diff --git a/docs/iam/umn/ALL_META.TXT.json b/docs/iam/umn/ALL_META.TXT.json index b1dc6e35f..251d986b1 100644 --- a/docs/iam/umn/ALL_META.TXT.json +++ b/docs/iam/umn/ALL_META.TXT.json @@ -313,7 +313,7 @@ "node_id":"en-us_topic_0046661675.xml", "product_code":"iam", "code":"18", - "des":"You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.If the job responsibilities of a user a", + "des":"You can click the user to view user details. The administrator can change the user status, access method, description, external identity ID, and groups to which the user ", "doc_type":"usermanual", "kw":"Viewing and Modifying User Information,IAM Users,User Guide", "search_title":"", @@ -691,7 +691,7 @@ "node_id":"iam_01_0704.xml", "product_code":"iam", "code":"39", - "des":"The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I", + "des":"The Login Authentication Policy tab of the Security Settings page provides the Session timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I", "doc_type":"usermanual", "kw":"Login Authentication Policy,Security Settings,User Guide", "search_title":"", @@ -799,7 +799,7 @@ "node_id":"iam_06_0001.xml", "product_code":"iam", "code":"45", - "des":"The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acco", + "des":"An agency enables you to delegate another account or service to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acc", "doc_type":"usermanual", "kw":"Process for Account Delegation,Delegating Another Account for Resource Management,User Guide", "search_title":"", @@ -943,7 +943,7 @@ "node_id":"iam_08_0251.xml", "product_code":"iam", "code":"53", - "des":"IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type f", + "des":"IAM supports two SSO types: virtual user SSO and IAM user SSO. An account cannot have both types of IdPs. This section describes the two SSO types and their differences, ", "doc_type":"usermanual", "kw":"Application Scenarios of Virtual User SSO and IAM User SSO,Identity Providers,User Guide", "search_title":"", @@ -1465,7 +1465,7 @@ "node_id":"iam_01_0004.xml", "product_code":"iam", "code":"82", - "des":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ", + "des":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.", "doc_type":"usermanual", "kw":"How Do I Unbind a Virtual MFA Device?,FAQs,User Guide", "search_title":"", diff --git a/docs/iam/umn/CLASS.TXT.json b/docs/iam/umn/CLASS.TXT.json index 698b6cf75..9555ba8cc 100644 --- a/docs/iam/umn/CLASS.TXT.json +++ b/docs/iam/umn/CLASS.TXT.json @@ -153,7 +153,7 @@ "code":"17" }, { - "desc":"You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.If the job responsibilities of a user a", + "desc":"You can click the user to view user details. The administrator can change the user status, access method, description, external identity ID, and groups to which the user ", "product_code":"iam", "title":"Viewing and Modifying User Information", "uri":"en-us_topic_0046661675.html", @@ -342,7 +342,7 @@ "code":"38" }, { - "desc":"The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I", + "desc":"The Login Authentication Policy tab of the Security Settings page provides the Session timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom I", "product_code":"iam", "title":"Login Authentication Policy", "uri":"iam_01_0704.html", @@ -396,7 +396,7 @@ "code":"44" }, { - "desc":"The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acco", + "desc":"An agency enables you to delegate another account or service to implement O&M on your resources based on assigned permissions.You can delegate resource access only to acc", "product_code":"iam", "title":"Process for Account Delegation", "uri":"iam_06_0001.html", @@ -468,7 +468,7 @@ "code":"52" }, { - "desc":"IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type f", + "desc":"IAM supports two SSO types: virtual user SSO and IAM user SSO. An account cannot have both types of IdPs. This section describes the two SSO types and their differences, ", "product_code":"iam", "title":"Application Scenarios of Virtual User SSO and IAM User SSO", "uri":"iam_08_0251.html", @@ -729,7 +729,7 @@ "code":"81" }, { - "desc":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ", + "desc":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.", "product_code":"iam", "title":"How Do I Unbind a Virtual MFA Device?", "uri":"iam_01_0004.html", diff --git a/docs/iam/umn/en-us_image_0000001088289742.png b/docs/iam/umn/en-us_image_0000001088289742.png deleted file mode 100644 index 896a1ad7e..000000000 Binary files a/docs/iam/umn/en-us_image_0000001088289742.png and /dev/null differ diff --git a/docs/iam/umn/en-us_image_0000001209454671.png b/docs/iam/umn/en-us_image_0000001209454671.png deleted file mode 100644 index 46cfcbc04..000000000 Binary files a/docs/iam/umn/en-us_image_0000001209454671.png and /dev/null differ diff --git a/docs/iam/umn/en-us_image_0000001209613221.png b/docs/iam/umn/en-us_image_0000001209613221.png deleted file mode 100644 index d6a8c5e55..000000000 Binary files a/docs/iam/umn/en-us_image_0000001209613221.png and /dev/null differ diff --git a/docs/iam/umn/en-us_image_0000001511377602.png b/docs/iam/umn/en-us_image_0000001511377602.png index 0ed426390..7a1503405 100644 Binary files a/docs/iam/umn/en-us_image_0000001511377602.png and b/docs/iam/umn/en-us_image_0000001511377602.png differ diff --git a/docs/iam/umn/en-us_image_0000001511378178.png b/docs/iam/umn/en-us_image_0000001511378178.png index f0f1b2225..c03b49957 100644 Binary files a/docs/iam/umn/en-us_image_0000001511378178.png and b/docs/iam/umn/en-us_image_0000001511378178.png differ diff --git a/docs/iam/umn/en-us_image_0000001511524692.png b/docs/iam/umn/en-us_image_0000001511524692.png index a73628e50..f72aaf03a 100644 Binary files a/docs/iam/umn/en-us_image_0000001511524692.png and b/docs/iam/umn/en-us_image_0000001511524692.png differ diff --git a/docs/iam/umn/en-us_image_0000001511856446.png b/docs/iam/umn/en-us_image_0000001511856446.png index 32218a8ba..a4d77ae0c 100644 Binary files a/docs/iam/umn/en-us_image_0000001511856446.png and b/docs/iam/umn/en-us_image_0000001511856446.png differ diff --git a/docs/iam/umn/en-us_image_0000001562564797.png b/docs/iam/umn/en-us_image_0000001562564797.png index 004dde38f..b627736bd 100644 Binary files a/docs/iam/umn/en-us_image_0000001562564797.png and b/docs/iam/umn/en-us_image_0000001562564797.png differ diff --git a/docs/iam/umn/en-us_image_0000001562896221.png b/docs/iam/umn/en-us_image_0000001562896221.png index f6d61c7e5..a5a08d09a 100644 Binary files a/docs/iam/umn/en-us_image_0000001562896221.png and b/docs/iam/umn/en-us_image_0000001562896221.png differ diff --git a/docs/iam/umn/en-us_image_0000001606779168.png b/docs/iam/umn/en-us_image_0000001606779168.png index d799cda9e..092b98244 100644 Binary files a/docs/iam/umn/en-us_image_0000001606779168.png and b/docs/iam/umn/en-us_image_0000001606779168.png differ diff --git a/docs/iam/umn/en-us_image_0000001606781176.png b/docs/iam/umn/en-us_image_0000001606781176.png index 6ccded3db..3eb945c80 100644 Binary files a/docs/iam/umn/en-us_image_0000001606781176.png and b/docs/iam/umn/en-us_image_0000001606781176.png differ diff --git a/docs/iam/umn/en-us_image_0000001606781944.png b/docs/iam/umn/en-us_image_0000001606781944.png index 7c3090f4a..33bd83c70 100644 Binary files a/docs/iam/umn/en-us_image_0000001606781944.png and b/docs/iam/umn/en-us_image_0000001606781944.png differ diff --git a/docs/iam/umn/en-us_image_0000001606783928.png b/docs/iam/umn/en-us_image_0000001606783928.png index 130ed766e..49f850e17 100644 Binary files a/docs/iam/umn/en-us_image_0000001606783928.png and b/docs/iam/umn/en-us_image_0000001606783928.png differ diff --git a/docs/iam/umn/en-us_image_0000001606939052.png b/docs/iam/umn/en-us_image_0000001606939052.png index acf7c27f4..ee6b86775 100644 Binary files a/docs/iam/umn/en-us_image_0000001606939052.png and b/docs/iam/umn/en-us_image_0000001606939052.png differ diff --git a/docs/iam/umn/en-us_image_0000001606944408.png b/docs/iam/umn/en-us_image_0000001606944408.png index 7825da49e..2d3c19c61 100644 Binary files a/docs/iam/umn/en-us_image_0000001606944408.png and b/docs/iam/umn/en-us_image_0000001606944408.png differ diff --git a/docs/iam/umn/en-us_image_0000001607217960.png b/docs/iam/umn/en-us_image_0000001607217960.png index bfd0595b3..82890e92b 100644 Binary files a/docs/iam/umn/en-us_image_0000001607217960.png and b/docs/iam/umn/en-us_image_0000001607217960.png differ diff --git a/docs/iam/umn/en-us_image_0000001607219512.png b/docs/iam/umn/en-us_image_0000001607219512.png index de9bb3d55..86b9c87df 100644 Binary files a/docs/iam/umn/en-us_image_0000001607219512.png and b/docs/iam/umn/en-us_image_0000001607219512.png differ diff --git a/docs/iam/umn/en-us_image_0000001607259280.png b/docs/iam/umn/en-us_image_0000001607259280.png index 96c1014ee..fe2a29917 100644 Binary files a/docs/iam/umn/en-us_image_0000001607259280.png and b/docs/iam/umn/en-us_image_0000001607259280.png differ diff --git a/docs/iam/umn/en-us_image_0000001656300001.png b/docs/iam/umn/en-us_image_0000001656300001.png index bfd0595b3..82890e92b 100644 Binary files a/docs/iam/umn/en-us_image_0000001656300001.png and b/docs/iam/umn/en-us_image_0000001656300001.png differ diff --git a/docs/iam/umn/en-us_image_0000001656303477.png b/docs/iam/umn/en-us_image_0000001656303477.png index 4098788bf..8eab97482 100644 Binary files a/docs/iam/umn/en-us_image_0000001656303477.png and b/docs/iam/umn/en-us_image_0000001656303477.png differ diff --git a/docs/iam/umn/en-us_image_0000001656303721.png b/docs/iam/umn/en-us_image_0000001656303721.png index bfd0595b3..82890e92b 100644 Binary files a/docs/iam/umn/en-us_image_0000001656303721.png and b/docs/iam/umn/en-us_image_0000001656303721.png differ diff --git a/docs/iam/umn/en-us_image_0000001656340545.png b/docs/iam/umn/en-us_image_0000001656340545.png index f98876a40..36d102629 100644 Binary files a/docs/iam/umn/en-us_image_0000001656340545.png and b/docs/iam/umn/en-us_image_0000001656340545.png differ diff --git a/docs/iam/umn/en-us_image_0000001656341101.png b/docs/iam/umn/en-us_image_0000001656341101.png index acf7c27f4..ee6b86775 100644 Binary files a/docs/iam/umn/en-us_image_0000001656341101.png and b/docs/iam/umn/en-us_image_0000001656341101.png differ diff --git a/docs/iam/umn/en-us_image_0000001656344889.png b/docs/iam/umn/en-us_image_0000001656344889.png index 0dd626d0d..99ee545ea 100644 Binary files a/docs/iam/umn/en-us_image_0000001656344889.png and b/docs/iam/umn/en-us_image_0000001656344889.png differ diff --git a/docs/iam/umn/en-us_image_0000001656458721.png b/docs/iam/umn/en-us_image_0000001656458721.png index c6bbaae66..d3d67bd54 100644 Binary files a/docs/iam/umn/en-us_image_0000001656458721.png and b/docs/iam/umn/en-us_image_0000001656458721.png differ diff --git a/docs/iam/umn/en-us_image_0000001656459361.png b/docs/iam/umn/en-us_image_0000001656459361.png index 96c1014ee..fe2a29917 100644 Binary files a/docs/iam/umn/en-us_image_0000001656459361.png and b/docs/iam/umn/en-us_image_0000001656459361.png differ diff --git a/docs/iam/umn/en-us_image_0000001656493417.png b/docs/iam/umn/en-us_image_0000001656493417.png index 3d60b14bb..008a98037 100644 Binary files a/docs/iam/umn/en-us_image_0000001656493417.png and b/docs/iam/umn/en-us_image_0000001656493417.png differ diff --git a/docs/iam/umn/en-us_image_0000001656578205.png b/docs/iam/umn/en-us_image_0000001656578205.png index df30add2e..38741f08a 100644 Binary files a/docs/iam/umn/en-us_image_0000001656578205.png and b/docs/iam/umn/en-us_image_0000001656578205.png differ diff --git a/docs/iam/umn/en-us_image_0000001656580725.png b/docs/iam/umn/en-us_image_0000001656580725.png index d799cda9e..092b98244 100644 Binary files a/docs/iam/umn/en-us_image_0000001656580725.png and b/docs/iam/umn/en-us_image_0000001656580725.png differ diff --git a/docs/iam/umn/en-us_image_0000001656582221.png b/docs/iam/umn/en-us_image_0000001656582221.png index 130ed766e..49f850e17 100644 Binary files a/docs/iam/umn/en-us_image_0000001656582221.png and b/docs/iam/umn/en-us_image_0000001656582221.png differ diff --git a/docs/iam/umn/en-us_image_0000001656585157.png b/docs/iam/umn/en-us_image_0000001656585157.png index fefc43eb8..714a0ce5c 100644 Binary files a/docs/iam/umn/en-us_image_0000001656585157.png and b/docs/iam/umn/en-us_image_0000001656585157.png differ diff --git a/docs/iam/umn/en-us_image_0000002492731764.png b/docs/iam/umn/en-us_image_0000002492731764.png new file mode 100644 index 000000000..ad94ea07d Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002492731764.png differ diff --git a/docs/iam/umn/en-us_image_0000002498759736.png b/docs/iam/umn/en-us_image_0000002498759736.png new file mode 100644 index 000000000..0c8e63535 Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002498759736.png differ diff --git a/docs/iam/umn/en-us_image_0000002498925326.png b/docs/iam/umn/en-us_image_0000002498925326.png new file mode 100644 index 000000000..ce8250bfa Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002498925326.png differ diff --git a/docs/iam/umn/en-us_image_0000002515075725.png b/docs/iam/umn/en-us_image_0000002515075725.png new file mode 100644 index 000000000..7d3062616 Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002515075725.png differ diff --git a/docs/iam/umn/en-us_image_0000002525618428.png b/docs/iam/umn/en-us_image_0000002525618428.png new file mode 100644 index 000000000..8da35a89b Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002525618428.png differ diff --git a/docs/iam/umn/en-us_image_0000002525746603.png b/docs/iam/umn/en-us_image_0000002525746603.png new file mode 100644 index 000000000..a6c38ad0c Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002525746603.png differ diff --git a/docs/iam/umn/en-us_image_0000002530633799.png b/docs/iam/umn/en-us_image_0000002530633799.png new file mode 100644 index 000000000..db91d51e8 Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002530633799.png differ diff --git a/docs/iam/umn/en-us_image_0000002530642105.png b/docs/iam/umn/en-us_image_0000002530642105.png new file mode 100644 index 000000000..0cd61c71d Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002530642105.png differ diff --git a/docs/iam/umn/en-us_image_0000002530649051.png b/docs/iam/umn/en-us_image_0000002530649051.png new file mode 100644 index 000000000..5e8691763 Binary files /dev/null and b/docs/iam/umn/en-us_image_0000002530649051.png differ diff --git a/docs/iam/umn/en-us_image_0291358588.png b/docs/iam/umn/en-us_image_0291358588.png deleted file mode 100644 index c08ba6ec8..000000000 Binary files a/docs/iam/umn/en-us_image_0291358588.png and /dev/null differ diff --git a/docs/iam/umn/en-us_topic_0046611269.html b/docs/iam/umn/en-us_topic_0046611269.html index 079330bd3..c9f11f149 100644 --- a/docs/iam/umn/en-us_topic_0046611269.html +++ b/docs/iam/umn/en-us_topic_0046611269.html @@ -5,7 +5,7 @@

