic_0170814265_b145682919401">Security Settings</strong> page.</li><li id="iam_01_0653__en-us_topic_0170814265_li1178173225510">IAM users can change their passwords on the <a href="iam_01_0703.html#iam_01_0703">Basic Information</a> tab. </li></ul>
<h1 class="topictitle1">Modifying Security Settings for an IAM User</h1>
<div id="body0000001474404544"><p id="iam_01_0653__en-us_topic_0170814265_p165273974819">As an administrator, you can modify the password, MFA device, login protection, and access keys of an IAM user.</p>
<div class="section" id="iam_01_0653__en-us_topic_0170814265_section159092474112"><h4 class="sectiontitle">Constraints</h4><ul id="iam_01_0653__en-us_topic_0170814265_ul078232195515"><li id="iam_01_0653__en-us_topic_0170814265_li1178173225510">IAM users can change their passwords on the <a href="iam_01_0703.html#iam_01_0703">Basic Information</a> tab. </li><li id="iam_01_0653__en-us_topic_0170814265_li226593332614">By default, only the IAM user's MFA device can be changed on the <strong id="iam_01_0653__en-us_topic_0170814265_b16719241306">Security Settings</strong> tab. The MFA device of the account cannot be changed. To change the MFA device of the account, grant the permissions needed to add and unbind the MFA device.</li><li id="iam_01_0653__en-us_topic_0170814265_li1750611598264">The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.</li></ul>
</div>
<div class="section" id="iam_01_0653__en-us_topic_0170814265_section1764805116463"><h4 class="sectiontitle">Changing the Password of an IAM User</h4><p id="iam_01_0653__en-us_topic_0170814265_p1825512479377">As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user. </p>
</div>
<ol id="iam_01_0653__en-us_topic_0170814265_ol2661105414373"><li id="iam_01_0653__en-us_topic_0170814265_li6645813811"><span>Log in to the IAM console as the administrator.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li15648816389"><span>In the user list, click a username or click <strong id="iam_01_0653__en-us_topic_0170814265_b425752720209">Security Settings</strong> in the <strong id="iam_01_0653__en-us_topic_0170814265_b2025732752011">Operation</strong> column to access the user details page.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li719015117385"><span>Click the <strong id="iam_01_0653__en-us_topic_0170814265_b842203613209">Security Settings</strong> tab. In the <strong id="iam_01_0653__en-us_topic_0170814265_b29535014369">Login Credentials</strong> area, click <span><img id="iam_01_0653__en-us_topic_0170814265_image2411132392" src="en-us_image_0000002162336158.png"></span> in the <strong id="iam_01_0653__en-us_topic_0170814265_b1795121617197">Login Password</strong> row to reset the login password for the IAM user.</span><p><ul id="iam_01_0653__en-us_topic_0170814265_ul3465547124215"><li id="iam_01_0653__en-us_topic_0170814265_li11221732105017"><strong id="iam_01_0653__en-us_topic_0170814265_b210212310520">Set by user</strong>: A one-time login URL will be emailed to the user. The user can then click the link to set a password.</li><li id="iam_01_0653__en-us_topic_0170814265_li29689429508"><strong id="iam_01_0653__en-us_topic_0170814265_b178589547547">Automatically generated</strong>: A password will be automatically generated and then sent to the user by email.</li><li id="iam_01_0653__en-us_topic_0170814265_li3466114714429"><strong id="iam_01_0653__en-us_topic_0170814265_b56554725995245">Set now</strong>: You set a new password and send the new password to the user.</li></ul>
</p></li></ol>
<div class="section" id="iam_01_0653__en-us_topic_0170814265_section2095312682613"><h4 class="sectiontitle">Changing the MFA Device for an IAM User</h4><p id="iam_01_0653__en-us_topic_0170814265_p197599169266">You can only change the MFA device for an IAM user, but not for the account.</p>
<ol id="iam_01_0653__en-us_topic_0170814265_ol875145282713"><li id="iam_01_0653__en-us_topic_0170814265_li137281658102715"><span>Log in to the IAM console as the administrator.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li19729115810273"><span>In the user list, click a username or click <strong id="iam_01_0653__en-us_topic_0170814265_b34426181253">Security Settings</strong> in the <strong id="iam_01_0653__en-us_topic_0170814265_b444218183251">Operation</strong> column to access the user details page.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li10140608282"><span>Click the <strong id="iam_01_0653__en-us_topic_0170814265_b15337172317258">Security Settings</strong> tab and change the MFA device of the IAM user.</span><p><ul id="iam_01_0653__en-us_topic_0170814265_ul153341166395"><li id="iam_01_0653__en-us_topic_0170814265_li1388974755917">Change the mobile number or email address of the user. <div class="note" id="iam_01_0653__en-us_topic_0170814265_note947485511013"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0653__en-us_topic_0170814265_p96400765313">The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.</p>
</div></div>
<ul id="iam_01_0653__en-us_topic_0170814265_ul6247112615108"><li id="iam_01_0653__en-us_topic_0170814265_li11221732105017"><strong id="iam_01_0653__en-us_topic_0170814265_b88021941581">Set by user</strong>: A one-time login URL will be emailed to the user. The user can then click on the link to set a password.</li><li id="iam_01_0653__en-us_topic_0170814265_li29689429508"><strong id="iam_01_0653__en-us_topic_0170814265_b178589547547">Automatically generated</strong>: A password will be automatically generated and then sent to the user by email.</li><li id="iam_01_0653__en-us_topic_0170814265_li542152441015"><strong id="iam_01_0653__en-us_topic_0170814265_b20191249125214">Set now</strong>: You set a new password and send the new password to the user.</li></ul>
</li><li id="iam_01_0653__en-us_topic_0170814265_li12141115123916">Reset the MFA device for a user. For more information about MFA and virtual MFA device, see <a href="iam_10_0002.html">MFA Authentication and Virtual MFA Device</a>.</li></ul>
</p></li></ol>
</div>
<div class="section" id="iam_01_0653__en-us_topic_0170814265_section1480771719378"><h4 class="sectiontitle">Modifying the Login Protection Configuration for an IAM User</h4><p id="iam_01_0653__en-us_topic_0170814265_p103593376">Login protection is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.</p>
<ol id="iam_01_0653__en-us_topic_0170814265_ol1751474053920"><li id="iam_01_0653__en-us_topic_0170814265_li145141740183912"><span>Log in to the IAM console as the administrator.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li051511405394"><span>In the user list, click a username or click <strong id="iam_01_0653__en-us_topic_0170814265_b039411115347">Security Settings</strong> in the <strong id="iam_01_0653__en-us_topic_0170814265_b1739415119348">Operation</strong> column to access the user details page.</span></li><li id="iam_01_0653__en-us_topic_0170814265_li1951534043916"><span>Click the <strong id="iam_01_0653__en-us_topic_0170814265_b11843102418352">Security Settings</strong> tab and modify the login protection configuration of the IAM user. This option is disabled by default. You can choose from the following methods for secondary verification:</span><p><ul id="iam_01_0653__en-us_topic_0170814265_ul974353682911"><li id="iam_01_0653__en-us_topic_0170814265_li7743136182913">SMS</li><li id="iam_01_0653__en-us_topic_0170814265_li1774363615293">Email address</li><li id="iam_01_0653__en-us_topic_0170814265_li474393610293">Virtual MFA device</li></ul>
</p></li></ol>
</div>
<div class="section" id="iam_01_0653__en-us_topic_0170814265_section198492811576"><h4 class="sectiontitle">Related Operations</h4><ul id="iam_01_0653__en-us_topic_0170814265_ul257517469584"><li id="iam_01_0653__en-us_topic_0170814265_li857554611583">If you are an IAM user and need to change your mobile number, email address, or virtual MFA device, see <a href="iam_07_0001.html#iam_07_0001">Security Settings Overview</a>.</li><li id="iam_01_0653__en-us_topic_0170814265_li12575164611588">To manage access keys of IAM users, see <a href="en-us_topic_0080335069.html">Modifying User Permissions</a>.</li></ul>
</div>
</div>
<div>
<div class="familylinks">

View File

@ -7,13 +7,13 @@
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="en-us_topic_0046611269.html">Creating a User Group and Assigning Permissions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_03_0002.html">Adding Users to or Removing Users from a User Group</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_03_0002.html">Adding IAM Users to or Removing IAM Users from a User Group</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0430.html">Deleting User Groups</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0085605493.html">Viewing and Modifying User Group Information</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_03_0004.html">Revoking Permissions of a User Group</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_03_0004.html">Managing Permissions of a User Group</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0657.html">Assigning Dependency Roles</a></strong><br>
</li>

View File

@ -4,7 +4,7 @@
<h1 class="topictitle1">Assigning Dependency Roles</h1>
<div id="body0000001525204373"><p id="iam_01_0657__en-us_topic_0170980185_p6579205152711">Cloud services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services.</p>
<div id="body0000001525204373"><p id="iam_01_0657__en-us_topic_0170980185_p6579205152711">Cloud services interwork with each other. Therefore, the administrator needs to assign both the required roles and their dependent roles for the authorization to take effect. Policies, however, do not require dependencies.</p>
<div class="section" id="iam_01_0657__en-us_topic_0170980185_section11267040162715"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0657__en-us_topic_0170980185_ol4531185619278"><li id="iam_01_0657__en-us_topic_0170980185_li184531712112910"><span>Log in to the as the administrator.</span></li><li id="iam_01_0657__en-us_topic_0170980185_li5697101412918"><span>In the user group list, click <strong id="iam_01_0657__en-us_topic_0170980185_b14295135152816">Authorize</strong> in the row that contains the created user group.</span></li><li id="iam_01_0657__en-us_topic_0170980185_li53778615254"><span>On the displayed page, search for a role in the search box in the upper right corner.</span></li><li id="iam_01_0657__en-us_topic_0170980185_li174511541114"><span>Select the target role. The system automatically selects the dependency roles.</span></li><li id="iam_01_0657__en-us_topic_0170980185_li1485254420516"><span>Click <span><img id="iam_01_0657__en-us_topic_0170980185_image123771557157" src="en-us_image_0000001162246460.png"></span> next to the role to view the dependencies.</span><p><p id="iam_01_0657__en-us_topic_0170980185_p2058765825017">For example, the <strong id="iam_01_0657__en-us_topic_0170980185_b175360395577">DNS Administrator</strong> role contains the <strong id="iam_01_0657__en-us_topic_0170980185_b19880115115814">Depends</strong> parameter which specifies the dependency roles. When you assign the <strong id="iam_01_0657__en-us_topic_0170980185_b1659062116591">DNS Administrator</strong> role to a user group, you also need to assign the <strong id="iam_01_0657__en-us_topic_0170980185_b11751846175920">Tenant Guest</strong> and <strong id="iam_01_0657__en-us_topic_0170980185_b2424165712590">VPC Administrator</strong> roles to the group for the same project.</p>
</p></li><li id="iam_01_0657__en-us_topic_0170980185_li10532205611270"><span>Click <strong id="iam_01_0657__en-us_topic_0170980185_b136339710114">OK</strong>.</span></li></ol>
</div>
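Review bot: The new intro says "dependent roles" while the title, step 4 and the example all say "dependency roles"; use one term. It also states that the administrator needs to assign both sets of roles, whereas step 4 says "The system automatically selects the dependency roles", so say which applies (for instance, that the console preselects them and the administrator confirms). Step 1 still reads "Log in to the as the administrator" with the console name missing.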

View File

@ -8,7 +8,7 @@
<div class="note" id="iam_01_0703__en-us_topic_0179264309_n5363690dd1f34032ba888da46d1a906a"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0703__en-us_topic_0179264309_u25fb87e7c7324b358ecc5c210befc515"><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li83130194914">A mobile number or an email address can be bound only to one account or IAM user.</li><li id="iam_01_0703__en-us_topic_0179264309_li957865014446">Only one mobile number, email address, and virtual MFA device can be bound to an account or IAM user.</li></ul>
</div></div>
<div class="section" id="iam_01_0703__en-us_topic_0179264309_section16155105164810"><h4 class="sectiontitle">Changing the Login Password, Mobile Number, Virtual MFA Device, or Email Address</h4><p id="iam_01_0703__en-us_topic_0179264309_a6415252298e1421881e7cc4b27670453">The methods for changing the login password, mobile number, virtual MFA device, and email address are similar. To change the login password, do as follows:</p>
<ol id="iam_01_0703__en-us_topic_0179264309_o3c49b535fcfa44a489b6f68bd3ae506a"><li id="iam_01_0703__en-us_topic_0179264309_lfbc469dbb160443780333ce72d6ee0e4"><span>Go to the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page.</span></li><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li12967141516"><span>Click the <strong id="iam_01_0703__en-us_topic_0179264309_b1853014131876">Basic Information</strong> tab, and click <strong id="iam_01_0703__en-us_topic_0179264309_b1553116131670">Change</strong> in the <strong id="iam_01_0703__en-us_topic_0179264309_b1253212132715">Login Password</strong> row.</span></li><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li9961414619"><span>(Optional) Select email address or mobile number verification, and enter the verification code.</span><p><div class="note" id="iam_01_0703__en-us_topic_0179264309_n6895d2b11d7545678f1bd5d3a67fcdcb"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_p11529755351">If neither email address nor mobile number is bound, no verification is required.</p>
<ol id="iam_01_0703__en-us_topic_0179264309_o3c49b535fcfa44a489b6f68bd3ae506a"><li id="iam_01_0703__en-us_topic_0179264309_lfbc469dbb160443780333ce72d6ee0e4"><span>Go to the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page.</span></li><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li12967141516"><span>Click the <strong id="iam_01_0703__en-us_topic_0179264309_b18411246133419">Basic Information</strong><strong id="iam_01_0703__en-us_topic_0179264309_b11411646163417"></strong><strong id="iam_01_0703__en-us_topic_0179264309_b1941113463343"></strong> tab, and click <strong id="iam_01_0703__en-us_topic_0179264309_b34118466349">Change</strong> in the <strong id="iam_01_0703__en-us_topic_0179264309_b341104618345">Login Password</strong> row.</span></li><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li9961414619"><span>(Optional) Select email address or mobile number verification, and enter the verification code.</span><p><div class="note" id="iam_01_0703__en-us_topic_0179264309_n6895d2b11d7545678f1bd5d3a67fcdcb"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_p11529755351">If no email address or mobile number is bound, no verification is required.</p>
</div></div>
</p></li><li id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_li13513818415"><span>Enter the old password and new password, and enter the new password again.</span><p><div class="note" id="iam_01_0703__en-us_topic_0179264309_n238e02a624f743498f8691bc7718903f"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0703__en-us_topic_0179264309_en-us_topic_0178592858_ul92484013198"><li id="iam_01_0703__en-us_topic_0179264309_laa8e8f8374d44e05bdf46da3491c9584">The password cannot be the username or the username spelled backwards. For example, if the username is <strong id="iam_01_0703__en-us_topic_0179264309_b6301131719582">A12345</strong>, the password cannot be <strong id="iam_01_0703__en-us_topic_0179264309_b1306817125811">A12345</strong>, <strong id="iam_01_0703__en-us_topic_0179264309_b130711713581">a12345</strong>, <strong id="iam_01_0703__en-us_topic_0179264309_b16307317115811">54321A</strong>, or <strong id="iam_01_0703__en-us_topic_0179264309_b1030710179589">54321a</strong>.</li><li id="iam_01_0703__en-us_topic_0179264309_l3991bd040a85492099fcbb7c54f730ae">To prevent password cracking, the administrator can configure the password policy to define password requirements, such as minimum password length. For details, see <a href="iam_01_0607.html#iam_01_0607">Password Policy</a>.</li></ul>
</div></div>
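Review bot: The rewritten step 2 carries two empty elements after "Basic Information" (the strong tags with ids ending b11411646163417 and b1941113463343); they render nothing and look like editor residue, so remove them before merging. In step 3, the reworded note says no verification is required when no email address or mobile number is bound, which leaves the old password entered in step 4 as the only check on a password change. It would help to say that in the note, so readers understand why binding a mobile number or email address matters.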

View File

@ -5,25 +5,25 @@
<h1 class="topictitle1">Login Authentication Policy</h1>
<div id="body0000001524812925"><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p13197174193518">The <strong id="iam_01_0704__en-us_topic_0177717040_b14411121033312">Login Authentication Policy</strong> tab of the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page provides the <a href="#iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section10968105732412">Session Timeout</a>, <a href="#iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section13189358">Account Lockout</a>, <a href="#iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section1694311288250">Account Disabling</a>, <a href="#iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section446533912253">Recent Login Information</a>, and <a href="#iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section733474592515">Custom Information</a> settings. These settings take effect for both your account and the IAM users created using the account.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p105601183416">Only the <a href="iam_01_0023.html#iam_01_0023__section1475194083513">administrator</a> can configure the login authentication policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p105601183416">Only the administrator and entrusted identities can configure the login authentication policy. IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.</p>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section10968105732412"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section10968105732412"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section10968105732412"></a><h4 class="sectiontitle">Session Timeout</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p6421105303315">Set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period.</p>
<div class="fignone" id="iam_01_0704__en-us_topic_0177717040_fig05911116538"><span class="figcap"><b>Figure 1 </b>Session Timeout</span><br><span><img id="iam_01_0704__en-us_topic_0177717040_image8818151220313" src="en-us_image_0000001209613221.png" width="NaN" height="NaN"></span></div>
<div class="fignone" id="iam_01_0704__en-us_topic_0177717040_fig05911116538"><span class="figcap"><b>Figure 1 </b>Session Timeout</span><br><span><img id="iam_01_0704__en-us_topic_0177717040_image8818151220313" src="en-us_image_0000001209613221.png"></span></div>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p143414011376">The timeout ranges from 15 minutes to 24 hours, and the default timeout is 1 hour.</p>
</div>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section13189358"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section13189358"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section13189358"></a><h4 class="sectiontitle">Account Lockout</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p10244919163313">Set a duration to lock users out if a specific number of unsuccessful login attempts has been reached within a certain period. You cannot unlock your own account or an IAM user's account. Wait until the lock time expires.</p>
<div class="fignone" id="iam_01_0704__en-us_topic_0177717040_fig1121494714313"><span class="figcap"><b>Figure 2 </b>Account Lockout</span><br><span><img id="iam_01_0704__en-us_topic_0177717040_image1759210451936" src="en-us_image_0000001209454671.png" width="NaN" height="NaN"></span></div>
<p id="iam_01_0704__en-us_topic_0177717040_p13998194419155">The administrator can set the time for resetting the account lockout counter, maximum number of unsuccessful login attempts, and account lockout duration.</p>
<ul id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_ul44421246172915"><li id="iam_01_0704__en-us_topic_0177717040_li1471984717151">Time for resetting the account lockout counter: The value ranges from 15 to 60 minutes, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b639710575119">15 minutes</strong>.</li><li id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_li5442174692916">Maximum number of unsuccessful login attempts: The value ranges from 3 to 10, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b98199271371">5</strong>.</li><li id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_li24428464299">Lockout duration: The value ranges from 15 to 30 minutes, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b5755842976">15 minutes</strong>.</li></ul>
<div class="fignone" id="iam_01_0704__en-us_topic_0177717040_fig1121494714313"><span class="figcap"><b>Figure 2 </b>Account Lockout</span><br><span><img id="iam_01_0704__en-us_topic_0177717040_image1759210451936" src="en-us_image_0000001209454671.png"></span></div>
<p id="iam_01_0704__en-us_topic_0177717040_p13998194419155">The administrator and entrusted identities can set the time for resetting the account lockout counter, maximum number of unsuccessful login attempts, and account lockout duration.</p>
<ul id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_ul44421246172915"><li id="iam_01_0704__en-us_topic_0177717040_li1471984717151">Time for resetting the account lockout counter: The value range is from 15 to 60 minutes, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b112171174455">15 minutes</strong>.</li><li id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_li5442174692916">Maximum number of unsuccessful login attempts: The value range is from 3 to 10, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b17427205213449">5</strong>.</li><li id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_li24428464299">Lockout duration: The value range is from 15 to 30 minutes, and the default value is <strong id="iam_01_0704__en-us_topic_0177717040_b1948211312165">15 minutes</strong>.</li></ul>
</div>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section1694311288250"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section1694311288250"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section1694311288250"></a><h4 class="sectiontitle">Account Disabling</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p6306185963618">Set a validity period to disable IAM users if they have not accessed the cloud platform using the console or APIs within a certain period.</p>
<p id="iam_01_0704__en-us_topic_0177717040_p2063220556160">This option is disabled by default. The validity period ranges from 1 to 240 days.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p1588713811815">If you enable this option, the setting will take effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable their account again.</p>
<p id="iam_01_0704__en-us_topic_0177717040_p2063220556160">This option is disabled by default. It can be enabled by the administrator or an entrusted identity. The validity period is from 1 day to 240 days.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p1588713811815"><strong id="iam_01_0704__en-us_topic_0177717040_b6453155715347">If you enable this option, the setting will take effect only for IAM users created using your account.</strong> If an IAM user is disabled, the user can request the administrator to enable their account again.</p>
</div>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section446533912253"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section446533912253"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section446533912253"></a><h4 class="sectiontitle">Recent Login Information</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p61841834175413">Configure whether you want the system to display the previous login information after you log in. If incorrect login information is displayed on the <span class="wintitle" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_wintitle44791144114719"><b>Login Verification</b></span> page, change your password immediately.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p15608153223318">This option is disabled by default and can be enabled by the administrator.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p15608153223318">This option is disabled by default and can be enabled by the administrator or an entrusted identity.</p>
</div>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"></a><h4 class="sectiontitle">Custom Information</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p413618192585">Set custom information that will be displayed upon successful login. For example, enter the word <strong id="iam_01_0704__en-us_topic_0177717040_b22955268166">Welcome</strong>.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p1677710305343">This option is disabled by default and can be enabled by the administrator.</p>
<div class="section" id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"><a name="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"></a><a name="en-us_topic_0177717040_en-us_topic_0176803438_section733474592515"></a><h4 class="sectiontitle">Custom Information</h4><p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p413618192585">The administrator or an entrusted identity can set custom information (for example, <em id="iam_01_0704__en-us_topic_0177717040_i4436145319402">Welcome</em>) that will be displayed upon successful login.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p1677710305343">This option is disabled by default and can be enabled by the administrator or an entrusted identity.</p>
<p id="iam_01_0704__en-us_topic_0177717040_en-us_topic_0176803438_p019411513147">You and all the IAM users created using your account will see the same information upon successful login.</p>
</div>
</div>
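Review bot: "Entrusted identities" is introduced in the second paragraph and repeated under Account Lockout, Account Disabling, Recent Login Information and Custom Information without a definition or cross-reference, and the same edit drops the link to iam_01_0023.html that explained who the administrator is. Since the change widens the set of principals that can alter session timeout and lockout settings, restore the administrator link and link the first mention of entrusted identities to the topic that defines them. Two smaller points: the sentences that follow still tell users to "request the administrator", which should be checked against the new wording, and the Custom Information example switches Welcome from strong to em while the rest of the page keeps strong for UI values.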

View File

@ -5,15 +5,15 @@
<h1 class="topictitle1">Deleting or Modifying Agencies</h1>
<div id="body0000001562472741"><div class="section" id="iam_01_0730__en-us_topic_0000001332761521_section31961845145711"><h4 class="sectiontitle">Modifying an Agency</h4><p id="iam_01_0730__en-us_topic_0000001332761521_p1543183417254">To modify the permissions, validity period, and description of an agency, click <strong id="iam_01_0730__en-us_topic_0000001332761521_b1854222082714">Modify</strong> in the row containing the agency you want to modify.</p>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig14817182820"><span class="figcap"><b>Figure 1 </b>Modifying an agency</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image781716815819" src="en-us_image_0000001511856446.png" height="104.73750000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig14817182820"><span class="figcap"><b>Figure 1 </b>Modifying an agency</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image781716815819" src="en-us_image_0000001511856446.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="note" id="iam_01_0730__en-us_topic_0000001332761521_note82241257205115"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0730__en-us_topic_0000001332761521_ul538114442528"><li id="iam_01_0730__en-us_topic_0000001332761521_li143811744185212">You can change the cloud service, validity period, description, and permissions of cloud service agencies, but you cannot change the agency name and type.</li><li id="iam_01_0730__en-us_topic_0000001332761521_li771015460527">Modifying the permissions of cloud service agencies may affect the usage of certain functions of cloud services. Exercise caution when performing this operation.</li></ul>
</div></div>
<div class="section" id="iam_01_0730__en-us_topic_0000001332761521_section17252729205817"><h4 class="sectiontitle">Deleting an Agency</h4><p id="iam_01_0730__en-us_topic_0000001332761521_p13632193912583">To delete an agency, click <strong id="iam_01_0730__en-us_topic_0000001332761521_b034316103919">Delete</strong> in the row containing the agency to be deleted and click <strong id="iam_01_0730__en-us_topic_0000001332761521_b143421693914">Yes</strong>.</p>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig107144181918"><span class="figcap"><b>Figure 2 </b>Deleting an agency</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image67142181890" src="en-us_image_0000001511377602.png" height="104.73750000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<div class="section" id="iam_01_0730__en-us_topic_0000001332761521_section17252729205817"><h4 class="sectiontitle">Deleting an Agency</h4><p id="iam_01_0730__en-us_topic_0000001332761521_p13632193912583">To delete an agency, click <strong id="iam_01_0730__en-us_topic_0000001332761521_b034316103919">Delete</strong> in the row containing the agency to be deleted and click <strong id="iam_01_0730__en-us_topic_0000001332761521_b143421693914">OK</strong>.</p>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig107144181918"><span class="figcap"><b>Figure 2 </b>Deleting an agency</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image67142181890" src="en-us_image_0000001511377602.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="section" id="iam_01_0730__en-us_topic_0000001332761521_section9325145165814"><h4 class="sectiontitle">Batch Deleting Agencies</h4><p id="iam_01_0730__en-us_topic_0000001332761521_p1724219554584">To delete multiple agencies, select the agencies to be deleted in the list and click <strong id="iam_01_0730__en-us_topic_0000001332761521_b99212083565">Delete</strong> above the list.</p>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig14828730151014"><span class="figcap"><b>Figure 3 </b>Batch deleting agencies</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image1582923012105" src="en-us_image_0000001511378178.png" height="192.5175" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_01_0730__en-us_topic_0000001332761521_fig14828730151014"><span class="figcap"><b>Figure 3 </b>Batch deleting agencies</span><br><span><img id="iam_01_0730__en-us_topic_0000001332761521_image1582923012105" src="en-us_image_0000001511378178.png" title="Click to enlarge" class="imgResize"></span></div>
<div class="note" id="iam_01_0730__en-us_topic_0000001332761521_note34126361096"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0730__en-us_topic_0000001332761521_p124125361899">After you delete an agency, all permissions granted to the delegated accounts will be revoked.</p>
</div></div>
</div>
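Review bot: The note stating that all permissions granted to the delegated accounts are revoked after deletion sits only inside the Batch Deleting Agencies section, so a reader following Deleting an Agency, whose confirmation button this change renames from Yes to OK, never sees it. The consequence is the same for a single deletion, so move the note up or repeat it under Deleting an Agency. Also confirm that the three figures still scale correctly with class imgResize now that the explicit height and width attributes are gone.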

View File

@ -1,7 +1,7 @@
<a name="iam_02_0004"></a><a name="iam_02_0004"></a>
<h1 class="topictitle1">Deleting an IAM User</h1>
<div id="body0000001474564532"><div class="caution" id="iam_02_0004__en-us_topic_0239613858_note1753515226191"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><div class="p" id="iam_02_0004__en-us_topic_0239613858_p0121141211273">After an IAM user is deleted, they can no longer log in and their username, password, access keys, and authorizations will be cleared and cannot be recovered.<ul id="iam_02_0004__en-us_topic_0239613858_ul25101449152718"><li id="iam_02_0004__en-us_topic_0239613858_li15510649102714">Make sure that the users to be deleted are no longer needed. If you are not sure, disable them rather than delete them so that they can be enabled if any service failures occur. To temporarily disable an IAM user, see <a href="en-us_topic_0046661675.html#en-us_topic_0046661675__section1916211354916">Basic Information</a>.</li><li id="iam_02_0004__en-us_topic_0239613858_li2510249142717">To remove an IAM user from a user group, see <a href="iam_03_0002.html">Adding Users to or Removing Users from a User Group</a>.</li></ul>
<div id="body0000001474564532"><div class="caution" id="iam_02_0004__en-us_topic_0239613858_note1753515226191"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><div class="p" id="iam_02_0004__en-us_topic_0239613858_p0121141211273">After an IAM user is deleted, they can no longer log in and their username, password, access keys, and authorizations will be cleared and cannot be recovered.<ul id="iam_02_0004__en-us_topic_0239613858_ul25101449152718"><li id="iam_02_0004__en-us_topic_0239613858_li15510649102714">Make sure that the users to be deleted are no longer needed. If you are not sure, disable them rather than delete them so that they can be enabled if any service failures occur. To temporarily disable an IAM user, see <a href="en-us_topic_0046661675.html#en-us_topic_0046661675__section1916211354916">Basic Information</a>.</li><li id="iam_02_0004__en-us_topic_0239613858_li2510249142717">To remove an IAM user from a user group, see <a href="iam_03_0002.html">Adding IAM Users to or Removing IAM Users from a User Group</a>.</li></ul>
</div>
</div></div>
<div class="section" id="iam_02_0004__en-us_topic_0239613858_section5528245204"><h4 class="sectiontitle">Deleting an IAM User</h4><ol id="iam_02_0004__en-us_topic_0239613858_ol15714121420206"><li id="iam_02_0004__en-us_topic_0239613858_li116711299435"><span>Log in to the IAM console. In the navigation pane, choose <strong id="iam_02_0004__en-us_topic_0239613858_b4919161115113">Users</strong>.</span></li><li id="iam_02_0004__en-us_topic_0239613858_li16111523152015"><span>Click <strong id="iam_02_0004__en-us_topic_0239613858_b92321555103">Delete</strong> in the row containing the IAM user you want to delete, and click <strong id="iam_02_0004__en-us_topic_0239613858_b970672211105">Yes</strong>.</span></li></ol>
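Review bot: Step 2 of Deleting an IAM User, left unchanged below the edited caution, still says to click Yes, while the other topics in this commit (agency deletion, revoking user group permissions) rename the confirmation button to OK. Check which label the console shows for user deletion and update this step if it changed as well. The renamed link text itself matches the new title of iam_03_0002.html.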

View File

@ -3,11 +3,11 @@
<h1 class="topictitle1">Adding Users to or Removing Users from a User Group</h1>
<h1 class="topictitle1">Adding IAM Users to or Removing IAM Users from a User Group</h1>
<div id="body0000001524764821"><p id="iam_03_0002__en-us_topic_0170098790_p7142104210285">A user inherits permissions from the groups which the user belongs to. To change the permissions of a user, add the user to a new group or remove the user from an existing group.</p>
<div class="section" id="iam_03_0002__en-us_topic_0170098790_section13174442163212"><h4 class="sectiontitle">Adding Users to a User Group</h4><ol id="iam_03_0002__en-us_topic_0170098790_ol726227133520"><li id="iam_03_0002__en-us_topic_0170098790_li132628793515"><span>In the user group list, click <strong id="iam_03_0002__en-us_topic_0170098790_b5584173820305">Manage User</strong> in the row containing the target user group.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li9127219153716"><span>In the <strong id="iam_03_0002__en-us_topic_0170098790_b179471038163516">Manage User</strong> dialog box, select the usernames to be added.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li477916308379"><span>Click <strong id="iam_03_0002__en-us_topic_0170098790_b74761426163110">OK</strong>.</span></li></ol>
<div class="section" id="iam_03_0002__en-us_topic_0170098790_section13174442163212"><h4 class="sectiontitle">Adding Users to a User Group</h4><ol id="iam_03_0002__en-us_topic_0170098790_ol726227133520"><li id="iam_03_0002__en-us_topic_0170098790_li132628793515"><span>In the user group list, click <strong id="iam_03_0002__en-us_topic_0170098790_b12382195511914">Manage User</strong> in the row containing the target user group.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li9127219153716"><span>In the <strong id="iam_03_0002__en-us_topic_0170098790_b179471038163516">Manage User</strong> dialog box, select the usernames to be added.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li477916308379"><span>Click <strong id="iam_03_0002__en-us_topic_0170098790_b74761426163110">OK</strong>.</span></li></ol>
</div>
<div class="section" id="iam_03_0002__en-us_topic_0170098790_section651117322241"><h4 class="sectiontitle">Removing Users from a User Group</h4><ol id="iam_03_0002__en-us_topic_0170098790_ol4847105416246"><li id="iam_03_0002__en-us_topic_0170098790_li1446218571244"><span>In the user group list, click <strong id="iam_03_0002__en-us_topic_0170098790_b1168634435016">Manage User</strong> in the row containing the target user group.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li121018223257"><span>In the <strong id="iam_03_0002__en-us_topic_0170098790_b134711919163915">Selected Users</strong> area, locate the user to be removed and click the <strong id="iam_03_0002__en-us_topic_0170098790_b104712198392">×</strong>. Then, click <strong id="iam_03_0002__en-us_topic_0170098790_b2471101963915">OK</strong>.</span></li></ol>
<div class="section" id="iam_03_0002__en-us_topic_0170098790_section651117322241"><h4 class="sectiontitle">Removing Users from a User Group</h4><ol id="iam_03_0002__en-us_topic_0170098790_ol4847105416246"><li id="iam_03_0002__en-us_topic_0170098790_li1446218571244"><span>In the user group list, click <strong id="iam_03_0002__en-us_topic_0170098790_b3453435121012">Manage User</strong> in the row containing the target user group.</span></li><li id="iam_03_0002__en-us_topic_0170098790_li121018223257"><span>In the <strong id="iam_03_0002__en-us_topic_0170098790_b134711919163915">Selected Users</strong> area, locate the user to be removed and click the <strong id="iam_03_0002__en-us_topic_0170098790_b104712198392">×</strong>. Then, click <strong id="iam_03_0002__en-us_topic_0170098790_b2471101963915">OK</strong>.</span></li></ol>
</div>
</div>
<div>
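Review bot: The topic title now says "IAM Users", but the two section titles below it still read "Adding Users to a User Group" and "Removing Users from a User Group", and the steps speak of usernames and users. Pick one term and apply it to the section titles too, so that searches and cross-references resolve to consistent headings. The only other changes in the steps are regenerated ids on the Manage User strong tags, which is fine as long as nothing links to the old ids.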

View File

@ -3,12 +3,13 @@
<h1 class="topictitle1">Revoking Permissions of a User Group</h1>
<div id="body0000001525364333"><div class="section" id="iam_03_0004__en-us_topic_0239602209_section161534461565"><h4 class="sectiontitle">Procedure</h4><p id="iam_03_0004__en-us_topic_0239602209_p14498145514562">To revoke a policy or role attached to a user group, do the following:</p>
<h1 class="topictitle1">Managing Permissions of a User Group</h1>
<div id="body0000001525364333"><p id="iam_03_0004__en-us_topic_0239602209_p6974141021914">You can modify or delete permissions of a user group on its details page.</p>
<div class="section" id="iam_03_0004__en-us_topic_0239602209_section161534461565"><h4 class="sectiontitle">Revoking Permissions of a User Group</h4><p id="iam_03_0004__en-us_topic_0239602209_p14498145514562">To revoke a policy or role attached to a user group, do the following:</p>
</div>
<ol id="iam_03_0004__en-us_topic_0239602209_ol416792912434"><li id="iam_03_0004__en-us_topic_0239602209_li116711299435"><span>Log in to the . In the navigation pane, choose <strong id="iam_03_0004__en-us_topic_0239602209_b1542713153213">User Groups</strong>.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li131671716174412"><span>Click the name of the user group to go to the group details page.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li17663174174414"><span>On the <strong id="iam_03_0004__en-us_topic_0239602209_b538717423473">Permissions</strong> tab, click <strong id="iam_03_0004__en-us_topic_0239602209_b1701185616476">Delete</strong> in the row that contains the role or policy you want to delete.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li2593851114717"><span>In the displayed dialog box, click <strong id="iam_03_0004__en-us_topic_0239602209_b31171725103913">Yes</strong>.</span></li></ol>
<div class="section" id="iam_03_0004__en-us_topic_0239602209_section1744519371053"><h4 class="sectiontitle">Batch Revoking Permissions of a User Group</h4><p id="iam_03_0004__en-us_topic_0239602209_p194421939250">To revoke multiple policies or roles attached to a user group, do as follows:</p>
<ol id="iam_03_0004__en-us_topic_0239602209_ol5742626718"><li id="iam_03_0004__en-us_topic_0239602209_li27431725711"><span>Log in to the . In the navigation pane, choose <strong id="iam_03_0004__en-us_topic_0239602209_b1921312306212">User Groups</strong>.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li1574314213714"><span>Click the name of the user group to go to the group details page.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li474414212715"><span>On the <strong id="iam_03_0004__en-us_topic_0239602209_b191415471709">Permissions</strong> page, select the roles or policies you want to delete and click <strong id="iam_03_0004__en-us_topic_0239602209_b439713251128">Delete</strong> above the list.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li17441721971"><span>In the displayed dialog box, click <strong id="iam_03_0004__en-us_topic_0239602209_b1825386208">Yes</strong>.</span></li></ol>
<ol id="iam_03_0004__en-us_topic_0239602209_ol416792912434"><li id="iam_03_0004__en-us_topic_0239602209_li116711299435"><span>Log in to the . In the navigation pane, choose <strong id="iam_03_0004__en-us_topic_0239602209_b1251182519111">User Groups</strong>.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li131671716174412"><span>Click the name of the user group to go to the group details page.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li17663174174414"><span>On the <strong id="iam_03_0004__en-us_topic_0239602209_b538717423473">Permissions</strong> tab, click <strong id="iam_03_0004__en-us_topic_0239602209_b1701185616476">Delete</strong> in the row that contains the role or policy you want to delete.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li2593851114717"><span>In the displayed dialog box, click <strong id="iam_03_0004__en-us_topic_0239602209_b31171725103913">OK</strong>.</span></li></ol>
<div class="section" id="iam_03_0004__en-us_topic_0239602209_section1744519371053"><h4 class="sectiontitle">Batch Deleting Permissions of a User Group</h4><p id="iam_03_0004__en-us_topic_0239602209_p194421939250">To revoke multiple policies or roles attached to a user group, do as follows:</p>
<ol id="iam_03_0004__en-us_topic_0239602209_ol5742626718"><li id="iam_03_0004__en-us_topic_0239602209_li27431725711"><span>Log in to the . In the navigation pane, choose <strong id="iam_03_0004__en-us_topic_0239602209_b35614591237">User Groups</strong>.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li1574314213714"><span>Click the name of the user group to go to the group details page.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li474414212715"><span>On the <strong id="iam_03_0004__en-us_topic_0239602209_b191415471709">Permissions</strong> page, select the roles or policies you want to delete and click <strong id="iam_03_0004__en-us_topic_0239602209_b439713251128">Delete</strong> above the list.</span></li><li id="iam_03_0004__en-us_topic_0239602209_li17441721971"><span>In the displayed dialog box, click <strong id="iam_03_0004__en-us_topic_0239602209_b1485159204">OK</strong>.</span></li></ol>
</div>
</div>
<div>
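Review bot: Step 1 of both procedures reads "Log in to the . In the navigation pane", in the old and the new text alike, so the console name is still missing; since these lines are being touched anyway, fill it in the way iam_02_0004 does. The new introduction also promises that permissions can be modified or deleted on the details page, yet both sections only cover removal, and the second heading is renamed to "Batch Deleting Permissions" while its first sentence and the sibling heading still say "revoke". Either add the modify procedure or narrow the introduction, and settle on one verb for headings and body.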

View File

@ -1,21 +1,21 @@
<a name="iam_06_0001"></a><a name="iam_06_0001"></a>
<h1 class="topictitle1">Delegating Resource Access to Another Account</h1>
<h1 class="topictitle1">Process for Account Delegation</h1>
<div id="body1536567226740"><p id="iam_06_0001__en-us_topic_0175851542_p419452619206">The agency function enables you to delegate another account to implement O&amp;M on your resources based on assigned permissions.</p>
<div class="note" id="iam_06_0001__en-us_topic_0175851542_note16465165619914"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_06_0001__en-us_topic_0175851542_p5441123874315">You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.</p>
<div class="note" id="iam_06_0001__en-us_topic_0175851542_note16465165619914"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_06_0001__en-us_topic_0175851542_p5441123874315">You can delegate resource access only to accounts, rather than IAM users.</p>
</div></div>
<p id="iam_06_0001__en-us_topic_0175851542_p14503234175719">The following is the procedure for delegating resource access to another account. Account A is the delegating party and account B is the delegated party.</p>
<ol id="iam_06_0001__en-us_topic_0175851542_ol93719291583"><li id="iam_06_0001__en-us_topic_0175851542_li7973436460"><span>Account A creates an agency in IAM to delegate resource access to account B.</span><p><div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig19451183916"><span class="figcap"><b>Figure 1 </b>(Account A) Creating an agency</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image1897310310466" src="en-us_image_0000001146708849.png" width="465.5" height="253.53856500000003" title="Click to enlarge" class="imgResize"></span></div>
<ol id="iam_06_0001__en-us_topic_0175851542_ol93719291583"><li id="iam_06_0001__en-us_topic_0175851542_li7973436460"><span>Account A creates an agency in IAM to delegate resource access to account B.</span><p><div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig19451183916"><span class="figcap"><b>Figure 1 </b>(Account A) Creating an agency</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image17824331574" src="en-us_image_0000001951429117.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="iam_06_0001__en-us_topic_0175851542_p79731315465"></p>
</p></li><li id="iam_06_0001__en-us_topic_0175851542_li39403418580"><span>(Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.</span><p><ol type="a" id="iam_06_0001__en-us_topic_0175851542_ol163021621138"><li id="iam_06_0001__en-us_topic_0175851542_li43022213316">Create a user group, and grant it permissions required to manage account A's resources.</li><li id="iam_06_0001__en-us_topic_0175851542_li185871121039">Create a user and add the user to the user group.</li></ol>
<div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig13920195251916"><span class="figcap"><b>Figure 2 </b>(Account B) Authorizing an IAM user to manage delegated resources</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image132761059148" src="en-us_image_0000001100309480.png" width="464.33625" height="107.38686000000001" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig13920195251916"><span class="figcap"><b>Figure 2 </b>(Account B) Authorizing an IAM user to manage delegated resources</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image1026443912203" src="en-us_image_0000001924150268.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_06_0001__en-us_topic_0175851542_li1955916295913"><span>Account B or the authorized user manages account A's resources.</span><p><ol type="a" id="iam_06_0001__en-us_topic_0175851542_ol141821624908"><li id="iam_06_0001__en-us_topic_0175851542_li1018211241004">Use account B to log in and switch the role to account A.</li><li id="iam_06_0001__en-us_topic_0175851542_li456168133010">Switch to region A and manage account A's resources in this region.</li></ol>
<div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig192209187205"><span class="figcap"><b>Figure 3 </b>(Account B) Switching the role</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image3259945181410" src="en-us_image_0000001146589991.png" width="239.4" height="307.41088" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="iam_06_0001__en-us_topic_0175851542_fig192209187205"><span class="figcap"><b>Figure 3 </b>(Account B) Switching the role</span><br><span><img id="iam_06_0001__en-us_topic_0175851542_image53035168248" src="en-us_image_0000001924309660.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li></ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Account Delegation</a></div>
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0054.html">Delegating Another Account for Resource Management</a></div>
</div>
</div>
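
Review bot: The reworded note ("You can delegate resource access only to accounts, rather than IAM users.") now reads as if IAM users can never act on delegated resources, yet step 2 and Figure 2 in the same hunk still describe account B authorizing an IAM user to manage account A's resources. The removed sentence ("The accounts can then delegate access to IAM users under them.") was what reconciled the two, so either keep it or add a clause saying that account B can pass the delegated access on to its own IAM users through a user group. Separately, the three replaced img tags drop their width and height attributes; confirm the new images render at a sensible size without them.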

@ -3,15 +3,15 @@
<h1 class="topictitle1">Cloud Service Agency</h1>
<h1 class="topictitle1">Delegating Another Service for Resource Management</h1>
<div id="body0000001508162049"><p id="iam_06_0004__en-us_topic_0175653574_p1042135223415">Services on the cloud platform interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services and perform resource O&amp;M, create an agency for the service.</p>
<p id="iam_06_0004__en-us_topic_0175653574_p678627165114">IAM provides two methods to create a cloud service agency:</p>
<ol id="iam_06_0004__en-us_topic_0175653574_ol86339161512"><li id="iam_06_0004__en-us_topic_0175653574_li10633516195119"><a href="#iam_06_0004__en-us_topic_0175653574_section930952513442">Creating a cloud service agency on the IAM console</a><p id="iam_06_0004__en-us_topic_0175653574_p1989320316257">For example, create an agency for OBS and grant it permissions to read monitoring data from AOM.</p>
</li><li id="iam_06_0004__en-us_topic_0175653574_li158086177523">Automatically creating a cloud service agency to use certain resources<p id="iam_06_0004__en-us_topic_0175653574_p12955434175212"><a name="iam_06_0004__en-us_topic_0175653574_li158086177523"></a><a name="en-us_topic_0175653574_li158086177523"></a>The following takes Scalable File Service (SFS) as an example to describe the procedure for automatically creating a cloud service agency:</p>
<ol type="a" id="iam_06_0004__en-us_topic_0175653574_ol5494624194317"><li id="iam_06_0004__en-us_topic_0175653574_li124941244437">Go to the SFS console.</li><li id="iam_06_0004__en-us_topic_0175653574_li974319910443">On the <strong id="iam_06_0004__en-us_topic_0175653574_b1659811274313">Create File System</strong> page, enable static data encryption.</li><li id="iam_06_0004__en-us_topic_0175653574_li17760343134418">A dialog box is displayed requesting you to confirm the creation of an SFS agency. After you click <strong id="iam_06_0004__en-us_topic_0175653574_b66161733194510">OK</strong>, the system automatically creates an SFS agency with <strong id="iam_06_0004__en-us_topic_0175653574_b38971050102011">KMS CMKFullAccess</strong> permissions for the current project. With the agency, SFS can obtain KMS keys for encrypting or decrypting file systems.</li><li id="iam_06_0004__en-us_topic_0175653574_li97291277468">You can view the agency in the agency list on the IAM console.</li></ol>
</li></ol>
<div class="section" id="iam_06_0004__en-us_topic_0175653574_section930952513442"><a name="iam_06_0004__en-us_topic_0175653574_section930952513442"></a><a name="en-us_topic_0175653574_section930952513442"></a><h4 class="sectiontitle">Creating a Cloud Service Agency on the IAM Console</h4><ol id="iam_06_0004__en-us_topic_0175653574_ol49998812"><li id="iam_06_0004__en-us_topic_0175653574_li1780793672315"><span>Log in to the IAM console.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li1546779817427"><span>On the IAM console, choose <strong id="iam_06_0004__en-us_topic_0175653574_b1336032311378">Agencies</strong> from the navigation pane, and click <strong id="iam_06_0004__en-us_topic_0175653574_b336472313374">Create Agency</strong>.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li63471691104814"><span>Enter an agency name.</span><p><div class="fignone" id="iam_06_0004__en-us_topic_0175653574_fig103412552617"><span class="figcap"><b>Figure 1 </b>Cloud service agency name</span><br><span><img id="iam_06_0004__en-us_topic_0175653574_image8343551869" src="en-us_image_0000001562896221.png" height="314.795971" width="454.86" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_06_0004__en-us_topic_0175653574_li4558455145011"><span>Select the <strong id="iam_06_0004__en-us_topic_0175653574_b16137420231">Cloud service</strong> agency type, and then select a service.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li21344527114840"><span>Select a validity period.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li15518122905520"><span>(Optional) Enter a description for the agency to facilitate identification.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li1694181217579"><span>Click <strong id="iam_06_0004__en-us_topic_0175653574_b22361648427">Next</strong>.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li65324613265"><span>Select the permissions to be assigned to the agency, click <strong id="iam_06_0004__en-us_topic_0175653574_b35071599314">Next</strong>, and specify the authorization scope.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li19340339165858"><span>Click <strong id="iam_06_0004__en-us_topic_0175653574_b648018182812">OK</strong>.</span></li></ol>
<div class="section" id="iam_06_0004__en-us_topic_0175653574_section930952513442"><a name="iam_06_0004__en-us_topic_0175653574_section930952513442"></a><a name="en-us_topic_0175653574_section930952513442"></a><h4 class="sectiontitle">Creating a Cloud Service Agency on the IAM Console</h4><ol id="iam_06_0004__en-us_topic_0175653574_ol49998812"><li id="iam_06_0004__en-us_topic_0175653574_li1780793672315"><span>Log in to the IAM console.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li1546779817427"><span>On the IAM console, choose <strong id="iam_06_0004__en-us_topic_0175653574_b1336032311378">Agencies</strong> from the navigation pane, and click <strong id="iam_06_0004__en-us_topic_0175653574_b336472313374">Create Agency</strong>.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li63471691104814"><span>Enter an agency name.</span><p><div class="fignone" id="iam_06_0004__en-us_topic_0175653574_fig103412552617"><span class="figcap"><b>Figure 1 </b>Cloud service agency name</span><br><span><img id="iam_06_0004__en-us_topic_0175653574_image8343551869" src="en-us_image_0000001562896221.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_06_0004__en-us_topic_0175653574_li4558455145011"><span>Select the <strong id="iam_06_0004__en-us_topic_0175653574_b16137420231">Cloud service</strong> agency type, and then select a service.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li21344527114840"><span>Select a validity period.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li15518122905520"><span>(Optional) Enter a description for the agency to facilitate identification.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li1694181217579"><span>Click <strong id="iam_06_0004__en-us_topic_0175653574_b22361648427">Next</strong>.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li65324613265"><span>Select the permissions to be assigned to the agency, click <strong id="iam_06_0004__en-us_topic_0175653574_b35071599314">Next</strong>, and specify the authorization scope.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li18464181412017"><span>Set the authorization scope, and select the permissions you want to grant to the agency.</span></li><li id="iam_06_0004__en-us_topic_0175653574_li19340339165858"><span>Click <strong id="iam_06_0004__en-us_topic_0175653574_b648018182812">OK</strong>.</span></li></ol>
</div>
</div>
<div>
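
Review bot: The added list item "Set the authorization scope, and select the permissions you want to grant to the agency." repeats the step directly before it, which already covers selecting the permissions, clicking Next, and specifying the authorization scope, so the procedure now asks for the same action twice and in the opposite order. Keep whichever one matches the current console flow and delete the other. Since this is the step that decides how much a cloud service can do on the account's behalf, the surviving step is also the place to say that the scope and permissions should be limited to what the service needs.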

@ -4,8 +4,8 @@
<h1 class="topictitle1">Security Settings Overview</h1>
<div id="body0000001473812946"><p id="iam_07_0001__en-us_topic_0179264308_p1542553217328">You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the <strong id="iam_07_0001__en-us_topic_0179264308_b718918141720">Security Settings</strong> page. For details, see <a href="iam_01_0703.html#iam_01_0703">Basic Information</a>, <a href="iam_01_0029.html#iam_01_0029">Critical Operation Protection</a>, <a href="iam_01_0704.html#iam_01_0704">Login Authentication Policy</a>, <a href="iam_01_0607.html#iam_01_0607">Password Policy</a>, and <a href="iam_07_0003.html#iam_07_0003">ACL</a>. This chapter describes how to access the <strong id="iam_07_0001__en-us_topic_0179264308_b013616592065">Security Settings</strong> page and who is the intended audience.</p>
<div class="section" id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section18538110152210"><h4 class="sectiontitle">Intended Audience</h4><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p1269135614617"><a href="#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_table9148216234">Table 1</a> lists the intended audience of different functions provided on the <strong id="iam_07_0001__en-us_topic_0179264308_b67691654125511">Security Settings</strong> page and their access permissions for the functions.</p>
<div id="body0000001473812946"><p id="iam_07_0001__en-us_topic_0179264308_p1542553217328">You can configure the basic information, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the <strong id="iam_07_0001__en-us_topic_0179264308_b718918141720">Security Settings</strong> page. For details, see <a href="iam_01_0703.html#iam_01_0703">Basic Information</a>, <a href="iam_01_0029.html#iam_01_0029">Critical Operation Protection</a>, <a href="iam_01_0704.html#iam_01_0704">Login Authentication Policy</a>, <a href="iam_01_0607.html#iam_01_0607">Password Policy</a>, and <a href="iam_07_0003.html#iam_07_0003">ACL</a>. This chapter describes how to access the <strong id="iam_07_0001__en-us_topic_0179264308_b013616592065">Security Settings</strong> page and who is the intended audience.</p>
<div class="section" id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section18538110152210"><h4 class="sectiontitle">Intended Audience</h4><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p1269135614617"><a href="#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_table9148216234">Table 1</a> lists the intended audience of different functions provided on the <strong id="iam_07_0001__en-us_topic_0179264308_b1139231312429">Security Settings</strong> page and their access permissions for the functions.</p>
<div class="tablenoborder"><a name="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_table9148216234"></a><a name="en-us_topic_0179264308_en-us_topic_0179263545_table9148216234"></a><table cellpadding="4" cellspacing="0" summary="" id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_table9148216234" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Intended audience</caption><thead align="left"><tr id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_row181582192316"><th align="left" class="cellrowborder" valign="top" width="15.73%" id="mcps1.3.2.3.2.3.1.1"><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p11511219234">Function</p>
</th>
@ -20,29 +20,29 @@
</tr>
<tr id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_row915192172319"><td class="cellrowborder" valign="top" width="15.73%" headers="mcps1.3.2.3.2.3.1.1 "><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p4154219235"><a href="iam_01_0029.html#iam_01_0029">Critical Operations</a></p>
</td>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p171582114233"><li id="iam_07_0001__en-us_topic_0179264308_li63781988398"><a href="iam_01_0023.html#iam_01_0023__section1475194083513">Administrator</a>: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li23782803914">IAM users: No access</li></ul>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p171582114233"><li id="iam_07_0001__en-us_topic_0179264308_li63781988398">Administrator: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li23782803914">IAM users: Read-only access</li></ul>
</td>
</tr>
<tr id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_row111614211238"><td class="cellrowborder" valign="top" width="15.73%" headers="mcps1.3.2.3.2.3.1.1 "><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p1616162114233"><a href="iam_01_0704.html#iam_01_0704">Login Authentication Policy</a></p>
</td>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p6161121172313"><li id="iam_07_0001__en-us_topic_0179264308_li1852311359398"><a href="iam_01_0023.html#iam_01_0023__section1475194083513">Administrator</a>: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li2524935143910">IAM users: Read-only access</li></ul>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p6161121172313"><li id="iam_07_0001__en-us_topic_0179264308_li1852311359398">Administrator and an entrusted identity: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li2524935143910">IAM users: Read-only access</li></ul>
</td>
</tr>
<tr id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_row1716142115230"><td class="cellrowborder" valign="top" width="15.73%" headers="mcps1.3.2.3.2.3.1.1 "><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p11618213234"><a href="iam_01_0607.html#iam_01_0607">Password Policy</a></p>
</td>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_ul0623121531711"><li id="iam_07_0001__en-us_topic_0179264308_li96236155179"><a href="iam_01_0023.html#iam_01_0023__section1475194083513">Administrator</a>: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li4624191561718">IAM users: Read-only access</li></ul>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_ul0623121531711"><li id="iam_07_0001__en-us_topic_0179264308_li96236155179">Administrator and an entrusted identity: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li4624191561718">IAM users: Read-only access</li></ul>
</td>
</tr>
<tr id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_row1416192122311"><td class="cellrowborder" valign="top" width="15.73%" headers="mcps1.3.2.3.2.3.1.1 "><p id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p416142172314"><a href="iam_07_0003.html#iam_07_0003">ACL</a></p>
</td>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p5162021132311"><li id="iam_07_0001__en-us_topic_0179264308_li1305162173918"><a href="iam_01_0023.html#iam_01_0023__section1475194083513">Administrator</a>: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li4305172116393">IAM users: No access</li></ul>
<td class="cellrowborder" valign="top" width="84.27%" headers="mcps1.3.2.3.2.3.1.2 "><ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_p5162021132311"><li id="iam_07_0001__en-us_topic_0179264308_li1305162173918">Administrator and an entrusted identity: Full access</li><li id="iam_07_0001__en-us_topic_0179264308_li4305172116393">IAM users: Read-only access</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575"><h4 class="sectiontitle">Accessing the Security Settings Page</h4><ol id="iam_07_0001__en-us_topic_0179264308_ol156481123285"><li id="iam_07_0001__en-us_topic_0179264308_li1687531542812"><span>Log in to the IAM console as an <a href="iam_01_0023.html#iam_01_0023__section1475194083513">administrator</a>.</span></li><li id="iam_07_0001__en-us_topic_0179264308_li46486124286"><span>In the left navigation pane, choose <strong id="iam_07_0001__en-us_topic_0179264308_b169901817711"></strong><strong id="iam_07_0001__en-us_topic_0179264308_b49901517812">Security Settings</strong>.</span></li></ol>
<div class="section" id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575"><h4 class="sectiontitle">Accessing the Security Settings Page</h4><ol id="iam_07_0001__en-us_topic_0179264308_ol156481123285"><li id="iam_07_0001__en-us_topic_0179264308_li1687531542812"><span>Log in to the IAM console as an administrator or an entrusted identity.</span></li><li id="iam_07_0001__en-us_topic_0179264308_li46486124286"><span>In the left navigation pane, choose <strong id="iam_07_0001__en-us_topic_0179264308_b169901817711"></strong><strong id="iam_07_0001__en-us_topic_0179264308_b49901517812">Security Settings</strong>.</span></li></ol>
<ul id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_ul070471365910"><li id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_li1670411310595">You and all IAM users created using your account can access the <strong id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_b65333793612">Security Settings</strong> page from the management console.<ol id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_ol11398238191517"><li id="iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_li3398238161515">Log in to the IAM console.</li><li id="iam_07_0001__en-us_topic_0179264308_li72201856133718">In the left navigation pane, choose <strong id="iam_07_0001__en-us_topic_0179264308_b4255141914246">Security Settings</strong>.</li></ol>
</li></ul>
</div>
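
Review bot: In the Table 1 rows changed here, Login Authentication Policy, Password Policy and ACL now give full access to "Administrator and an entrusted identity", but the Critical Operations row says only "Administrator: Full access"; if that difference is intentional it should be stated, otherwise align the row. "Entrusted identity" is introduced without a definition, while the link on "Administrator" (iam_01_0023.html) is removed from every row and from step 1 of "Accessing the Security Settings Page", so the reader is left without a reference for either role; add a link or a one-line definition. The hunk also widens IAM users from "No access" to "Read-only access" for Critical Operations and ACL, and step 1 now conflicts with the unchanged bullet below it, which says all IAM users can open the page; both points need a sentence explaining what an IAM user can and cannot do there.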

@ -4,19 +4,19 @@
<h1 class="topictitle1">ACL</h1>
<div id="body0000001474132798"><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p65417254398">The <strong id="iam_07_0003__en-us_topic_0177717042_b18185105063414">ACL</strong> tab of the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page provides the <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011">IP Address Ranges</a>, <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478">IPv4 CIDR Blocks</a>, and <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258">VPC Endpoints</a> settings for allowing user access only from specified IP address ranges, IPv4 CIDR blocks, or VPC endpoints.</p>
<p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p20918481397">Only the <a href="iam_01_0034.html">administrator</a> can configure the ACL. If an IAM user needs to configure the ACL, the user can request the administrator to perform the configuration or grant the required permissions.</p>
<div class="p" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p846285314599"><strong id="iam_07_0003__en-us_topic_0177717042_b229335124613">Access type:</strong><ul id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_ul1726218495594"><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li3744103710445"><strong id="iam_07_0003__en-us_topic_0177717042_b591961115314">Console Access</strong> (recommended): The ACL takes effect only for IAM users who are created using your account and have access to the console.</li><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li1426274995910"><strong id="iam_07_0003__en-us_topic_0177717042_b8790232135312">API Access</strong>: The ACL controls users' API access through API Gateway and takes effect only for IAM users two hours after you complete the configuration.</li></ul>
<div id="body0000001474132798"><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p65417254398">The <strong id="iam_07_0003__en-us_topic_0177717042_b1635411360435">ACL</strong> tab of the <a href="iam_07_0001.html#iam_07_0001__en-us_topic_0179264308_en-us_topic_0179263545_section113256158575">Security Settings</a> page provides the <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011">IP Address Ranges</a>, <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478">CIDR Blocks</a>, and <a href="#iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258">VPC Endpoints</a> settings for allowing user access only from specified IP address ranges, CIDR blocks, or VPC endpoints.</p>
<p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p20918481397">Only the administrator or an entrusted identity can configure the ACL to control access of all IAM users under the account from specific IP address ranges, CIDR blocks, or VPC endpoints.</p>
<div class="p" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p846285314599"><strong id="iam_07_0003__en-us_topic_0177717042_b229335124613">Access type:</strong><ul id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_ul1726218495594"><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li3744103710445"><strong id="iam_07_0003__en-us_topic_0177717042_b346601174417">Console Access</strong> (recommended): The ACL takes effect only for IAM users who are created using your account and have access to the console.</li><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li1426274995910"><strong id="iam_07_0003__en-us_topic_0177717042_b108233353262">API Access</strong>: The ACL controls users' API access through API Gateway and takes effect only for your account and IAM users under your account 15 minutes after you complete the configuration.</li></ul>
</div>
<div class="note" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_note143415794617"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_07_0003__en-us_topic_0177717042_ul166011785449"><li id="iam_07_0003__en-us_topic_0177717042_li46016884411">You can configure a maximum of 200 access control items.</li></ul>
<div class="note" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_note143415794617"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_07_0003__en-us_topic_0177717042_ul166011785449"><li id="iam_07_0003__en-us_topic_0177717042_li46016884411">You can configure a maximum of 200 access control items.</li><li id="iam_07_0003__en-us_topic_0177717042_li54291135152414">Both IPv4 and IPv6 addresses can be used for console access, and only IPv4 addresses can be used for API access.</li></ul>
</div></div>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"></a><h4 class="sectiontitle">IP Address Ranges</h4><div class="fignone" id="iam_07_0003__en-us_topic_0177717042_fig3405202415617"><span class="figcap"><b>Figure 1 </b>IP Address Ranges</span><br><span><img id="iam_07_0003__en-us_topic_0177717042_image07430224615" src="en-us_image_0000001209614103.png" width="465.5" height="80.171735" title="Click to enlarge" class="imgResize"></span></div>
<p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p12441103013472">Specify IP address ranges from 0.0.0.0 to 255.255.255.255 to allow access to the cloud platform. The default value is <strong id="iam_07_0003__en-us_topic_0177717042_b1833514392120">0.0.0.0255.255.255.255</strong>. If this parameter is left blank or the default value is used, your IAM users can access the management console from anywhere.</p>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section1659055844011"></a><h4 class="sectiontitle">IP Address Ranges</h4><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p12441103013472">You can specify the IP address range from 0.0.0.0 to 255.255.255.255 to control access to the cloud platform. The default setting is 0.0.0.0-255.255.255.255. If you do not specify a range or use the default range, your IAM users can access the cloud platform from IP addresses.</p>
</div>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"></a><h4 class="sectiontitle">IPv4 CIDR Blocks</h4><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p749844074110">Specify IPv4 CIDR blocks to allow access to the cloud platform. For example, set <strong id="iam_07_0003__en-us_topic_0177717042_b163421143349">IPv4 CIDR block</strong> to <strong id="iam_07_0003__en-us_topic_0177717042_b82561957166">10.10.10.10/32</strong>.</p>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section5282253478"></a><h4 class="sectiontitle">CIDR Blocks</h4><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p749844074110">Specify CIDR blocks to control access to the cloud platform. For example, set <strong id="iam_07_0003__en-us_topic_0177717042_b1115594114442">CIDR Block</strong> to <strong id="iam_07_0003__en-us_topic_0177717042_b201550410445">10.10.10.10/32</strong>.</p>
</div>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"></a><h4 class="sectiontitle">VPC Endpoints</h4><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p9434164992814">Specify VPC endpoints, such as <strong id="iam_07_0003__en-us_topic_0177717042_b761717442304">0ccad098-b8f4-495a-9b10-613e2a5exxxx</strong>, to allow API-based access to the cloud platform. If access control is not configured, you can access APIs from all VPC endpoints by default.</p>
<div class="note" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_note10743737134414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_ul483364319516"><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li38337432516">User access is allowed if any of <strong id="iam_07_0003__en-us_topic_0177717042_b18525185393013">IP Address Ranges</strong>, <strong id="iam_07_0003__en-us_topic_0177717042_b1525155314303">IPv4 CIDR Blocks</strong>, and <strong id="iam_07_0003__en-us_topic_0177717042_b1452695311302">VPC Endpoints</strong> is met.</li><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li28336436511">To restore <strong id="iam_07_0003__en-us_topic_0177717042_b1289032612166">IP Address Ranges</strong> to the default settings (0.0.0.0255.255.255.255) and clear the settings in <strong id="iam_07_0003__en-us_topic_0177717042_b1789113268160">IPv4 CIDR Blocks</strong> and <strong id="iam_07_0003__en-us_topic_0177717042_b10891102619164">VPC Endpoints</strong>, click <strong id="iam_07_0003__en-us_topic_0177717042_b3891726161613">Restore Defaults</strong>.</li></ul>
<div class="section" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"><a name="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"></a><a name="en-us_topic_0177717042_en-us_topic_0176803440_section148601027258"></a><h4 class="sectiontitle">VPC Endpoints</h4><p id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_p9434164992814">Specify access to the cloud platform APIs only from the VPC Endpoint with the specified ID, for example, <strong id="iam_07_0003__en-us_topic_0177717042_b12222647194416">0ccad098-b8f4-495a-9b10-613e2a5exxxx</strong>. You can set the VPC endpoint only on the <strong id="iam_07_0003__en-us_topic_0177717042_b1322264794412">API Access</strong> tab. If access control is not configured, you can access APIs from all VPC endpoints by default.</p>
<div class="fignone" id="iam_07_0003__en-us_topic_0177717042_fig11211643103710"><span class="figcap"><b>Figure 1 </b>VPC endpoints</span><br><span><img id="iam_07_0003__en-us_topic_0177717042_image1211643173719" src="en-us_image_0000001925383938.png" title="Click to enlarge" class="imgResize"></span></div>
<div class="note" id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_note10743737134414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_ul483364319516"><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li38337432516">User access is allowed if any of <strong id="iam_07_0003__en-us_topic_0177717042_b18525185393013">IP Address Ranges</strong>, <strong id="iam_07_0003__en-us_topic_0177717042_b1525155314303">CIDR Blocks</strong>, and <strong id="iam_07_0003__en-us_topic_0177717042_b1452695311302">VPC Endpoints</strong> is met.</li><li id="iam_07_0003__en-us_topic_0177717042_en-us_topic_0176803440_li28336436511">To restore <strong id="iam_07_0003__en-us_topic_0177717042_b12362192514195">IP Address Ranges</strong> to the default settings (0.0.0.0-255.255.255.255) and clear the settings in <strong id="iam_07_0003__en-us_topic_0177717042_b1336315256194">CIDR Blocks</strong> and <strong id="iam_07_0003__en-us_topic_0177717042_b1636372517194">VPC Endpoints</strong>, click <strong id="iam_07_0003__en-us_topic_0177717042_b2364142551910">Restore Defaults</strong>.</li></ul>
</div></div>
</div>
</div>
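
Review bot: In the rewritten IP Address Ranges paragraph, "your IAM users can access the cloud platform from IP addresses" has lost the qualifier the old text carried ("from anywhere"); it should read "from any IP address". The same paragraph still describes the range only as 0.0.0.0 to 255.255.255.255, while the new note item says IPv6 addresses can be used for console access, so state how an IPv6 range is entered or that this field is IPv4 only. Because the note at the end of the hunk says access is allowed if any of IP Address Ranges, CIDR Blocks, and VPC Endpoints is met, please also clarify whether a CIDR block has any restricting effect while the range is left at its default of 0.0.0.0-255.255.255.255.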

Some files were not shown because too many files have changed in this diff