Procedure

  1. In the navigation pane, choose User Groups.
  2. On the User Groups page, click Create User Group.
  3. Enter a user group name.
  4. (Optional) Enter a description for the user group.

    To enable users to directly view their permissions, set a description for the user group. For example, if you assign the Security Administrator role to a user group, you can set any description in the Description text box. For example: Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users. For details about the permissions for all cloud services, see Permissions.

  5. Click OK.

    The user group is displayed in the user group list.

    -

  6. In the row containing the user group, click Authorize in the Operation column.
  7. On the Authorize User Group page, select the permissions to be assigned to the user group. You can also click Go to Old Edition to use the old version for authorization.

    If the system-defined policies do not meet your requirements, you can click Create Policy in the upper right to create custom policies for fine-grained permissions control. For details, see Creating a Custom Policy.

    +

  8. In the row containing the user group, click Authorize in the Operation column.
  9. On the Authorize User Group page, select the permissions to be assigned to the user group.

    If the system-defined policies do not meet your requirements, you can click Create Policy in the upper right to create custom policies for fine-grained permissions control. For details, see Creating a Custom Policy.

    Figure 1 Selecting permissions

  10. Click Next.
  11. Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.

    Table 1 Authorization scopes

    Scope

    diff --git a/docs/iam/umn/en-us_topic_0046611300.html b/docs/iam/umn/en-us_topic_0046611300.html index 912bfb4a2..56b4c5713 100644 --- a/docs/iam/umn/en-us_topic_0046611300.html +++ b/docs/iam/umn/en-us_topic_0046611300.html @@ -2,13 +2,19 @@

    Change History

    -
    Table 1 Change history

    Released On

    +
    - + + +
    Table 1 Change history

    Released On

    Description

    2025-06-24

    +

    2026-03-06

    +

    This release incorporates the following changes:

    +

    Updated the document based on the changes on the console version 25.9.

    +

    2025-06-24

    This release incorporates the following changes:

    Added the description of Last Activity in Viewing and Modifying User Information.

    @@ -61,7 +67,6 @@

    Added section Deleting User Groups.

    Added section Managing Permissions of a User Group.

    Added section Assigning Dependency Roles.

    -

    Modified content in section Assigning Permissions to an IAM User.

    Modified content in section Creating a User Group and Assigning Permissions.

    Modified content in section Basic Concepts.

    @@ -201,7 +206,7 @@

    2017-10-15

    This release incorporates the following changes:

    -

    Deleted chapter "Permission Description." For details, see Permission Description.

    +

    Deleted chapter "Permissions." For permissions details, see Permissions.

    2017-09-15

    diff --git a/docs/iam/umn/en-us_topic_0046611303.html b/docs/iam/umn/en-us_topic_0046611303.html index 42dd6c207..aad11abb7 100644 --- a/docs/iam/umn/en-us_topic_0046611303.html +++ b/docs/iam/umn/en-us_topic_0046611303.html @@ -65,7 +65,7 @@

    Set by user

    If you are the administrator setting the password for the user, select this option. The user can set a password by clicking on the one-time login URL sent over email.

    -

    The URL is valid for 7 days. Remind the user to log in and set a password before the URL expires.

    +

    The URL is valid for 2 days. Remind the user to log in and set a password before the URL expires.

    Automatically generated

    @@ -99,7 +99,7 @@
    • For security purposes, select only one access type for each user.
      • Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.
      • Management console access: Users can log in to the management console using their own usernames and passwords.
      -
    • Users can log in to the cloud platform using the username, mobile number, or email address.
    • If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to users, users need to contact the administrator to reset their password.
    • After you set the access type for IAM users, you cannot change it later. However, you can control their access by enabling or disabling their accounts.
    +
  12. Users can log in to the cloud platform using the username, mobile number, or email address.
  13. If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to users, users need to contact the administrator to reset their password.

  14. (Optional) Click Next and add the user to one or more user groups.

    • The user will inherit the permissions assigned to the user groups to which the user belongs.
    • You can also create new groups as required.
    • If a user will be an administrator, add the user to the default group admin.
    • You can enter a keyword to quickly find the target user group.
    • You can add a user to multiple user groups.
    @@ -107,6 +107,7 @@

  15. Click Create.

    If you have specified the access type as Programmatic access, download the access key on the Finish page.

    16. +

    2

    Related Operations

    • View and modify information about the user, including the user status, email address, mobile number, user groups, and logs.
    • In the user list, click Delete in the row that contains the user you want to delete and click Yes.
    diff --git a/docs/iam/umn/en-us_topic_0046613147.html b/docs/iam/umn/en-us_topic_0046613147.html index 06c0424b5..c2d7189c5 100644 --- a/docs/iam/umn/en-us_topic_0046613147.html +++ b/docs/iam/umn/en-us_topic_0046613147.html @@ -1,7 +1,7 @@

    Creating an Agency and Assigning Permissions

    -

    By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password or access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.

    +

    By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.

    Prerequisites

    Before creating an agency, complete the following operations:

    @@ -9,7 +9,7 @@

  16. Enter an agency name.

    Figure 2 Setting the agency name

  17. Specify the agency type as Account, and enter the name of a delegated account.

    • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
    • Cloud service: Delegate a specific service to access other services. For more information, see Delegating Another Service for Resource Management.
    -

  18. Set the validity period and enter a description for the agency.
  19. Click Next.
  20. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.

    • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to an IAM User.
    • Agencies cannot be assigned the Security Administrator role. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).
    +

  21. Set the validity period and enter a description for the agency.
  22. Click Next.
  23. Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.

    • Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to an IAM User.
    • You can assign the Security Administrator role to the agency, but we do not recommend you to do so. For account security purposes, only grant the required permissions to the agency based on the principle of least privilege (PoLP).

  24. Click OK.

    After creating an agency, provide your domain name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources based on the assigned permissions.

    diff --git a/docs/iam/umn/en-us_topic_0046613148.html b/docs/iam/umn/en-us_topic_0046613148.html index a453e20a4..5eedf57ca 100644 --- a/docs/iam/umn/en-us_topic_0046613148.html +++ b/docs/iam/umn/en-us_topic_0046613148.html @@ -6,12 +6,12 @@

    25. Procedure

    1. Log in to the management console using your account, or log in as the IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)".

      The IAM user created in "Assigning Permissions to an IAM User (by a Delegated Party)" has permission to manage agencies and switch roles.

      -

    2. Move the cursor to the username in the upper right corner and choose Switch Role.
    3. On the Switch Role page, enter the domain name of the delegating party.

      After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.

      +

    4. Move the cursor to the username in the upper right corner and choose Switch Role.
    5. On the Switch Role page, enter the domain name of the delegating party.

      After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.

      -

    6. Click OK to switch to the delegating Domain name.
    +

  25. Click OK to switch to the delegating Domain name.
    26. -

    Follow-Up Procedure

    Move the cursor to the username in the upper right corner and choose Switch Role.

    +

    Follow-Up Procedure

    Move the cursor to the username in the upper right corner and choose Switch Role.

    diff --git a/docs/iam/umn/en-us_topic_0046661675.html b/docs/iam/umn/en-us_topic_0046661675.html index c46169fd7..5bb7e3c69 100644 --- a/docs/iam/umn/en-us_topic_0046661675.html +++ b/docs/iam/umn/en-us_topic_0046661675.html @@ -1,11 +1,10 @@

    Viewing and Modifying User Information

    -

    You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.

    +

    You can click the user to view user details. The administrator can change the user status, access method, description, external identity ID, and groups to which the user belongs.

    If the job responsibilities of a user are changed, you can change the permissions assigned for that user by changing the groups which the user belongs to. You can also change the virtual MFA device and access keys of the user by choosing More > Security Settings in the row containing the target user. If a user forgot their password or access keys, you can modify the login credentials of the user.

    As an administrator, you can modify the basic information about an IAM user, change the security settings of the user and the groups to which the user belongs, and view or delete the assigned permissions. To view or modify user information, click Security Settings in the row containing the IAM user.

    -

    To adjust the item columns displayed on the list, click . The Username and Operation columns are displayed by default, and the Status column cannot be removed. You can also select Description, Last Login, Last Activity, Created, Access Type, Virtual MFA Device, Password Age, and Access Key (Status, Age, and AK).

    -

    Last Activity displays the first login time of your account or all the IAM users who have logged in within a 5-minute span. If you just use the account to obtain a token, Last Activity shows last time there was any activity.

    +

    To adjust the item columns displayed on the list, click . The Username and Operation columns are displayed by default, and the Status column cannot be removed. Optional columns include: User ID, External Identity ID, Description, Last Login, Created, Access Type, MFA Type, Password Age, and Access Key (Status, Age, and AK).

    Basic Information

    You can modify the basic information of IAM users, but cannot modify the basic information of your account. The username, user ID, and creation time can be viewed but cannot be modified.

    • Status: New IAM users are enabled by default. You can set Status to Disabled to disable an IAM user. A disabled user is no longer able to log in to the cloud platform through the management console or programmatic access.
    • Access Type: You can change the access type of the IAM user.
      • Pay attention to the following when you set the access type for an IAM user:
        • If you intend to enable the user to access cloud services only by using the management console, select Management console access.
        • If you intend to enable the user to access cloud services only by using programmatic access, select Programmatic access.
        • If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access.
        • If the user needs to perform access key verification when using certain services in the console, select both Programmatic access and Management console access.
        @@ -17,14 +16,6 @@

        Your account belongs to the default group admin, which cannot be changed.

        • Click Add to User Group, and select one or more groups to which the user will belong. The user then inherits permissions of these groups.
        • Click Remove on the right of a user group and click Yes. The user no longer has the permissions assigned to the group.
      -

      Security Settings

      As an administrator, you can modify the MFA device, login credential, login protection, and access keys of an IAM user on this page. If you are an IAM user and need to change your mobile number, email address, or virtual MFA device, see Security Settings.

      -
      • MFA Authentication: You can change the multi-factor authentication (MFA) settings of an IAM user on the Security Settings page.
        • Change the mobile number or email address of the user.

          The mobile number and email address of the IAM user cannot be the same as those of your account or other IAM users.

          -
          -
        • Remove the virtual MFA device from the user. For more information about MFA authentication and virtual MFA device, see MFA Authentication and Virtual MFA Device.
        -
      -
      • Login Credentials: You can change the login password of the IAM user. For more information, see Modifying Security Settings for an IAM User.
      • Login Protection: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.

        This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.

        -
      • Access Keys: You can manage access keys of the IAM user.
      -
      diff --git a/docs/iam/umn/en-us_topic_0066738518.html b/docs/iam/umn/en-us_topic_0066738518.html index 5eccc77c9..63aa0f50e 100644 --- a/docs/iam/umn/en-us_topic_0066738518.html +++ b/docs/iam/umn/en-us_topic_0066738518.html @@ -7,9 +7,6 @@

    • (Optional) Enter a description for the project.
    • Click OK.

      The project list is displayed, and the newly created project is in the Normal state.

    -

    Follow-Up Procedure

    Assigning permissions for a specific project

    -

    On the user group details page, click the Permissions tab, select Project View, click Modify Permissions in the row containing the target project, and then modify the permissions for this project. For details, see Creating a User Group and Assigning Permissions.

    -

    Related Operations

    • Viewing project details
      1. View the projects of the corresponding region in the project list.
      2. Click View in the Operation column of the row that contains the target project.

        View project details and the users bound to the project.

        After you add a user to a user group that has been granted permissions for a specific project, the user inherits permissions of the group and is associated with the project. The user can switch to this project to access resources in it.

        diff --git a/docs/iam/umn/en-us_topic_0079620341.html b/docs/iam/umn/en-us_topic_0079620341.html index 977cb52d8..3db71016c 100644 --- a/docs/iam/umn/en-us_topic_0079620341.html +++ b/docs/iam/umn/en-us_topic_0079620341.html @@ -1,7 +1,7 @@

        Overview

        -

        The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access the cloud platform through single sign-on (SSO).

        +

        The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access the cloud platform through single sign-on (SSO).

        Basic Concepts

        @@ -48,13 +48,13 @@
        Table 1 Basic concepts

        Concept

        -

        Advantages of Identity Federation

        • Easy identity management

          With an identity provider, the administrator can manage workforce identities outside of the cloud platform and give these external workforce identities permissions to use resources on the cloud platform.

          -
        • Simplified operations

          Workforce users can use their existing accounts in the enterprise to access the cloud platform through SSO.

          +

          Advantages of Identity Federation

          • Easy identity management

            With an identity provider, the administrator can manage workforce identities outside of the cloud platform and give these external workforce identities permissions to use resources on cloud platform.

            +
          • Simplified operations

            Workforce users can use their existing accounts in the enterprise to access cloud platform through SSO.

            Figure 1 Advantages of identity federation

          SSO Type

          IAM supports two SSO types: virtual user SSO and IAM user SSO. For details about how to choose an SSO type, see Application Scenarios of Virtual User SSO and IAM User SSO.

          -
          • Virtual user SSO

            After a federated user logs in to the cloud platform, the system automatically creates a virtual user and grants access permissions to the virtual user based on the configured identity conversion rules.

            +
            • Virtual user SSO

              After a federated user logs in to cloud platform, the system automatically creates a virtual user and grants access permissions to the virtual user based on the configured identity conversion rules.

            • IAM user SSO

              After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user.

            Currently, IAM supports two federated login methods: browser-based SSO (web SSO) and SSO via API calling.

            @@ -110,7 +110,7 @@
    -

    Precautions

    • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
    • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following constraints:
      • Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
      • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.

        If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

        +

        Precautions

        • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
        • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following constraints:
          • Federated users do not need to perform a 2-step verification when performing critical operations even though login protection or operation protection is enabled.
          • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens.

            If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

        diff --git a/docs/iam/umn/en-us_topic_0085605493.html b/docs/iam/umn/en-us_topic_0085605493.html index 47a1765f0..916ecd4d8 100644 --- a/docs/iam/umn/en-us_topic_0085605493.html +++ b/docs/iam/umn/en-us_topic_0085605493.html @@ -2,14 +2,17 @@

        Viewing and Modifying User Group Information

        As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the groups to which the users belong.

        -

        Procedure

        1. In the navigation pane, choose User Groups.
        2. In the user group list, view or modify user group information.

          • Viewing user group information

            In the user group list, click next to the target user group to view its details, including the basic information, permissions, and users.

            +

            Procedure

            1. In the navigation pane, choose User Groups.
            2. In the user group list, view or modify user group information.

              • Viewing user group information

                In the user group list, click the target user group to view its details, including the basic information, permissions, and users.

              • Modifying user group information
                Click Modify in the Operation column of the row that contains the target user group to go to the Modify User Group page.
                • For the default user group, you can only manage its users and cannot modify its basic information or permissions.
                • If the name of a user group has been configured in the identity conversion rules of an IdP, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.
                -
              • Modifying user group permissions
                You can assign new permissions to or cancel the existing permissions of a user group in the policy view or project view.
                • Changing the authorization scope in the policy view
                  1. Choose User Groups in the navigation pane, and click Manage Permissions in the row containing the user group you want to modify. On the Permissions tab page, select Policy View.
                  2. Click Change Project on the right of a policy.
                  3. On the Change Project page, select or deselect desired projects.
                  4. Click OK.
                  -
                • Modifying permissions for certain projects in the project view
                  1. Choose User Groups in the navigation pane, and click Manage Permissions on the right of a user group. On the Permissions tab page, select Project View.
                  2. Click Modify Permissions on the right of a project.
                  3. Select or deselect desire policies, and click OK.
                  -
                +
              • Modifying user group permissions
                You can view or modify user group permissions on the Permissions page of the IAM console.
                • Modifying the permissions of a user group changes the permissions of all users in the user group.
                • Permissions of the default user group admin cannot be modified.
                +
                +
                1. Click a user group to go to the details page, and view the group permissions in the Permissions tab.
                2. Click Delete in the row that contains the role or policy you want to delete.
                  Figure 1 Deleting an assigned permission
                  +
                3. Click OK.
                4. On the Permissions tab, click Authorize.
                  Figure 2 Assigning permissions to a user group
                  +
                5. Select desired permissions and a scope, and click OK.
                6. Go back to the Permissions tab to view the modified group permissions.
                  Figure 3 Permissions assigned
                  +
              • Managing Users
                1. In the user group list, click Manage User in the row containing the user group you want to modify.
                2. In the Available Users area, select users you want to add to the user group.
                3. In the Selected Users area, remove users from the user group.

            @@ -21,3 +24,10 @@
        + + \ No newline at end of file diff --git a/docs/iam/umn/iam_01_0003.html b/docs/iam/umn/iam_01_0003.html index 2a79ecf16..72ed3ed9c 100644 --- a/docs/iam/umn/iam_01_0003.html +++ b/docs/iam/umn/iam_01_0003.html @@ -7,16 +7,14 @@

        For more information, see MFA Authentication and Virtual MFA Device.

        Prerequisites

        You have installed an MFA application (for example, Google Authenticator) on your smartphone.

        -

        Procedure

        1. On the management console, hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
        2. On the My Credentials page, click Bind next to the Virtual MFA Device parameter.
        3. Go to the Bind Virtual MFA Device page.

          Figure 1 Binding a virtual MFA device
          -

          The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.

          -
          -
          -

        4. Add your account to an MFA application.

          • Scanning the QR code

            Open the MFA application on your mobile phone, click the plus sign + on the application, and scan the QR code displayed on the Bind Virtual MFA Device page. Your account is then automatically added to the application, with the username and secret key displayed.

            -
          • Manually entering the secret key

            Open the MFA application on your mobile phone, click the plus sign + on the application, and manually enter the secret key displayed on the Bind Virtual MFA Device page.

            -

            The manual entry function is time-based. Ensure that automatic time setup has been enabled on your mobile phone.

            +

            Procedure

            1. Go to the Security Settings page.
            2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.

              Figure 1 Binding a virtual MFA device
              +

            3. Add a virtual MFA device to your MFA application.

              Figure 2 Adding a virtual MFA device
              +

            4. Bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

              • Scanning the QR code

                Open the MFA application on your mobile phone, select Scan QR code. Click Show QR code in step 1 and scan the QR code. Then, the MFA application automatically adds the virtual MFA device.

                +
              • Entering the secret key

                Open the MFA application on your mobile phone, and enter the secret key.

                +

                TOTP-based virtual MFA devices can only be manually added. You are advised to enable automatic time setting on your mobile device.

              -

            5. View the verification code on the MFA application. The code is automatically updated every 30 seconds.
            6. On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK to bind the virtual MFA device.
            +

          • View the dynamic verification codes on the home page of the MFA application. The code is automatically updated every 30 seconds.
          • On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
        diff --git a/docs/iam/umn/iam_01_0004.html b/docs/iam/umn/iam_01_0004.html index 312188b95..dc742f963 100644 --- a/docs/iam/umn/iam_01_0004.html +++ b/docs/iam/umn/iam_01_0004.html @@ -2,8 +2,7 @@

        How Do I Unbind a Virtual MFA Device?

        You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.

        -
        1. On the homepage of the cloud system, click Console.
        2. Hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
        3. Click Unbind next to Virtual MFA Device.
        4. Enter the verification code obtained from the virtual MFA device.
        5. Click OK.

          The virtual MFA device is unbound successfully.

          -
        +
        1. Go to the Security Settings page.
        2. Click the Critical Operations tab, and click Unbind in the Virtual MFA Device row.
        3. In the displayed dialog box, enter DELETE in the text box.
        diff --git a/docs/iam/umn/iam_01_0016.html b/docs/iam/umn/iam_01_0016.html index fd3603218..28bbe09d3 100644 --- a/docs/iam/umn/iam_01_0016.html +++ b/docs/iam/umn/iam_01_0016.html @@ -2,28 +2,29 @@

        Creating a Custom Policy

        You can create custom policies to supplement system-defined policies and implement more refined access control.

        -

        Creating a Custom Policy in the Visual Editor

        1. On the IAM console, choose Policies in the navigation pane, and click Create Custom Policy.
        2. Enter a policy name.
        3. Select Visual editor.
        4. Set the policy content.

          1. Select Allow or Deny.
          2. Select a cloud service.

            Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click Add Permissions or switch to the JSON view.

            +

            Creating a Custom Policy in the Visual Editor

            1. In the navigation pane of the IAM console, choose Permissions > Policies/Roles.
            2. Click Create Custom Policy.

              Figure 1 Creating custom policies
              +

            3. Enter a policy name.
            4. Select Visual editor.
            5. Set the policy content.

              1. Select Allow or Deny.
              2. Select a cloud service.

                Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click Add Permissions or switch to the JSON view.

              3. Select actions.
              4. Select all resources, or select specific resources by specifying their paths.
              5. (Optional) Add request conditions by specifying condition keys, operators, and values. -
                Table 1 Condition parameters

                Name

                +
                - - - - - - - @@ -46,3 +47,10 @@ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_01_0029.html b/docs/iam/umn/iam_01_0029.html index b19a7afcd..173584348 100644 --- a/docs/iam/umn/iam_01_0029.html +++ b/docs/iam/umn/iam_01_0029.html @@ -11,7 +11,7 @@

                This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see MFA Authentication and Virtual MFA Device.

                Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.

                -
                1. Go to the Security Settings page.
                2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
                3. On the displayed page, enter a device name. Only letters, digits, hyphens (-), and underscores (_) are allowed.
                4. Select an MFA device. For this example, select Virtual MFA Device and click Next.
                5. Add a virtual MFA device to your MFA application.
                6. You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

                  • Scanning the QR code

                    Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Add MFA Device page. Then, the MFA application automatically adds the virtual MFA device.

                    +
                    1. Go to the Security Settings page.
                    2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
                    3. Add a virtual MFA device to your MFA application.
                    4. You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

                      • Scanning the QR code

                        Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Add MFA Device page. Then, the MFA application automatically adds the virtual MFA device.

                      • Entering the secret key

                        Open the MFA application on your mobile phone, and enter the secret key.

                        TOTP-based virtual MFA devices can only be manually added. You are advised to enable automatic time setting on your mobile device.

                        @@ -20,15 +20,15 @@

                        Login Protection

                        After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

                        For an account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

                        -
                        • (Administrator) Enabling login protection for an IAM user

                          To enable login protection for an IAM user, go to the Users page and choose Security Settings in the row that contains the IAM user. In the Login Protection area in the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device or security key. You can enable or disable API login protection as needed when you select Virtual MFA device. The option is disabled by default. API login protection asks you for both a password and a virtual MFA device to obtain an IAM user token. Without API login protection, you can obtain the token with only a password. To obtain an IAM user token, see .

                          -
                        • Enabling login protection for your account

                          To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.

                          +
                          • (Administrator) Enabling login protection for an IAM user

                            To enable login protection for an IAM user, go to the Users page and choose Security Settings in the row that contains the IAM user. In the Login Protection area in the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.

                            +
                          • Enabling login protection for your account

                            To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.

                        Operation Protection

                        • Enabling operation protection

                          After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.

                          The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.

                        1. Go to the Security Settings page.
                        2. On the Critical Operations tab, locate the Operation Protection row and click Enable.
                        3. Select Enable and then select Self-verification or Verification by another person.

                          If you select Verification by another person, an identity verification is required to ensure that this verification method is available.

                          -
                          • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
                          • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification is supported. Virtual MFA devices are not supported.
                          +
                          • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
                          • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification is supported. Virtual MFA devices are not supported.

                        4. Click OK.
                        • Disabling operation protection
                        @@ -40,14 +40,14 @@

                        Access Key Management

                        • Enabling access key management

                          After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.

                          -

                          To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                          +

                          To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                        • Disabling access key management

                          After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.

                          -

                          To disable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                          +

                          To disable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                        Information Self-Management

                        • Enabling information self-management

                          By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.

                          To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable in the Information Self-Management row. Select Enable, select the information types that IAM users can modify, and click OK.

                          -
                        • Disabling information self-management

                          After you disable information self-management, only administrators can manage their own basic information. If you are an IAM user and want to change your login password, mobile number, or email address, contact the administrator. The administrator can modify the information by referring to Viewing and Modifying User Group Information.

                          +
                        • Disabling information self-management

                          After you disable information self-management, only administrators can manage their own basic information. If you are an IAM user and want to change your login password, mobile number, or email address, contact the administrator. The administrator can modify the information by referring to Viewing and Modifying User Information.

                          To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.

                        @@ -193,7 +193,7 @@
                -
                Table 1 Condition parameters

                Name

                Description

                +

                Description

                Condition Key

                +

                Condition Key

                A key in the Condition element of a statement. There are global and service-specific condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-specific condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

                +

                A key in the Condition element of a statement. There are global and service-specific condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-specific condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

                Operator

                +

                Operator

                Used together with a condition key to form a complete condition statement.

                +

                Used together with a condition key to form a complete condition statement.

                Value

                +

                Value

                Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.

                +

                Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.

                RDS for MySQL

                • Resetting the administrator password
                • Deleting a DB instance
                • Deleting a database backup
                • Switching between primary and standby DB instances
                • Changing the database port
                • Deleting a database account
                • Deleting a database
                • Unbinding an EIP
                • Downloading a full backup
                • Downloading a Binlog backup
                • Changing a private domain name
                • Changing a public domain name
                • Modifying a host IP address
                • Stopping an instance
                • Starting an instance
                • Restarting an instance
                • Resetting a password for a database account
                +
                • Resetting the administrator password
                • Deleting a DB instance
                • Deleting a database backup
                • Switching between primary and standby DB instances
                • Changing the database port
                • Deleting a database account
                • Deleting a database
                • Unbinding an EIP
                • Downloading a full backup
                • Downloading a Binlog backup
                • Changing a private domain name
                • Changing a public domain name
                • Modifying a host IP address
                • Stopping an instance
                • Starting an instance
                • Restarting an instance
                • Resetting a password for a database account
                • Downloading a slow query log

                Database

                diff --git a/docs/iam/umn/iam_01_0031.html b/docs/iam/umn/iam_01_0031.html index 0a5779836..3eee0691c 100644 --- a/docs/iam/umn/iam_01_0031.html +++ b/docs/iam/umn/iam_01_0031.html @@ -97,8 +97,8 @@
                -
                • For security purposes, select only one access type for each user.
                  • Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.
                  • Management console access: Users can log in to the management console using their own usernames and passwords.
                  -
                • You cannot change the access type of users, but you can control their access by enabling or disabling the user accounts.
                +
                For security purposes, select only one access type for each user.
                • Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.
                • Management console access: Users can log in to the management console using their own usernames and passwords.
                +

              6. (Optional) Click Next and add the user to one or more user groups.

                • The user will inherit the permissions assigned to the user groups to which the user belongs.
                • You can also create new groups as required.
                • If the user will be an administrator, add the user to the default group admin.
                • You can add a user to multiple user groups.
                diff --git a/docs/iam/umn/iam_01_0032.html b/docs/iam/umn/iam_01_0032.html index 8bd3531c5..e82d324f5 100644 --- a/docs/iam/umn/iam_01_0032.html +++ b/docs/iam/umn/iam_01_0032.html @@ -5,7 +5,7 @@

                Background

                If either of the following has been configured on Security Settings > Login Authentication Policy, you will see the Login Verification page after login:
                • Recent Login Information has been enabled.
                • Custom Information has been configured.
                -

                Procedure

                1. On the Multitenant Login page, enter Domain name, Username/Email address/Mobile number, and Password, and click Log In.

                  • Domain Name is a username set in MyWorkplace. It is in the format "ICU + User ID + Contract instance number". ICU stands for identity for customer user.
                  • If this is your first login, change your initial password on the First Login page. To ensure account security, change your password periodically.
                  • Enter a verification code on the Login Verification page if login authentication has been enabled.
                  +

                  Procedure

                  1. On the Multitenant Login page, enter Domain name, Username/Email address/Mobile number, and Password, and click Log In.

                    • Domain Name is a username set in MyWorkplace. It is in the format "ICU + User ID + Contract instance number". ICU stands for identity for customer user.
                    • If this is your first login, change your initial password on the First Login page. To ensure account security, change your password periodically.
                    • Enter a verification code on the Login Verification page if login authentication has been enabled.

                  2. On the Login Verification page, click OK.

                    The management console is displayed.

                  diff --git a/docs/iam/umn/iam_01_0063.html b/docs/iam/umn/iam_01_0063.html index 78eb3d6ad..2665cb04d 100644 --- a/docs/iam/umn/iam_01_0063.html +++ b/docs/iam/umn/iam_01_0063.html @@ -1,13 +1,13 @@

                  Assigning Agency Permissions to an IAM User

                  -

                  When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

                  +

                  When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

                  You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.

                  -

                  Prerequisites

                  • A trust relationship has been established between your account and another account.
                  • You have obtained the name of the delegating account and the name and ID of the created agency.
                  +

                  Prerequisites

                  • A trust relationship has been established between another account and your account.
                  • You have obtained the name of the delegating account and the name and ID of the created agency.
                  -

                  Procedure

                  1. Create a user group and grant permissions to it.

                    1. On the User Groups page, click Create User Group.
                    2. Enter a user group name.
                    3. Click OK.
                    4. In the row containing the user group, click Authorize.
                    5. Create a custom policy.

                      This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to step 6.

                      +

                      Procedure

                      1. Create a user group and grant permissions to it.

                        1. On the User Groups page, click Create User Group.
                        2. Enter a user group name.
                        3. Click OK.
                        4. In the row containing the user group, click Authorize.
                        5. Create a custom policy.

                          This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to step 6.

                          -
                          1. On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
                          2. Enter a policy name.
                          3. Select JSON for Policy View.
                          4. In the Policy Content area, enter the following content:
                            {
+
                            1. On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
                            2. Enter a policy name.
                            3. Select JSON for Policy View.
                            4. In the Policy Content area, enter the following content:
                              {
         "Version": "1.1",
         "Statement": [
                 {
diff --git a/docs/iam/umn/iam_01_0430.html b/docs/iam/umn/iam_01_0430.html
index 8e6c3ad51..10f7201b7 100644
--- a/docs/iam/umn/iam_01_0430.html
+++ b/docs/iam/umn/iam_01_0430.html
@@ -6,9 +6,9 @@
 
                              Deleting User Groups
                              
 
                              Procedure
                              To delete a user group, do the following:
                              
 
                              
-
                              1. Log in to the IAM console. In the navigation pane, choose User Groups.
                              2. In the user group list, click Delete in the row that contains the user group to be deleted.
                              3. In the displayed dialog box, click OK.
                              
+
                              1. Log in to the IAM console. In the navigation pane, choose User Groups.
                              2. In the user group list, click Delete in the row that contains the user group to be deleted.
                              3. In the displayed dialog box, enter DELETE and click OK.
                              
 
                              Batch Deleting User Groups
                              To delete multiple user groups at a time, do the following:
                              
-
                              1. Log in to the IAM console. In the navigation pane, choose User Groups.
                              2. In the user group list, select the user groups to be deleted and click Delete above the list.
                              3. In the displayed dialog box, click OK.
                              
+
                              1. Log in to the IAM console. In the navigation pane, choose User Groups.
                              2. In the user group list, select the user groups to be deleted and click Delete above the list.
                              3. In the displayed dialog box, enter DELETE and click OK.
                              
 
                              
 
                              
 
                              
diff --git a/docs/iam/umn/iam_01_0607.html b/docs/iam/umn/iam_01_0607.html
index 7abc90bc9..237e0e0f0 100644
--- a/docs/iam/umn/iam_01_0607.html
+++ b/docs/iam/umn/iam_01_0607.html
@@ -4,15 +4,15 @@
   
   
 
                              Password Policy
                              
-
                              The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.
                              
+
                              The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.
                              
 
                              Only the administrator and an entrusted identity can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
                              
 
                              The administrator or an entrusted identity should configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.
                              
 
                              Password Composition & Reuse
                              • Ensure that the password contains 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
                              • Set the minimum number of characters that a password must contain. The default value is 6 and the value range is from 6 to 32.
                              • (Optional) Enable the Restrict consecutive identical characters option and set the maximum number of times that a character is allowed to be consecutively present in a password. For example, value 1 indicates that consecutive identical characters are not allowed in a password.
                              • (Optional) Enable the Disallow previously used passwords option and set the number of previously used passwords that are not allowed. For example, value 3 indicates that the user cannot set the last three passwords that the user has previously used when setting a new password.
                              
 
                              Changes to the password policy take effect the next time you or your IAM users change passwords. The new password policy will also apply to IAM users created later.
                              
 
                              
-
                              Password Expiration
                              Set a validity period for passwords so that users need to change their passwords periodically. The users will be prompted to change their passwords 15 days before password expiration. Expired passwords cannot be used to log in to the cloud platform.
                              
+
                              Password Expiration
                              To require users need to change their passwords periodically, set a validity period for passwords. The users will be prompted to change their passwords 15 days before password expiration. Expired passwords cannot be used to log in to the cloud platform.
                              
 
                              This option is disabled by default. It can be enabled by the administrator or an entrusted identity. The validity period range is from 1 day to 180 days.
                              
-
                              The changes will take effect immediately for your account and all IAM users under your account.
                              
+
                              Changes to this setting will be immediately applied to both your account and IAM users under your account.
                              
 
                              
 
                               
                              • After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old one.
                              • The password validity period policy applies only to console login. The operations of obtaining a user token through password authentication are not restricted by this policy.
                              
 
                              
diff --git a/docs/iam/umn/iam_01_0653.html b/docs/iam/umn/iam_01_0653.html
index fae047a17..6544c6734 100644
--- a/docs/iam/umn/iam_01_0653.html
+++ b/docs/iam/umn/iam_01_0653.html
@@ -5,11 +5,11 @@
   
 
                              Modifying Security Settings for an IAM User
                              
 
                              As an administrator, you can modify the password, MFA device, login protection, and access keys of an IAM user.
                              
-
                              Constraints
                              • IAM users can change their passwords on the Basic Information tab. 
                              • By default, only the IAM user's MFA device can be changed on the Security Settings tab. The MFA device of the account cannot be changed. To change the MFA device of the account, grant the permissions needed to add and unbind the MFA device.
                              • The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.
                              
+
                              Constraints
                              • IAM users can change their passwords on the Basic Information tab. 
                              • By default, only the IAM user's MFA device can be changed on the Security Settings tab. The MFA device of the account cannot be changed. 
                              • The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.
                              
 
                              
 
                              Changing the Password of an IAM User
                              As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user. 
                              
 
                              
-
                              1. Log in to the IAM console as the administrator.
                              2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
                              3. Click the Security Settings tab. In the Login Credentials area, click  in the Login Password row to reset the login password for the IAM user.
                                • Set by user: A one-time login URL will be emailed to the user. The user can then click the link to set a password.
                                • Automatically generated: A password will be automatically generated and then sent to the user by email.
                                • Set now: You set a new password and send the new password to the user.
                                
+
                                1. Log in to the IAM console as the administrator.
                                2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
                                3. Click the Security Settings tab. In the Login Credentials area, click  in the Login Password row to reset the login password for the IAM user.
                                  • Set by user: A one-time login URL will be emailed to the user. The user can then click the link to set a password.
                                  • Automatically generated: A password will be automatically generated and then sent to the user by email.
                                  • Set now: You set a new password and send the new password to the user.
                                  
 
                                
 
                                Changing the MFA Device for an IAM User
                                You can only change the MFA device for an IAM user, but not for the account.
                                
 
                                1. Log in to the IAM console as the administrator.
                                2. In the user list, click a username or click Security Settings in the Operation column to access the user details page.
                                3. Click the Security Settings tab and change the MFA device of the IAM user.
                                  • Change the mobile number or email address of the user. 
                                     
                                    The mobile number and email address of the IAM user cannot be the same as those of the account or other IAM users.
                                    
diff --git a/docs/iam/umn/iam_01_0703.html b/docs/iam/umn/iam_01_0703.html
index 9e6af60e7..02d388609 100644
--- a/docs/iam/umn/iam_01_0703.html
+++ b/docs/iam/umn/iam_01_0703.html
@@ -3,12 +3,12 @@
 
   
   
-
                                    Basic Information
                                    
+
                                    Basic Information 
                                    
 
                                    As an account administrator, both you and your IAM users can manage basic information on this page.
                                    
 
                                     
                                    • A mobile number or an email address can be bound only to one account or IAM user.
                                    • Only one mobile number, email address, and virtual MFA device can be bound to an account or IAM user.
                                    
 
                                    
-
                                    Changing the Login Password, Mobile Number, Virtual MFA Device, or Email Address
                                    The methods for changing the login password, mobile number, virtual MFA device, and email address are similar. To change the login password, do as follows:
                                    
-
                                    1. Go to the Security Settings page.
                                    2. Click the Basic Information tab, and click Change in the Login Password row.
                                    3. (Optional) Select email address or mobile number verification, and enter the verification code.
                                       
                                      If no email address or mobile number is bound, no verification is required.
                                      
+
                                      Changing the Login Password, Mobile Number, or 
                                      The methods for changing the login password, mobile number, virtual MFA device, and email address are similar. To change the login password, do as follows:
                                      
+
                                      1. Go to the Security Settings page.
                                      2. Click the Basic Information tab, and click Change in the Login Password row.
                                      3. (Optional) Select email address or mobile number verification, and enter the verification code.
                                         
                                        If no email address or mobile number is bound, no verification is required.
                                        
 
                                        
 
                                      4. Enter the old password and new password, and enter the new password again.
                                         
                                        • The password cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
                                        • To prevent password cracking, the administrator can configure the password policy to define password requirements, such as minimum password length. For details, see Password Policy.
                                        
 
                                        
diff --git a/docs/iam/umn/iam_01_0704.html b/docs/iam/umn/iam_01_0704.html
index 69bc5d460..40b93c0bd 100644
--- a/docs/iam/umn/iam_01_0704.html
+++ b/docs/iam/umn/iam_01_0704.html
@@ -4,20 +4,20 @@
   
   
 
                                        Login Authentication Policy
                                        
-
                                        The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom Information settings. These settings take effect for both your account and the IAM users created using the account.
                                        
+
                                        The Login Authentication Policy tab of the Security Settings page provides the Session timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom Information settings. These settings take effect for both your account and the IAM users created using the account.
                                        
 
                                        Only the administrator and entrusted identities can configure the login authentication policy. IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
                                        
-
                                        Session Timeout
                                        Set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period.
                                        
-
                                        Figure 1 Session Timeout
                                        
-
                                        The timeout ranges from 15 minutes to 24 hours, and the default timeout is 1 hour.
                                        
+
                                        Session timeout
                                        Set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period.
                                        
+
                                        Figure 1 Session timeout
                                        
+
                                        Only administrators and authorized identities can change the session timeout. The timeout ranges from 15 minutes to 24 hours, and the default timeout is 15 minutes.
                                        
 
                                        
 
                                        Account Lockout
                                        Set a duration to lock users out if a specific number of unsuccessful login attempts has been reached within a certain period. You cannot unlock your own account or an IAM user's account. Wait until the lock time expires.
                                        
-
                                        Figure 2 Account Lockout
                                        
-
                                        The administrator and entrusted identities can set the time for resetting the account lockout counter, maximum number of unsuccessful login attempts, and account lockout duration.
                                        
-
                                        • Time for resetting the account lockout counter: The value range is from 15 to 60 minutes, and the default value is 15 minutes.
                                        • Maximum number of unsuccessful login attempts: The value range is from 3 to 10, and the default value is 5.
                                        • Lockout duration: The value range is from 15 to 30 minutes, and the default value is 15 minutes.
                                        
+
                                        Figure 2 Account lockout
                                        
 
                                        
+
                                        The administrator and entrusted identities can set the account lockout duration, maximum number of unsuccessful login attempts before the account is locked, and time for resetting the account lockout counter.
                                        
+
                                        • Lockout duration: The value ranges from 15 to 30 minutes, and the default value is 15 minutes.
                                        • Maximum number of unsuccessful login attempts: The value ranges from 3 to 10, and the default value is 5.
                                        • Time for resetting the account lockout counter: The value ranges from 15 to 60 minutes, and the default value is 15 minutes.
                                        
 
                                        Account Disabling
                                        Set a validity period to disable IAM users if they have not accessed the cloud platform using the console or APIs within a certain period.
                                        
 
                                        This option is disabled by default. It can be enabled by the administrator or an entrusted identity. The validity period is from 1 day to 240 days.
                                        
-
                                        If you enable this option, the setting will take effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable their account again.
                                        
+
                                        If you enable this option, the setting will take effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable their account again.
                                        
 
                                        
 
                                        Recent Login Information
                                        Configure whether you want the system to display the previous login information after you log in. If incorrect login information is displayed on the Login Verification page, change your password immediately.
                                        
 
                                        This option is disabled by default and can be enabled by the administrator or an entrusted identity.
                                        
@@ -33,3 +33,10 @@
 
                                        
 
                                        
 
+
+
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0730.html b/docs/iam/umn/iam_01_0730.html
index f0102b549..5ff2e59f5 100644
--- a/docs/iam/umn/iam_01_0730.html
+++ b/docs/iam/umn/iam_01_0730.html
@@ -14,7 +14,7 @@
 
                                        
 
                                        Batch Deleting Agencies
                                        To delete multiple agencies, select the agencies to be deleted in the list and click Delete above the list.
                                        
 
                                        Figure 3 Batch deleting agencies
                                        
-
                                         
                                        After you delete an agency, all permissions granted to the delegated accounts will be revoked.
                                        
+
                                         
                                        After you delete an agency, all permissions granted to the delegated account will be cancelled.
                                        
 
                                        
 
                                        
 
                                        
diff --git a/docs/iam/umn/iam_03_0002.html b/docs/iam/umn/iam_03_0002.html
index 86d830641..9d8f58102 100644
--- a/docs/iam/umn/iam_03_0002.html
+++ b/docs/iam/umn/iam_03_0002.html
@@ -7,7 +7,7 @@
 
                                        A user inherits permissions from the groups which the user belongs to. To change the permissions of a user, add the user to a new group or remove the user from an existing group.
                                        
 
                                        Adding Users to a User Group
                                        1. In the user group list, click Manage User in the row containing the target user group.
                                        2. In the Manage User dialog box, select the usernames to be added.
                                        3. Click OK.
                                        
 
                                        
-
                                        Removing Users from a User Group
                                        1. In the user group list, click Manage User in the row containing the target user group.
                                        2. In the Selected Users area, locate the user to be removed and click the ×. Then, click OK.
                                        
+
                                        Removing Users from a User Group
                                        1. In the user group list, click Manage User in the row containing the target user group.
                                        2. In the Selected Users area, locate the user to be removed and click the ×. Then, click OK.
                                        
 
                                        
 
                                        
 
                                        
diff --git a/docs/iam/umn/iam_03_0004.html b/docs/iam/umn/iam_03_0004.html
index e08b56e54..067772288 100644
--- a/docs/iam/umn/iam_03_0004.html
+++ b/docs/iam/umn/iam_03_0004.html
@@ -7,9 +7,15 @@
 
                                        You can modify or delete permissions of a user group on its details page.
                                        
 
                                        Revoking Permissions of a User Group
                                        To revoke a policy or role attached to a user group, do the following:
                                        
 
                                        
-
                                        1. Log in to the . In the navigation pane, choose User Groups.
                                        2. Click the name of the user group to go to the group details page.
                                        3. On the Permissions tab, click Delete in the row that contains the role or policy you want to delete.
                                        4. In the displayed dialog box, click OK.
                                        
+
                                        1. Log in to the . In the navigation pane, choose User Groups.
                                        2. Click the name of the user group to go to the group details page.
                                        3. On the Permissions tab, click Delete in the row that contains the role or policy you want to delete.
                                        4. In the displayed dialog box, click OK.
                                        
 
                                        Batch Deleting Permissions of a User Group
                                        To revoke multiple policies or roles attached to a user group, do as follows:
                                        
-
                                        1. Log in to the . In the navigation pane, choose User Groups.
                                        2. Click the name of the user group to go to the group details page.
                                        3. On the Permissions page, select the roles or policies you want to delete and click Delete above the list.
                                        4. In the displayed dialog box, click OK.
                                        
+
                                        1. Log in to the . In the navigation pane, choose User Groups.
                                        2. Click the name of the user group to go to the group details page.
                                        3. On the Permissions page, select the roles or policies you want to delete and click Delete above the list.
                                        4. In the displayed dialog box, click OK.
                                        
+
                                        
+
                                        Managing Identity Policy-based Authorization
                                        To view the identity policy-based authorization on the new console, perform the following operations:
                                        
+
                                        1. Click the name of a user group to go to the details page.
                                        2. In the Permissions tab, click Check identity policy-based authorization records. You can assign and delete permissions for the user group in the Permissions tab.
                                          Figure 1 Checking identity policy-based authorization records
                                          
+
                                           
                                          After you click Authorize in the displayed pane on the left, you will go to the new console. You can assign permissions to the user group using identity policies.
                                          
+
                                          
+
                                        
 
                                        
 
                                        
 
                                        
@@ -18,3 +24,10 @@
 
                                        
 
                                        
 
+
+
\ No newline at end of file
diff --git a/docs/iam/umn/iam_06_0001.html b/docs/iam/umn/iam_06_0001.html
index 3e2127000..b914cc98f 100644
--- a/docs/iam/umn/iam_06_0001.html
+++ b/docs/iam/umn/iam_06_0001.html
@@ -1,7 +1,7 @@
 
 
 
                                        Process for Account Delegation
                                        
-
                                        The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.
                                        
+
                                        An agency enables you to delegate another account or service to implement O&M on your resources based on assigned permissions.
                                        
 
                                         
                                        You can delegate resource access only to accounts, rather than IAM users.
                                        
 
                                        
 
                                        The following is the procedure for delegating resource access to another account. Account A is the delegating party and account B is the delegated party.
                                        
diff --git a/docs/iam/umn/iam_07_0001.html b/docs/iam/umn/iam_07_0001.html
index f28557506..9b30125f6 100644
--- a/docs/iam/umn/iam_07_0001.html
+++ b/docs/iam/umn/iam_07_0001.html
@@ -4,45 +4,173 @@
   
   
 
                                        Security Settings Overview
                                        
-
                                        You can configure the basic information, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL. This chapter describes how to access the Security Settings page and who is the intended audience.
                                        
-
                                        Intended Audience
                                        Table 1 lists the intended audience of different functions provided on the Security Settings page and their access permissions for the functions.
                                        
-
-
                                        Table 1 Intended audience
                                        Function
                                        
+
                                        You can configure the basic information, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL. This chapter describes what permissions are required to and how to access the Security Settings page.
                                        
+
                                        Permissions Required for Security Settings
                                        Table 1 lists the permissions required for the operations in different tabs in security settings.
+
                                        
-
+
-
-
+
-
-
-
-
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                        Table 1 Permissions required for security settings
                                        Function
                                        
 
                                        Intended Audience
                                        
+
                                        Operation
                                        
+
                                        Permissions
                                        
                                         		
 
                                        
 
                                        Basic Information
                                        
+
                                        Login password
                                        
 
                                        IAM users: Full access
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your login password.
                                        
                                         		
 
                                        Critical Operations
                                        
+
                                        Modify
                                        
 
                                        • Administrator: Full access
                                        • IAM users: Read-only access
                                        
+
                                        You do not need to obtain the permissions to change your login password.
                                        
                                         		
 
                                        Login Authentication Policy
                                        
+
                                        Mobile number
                                        
 
                                        • Administrator and an entrusted identity: Full access
                                        • IAM users: Read-only access
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your bound mobile number.
                                        
                                         		
 
                                        Password Policy
                                        
+
                                        Modify
                                        
 
                                        • Administrator and an entrusted identity: Full access
                                        • IAM users: Read-only access
                                        
+
                                        You do not need to obtain the permissions to change your bound mobile number.
                                        
                                         		
 
                                        ACL
                                        
+
                                        Email address
                                        
 
                                        • Administrator and an entrusted identity: Full access
                                        • IAM users: Read-only access
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your bound email address.
                                        
+
                                        Modify
                                        
+
                                        You do not need to obtain the permissions to change your bound email address.
                                        
+
                                        Virtual MFA device
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your virtual MFA device.
                                        
+
                                        Bind
                                        
+
                                        You do not need to obtain the permissions to bind your virtual MFA device.
                                        
+
                                        Unbind
                                        
+
                                        You do not need to obtain the permissions to unbind your virtual MFA device.
                                        
+
                                        Login protection
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your login protection type.
                                        
+
                                        Operation protection
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getProtectPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateProtectPolicy
                                        
+
                                        Access key protection
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getProtectPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateProtectPolicy
                                        
+
                                        Information self-management
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getProtectPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateProtectPolicy
                                        
+
                                        USB KEY
                                        
+
                                        Query
                                        
+
                                        You do not need to obtain the permissions to query your USB key.
                                        
+
                                        Login authentication policy
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getLoginPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateLoginPolicy
                                        
+
                                        Password policy
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getPasswordPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updatePasswordPolicy
                                        
+
                                        Console access
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getConsoleAclPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateConsoleAclPolicy
                                        
+
                                        API access
                                        
+
                                        Query
                                        
+
                                        iam:securitypolicies:getApiAclPolicy
                                        
+
                                        Modify
                                        
+
                                        iam:securitypolicies:updateApiAclPolicy
                                        
                                         		
 
                                        
                                         
 
                                        
 
                                        
 
                                        
-
                                        Accessing the Security Settings Page
                                        1. Log in to the IAM console as an administrator or an entrusted identity.
                                        2. In the left navigation pane, choose Security Settings.
                                        
+
                                        
+
                                        Accessing the Security Settings Page
                                        1. Log in to the IAM console as an administrator or an entrusted identity.
                                        2. In the left navigation pane, choose Security Settings.
                                        
 
                                        • You and all IAM users created using your account can access the Security Settings page from the management console.
                                          1. Log in to the IAM console.
                                          2. In the left navigation pane, choose Security Settings.
                                          
 
                                        
 
                                        
diff --git a/docs/iam/umn/iam_07_0003.html b/docs/iam/umn/iam_07_0003.html
index 37ed95d7d..663627ea0 100644
--- a/docs/iam/umn/iam_07_0003.html
+++ b/docs/iam/umn/iam_07_0003.html
@@ -10,11 +10,13 @@
 
                                        
 
                                         
                                        • You can configure a maximum of 200 access control items.
                                        • Both IPv4 and IPv6 addresses can be used for console access, and only IPv4 addresses can be used for API access.
                                        
 
                                        
-
                                        IP Address Ranges
                                        You can specify the IP address range from 0.0.0.0 to 255.255.255.255 to control access to the cloud platform. The default setting is 0.0.0.0-255.255.255.255. If you do not specify a range or use the default range, your IAM users can access the cloud platform from IP addresses.
                                        
+
                                        IP Address Ranges
                                        You can specify the IP address range to control access to the cloud platform. The IPv4 address range is from 0.0.0.0 to 255.255.255.255 and the default setting is 0.0.0.0-255.255.255.255. The IPv6 address range is from 0:0:0:0:0:0:0:0 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF and the default setting is 0:0:0:0:0:0:0:0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF. If you do not specify a range or use the default range, your IAM users can access the cloud platform from any IP addresses. To disable IPv6 access, set the IP address to all zeros, for example, 0:0:0:0:0:0:0:0-0:0:0:0:0:0:0:0.
                                        
 
                                        
+
                                         
                                        The IP address of the current user must be in the allowed IP address range. Otherwise, the setting will fail.
                                        
+
                                        
 
                                        CIDR Blocks
                                        Specify CIDR blocks to control access to the cloud platform. For example, set CIDR Block to 10.10.10.10/32.
                                        
 
                                        
-
                                        VPC Endpoints
                                        Specify access to the cloud platform APIs only from the VPC Endpoint with the specified ID, for example, 0ccad098-b8f4-495a-9b10-613e2a5exxxx. You can set the VPC endpoint only on the API Access tab. If access control is not configured, you can access APIs from all VPC endpoints by default.
                                        
+
                                        VPC Endpoints
                                        Specify access to the cloud platform APIs only from the VPC Endpoint with the specified ID, for example, 0ccad098-b8f4-495a-9b10-613e2a5exxxx. You can set the VPC endpoint only on the API Access tab. If access control is not configured, you can access APIs from all VPC endpoints by default.
                                        
 
                                        Figure 1 VPC endpoints
                                        
 
                                         
                                        • User access is allowed if any of IP Address Ranges, CIDR Blocks, and VPC Endpoints is met.
                                        • To restore IP Address Ranges to the default settings (0.0.0.0-255.255.255.255) and clear the settings in CIDR Blocks and VPC Endpoints, click Restore Defaults.
                                        
 
                                        
diff --git a/docs/iam/umn/iam_08_0003.html b/docs/iam/umn/iam_08_0003.html
index 3d965782f..cc0c29a5b 100644
--- a/docs/iam/umn/iam_08_0003.html
+++ b/docs/iam/umn/iam_08_0003.html
@@ -10,7 +10,7 @@
 
                                      5. Upload the metadata file to the enterprise IdP server. For details, see the help documentation of the enterprise IdP.
                                      6. Obtain the metadata file of the enterprise IdP. For details, see the help documentation of the enterprise IdP.
                                        7. 
 
                                        
 
                                        Creating an IdP Entity on the Cloud Platform
                                        To create an IdP entity on the IAM console, do as follows:
                                        
-
                                        1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                          Figure 1 Creating an IdP entity
                                          
+
                                          1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                            Figure 1 Creating an IdP entity
                                            
 
                                          2. Specify the name, protocol, SSO type, status, and description of the IdP entity.
                                            Figure 2 Setting IdP parameters
                                            
 
 
                                            Table 1 Basic parameters of an IdP
                                            Parameter
                                            
@@ -49,7 +49,7 @@
 
                                             
                                            For details about how to obtain the metadata file of an enterprise IdP, see the help documentation of the enterprise IdP.
                                            
 
                                            
 
                                            • Upload a metadata file.
                                              1. Click Modify in the row containing the IdP.
                                                Figure 3 Modifying an IdP
                                                
-
                                              2. Click Select File and select the metadata file of the enterprise IdP.
                                                Figure 4 Uploading a metadata file
                                                
+
                                              3. Click Add and select the metadata file of the enterprise IdP.
                                                Figure 4 Uploading a metadata file
                                                
 
                                              4. Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
                                                • If the uploaded metadata file contains multiple IdPs, select the IdP you want to use from the Entity ID drop-down list.
                                                • If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
                                                
 
                                              5. Click OK.
                                              
 
                                            
@@ -128,7 +128,7 @@
 
                                            
 
                                          3. Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
                                          4. Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click OK in the displayed dialog box.
                                            5. 
 
-
                                            Follow-Up Procedure
                                            • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                                            • Configure identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Configuring Identity Conversion Rules.
                                            • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Verifying the Login.
                                            
+
                                            Follow-Up Procedure
                                            • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                                            • Configure identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Configuring Identity Conversion Rules.
                                            • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Verifying the Login.
                                            
 
                                            
 
                                            
 
                                            
diff --git a/docs/iam/umn/iam_08_0004.html b/docs/iam/umn/iam_08_0004.html
index eb08389a8..c06dd9648 100644
--- a/docs/iam/umn/iam_08_0004.html
+++ b/docs/iam/umn/iam_08_0004.html
@@ -1,7 +1,7 @@
 
 
 
                                            Configuring Identity Conversion Rules
                                            
-
                                            After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user on the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.
                                            
+
                                            After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user on the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.
                                            
 
                                            You can configure the following parameters for federated users:
                                            
 
                                            • Username: Usernames of federated users in the cloud platform.
                                            • User permissions: Permissions assigned to federated users in the cloud platform. You need to map the federated users to IAM user groups. In this way, the federated users can obtain the permissions of the user groups to use cloud resources. Ensure that user groups have been created. For details about how to create a user group, see Creating a User Group and Assigning Permissions.
                                            
 
                                             
                                            • Modifications to identity conversion rules will take effect the next time federated users log in.
                                            • To modify the permissions of a user, modify the permissions of the user group which the user belongs to. Then restart the enterprise IdP for the modifications to take effect.
                                            
@@ -9,7 +9,7 @@
 
                                            Prerequisites
                                            
 
                                            
 
                                            Procedure
                                            If you configure identity conversion rules by clicking Create Rule, IAM converts your specified parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                                            
-
                                            • Creating Rules
                                              1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                              2. In the IdP list, click Modify in the row containing the IdP.
                                              3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                                                
+
                                                • Creating Rules
                                                  1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                                  2. In the IdP list, click Modify in the row containing the IdP.
                                                  3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                                                    
 
                                                    
-
@@ -39,7 +39,7 @@
 
diff --git a/docs/iam/umn/iam_08_0005.html b/docs/iam/umn/iam_08_0005.html
index 5e1d4204d..f1e11d1ae 100644
--- a/docs/iam/umn/iam_08_0005.html
+++ b/docs/iam/umn/iam_08_0005.html
@@ -6,7 +6,7 @@
 
                                                    Procedure
                                                    1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                                                    2. Click View in the row containing the IdP.
                                                      Figure 1 Viewing IdP details
                                                      
 
                                                    3. Copy the login link by clicking  in the Login Link row.
                                                      Figure 2 Copying the login link
                                                      
-
                                                    4. Add the following statement to the page file of the enterprise management system:
                                                      <a href="<Login link>"> Cloud platform login entry </a>
                                                      
+
                                                    5. Add the following statement to the page file of the enterprise management system:
                                                      <a href="<Login link>"> Cloud platform login entry </a>
                                                      
 
                                                    6. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
                                                    
 
                                                    
diff --git a/docs/iam/umn/iam_08_0007.html b/docs/iam/umn/iam_08_0007.html
index d08eec4aa..7b9cd2ec6 100644
--- a/docs/iam/umn/iam_08_0007.html
+++ b/docs/iam/umn/iam_08_0007.html
@@ -6,7 +6,7 @@
 
                                                    Procedure
                                                    1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                                                    2. Click View in the row containing the IdP.
                                                      Figure 1 Viewing IdP details
                                                      
 
                                                    3. Copy the login link by clicking  in the Login Link row.
                                                      Figure 2 Copying the login link
                                                      
-
                                                    4. Add the following statement to the page file of the enterprise management system:
                                                      <a href="<Login link>"> Cloud platform login entry </a>
                                                      
+
                                                    5. Add the following statement to the page file of the enterprise management system:
                                                      <a href="<Login link>"> Cloud platform login entry </a>
                                                      
 
                                                    6. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
                                                    
 
                                                    
diff --git a/docs/iam/umn/iam_08_0008.html b/docs/iam/umn/iam_08_0008.html
index ce690fa92..5075a2e26 100644
--- a/docs/iam/umn/iam_08_0008.html
+++ b/docs/iam/umn/iam_08_0008.html
@@ -1,14 +1,14 @@
 
                                                    Configuring Identity Conversion Rules
                                                    
-
                                                    Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:
                                                    
+
                                                    Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:
                                                    
 
                                                    • Display enterprise users with different names in the cloud platform.
                                                    • Assign permissions to enterprise users to use the cloud platform resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.
                                                    
 
                                                     
                                                    • Modifications to identity conversion rules will take effect the next time federated users log in.
                                                    • To modify the permissions of a user, modify the permissions of the user group which the user belongs to. Then restart the enterprise IdP for the modifications to take effect.
                                                    
 
                                                    
 
                                                    Prerequisites
                                                    An IdP entity has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP entity, see Creating an IdP Entity.)
                                                    
 
                                                    
 
                                                    Procedure
                                                    If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                                                    
-
                                                    • Creating Rules
                                                      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                                      2. In the IdP list, click Modify in the row containing the IdP.
                                                      3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                                                        
+
                                                        • Creating Rules
                                                          1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                                          2. In the IdP list, click Modify in the row containing the IdP.
                                                          3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                                                            
 
                                                    Table 1 Parameter description
                                                    Parameter
                                                    
                                                     		
 
                                                    Description
                                                    
@@ -22,7 +22,7 @@
 
 
                                                    Username of federated users in the cloud platform.
                                                    
 
                                                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.
                                                    
+
                                                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.
                                                    
 
                                                     NOTICE: 
                                                    • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                                                    • The username can be any string that does not contain <, >, {, or }, or you can use a placeholder {0..n}. {0} indicates the first attribute of the user information in remote, and {1} indicates the second attribute.
                                                    
 
                                                    
 
                                                    Conditions that a federated user must meet to obtain permissions from the selected user groups.
                                                    
                                                     		
 
                                                    Federated users who do not meet these conditions cannot access the cloud platform. You can create a maximum of 10 conditions for an identity conversion rule.
                                                    
-
                                                    The Attribute and Value parameters are used for the enterprise IdP to transfer user information to the cloud platform through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.
                                                    
+
                                                    The Attribute and Value parameters are used for the enterprise IdP to transfer user information to the cloud platform through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.
                                                    
 
                                                     NOTE: 
                                                    • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
                                                    • An IdP can have multiple identity conversion rules. If none of the rules apply to a federated user, the federated user is not allowed to access the cloud platform.
                                                    
 
                                                    
                                                     		
 
 
 
 
 
 
                                                    
-
@@ -47,15 +47,15 @@
 
                                                    For example, set an identity conversion rule for administrators in the enterprise management system.
                                                    
-
                                                    • Username: FederationUser-IdP_admin
                                                    • User group: admin
                                                    • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).
                                                      Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.
                                                      
+
                                                      • Username: FederationUser-IdP_admin
                                                      • User group: admin
                                                      • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).
                                                        Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.
                                                        
 
                                                      
 
                                                    • In the Create Rule dialog box, click OK.
                                                    • On the Modify Identity Provider page, click OK.
                                                      • 
-
                                                    • Editing Rules
                                                      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                                      2. In the IdP list, click Modify in the row containing the IdP.
                                                      3. In the Identity Conversion Rules area, click Edit Rule.
                                                      4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                                                      5. Click Validate to verify the syntax of the rules.
                                                      6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.
                                                        If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.
                                                        
+
                                                      7. Editing Rules
                                                        1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                                                        2. In the IdP list, click Modify in the row containing the IdP.
                                                        3. In the Identity Conversion Rules area, click Edit Rule.
                                                        4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                                                        5. Click Validate to verify the syntax of the rules.
                                                        6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.
                                                          If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.
                                                          
 
                                                        
 
                                                    Verifying Federated User Permissions
                                                    After configuring identity conversion rules, verify the permissions of federated users.
                                                    
-
                                                    1. Log in as a federated user.
                                                      On the Identity Providers page of the , click View in the row containing the IdP. Click  to copy the login link displayed on the IdP details page, open the link using a browser, and then enter the username and password used in the enterprise management system.
                                                      
+
                                                      1. Log in as a federated user.
                                                        On the Identity Providers page of the , click View in the row containing the IdP. Click  to copy the login link displayed on the IdP details page, open the link using a browser, and then enter the username and password used in the enterprise management system.
                                                        
 
                                                      2. Check that the federated user has the permissions assigned to their user group.
                                                        For example, configure an identity conversion rule to map federated user ID1 to the admin user group so that ID1 will have full permissions for all cloud services. On the management console, select a cloud service, and check if you can access the service.
                                                        
 
                                                      
 
                                                    
diff --git a/docs/iam/umn/iam_08_0009.html b/docs/iam/umn/iam_08_0009.html
index a7caa7812..4dc75b89f 100644
--- a/docs/iam/umn/iam_08_0009.html
+++ b/docs/iam/umn/iam_08_0009.html
@@ -4,10 +4,10 @@
 
                                                    To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On the IAM console, create an IdP entity and configure authorization information.
                                                    
 
                                                    Prerequisites
                                                    • The enterprise administrator has created an account on the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
                                                    • The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain an enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.
                                                    
 
                                                    
-
                                                    Creating OAuth 2.0 Credentials in the Enterprise IdP
                                                    1. Set redirect URIs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
                                                    2. Obtain OAuth 2.0 credentials of the enterprise IdP.
                                                    
+
                                                    Creating OAuth 2.0 Credentials in the Enterprise IdP
                                                    1. Set redirect URIs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
                                                    2. Obtain OAuth 2.0 credentials of the enterprise IdP.
                                                    
 
                                                    
 
                                                    Creating an IdP Entity on the Cloud Platform
                                                    Create an IdP entity and configure authorization information in IAM to establish a trust relationship between the enterprise IdP and IAM.
                                                    
-
                                                    1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                                      Figure 1 Creating an IdP entity
                                                      
+
                                                      1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                                        Figure 1 Creating an IdP entity
                                                        
 
                                                      2. Enter an IdP name, select OpenID Connect and Enabled, and click OK.
                                                        Figure 2 Setting IdP parameters
                                                        
 
                                                         
                                                        The IdP name must be unique under your account. You are advised to use the domain name.
                                                        
 
                                                        
@@ -93,7 +93,7 @@
 
                                                    
 
                                                  4. Click OK.
                                                    5. 
 
                                                    
-
                                                    Verifying the Federated Login
                                                    1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.
                                                      1. On the Identity Providers page of the , click Modify in the Operation column of the identity provider.
                                                      2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
                                                        Figure 5 Copying the login link
                                                        
+
                                                        Verifying the Federated Login
                                                        1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.
                                                          1. On the Identity Providers page of the , click Modify in the Operation column of the identity provider.
                                                          2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
                                                            Figure 5 Copying the login link
                                                            
 
                                                          3. If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.
                                                          
 
                                                        2. Enter the username and password of a user that was created in the enterprise management system.
                                                          • If the login is successful, add the login link to the enterprise management system.
                                                          • If the login fails, check the username and password.
                                                          
 
                                                           
                                                          Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Configuring Identity Conversion Rules.
                                                          
diff --git a/docs/iam/umn/iam_08_0251.html b/docs/iam/umn/iam_08_0251.html
index 16a170c31..318f5b83e 100644
--- a/docs/iam/umn/iam_08_0251.html
+++ b/docs/iam/umn/iam_08_0251.html
@@ -4,7 +4,7 @@
   
   
 
                                                          Application Scenarios of Virtual User SSO and IAM User SSO
                                                          
-
                                                          IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.
                                                          
+
                                                          IAM supports two SSO types: virtual user SSO and IAM user SSO. An account cannot have both types of IdPs. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.
                                                          
 
                                                          Virtual User SSO
                                                          After a federated user logs in to the cloud platform, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:
                                                          
 
                                                          
 
                                                          • To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
                                                          • You want to assign permissions for cloud resources based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
                                                          • Your enterprise has branches and may require multiple enterprise IdPs. These IdPs need to access the same cloud account. You need to configure multiple IdPs in the cloud platform for identity federation.
                                                          
diff --git a/docs/iam/umn/iam_08_0254.html b/docs/iam/umn/iam_08_0254.html
index 740915055..1ca95f51a 100644
--- a/docs/iam/umn/iam_08_0254.html
+++ b/docs/iam/umn/iam_08_0254.html
@@ -11,7 +11,7 @@
 
                                                          Configuring Identity Federation
                                                          The following describes how to configure your enterprise IdP and the cloud platform to trust each other.
                                                          
 
                                                          Figure 1 Configuration of IAM user SSO via SAML
                                                          
 
                                                          1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                                                            Figure 2 Exchanging metadata files
                                                            
-
                                                          2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                                                          3. Configure an external identity ID: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
                                                            Figure 3 Mapping external identities to IAM users
                                                            
+
                                                          4. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                                                          5. Configure an external identity ID: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
                                                            Figure 3 Mapping external identities to IAM users
                                                            
 
                                                          6. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                                                          7. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                                                            Figure 4 SSO login model
                                                            
 
                                                          
 
                                                          
diff --git a/docs/iam/umn/iam_08_0255.html b/docs/iam/umn/iam_08_0255.html
index 222506996..6aabef170 100644
--- a/docs/iam/umn/iam_08_0255.html
+++ b/docs/iam/umn/iam_08_0255.html
@@ -11,7 +11,7 @@
 
                                                        3. Upload the metadata file to the enterprise IdP server. For details, see the help documentation of the enterprise IdP.
                                                        4. Obtain the metadata file of the enterprise IdP. For details, see the help documentation of the enterprise IdP.
                                                        
 
                                                        
 
                                                        Creating an IdP Entity on the Cloud Platform
                                                        To create an IdP entity on the IAM console, do as follows:
                                                        
-
                                                        1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                                          Figure 1 Creating an IdP entity
                                                          
+
                                                          1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
                                                            Figure 1 Creating an IdP entity
                                                            
 
                                                          2. Specify the name, protocol, SSO type, status, and description of the IdP entity.
                                                            Figure 2 Setting IdP parameters
                                                            
 
 
                                                    Table 1 Parameter description
                                                    Parameter
                                                    
                                                     		
 
                                                    Description
                                                    
@@ -21,7 +21,7 @@
 
 
                                                    Username of federated users in the cloud platform.
                                                    
 
                                                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.
                                                    
+
                                                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.
                                                    
 
                                                     NOTICE: 
                                                    • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                                                    • The username can be any string that does not contain <, >, {, or }, or you can use a placeholder {0..n}. {0} indicates the first attribute of the user information in remote, and {1} indicates the second attribute.
                                                    
 
                                                    
                                                     		
 
 
 
 
                                                    Table 1 Basic parameters of an IdP
                                                    Parameter
                                                    
@@ -50,7 +50,7 @@
 
                                                     
                                                    For details about how to obtain the metadata file of an enterprise IdP, see the help documentation of the enterprise IdP.
                                                    
 
                                                    
 
                                                    • Upload a metadata file.
                                                      1. Click Modify in the row containing the IdP.
                                                        Figure 3 Modifying an IdP
                                                        
-
                                                      2. Click Select File and select the metadata file of the enterprise IdP.
                                                        Figure 4 Uploading a metadata file
                                                        
+
                                                      3. Click Add and select the metadata file of the enterprise IdP.
                                                        Figure 4 Uploading a metadata file
                                                        
 
                                                      4. Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
                                                        • If the uploaded metadata file contains multiple IdPs, select the IdP you want to use from the Entity ID drop-down list.
                                                        • If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
                                                        
 
                                                      5. Click OK to save the settings.
                                                      
 
                                                    
diff --git a/docs/iam/umn/iam_08_0256.html b/docs/iam/umn/iam_08_0256.html
index 093bdbab0..6fe0c925f 100644
--- a/docs/iam/umn/iam_08_0256.html
+++ b/docs/iam/umn/iam_08_0256.html
@@ -21,7 +21,7 @@
 
                                                    ID of an enterprise IdP user (federated user)
                                                    
                                                     		
 
                                                    This parameter is mandatory when the SSO type is IAM user.
                                                    
-
                                                    Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.
                                                    
+
                                                    Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.
                                                    
                                                     		
 
                                                    
 
                                                    IAM_SAML_Attributes_redirect_url
                                                    
diff --git a/docs/iam/umn/iam_08_0259.html b/docs/iam/umn/iam_08_0259.html
index 6dc5732ed..511221384 100644
--- a/docs/iam/umn/iam_08_0259.html
+++ b/docs/iam/umn/iam_08_0259.html
@@ -7,9 +7,9 @@
 
                                                    Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.
                                                    
 
                                                    Prerequisites
                                                    • An IdP entity has been created on the cloud platform, and the login link for the IdP is available. For details, see Creating an IdP Entity.
                                                    • The login entry for logging in to the cloud platform has been configured in the enterprise management system.
                                                    
 
                                                    
-
                                                    Procedure
                                                    1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                                                    2. Click View in the row containing the IdP.
                                                      Figure 1 Viewing IdP details
                                                      
+
                                                      Procedure
                                                      1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                                                      2. Click View in the row containing the IdP.
                                                        Figure 1 Viewing IdP details
                                                        
 
                                                      3. Copy the login link by clicking  in the Login Link row.
                                                        Figure 2 Copying the login link
                                                        
-
                                                      4. Add the following statement to the page file of the enterprise management system:
                                                        <a href="<Login link>"> Cloud platform login entry </a>
                                                        
+
                                                      5. Add the following statement to the page file of the enterprise management system:
                                                        <a href="<Login link>"> Cloud platform login entry </a>
                                                        
 
                                                      6. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.