diff --git a/docs/iam/umn/.placeholder b/docs/iam/umn/.placeholder
deleted file mode 100644
index e69de29bb..000000000
diff --git a/docs/iam/umn/ALL_META.TXT.json b/docs/iam/umn/ALL_META.TXT.json
index 993e8fb40..1c3c48577 100644
--- a/docs/iam/umn/ALL_META.TXT.json
+++ b/docs/iam/umn/ALL_META.TXT.json
@@ -1,500 +1,540 @@ [ { "uri":"iam_01_0021.html", - "product_code":"iam", + "product_code":"", "code":"1", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Service Overview", "title":"Service Overview", "githuburl":"" }, { "uri":"iam_01_0026.html", - "product_code":"iam", + "product_code":"", "code":"2", "des":"Identity and Access Management (IAM) provides identity authentication, permissions management, and access control. With IAM, you can create users for individuals, systems", - "doc_type":"usermanual", + "doc_type":"", "kw":"What Is IAM?,Service Overview,User Guide", "title":"What Is IAM?", "githuburl":"" }, { "uri":"en-us_topic_0046611276.html", - "product_code":"iam", + "product_code":"", "code":"3", "des":"IAM provides the following basic functions:Refined permissions managementYou can control user access to different projects and grant different permissions to users for th", - "doc_type":"usermanual", + "doc_type":"", "kw":"IAM Features,Service Overview,User Guide", "title":"IAM Features", "githuburl":"" }, { "uri":"iam_01_0023.html", - "product_code":"iam", + "product_code":"", "code":"4", "des":"You can manage users in your account and their security credentials. 
In addition, you can configure federated identity authentication so that users in other systems can a", - "doc_type":"usermanual", + "doc_type":"", "kw":"Identity Management,Service Overview,User Guide", "title":"Identity Management", "githuburl":"" }, { "uri":"iam_01_0024.html", - "product_code":"iam", + "product_code":"", "code":"5", "des":"You can grant users permissions to access different resources.Plan user groups and grant permissions to each user group.Add a user to a specific user group so that the us", - "doc_type":"usermanual", + "doc_type":"", "kw":"Permissions Management,Service Overview,User Guide", "title":"Permissions Management", "githuburl":"" }, { "uri":"iam_01_0035.html", - "product_code":"iam", + "product_code":"", "code":"6", "des":"To prevent personal data, such as the username, password, and mobile number, from being accessed by unauthorized entities or individuals, IAM encrypts the data before sto", - "doc_type":"usermanual", + "doc_type":"", "kw":"Personal Data Protection Mechanism,Service Overview,User Guide", "title":"Personal Data Protection Mechanism", "githuburl":"" }, { "uri":"iam_01_0027.html", - "product_code":"iam", + "product_code":"", "code":"7", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Getting Started", "title":"Getting Started", "githuburl":"" }, { "uri":"iam_01_0034.html", - "product_code":"iam", + "product_code":"", "code":"8", "des":"Your account has full access to your resources. 
For security purposes, create a security administrator and perform routine management as the security administrator.If a u", - "doc_type":"usermanual", + "doc_type":"", "kw":"Getting Started with IAM,Getting Started,User Guide", "title":"Getting Started with IAM", "githuburl":"" }, { "uri":"iam_01_0029.html", - "product_code":"iam", + "product_code":"", "code":"9", "des":"For security purposes, create a security administrator and manage users in your account as the security administrator.Programmatic access: Users can access cloud services", - "doc_type":"usermanual", + "doc_type":"", "kw":"Username,Creating a Security Administrator,Getting Started,User Guide", "title":"Creating a Security Administrator", "githuburl":"" }, { "uri":"iam_01_0030.html", - "product_code":"iam", + "product_code":"", "code":"10", "des":"As a security administrator, you can create user groups and grant them permissions.To enable users to directly view their permissions, set a description for the user grou", - "doc_type":"usermanual", + "doc_type":"", "kw":"Creating a User Group and Assigning Permissions,Getting Started,User Guide", "title":"Creating a User Group and Assigning Permissions", "githuburl":"" }, { "uri":"iam_01_0031.html", - "product_code":"iam", + "product_code":"", "code":"11", "des":"As a security administrator, you can create a user and add the user to a user group. 
The user automatically inherits the permissions of the user group.For security purpos", - "doc_type":"usermanual", + "doc_type":"", "kw":"Username,Creating a User and Adding the User to a User Group,Getting Started,User Guide", "title":"Creating a User and Adding the User to a User Group", "githuburl":"" }, { "uri":"iam_01_0032.html", - "product_code":"iam", + "product_code":"", "code":"12", "des":"You can log in to the cloud system as a user and access cloud services based on granted permissions.Verify the information displayed on the Login Verification page during", - "doc_type":"usermanual", + "doc_type":"", "kw":"Logging In as a User,Getting Started,User Guide", "title":"Logging In as a User", "githuburl":"" }, { "uri":"iam_01_0040.html", - "product_code":"iam", + "product_code":"", "code":"13", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"User Guide", "title":"User Guide", "githuburl":"" }, { "uri":"iam_01_0011.html", - "product_code":"iam", + "product_code":"", "code":"14", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Auditing", "title":"Auditing", "githuburl":"" }, { "uri":"iam_01_0012.html", - "product_code":"iam", + "product_code":"", "code":"15", "des":"Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).", - "doc_type":"usermanual", + "doc_type":"", "kw":"IAM Operations That Can Be Recorded by CTS,Auditing,User Guide", "title":"IAM Operations That Can Be Recorded by CTS", "githuburl":"" }, { "uri":"iam_01_0013.html", - "product_code":"iam", + "product_code":"", "code":"16", "des":"After you enable CTS, it records key operations performed on IAM. You can view the operation records of the last 7 days on the CTS console.The following filters are avail", - "doc_type":"usermanual", + "doc_type":"", "kw":"Viewing Audit Logs,Auditing,User Guide", "title":"Viewing Audit Logs", "githuburl":"" }, { "uri":"iam_01_06.html", - "product_code":"iam", + "product_code":"", "code":"17", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"User and User Group Management", "title":"User and User Group Management", "githuburl":"" }, { "uri":"en-us_topic_0079496985.html", - "product_code":"iam", + "product_code":"", "code":"18", "des":"As a security administrator, you can grant permissions to a user group and add users to it. 
The users inherit the permissions of the user group and can access the cloud s", - "doc_type":"usermanual", + "doc_type":"", "kw":"Managing Users and Permissions,User and User Group Management,User Guide", "title":"Managing Users and Permissions", "githuburl":"" }, { "uri":"en-us_topic_0066738518.html", - "product_code":"iam", + "product_code":"", "code":"19", "des":"Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources ", - "doc_type":"usermanual", + "doc_type":"", "kw":"Managing Projects,User and User Group Management,User Guide", "title":"Managing Projects", "githuburl":"" }, { "uri":"en-us_topic_0046611269.html", - "product_code":"iam", + "product_code":"", "code":"20", "des":"You can plan user groups based on user responsibilities and grant the required permissions to the user groups. Users inherit permissions from the user groups to which the", - "doc_type":"usermanual", + "doc_type":"", "kw":"Creating a User Group,User and User Group Management,User Guide", "title":"Creating a User Group", "githuburl":"" }, { "uri":"en-us_topic_0046611303.html", - "product_code":"iam", + "product_code":"", "code":"21", "des":"If you need to share resources in your account to other users, you can create users by using the console or by calling an API, and set security credentials and required p", - "doc_type":"usermanual", + "doc_type":"", "kw":"Username,Creating a User,User and User Group Management,User Guide", "title":"Creating a User", "githuburl":"" }, { "uri":"en-us_topic_0079497018.html", - "product_code":"iam", + "product_code":"", "code":"22", "des":"Resources in different projects or regions are isolated. You can access resources only in the projects or regions for which you have been granted permissions. 
If you do n", - "doc_type":"usermanual", + "doc_type":"", "kw":"Switching Projects or Regions,User and User Group Management,User Guide", "title":"Switching Projects or Regions", "githuburl":"" }, { "uri":"en-us_topic_0046661675.html", - "product_code":"iam", + "product_code":"", "code":"23", "des":"As an administrator, you can view and modify the basic information, user groups, and logs of each user. In addition, you can change the groups to which a user belongs if ", - "doc_type":"usermanual", + "doc_type":"", "kw":"Viewing and Modifying User Information,User and User Group Management,User Guide", "title":"Viewing and Modifying User Information", "githuburl":"" }, { "uri":"en-us_topic_0085605493.html", - "product_code":"iam", + "product_code":"", "code":"24", "des":"As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the grou", - "doc_type":"usermanual", + "doc_type":"", "kw":"Viewing and Modifying User Group Information,User and User Group Management,User Guide", "title":"Viewing and Modifying User Group Information", "githuburl":"" }, { "uri":"en-us_topic_0080335069.html", - "product_code":"iam", + "product_code":"", "code":"25", "des":"You can modify user permissions using either of the following methods:Change the user groups to which a user belongs on the Modify User page. Choose this method if you wa", - "doc_type":"usermanual", + "doc_type":"", "kw":"Modifying User Permissions,User and User Group Management,User Guide", "title":"Modifying User Permissions", "githuburl":"" }, { "uri":"iam_01_0015.html", - "product_code":"iam", + "product_code":"", "code":"26", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Fine-Grained Policy Management", "title":"Fine-Grained Policy Management", "githuburl":"" }, { "uri":"iam_01_019.html", - "product_code":"iam", + "product_code":"", "code":"27", "des":"A fine-grained policy is a set of permissions that define operations allowed to be performed on specific cloud services. A policy can contain multiple permission sets. Af", - "doc_type":"usermanual", + "doc_type":"", "kw":"Fine-Grained Policies,Fine-Grained Policy Management,User Guide", "title":"Fine-Grained Policies", "githuburl":"" }, { "uri":"iam_01_0017.html", - "product_code":"iam", + "product_code":"", "code":"28", "des":"A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).Version: Distinguishes between role-based access control (RBA", - "doc_type":"usermanual", + "doc_type":"", "kw":"Policy Syntax,Fine-Grained Policy Management,User Guide", "title":"Policy Syntax", "githuburl":"" }, { - "uri":"en-us_topic_0274187246.html", - "product_code":"iam", + "uri":"iam_01_0016.html", + "product_code":"", "code":"29", "des":"You can create custom policies to supplement system-defined policies and implement more refined access control.Global services: Select this option if the services to whic", - "doc_type":"usermanual", + "doc_type":"", "kw":"Creating a Custom Policy,Fine-Grained Policy Management,User Guide", "title":"Creating a Custom Policy", "githuburl":"" }, { "uri":"iam_01_0600.html", - "product_code":"iam", + "product_code":"", "code":"30", "des":"Use the following method to assign permissions of the FullAccess policy to a user but also forbid the user from accessing CTS. 
Create a custom policy for denying access t", - "doc_type":"usermanual", + "doc_type":"", "kw":"Custom Policy Use Cases,Fine-Grained Policy Management,User Guide", "title":"Custom Policy Use Cases", "githuburl":"" }, { "uri":"en-us_topic_0046611308.html", - "product_code":"iam", + "product_code":"", "code":"31", "des":"Users with Security Administrator permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.In the", - "doc_type":"usermanual", + "doc_type":"", "kw":"Account Settings,User Guide,User Guide", "title":"Account Settings", "githuburl":"" }, { "uri":"en-us_topic_0079496986.html", - "product_code":"iam", + "product_code":"", "code":"32", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Agency Management", "title":"Agency Management", "githuburl":"" }, { "uri":"iam_01_0054.html", - "product_code":"iam", + "product_code":"", "code":"33", "des":"Agency is a trust relationship between a delegating account and a delegated account. By creating an agency, you can grant permissions to another account or cloud service ", - "doc_type":"usermanual", + "doc_type":"", "kw":"Delegating Resource Access to Another Account,Agency Management,User Guide", "title":"Delegating Resource Access to Another Account", "githuburl":"" }, { "uri":"en-us_topic_0046613147.html", - "product_code":"iam", + "product_code":"", "code":"34", "des":"By creating an agency, you can share your resources with another account or a cloud service (such as ECS), or delegate an individual or team to manage your resources. 
You", - "doc_type":"usermanual", + "doc_type":"", "kw":"Creating an Agency (by a Delegating Party),Agency Management,User Guide", "title":"Creating an Agency (by a Delegating Party)", "githuburl":"" }, { "uri":"iam_01_0063.html", - "product_code":"iam", + "product_code":"", "code":"35", "des":"When a trust relationship is established between another account and your account, you become a delegated party and you can authorize a user to manage resources for the d", - "doc_type":"usermanual", + "doc_type":"", "kw":"Assigning Permissions to a User (by a Delegated Party),Agency Management,User Guide", "title":"Assigning Permissions to a User (by a Delegated Party)", "githuburl":"" }, { "uri":"en-us_topic_0046613148.html", - "product_code":"iam", + "product_code":"", "code":"36", "des":"When an account establishes a trust relationship between itself and your account, you become a delegated party. You and all the users you have authorized can switch to th", - "doc_type":"usermanual", + "doc_type":"", "kw":"Switching Roles (by a Delegated Party),Agency Management,User Guide", "title":"Switching Roles (by a Delegated Party)", "githuburl":"" }, { "uri":"en-us_topic_0059870089.html", - "product_code":"iam", + "product_code":"", "code":"37", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Federated Identity Authentication", "title":"Federated Identity Authentication", "githuburl":"" }, { "uri":"en-us_topic_0079620341.html", - "product_code":"iam", + "product_code":"", "code":"38", "des":"If you have an identity authentication system, you do not need to create new users in the service provider system. 
Instead, you can configure federated identity authentic", - "doc_type":"usermanual", + "doc_type":"", "kw":"Introduction,Federated Identity Authentication,User Guide", "title":"Introduction", "githuburl":"" }, { "uri":"iam_08_0002.html", - "product_code":"iam", + "product_code":"", "code":"39", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"SAML-based Federated Identity Authentication", "title":"SAML-based Federated Identity Authentication", "githuburl":"" }, { "uri":"iam_08_0003.html", - "product_code":"iam", + "product_code":"", "code":"40", "des":"To establish a trust relationship between an enterprise identity provider and the cloud system, upload the metadata file of the cloud system to the identity provider, and", - "doc_type":"usermanual", + "doc_type":"", "kw":"Step 1: Create an Identity Provider,SAML-based Federated Identity Authentication,User Guide", "title":"Step 1: Create an Identity Provider", "githuburl":"" }, { "uri":"iam_08_0004.html", - "product_code":"iam", + "product_code":"", "code":"41", "des":"As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. 
By configuring identity conversion rule", - "doc_type":"usermanual", + "doc_type":"", "kw":"Step 2: Configure Identity Conversion Rules,SAML-based Federated Identity Authentication,User Guide", "title":"Step 2: Configure Identity Conversion Rules", "githuburl":"" }, { "uri":"iam_08_0005.html", - "product_code":"iam", + "product_code":"", "code":"42", "des":"Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.An identity pr", - "doc_type":"usermanual", + "doc_type":"", "kw":"Step 3: Configure Login Link in the Enterprise Management System,SAML-based Federated Identity Authe", "title":"Step 3: Configure Login Link in the Enterprise Management System", "githuburl":"" }, { - "uri":"en-us_topic_0079620340.html", - "product_code":"iam", + "uri":"iam_08_0010.html", + "product_code":"", "code":"43", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"", + "kw":"OpenID Connect–based Federated Identity Authentication", + "title":"OpenID Connect–based Federated Identity Authentication", + "githuburl":"" + }, + { + "uri":"iam_08_0009.html", + "product_code":"", + "code":"44", + "des":"To establish a trust relationship between an enterprise identity provider and the cloud system, create an identity provider and configure authorization information on the", + "doc_type":"", + "kw":"Step 1: Create an Identity Provider,OpenID Connect–based Federated Identity Authentication,User Guid", + "title":"Step 1: Create an Identity Provider", + "githuburl":"" + }, + { + "uri":"iam_08_0008.html", + "product_code":"", + "code":"45", + "des":"As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rule", + "doc_type":"", + "kw":"Step 2: Configure Identity Conversion Rules,OpenID Connect–based Federated Identity Authentication,U", + "title":"Step 2: Configure Identity Conversion Rules", + "githuburl":"" + }, + { + "uri":"iam_08_0007.html", + "product_code":"", + "code":"46", + "des":"Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.An identity pr", + "doc_type":"", + "kw":"Step 3: Configure Login Link in the Enterprise Management System,OpenID Connect–based Federated Iden", + "title":"Step 3: Configure Login Link in the Enterprise Management System", + "githuburl":"" + }, + { + "uri":"en-us_topic_0079620340.html", + "product_code":"", + "code":"47", "des":"An identity conversion rule is a JSON object which can be modified. 
The following is an example JSON object:[ \n { \n \"remote\": [ \n { \n ", - "doc_type":"usermanual", + "doc_type":"", "kw":"Syntax of Identity Conversion Rules,Federated Identity Authentication,User Guide", "title":"Syntax of Identity Conversion Rules", "githuburl":"" }, { "uri":"iam_10_0002.html", - "product_code":"iam", - "code":"44", + "product_code":"", + "code":"48", "des":"MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and ", - "doc_type":"usermanual", + "doc_type":"", "kw":"MFA Authentication and Virtual MFA Device,User Guide,User Guide", "title":"MFA Authentication and Virtual MFA Device", "githuburl":"" }, { "uri":"iam_01_0000.html", - "product_code":"iam", - "code":"45", + "product_code":"", + "code":"49", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"FAQs", "title":"FAQs", "githuburl":"" }, { "uri":"iam_01_0002.html", - "product_code":"iam", - "code":"46", + "product_code":"", + "code":"50", "des":"For account security purposes, you are advised to enable login authentication. After this function is enabled, users need to enter an SMS, MFA, or email verification code", - "doc_type":"usermanual", + "doc_type":"", "kw":"How Do I Enable Login Authentication?,FAQs,User Guide", "title":"How Do I Enable Login Authentication?", "githuburl":"" }, { "uri":"iam_01_0003.html", - "product_code":"iam", - "code":"47", + "product_code":"", + "code":"51", "des":"MFA authentication provides an additional layer of protection on top of the username and password. 
If MFA–based login authentication is enabled, you will need to enter a ", - "doc_type":"usermanual", + "doc_type":"", "kw":"How Do I Bind a Virtual MFA Device?,FAQs,User Guide", "title":"How Do I Bind a Virtual MFA Device?", "githuburl":"" }, { "uri":"iam_01_0001.html", - "product_code":"iam", - "code":"48", + "product_code":"", + "code":"52", "des":"After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. Open ", - "doc_type":"usermanual", + "doc_type":"", "kw":"How Do I Obtain MFA Verification Codes?,FAQs,User Guide", "title":"How Do I Obtain MFA Verification Codes?", "githuburl":"" }, { "uri":"iam_01_0004.html", - "product_code":"iam", - "code":"49", + "product_code":"", + "code":"53", "des":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ", - "doc_type":"usermanual", + "doc_type":"", "kw":"How Do I Unbind a Virtual MFA Device?,FAQs,User Guide", "title":"How Do I Unbind a Virtual MFA Device?", "githuburl":"" }, { "uri":"en-us_topic_0046611300.html", - "product_code":"iam", - "code":"50", + "product_code":"", + "code":"54", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "doc_type":"usermanual", + "doc_type":"", "kw":"Change History,User Guide", "title":"Change History", "githuburl":"" diff --git a/docs/iam/umn/CLASS.TXT.json b/docs/iam/umn/CLASS.TXT.json index 4b326fa69..85143d7af 100644 --- a/docs/iam/umn/CLASS.TXT.json +++ b/docs/iam/umn/CLASS.TXT.json 
@@ -1,452 +1,488 @@ [ { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Service Overview", "uri":"iam_01_0021.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"", "code":"1" }, { "desc":"Identity and Access Management (IAM) provides identity authentication, permissions management, and access control. With IAM, you can create users for individuals, systems", - "product_code":"iam", + "product_code":"", "title":"What Is IAM?", "uri":"iam_01_0026.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"1", "code":"2" }, { "desc":"IAM provides the following basic functions:Refined permissions managementYou can control user access to different projects and grant different permissions to users for th", - "product_code":"iam", + "product_code":"", "title":"IAM Features", "uri":"en-us_topic_0046611276.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"1", "code":"3" }, { "desc":"You can manage users in your account and their security credentials. 
In addition, you can configure federated identity authentication so that users in other systems can a", - "product_code":"iam", + "product_code":"", "title":"Identity Management", "uri":"iam_01_0023.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"1", "code":"4" }, { "desc":"You can grant users permissions to access different resources.Plan user groups and grant permissions to each user group.Add a user to a specific user group so that the us", - "product_code":"iam", + "product_code":"", "title":"Permissions Management", "uri":"iam_01_0024.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"1", "code":"5" }, { "desc":"To prevent personal data, such as the username, password, and mobile number, from being accessed by unauthorized entities or individuals, IAM encrypts the data before sto", - "product_code":"iam", + "product_code":"", "title":"Personal Data Protection Mechanism", "uri":"iam_01_0035.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"1", "code":"6" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Getting Started", "uri":"iam_01_0027.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"", "code":"7" }, { "desc":"Your account has full access to your resources. 
For security purposes, create a security administrator and perform routine management as the security administrator.If a u", - "product_code":"iam", + "product_code":"", "title":"Getting Started with IAM", "uri":"iam_01_0034.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"7", "code":"8" }, { "desc":"For security purposes, create a security administrator and manage users in your account as the security administrator.Programmatic access: Users can access cloud services", - "product_code":"iam", + "product_code":"", "title":"Creating a Security Administrator", "uri":"iam_01_0029.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"7", "code":"9" }, { "desc":"As a security administrator, you can create user groups and grant them permissions.To enable users to directly view their permissions, set a description for the user grou", - "product_code":"iam", + "product_code":"", "title":"Creating a User Group and Assigning Permissions", "uri":"iam_01_0030.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"7", "code":"10" }, { "desc":"As a security administrator, you can create a user and add the user to a user group. The user automatically inherits the permissions of the user group.For security purpos", - "product_code":"iam", + "product_code":"", "title":"Creating a User and Adding the User to a User Group", "uri":"iam_01_0031.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"7", "code":"11" }, { "desc":"You can log in to the cloud system as a user and access cloud services based on granted permissions.Verify the information displayed on the Login Verification page during", - "product_code":"iam", + "product_code":"", "title":"Logging In as a User", "uri":"iam_01_0032.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"7", "code":"12" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"User Guide", "uri":"iam_01_0040.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"", "code":"13" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Auditing", "uri":"iam_01_0011.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"14" }, { "desc":"Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).", - "product_code":"iam", + "product_code":"", "title":"IAM Operations That Can Be Recorded by CTS", "uri":"iam_01_0012.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"14", "code":"15" }, { "desc":"After you enable CTS, it records key operations performed on IAM. You can view the operation records of the last 7 days on the CTS console.The following filters are avail", - "product_code":"iam", + "product_code":"", "title":"Viewing Audit Logs", "uri":"iam_01_0013.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"14", "code":"16" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"User and User Group Management", "uri":"iam_01_06.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"17" }, { "desc":"As a security administrator, you can grant permissions to a user group and add users to it. 
The users inherit the permissions of the user group and can access the cloud s", - "product_code":"iam", + "product_code":"", "title":"Managing Users and Permissions", "uri":"en-us_topic_0079496985.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"18" }, { "desc":"Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources ", - "product_code":"iam", + "product_code":"", "title":"Managing Projects", "uri":"en-us_topic_0066738518.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"19" }, { "desc":"You can plan user groups based on user responsibilities and grant the required permissions to the user groups. Users inherit permissions from the user groups to which the", - "product_code":"iam", + "product_code":"", "title":"Creating a User Group", "uri":"en-us_topic_0046611269.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"20" }, { "desc":"If you need to share resources in your account to other users, you can create users by using the console or by calling an API, and set security credentials and required p", - "product_code":"iam", + "product_code":"", "title":"Creating a User", "uri":"en-us_topic_0046611303.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"21" }, { "desc":"Resources in different projects or regions are isolated. You can access resources only in the projects or regions for which you have been granted permissions. If you do n", - "product_code":"iam", + "product_code":"", "title":"Switching Projects or Regions", "uri":"en-us_topic_0079497018.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"22" }, { "desc":"As an administrator, you can view and modify the basic information, user groups, and logs of each user. 
In addition, you can change the groups to which a user belongs if ", - "product_code":"iam", + "product_code":"", "title":"Viewing and Modifying User Information", "uri":"en-us_topic_0046661675.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"23" }, { "desc":"As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the grou", - "product_code":"iam", + "product_code":"", "title":"Viewing and Modifying User Group Information", "uri":"en-us_topic_0085605493.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"24" }, { "desc":"You can modify user permissions using either of the following methods:Change the user groups to which a user belongs on the Modify User page. Choose this method if you wa", - "product_code":"iam", + "product_code":"", "title":"Modifying User Permissions", "uri":"en-us_topic_0080335069.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"17", "code":"25" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Fine-Grained Policy Management", "uri":"iam_01_0015.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"26" }, { "desc":"A fine-grained policy is a set of permissions that define operations allowed to be performed on specific cloud services. A policy can contain multiple permission sets. 
Af", - "product_code":"iam", + "product_code":"", "title":"Fine-Grained Policies", "uri":"iam_01_019.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"26", "code":"27" }, { "desc":"A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).Version: Distinguishes between role-based access control (RBA", - "product_code":"iam", + "product_code":"", "title":"Policy Syntax", "uri":"iam_01_0017.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"26", "code":"28" }, { "desc":"You can create custom policies to supplement system-defined policies and implement more refined access control.Global services: Select this option if the services to whic", - "product_code":"iam", + "product_code":"", "title":"Creating a Custom Policy", - "uri":"en-us_topic_0274187246.html", - "doc_type":"usermanual", + "uri":"iam_01_0016.html", + "doc_type":"", "p_code":"26", "code":"29" }, { "desc":"Use the following method to assign permissions of the FullAccess policy to a user but also forbid the user from accessing CTS. Create a custom policy for denying access t", - "product_code":"iam", + "product_code":"", "title":"Custom Policy Use Cases", "uri":"iam_01_0600.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"26", "code":"30" }, { "desc":"Users with Security Administrator permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.In the", - "product_code":"iam", + "product_code":"", "title":"Account Settings", "uri":"en-us_topic_0046611308.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"31" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Agency Management", "uri":"en-us_topic_0079496986.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"32" }, { "desc":"Agency is a trust relationship between a delegating account and a delegated account. By creating an agency, you can grant permissions to another account or cloud service ", - "product_code":"iam", + "product_code":"", "title":"Delegating Resource Access to Another Account", "uri":"iam_01_0054.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"32", "code":"33" }, { "desc":"By creating an agency, you can share your resources with another account or a cloud service (such as ECS), or delegate an individual or team to manage your resources. You", - "product_code":"iam", + "product_code":"", "title":"Creating an Agency (by a Delegating Party)", "uri":"en-us_topic_0046613147.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"32", "code":"34" }, { "desc":"When a trust relationship is established between another account and your account, you become a delegated party and you can authorize a user to manage resources for the d", - "product_code":"iam", + "product_code":"", "title":"Assigning Permissions to a User (by a Delegated Party)", "uri":"iam_01_0063.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"32", "code":"35" }, { "desc":"When an account establishes a trust relationship between itself and your account, you become a delegated party. 
You and all the users you have authorized can switch to th", - "product_code":"iam", + "product_code":"", "title":"Switching Roles (by a Delegated Party)", "uri":"en-us_topic_0046613148.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"32", "code":"36" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Federated Identity Authentication", "uri":"en-us_topic_0059870089.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"13", "code":"37" }, { "desc":"If you have an identity authentication system, you do not need to create new users in the service provider system. Instead, you can configure federated identity authentic", - "product_code":"iam", + "product_code":"", "title":"Introduction", "uri":"en-us_topic_0079620341.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"37", "code":"38" }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"SAML-based Federated Identity Authentication", "uri":"iam_08_0002.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"37", "code":"39" }, { "desc":"To establish a trust relationship between an enterprise identity provider and the cloud system, upload the metadata file of the cloud system to the identity provider, and", - "product_code":"iam", + "product_code":"", "title":"Step 1: Create an Identity Provider", "uri":"iam_08_0003.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"39", "code":"40" }, { "desc":"As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rule", - "product_code":"iam", + "product_code":"", "title":"Step 2: Configure Identity Conversion Rules", "uri":"iam_08_0004.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"39", "code":"41" }, { "desc":"Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.An identity pr", - "product_code":"iam", + "product_code":"", "title":"Step 3: Configure Login Link in the Enterprise Management System", "uri":"iam_08_0005.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"39", "code":"42" }, { - "desc":"An identity conversion rule is a JSON object which can be modified. The following is an example JSON object:[ \n { \n \"remote\": [ \n { \n ", - "product_code":"iam", - "title":"Syntax of Identity Conversion Rules", - "uri":"en-us_topic_0079620340.html", - "doc_type":"usermanual", + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"", + "title":"OpenID Connect–based Federated Identity Authentication", + "uri":"iam_08_0010.html", + "doc_type":"", "p_code":"37", "code":"43" }, { - "desc":"MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and ", - "product_code":"iam", - "title":"MFA Authentication and Virtual MFA Device", - "uri":"iam_10_0002.html", - "doc_type":"usermanual", - "p_code":"13", + "desc":"To establish a trust relationship between an enterprise identity provider and the cloud system, create an identity provider and configure authorization information on the", + "product_code":"", + "title":"Step 1: Create an Identity Provider", + "uri":"iam_08_0009.html", + "doc_type":"", + "p_code":"43", "code":"44" }, { - "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", - "title":"FAQs", - "uri":"iam_01_0000.html", - "doc_type":"usermanual", - "p_code":"", + "desc":"As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rule", + "product_code":"", + "title":"Step 2: Configure Identity Conversion Rules", + "uri":"iam_08_0008.html", + "doc_type":"", + "p_code":"43", "code":"45" }, { - "desc":"For account security purposes, you are advised to enable login authentication. 
After this function is enabled, users need to enter an SMS, MFA, or email verification code", - "product_code":"iam", - "title":"How Do I Enable Login Authentication?", - "uri":"iam_01_0002.html", - "doc_type":"usermanual", - "p_code":"45", + "desc":"Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.An identity pr", + "product_code":"", + "title":"Step 3: Configure Login Link in the Enterprise Management System", + "uri":"iam_08_0007.html", + "doc_type":"", + "p_code":"43", "code":"46" }, { - "desc":"MFA authentication provides an additional layer of protection on top of the username and password. If MFA–based login authentication is enabled, you will need to enter a ", - "product_code":"iam", - "title":"How Do I Bind a Virtual MFA Device?", - "uri":"iam_01_0003.html", - "doc_type":"usermanual", - "p_code":"45", + "desc":"An identity conversion rule is a JSON object which can be modified. The following is an example JSON object:[ \n { \n \"remote\": [ \n { \n ", + "product_code":"", + "title":"Syntax of Identity Conversion Rules", + "uri":"en-us_topic_0079620340.html", + "doc_type":"", + "p_code":"37", "code":"47" }, { - "desc":"After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. Open ", - "product_code":"iam", - "title":"How Do I Obtain MFA Verification Codes?", - "uri":"iam_01_0001.html", - "doc_type":"usermanual", - "p_code":"45", + "desc":"MFA authentication provides an additional layer of protection on top of the username and password. 
If you enable MFA authentication, users need to enter the username and ", + "product_code":"", + "title":"MFA Authentication and Virtual MFA Device", + "uri":"iam_10_0002.html", + "doc_type":"", + "p_code":"13", "code":"48" }, { - "desc":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ", - "product_code":"iam", - "title":"How Do I Unbind a Virtual MFA Device?", - "uri":"iam_01_0004.html", - "doc_type":"usermanual", - "p_code":"45", + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"", + "title":"FAQs", + "uri":"iam_01_0000.html", + "doc_type":"", + "p_code":"", "code":"49" }, + { + "desc":"For account security purposes, you are advised to enable login authentication. After this function is enabled, users need to enter an SMS, MFA, or email verification code", + "product_code":"", + "title":"How Do I Enable Login Authentication?", + "uri":"iam_01_0002.html", + "doc_type":"", + "p_code":"49", + "code":"50" + }, + { + "desc":"MFA authentication provides an additional layer of protection on top of the username and password. If MFA–based login authentication is enabled, you will need to enter a ", + "product_code":"", + "title":"How Do I Bind a Virtual MFA Device?", + "uri":"iam_01_0003.html", + "doc_type":"", + "p_code":"49", + "code":"51" + }, + { + "desc":"After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. 
Open ", + "product_code":"", + "title":"How Do I Obtain MFA Verification Codes?", + "uri":"iam_01_0001.html", + "doc_type":"", + "p_code":"49", + "code":"52" + }, + { + "desc":"You can unbind the virtual MFA device as long as the mobile phone used to bind the MFA device is available and the MFA application is still installed on the phone.On the ", + "product_code":"", + "title":"How Do I Unbind a Virtual MFA Device?", + "uri":"iam_01_0004.html", + "doc_type":"", + "p_code":"49", + "code":"53" + }, { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", - "product_code":"iam", + "product_code":"", "title":"Change History", "uri":"en-us_topic_0046611300.html", - "doc_type":"usermanual", + "doc_type":"", "p_code":"", - "code":"50" + "code":"54" } ] \ No newline at end of file diff --git a/docs/iam/umn/en-us_image_0000001420274825.png b/docs/iam/umn/en-us_image_0000001088289742.png similarity index 100% rename from docs/iam/umn/en-us_image_0000001420274825.png rename to docs/iam/umn/en-us_image_0000001088289742.png diff --git a/docs/iam/umn/en-us_image_0000001420034737.png b/docs/iam/umn/en-us_image_0000001088564514.png similarity index 100% rename from docs/iam/umn/en-us_image_0000001420034737.png rename to docs/iam/umn/en-us_image_0000001088564514.png diff --git a/docs/iam/umn/en-us_image_0000001420154953.png b/docs/iam/umn/en-us_image_0000001089129340.png similarity index 100% rename from docs/iam/umn/en-us_image_0000001420154953.png rename to docs/iam/umn/en-us_image_0000001089129340.png diff --git a/docs/iam/umn/en-us_image_0000001420274829.png b/docs/iam/umn/en-us_image_0000001135554103.png similarity index 100% rename from docs/iam/umn/en-us_image_0000001420274829.png rename to docs/iam/umn/en-us_image_0000001135554103.png 
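Review bot: Every entry on the new side of this CLASS.TXT.json hunk carries `"product_code":""` and `"doc_type":""` where the old side had `"iam"` and `"usermanual"`, so all 54 index records lose their product and document-type tagging; this looks like a generator misconfiguration rather than an intended edit, and the same blanking appears in the preceding ALL_META.TXT.json hunk. If dropping the values is intended, the keys should be omitted instead of kept as empty strings, since `""` is indistinguishable from a value that was never set and any consumer filtering on `product_code` will silently match nothing. The new OpenID Connect entries (codes 44–46) reuse the exact `title` strings of the SAML steps (codes 40–42), so any consumer that keys on `title` rather than `uri`/`code` will collide; it is worth confirming which key the doc site uses. The file also still ends with `\ No newline at end of file`, which is easy to fix in the same generator run.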
diff --git a/docs/iam/umn/en-us_image_0000001369235158.png b/docs/iam/umn/en-us_image_0000001180570109.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369235158.png
rename to docs/iam/umn/en-us_image_0000001180570109.png
diff --git a/docs/iam/umn/en-us_image_0000001369714794.png b/docs/iam/umn/en-us_image_0274186850.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369714794.png
rename to docs/iam/umn/en-us_image_0274186850.png
diff --git a/docs/iam/umn/en-us_image_0000001420274845.png b/docs/iam/umn/en-us_image_0274186856.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001420274845.png
rename to docs/iam/umn/en-us_image_0274186856.png
diff --git a/docs/iam/umn/en-us_image_0000001369554798.png b/docs/iam/umn/en-us_image_0274186858.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369554798.png
rename to docs/iam/umn/en-us_image_0274186858.png
diff --git a/docs/iam/umn/en-us_image_0000001369714790.png b/docs/iam/umn/en-us_image_0274186863.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369714790.png
rename to docs/iam/umn/en-us_image_0274186863.png
diff --git a/docs/iam/umn/en-us_image_0000001420034741.png b/docs/iam/umn/en-us_image_0274187167.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001420034741.png
rename to docs/iam/umn/en-us_image_0274187167.png
diff --git a/docs/iam/umn/en-us_image_0000001419956133.png b/docs/iam/umn/en-us_image_0274187171.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001419956133.png
rename to docs/iam/umn/en-us_image_0274187171.png
diff --git a/docs/iam/umn/en-us_image_0000001369714802.png b/docs/iam/umn/en-us_image_0274187188.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369714802.png
rename to docs/iam/umn/en-us_image_0274187188.png
diff --git a/docs/iam/umn/en-us_image_0000001369235146.png b/docs/iam/umn/en-us_image_0274187193.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369235146.png
rename to docs/iam/umn/en-us_image_0274187193.png
diff --git a/docs/iam/umn/en-us_image_0000001369394890.png b/docs/iam/umn/en-us_image_0274187197.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369394890.png
rename to docs/iam/umn/en-us_image_0274187197.png
diff --git a/docs/iam/umn/en-us_image_0000001369554802.png b/docs/iam/umn/en-us_image_0274187199.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369554802.png
rename to docs/iam/umn/en-us_image_0274187199.png
diff --git a/docs/iam/umn/en-us_image_0000001420034725.png b/docs/iam/umn/en-us_image_0274187205.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001420034725.png
rename to docs/iam/umn/en-us_image_0274187205.png
diff --git a/docs/iam/umn/en-us_image_0000001369394878.png b/docs/iam/umn/en-us_image_0274187214.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369394878.png
rename to docs/iam/umn/en-us_image_0274187214.png
diff --git a/docs/iam/umn/en-us_image_0000001419956121.png b/docs/iam/umn/en-us_image_0274187218.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001419956121.png
rename to docs/iam/umn/en-us_image_0274187218.png
diff --git a/docs/iam/umn/en-us_image_0000001369554818.png b/docs/iam/umn/en-us_image_0274187226.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369554818.png
rename to docs/iam/umn/en-us_image_0274187226.png
diff --git a/docs/iam/umn/en-us_image_0000001420034721.png b/docs/iam/umn/en-us_image_0274187229.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001420034721.png
rename to docs/iam/umn/en-us_image_0274187229.png
diff --git a/docs/iam/umn/en-us_image_0000001419956113.png b/docs/iam/umn/en-us_image_0274187237.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001419956113.png
rename to docs/iam/umn/en-us_image_0274187237.png
diff --git a/docs/iam/umn/en-us_image_0000001369235150.png b/docs/iam/umn/en-us_image_0274187239.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369235150.png
rename to docs/iam/umn/en-us_image_0274187239.png
diff --git a/docs/iam/umn/en-us_image_0000001420034729.png b/docs/iam/umn/en-us_image_0274187240.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001420034729.png
rename to docs/iam/umn/en-us_image_0274187240.png
diff --git a/docs/iam/umn/en-us_image_0274187264.png b/docs/iam/umn/en-us_image_0274187264.png
new file mode 100644
index 000000000..f6063cb7b
Binary files /dev/null and b/docs/iam/umn/en-us_image_0274187264.png differ
diff --git a/docs/iam/umn/en-us_image_0000001369554806.png b/docs/iam/umn/en-us_image_0274187275.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369554806.png
rename to docs/iam/umn/en-us_image_0274187275.png
diff --git a/docs/iam/umn/en-us_image_0000001369554814.png b/docs/iam/umn/en-us_image_0274187277.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369554814.png
rename to docs/iam/umn/en-us_image_0274187277.png
diff --git a/docs/iam/umn/en-us_image_0000001369235154.png b/docs/iam/umn/en-us_image_0291358588.png
similarity index 100%
rename from docs/iam/umn/en-us_image_0000001369235154.png
rename to docs/iam/umn/en-us_image_0291358588.png
diff --git a/docs/iam/umn/en-us_topic_0046611276.html b/docs/iam/umn/en-us_topic_0046611276.html
index 6764198cc..e887d792d 100644
--- a/docs/iam/umn/en-us_topic_0046611276.html
+++ b/docs/iam/umn/en-us_topic_0046611276.html
@@ -3,14 +3,14 @@

IAM Features

IAM provides the following basic functions:

@@ -19,3 +19,10 @@
+ + \ No newline at end of file diff --git a/docs/iam/umn/en-us_topic_0046611300.html b/docs/iam/umn/en-us_topic_0046611300.html index 01a41ef15..672f8b0ac 100644 --- a/docs/iam/umn/en-us_topic_0046611300.html +++ b/docs/iam/umn/en-us_topic_0046611300.html @@ -2,15 +2,21 @@

Change History

-
- - - - - @@ -53,14 +53,14 @@ - - @@ -74,7 +74,7 @@ - @@ -141,10 +141,10 @@

Authentication Process

IAM authenticates users according to the permissions granted to the users. The following diagram shows the authentication process.

-
Figure 1 Authentication process
+
Figure 1 Authentication process

The actions in each policy bear the OR relationship.

-
  1. A user accesses the system and initiates an operation request.
  2. The system evaluates all the permissions policies assigned to the user.
  3. The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.
  4. If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.
  5. If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.
+
  1. A user accesses the system and initiates an operation request.
  2. The system evaluates all the permissions policies assigned to the user.
  3. The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.
  4. If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.
  5. If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.
@@ -153,3 +153,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0023.html b/docs/iam/umn/iam_01_0023.html
index 6f172bf12..8ae054c36 100644
--- a/docs/iam/umn/iam_01_0023.html
+++ b/docs/iam/umn/iam_01_0023.html
@@ -4,10 +4,10 @@

You can manage users in your account and their security credentials. In addition, you can configure federated identity authentication so that users in other systems can access the cloud system through SSO.

Domain

A domain, also called an "account", is created upon successful registration with the cloud system. The domain has full access permissions for its cloud services and resources.

For security purposes, create a security administrator and grant them Security Administrator permissions to manage users and their permissions in your account.

-
Figure 1 Account management module
+
Figure 1 Account management module

User

You or other administrators can create users for employees, systems, or applications in IAM. The users can log in to the console or access APIs using their own identity credentials (passwords and access keys).

-
Figure 2 Relationship between the account and users
+
Figure 2 Relationship between the account and users

Federated User

Federated users access the cloud system through federated identity authentication.

After being authenticated by an identity provider (IdP), users can access resources in a service provider (SP) without needing re-authentication.

@@ -21,3 +21,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0024.html b/docs/iam/umn/iam_01_0024.html
index 8ac142ce0..af0ccf8d7 100644
--- a/docs/iam/umn/iam_01_0024.html
+++ b/docs/iam/umn/iam_01_0024.html
@@ -2,7 +2,7 @@

Permissions Management

You can grant users permissions to access different resources.

-

Granting Permissions to Users

Figure 1 Authorization model
+

Granting Permissions to Users

Figure 1 Authorization model

  1. Plan user groups and grant permissions to each user group.
  2. Add a user to a specific user group so that the user can inherit the permissions of the group.
@@ -10,7 +10,7 @@

Granting Permissions to Other Accounts

You (account A) can grant permissions to another account (account B) by creating an agency. Account B can then grant the Agent Operator permissions to a user so that the user can manage resources in your account (account A).

Granting Permissions to Federated Users

You can federate external users to IAM and grant permissions to the users to access cloud resources by creating an identity provider and identity conversion rules.

-
Figure 2 Identity conversion of federated users
+
Figure 2 Identity conversion of federated users
@@ -19,3 +19,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0029.html b/docs/iam/umn/iam_01_0029.html
index 276b3eaff..031c3f6b4 100644
--- a/docs/iam/umn/iam_01_0029.html
+++ b/docs/iam/umn/iam_01_0029.html
@@ -47,7 +47,7 @@
- - - - -
diff --git a/docs/iam/umn/iam_01_0034.html b/docs/iam/umn/iam_01_0034.html
index 87717e257..19957cff8 100644
--- a/docs/iam/umn/iam_01_0034.html
+++ b/docs/iam/umn/iam_01_0034.html
@@ -6,7 +6,7 @@

Example

The following is an example of how to use IAM.

Assume that there are three user groups in your enterprise: security administrators (admin), developers, and testers. Each user group can contain multiple users, and a user can belong to multiple user groups.

-
Figure 1 User management model
+
Figure 1 User management model
  1. Create a security administrator Franklin and add Franklin to the default user group admin.
  2. Log in as Franklin, create another security administrator Lawrence, and add Lawrence to the default user group admin.
  3. Log in as Franklin or Lawrence, create user groups Developers and Testers, and grant the required permissions to each user group.
  4. Log in as Franklin or Lawrence, create developers Elizabeth and Randolph, and add them to the Developers user group. Then create tester Jennifer, and add Jennifer and Randolph to the Testers user group.
  5. Users Elizabeth, Jennifer, and Randolph log in using their own credentials.

    Security administrators and users are IAM users who have different permissions depending on the user groups to which they belong. All IAM users have their own security credentials (username and password) to log in to the system.

@@ -17,3 +17,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0054.html b/docs/iam/umn/iam_01_0054.html
index 2a8657892..860b2f209 100644
--- a/docs/iam/umn/iam_01_0054.html
+++ b/docs/iam/umn/iam_01_0054.html
@@ -3,12 +3,12 @@

Delegating Resource Access to Another Account

Agency is a trust relationship between a delegating account and a delegated account. By creating an agency, you can grant permissions to another account or cloud service for resource management.

This section uses account A and account B as an example to describe how to delegate an account to manage resources under another account.

-
  1. Account A creates an agency to delegate resource access to account B.

    Figure 1 Creating an agency
    +
    1. Account A creates an agency to delegate resource access to account B.

      Figure 1 Creating an agency

    2. Account B grants user Randolph permissions for managing account A's resources.

      1. Create a user group (for example, Agency), and grant resource management permissions to the user group.
      2. Add user Randolph to user group Agency.
      -
      Figure 2 Delegating resource access
      +
      Figure 2 Delegating resource access

    3. User Randolph of account B manages the resources in account A.

      1. Randolph logs in to the cloud system and switches the role to account A.
      2. Job switches to project A.
      3. Job manages the resources in account A based on assigned permissions.
      -
      Figure 3 Managing resources based on agency permissions
      +
      Figure 3 Managing resources based on agency permissions

@@ -17,3 +17,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0600.html b/docs/iam/umn/iam_01_0600.html
index f6bfe8c34..11d8746d8 100644
--- a/docs/iam/umn/iam_01_0600.html
+++ b/docs/iam/umn/iam_01_0600.html
@@ -18,14 +18,14 @@
  • Effect: Determines whether to deny or allow the operation.
  • -

    Using a Custom Policy Along with a System-Defined Policy

    • Use the following method to assign permissions of the BMS FullAccess policy to a user but also forbid the user from creating BMSs. Create a custom policy containing the bms:servers:create action, for denying BMS creation, and attach both policies to the group to which the user belongs. Then, the user will be able to perform all operations on BMS except creating BMSs.

      Example policy denying BMS creation:

      -
      {
      +

      Using a Custom Policy Along with a System-Defined Policy

      • Use the following method to assign permissions of the ECS FullAccess policy to a user but also forbid the user from deleting ECSs. Create a custom policy denying the ecs:cloudServers:delete action, and attach this custom policy together with the system-defined ECS FullAccess policy to the group to which the user belongs. Then, the user will be able to perform all operations on ECS except deleting ECSs.

        Example policy denying ECS deletion:

        +
        {
             "Version": "1.1",
             "Statement": [
                 {
                     "Effect": "Deny",
                     "Action": [
        -                    "bms:servers:create"
        +                    "ecs:cloudServers:delete"
                     ]
                 }
             ]
        diff --git a/docs/iam/umn/iam_08_0002.html b/docs/iam/umn/iam_08_0002.html
        index 9be7f0589..bff6ef61c 100644
        --- a/docs/iam/umn/iam_08_0002.html
        +++ b/docs/iam/umn/iam_08_0002.html
        @@ -6,12 +6,12 @@
         

    Configuring Federated Identity Authentication

    To implement federated identity authentication between an identity provider and the cloud system, complete the following configuration:

    -
    1. Establish a trust relationship and create an identity provider: Exchange the metadata files of the identity provider and cloud system (see Figure 1).
      Figure 1 Metadata file exchange model
      -
    2. Configure identity conversion rules: Map the users, user groups, and permissions of the identity provider to the cloud system (see Figure 2).
      Figure 2 User identity conversion model
      -
    3. Configure a login link: Configure a login link (see Figure 3) in the enterprise management system to allow users to access the cloud system through SSO.
      Figure 3 SSO login model
      +
      1. Establish a trust relationship and create an identity provider: Exchange the metadata files of the identity provider and cloud system (see Figure 1).
        Figure 1 Metadata file exchange model
        +
      2. Configure identity conversion rules: Map the users, user groups, and permissions of the identity provider to the cloud system (see Figure 2).
        Figure 2 User identity conversion model
        +
      3. Configure a login link: Configure a login link (see Figure 3) in the enterprise management system to allow users to access the cloud system through SSO.
        Figure 3 SSO login model

      Process of Federated Identity Authentication

      Figure 4 shows the interaction between an identity provider and the cloud system after a user initiates an SSO request.

      -
      Figure 4 Process of federated identity authentication
      +
      Figure 4 Process of federated identity authentication

      To view interactive requests and assertions with a better experience, you are advised to use the Google Chrome browser and install the SAML Message Decoder plug-in.

      As shown in Figure 4, the process of federated identity authentication is as follows:

      @@ -35,3 +35,10 @@
      + +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_08_0003.html b/docs/iam/umn/iam_08_0003.html
index 6c1abe4e9..66e5d27fe 100644
--- a/docs/iam/umn/iam_08_0003.html
+++ b/docs/iam/umn/iam_08_0003.html
@@ -2,8 +2,8 @@

      Step 1: Create an Identity Provider

      To establish a trust relationship between an enterprise identity provider and the cloud system, upload the metadata file of the cloud system to the identity provider, and then create an identity provider and upload the metadata file of the identity provider on the IAM console.

      -

      Prerequisites

      As an enterprise administrator, you have registered an account in the cloud system and created user groups and granted them permissions in IAM.

      -

      The user groups created in IAM will be used to assign permissions to identity provider users mapped to the cloud system.

      +

      Prerequisites

      As an enterprise administrator, you have registered an account in the cloud system and created user groups and granted them permissions in IAM.

      +

      The user groups created in IAM will be used to assign permissions to identity provider users mapped to the cloud system.

      Establishing a Trust Relationship

      To establish a trust relationship between the enterprise identity provider and the cloud system, exchange their metadata files.

      @@ -12,7 +12,7 @@

    4. Upload the metadata file to the identity provider server. For details about how to upload the metadata file, see the documentation of your identity provider.
    5. Obtain the metadata file of the enterprise identity provider. For details about how to obtain the metadata file, see the documentation of your identity provider.

    Creating an Identity Provider

    Create an identity provider and configure the metadata file in IAM.

    -
    1. Log in to the IAM console, and choose Identity Providers from the navigation pane. Then click Create Identity Provider.
    2. Specify the name, protocol, status, and description of the identity provider.

      The identity provider name must be unique under your account.

      +
      1. Log in to the IAM console, and choose Identity Providers from the navigation pane. Then click Create Identity Provider.
      2. On the displayed page, enter an identity provider name, select SAML for Protocol and Enabled for Status. Then, click OK.

        The identity provider name must be unique under your account.

      3. Click OK.
      diff --git a/docs/iam/umn/iam_08_0004.html b/docs/iam/umn/iam_08_0004.html
index 62b06be8a..9d9f299f3 100644
--- a/docs/iam/umn/iam_08_0004.html
+++ b/docs/iam/umn/iam_08_0004.html
@@ -48,7 +48,7 @@

      For example, set an identity conversion rule for enterprise administrators.

      • Username: FederationUser-IdP_admin_{email}
      • User group: admin
      • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and ID1;ID2;ID3 (value). Only users with ID1, ID2, or ID3 inherit permissions from the admin user group.
    3. In the Create Rule area, click OK.
    4. On the Modify Identity Provider page, click OK.
    -
  • Editing a Rule
    1. Log in to the cloud system as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.
    2. In the identity provider list, click Modify in the row containing the identity provider.
    3. In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.
    4. Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.
    5. Click Validate to verify the syntax of the rule.
    6. If the rule is correct, click OK in the Edit Rule dialog box. Then click OK on the Modify Identity Provider page.

      If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.

      +
    7. Editing a Rule
      1. Log in to the cloud system as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.
      2. In the identity provider list, click Modify in the row containing the identity provider.
      3. In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.
      4. Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.
      5. Click Validate to verify the syntax of the rule.
      6. If the rule is correct, click OK in the Edit Rule dialog box. Then click OK on the Modify Identity Provider page.

        If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.

  •
diff --git a/docs/iam/umn/iam_08_0007.html b/docs/iam/umn/iam_08_0007.html
new file mode 100644
index 000000000..a89294a76
--- /dev/null
+++ b/docs/iam/umn/iam_08_0007.html
@@ -0,0 +1,16 @@
+ + +

    Step 3: Configure Login Link in the Enterprise Management System

    +

    Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.

    +

    Prerequisites

    • An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)
    • A login link to the cloud system has already been configured in the enterprise management system.
    +
    +

    Procedure

    1. Log in to the IAM console, and choose Identity Providers from the navigation pane.
    2. Click View in the row containing the identity provider.
    3. Click Copy next to the login link.
    4. Add the following statement to the page file of the enterprise management system:

      <a href="<Login link>"> Login </a>
      +

    5. Log in to the enterprise management system, and then click the configured login link to access the cloud system.
    +
    +
    +
    + +
    +
diff --git a/docs/iam/umn/iam_08_0008.html b/docs/iam/umn/iam_08_0008.html
new file mode 100644
index 000000000..544639a0a
--- /dev/null
+++ b/docs/iam/umn/iam_08_0008.html
@@ -0,0 +1,61 @@
+ + +

    Step 2: Configure Identity Conversion Rules

    +

    As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rules, you can map the identities and permissions of federated users to the cloud system and control their access to specific resources.

    +
    • Modifications to identity conversion rules will take effect only after the federated users log in again.
    • To modify the permissions of a federated user, modify the permissions of the user group to which the user belongs. Then restart the identity provider system for the modifications to take effect.
    +
    +

    Prerequisites

    An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)

    +
    +

    Procedure

    If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format.

    +
    • Creating a Rule
      1. Choose Identity Providers from the navigation pane.
      2. In the identity provider list, click Modify in the row containing the identity provider.
      3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rule in the Create Rule dialog box. +
    Table 1 Change history

    Released On

    +
    - - + + +
diff --git a/docs/iam/umn/en-us_topic_0046611308.html b/docs/iam/umn/en-us_topic_0046611308.html
index ba3b261b3..1130bb9d1 100644
--- a/docs/iam/umn/en-us_topic_0046611308.html
+++ b/docs/iam/umn/en-us_topic_0046611308.html
@@ -1,25 +1,25 @@

    Account Settings

    -

    Users with Security Administrator permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.

    -

    Procedure

    1. Set the login authentication policy.

      1. In the navigation pane, choose Account Settings > Login Authentication Policy.
      2. In the Account Lockout area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.

        If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.

        +

        Users with Security Administrator permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.

        +

        Procedure

        1. Set the login authentication policy.

          1. In the navigation pane, choose Security Settings > Login Authentication Policy.
          2. In the Account Lockout area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.

            If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.

          3. In the Account Disabling area, select Disable account upon login if it is not used within the validity period, and set the user validity period. If the user does not access the cloud system through the management console or APIs within the validity period, the user will be disabled.

            The account disabling setting is for security purposes. If a user is disabled, resources in the account will not be affected and the user can contact the administrator to enable the user again.

          4. In the Session Timeout area, set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period. The timeout ranges from 15 minutes to 24 hours, and the default value is 15 minutes. If a user does not perform any operation within the specified duration, the user needs to log in again.
          5. In the Recent Login Information area, select Display last login information upon successful login.

            Users will be able to view the login information, such as the time of the last login, on the Login Verification page.

          6. In the Custom Information area, set custom information that will be displayed upon successful login.

            Users will be able to view this custom information on the Login Verification page.

          7. Click Save.
          -

        2. Set the password policy.

          1. In the navigation pane, choose Account Settings > Password Policy.
          2. In the Password Composition & Reuse area, do as follows:
            • Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
            • Set Minimum Number of Characters.

              By default, a password must contain at least 6 characters.

              +

            • Set the password policy.

              1. In the navigation pane, choose Security Settings > Password Policy.
              2. In the Password Composition & Reuse area, do as follows:
                • Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
                • Set Minimum Number of Characters.

                  By default, a password must contain at least 6 characters.

                • Select Restrict consecutive identical characters and set the maximum number of consecutive identical characters that can be contained in a password. The value ranges from 1 to 32.
                • Select Disallow previously used passwords and set the number of recent passwords disallowed. The value ranges from 1 to 10.
              3. In the Password Expiration area, select Prompt password change 15 days before expiration and force password change upon expiration, and set the password validity period.

                Users must change their password when the password has expired.

                -
                The password must meet the following requirements:
                • Must contain 6 to 32 characters.
                • Must contain at least two types of the following characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), spaces, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\=).
                • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
                • Cannot contain the user's mobile number or email address.
                +
                The password must meet the following requirements:
                • Must contain 6 to 32 characters.
                • Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\= and spaces).
                • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
                • Cannot contain the user's mobile number or email address.
              4. In the Minimum Password Age area, select Allow a password to be changed only after it is used for a specified time and set the minimum password age.

                Users can change their password only when the specified period has expired.

              5. Click Save.
              -

            • Set the ACL.

              1. In the navigation pane, choose Account Settings > ACL.
              2. On the ACL page, enter the allowed IP address ranges or IPv4 CIDR blocks.
                • IP Address Ranges: only allow users to access the system using IP addresses in specified ranges.
                • IPv4 CIDR Blocks: only allow users of specified IPv4 CIDR blocks to access the system. For example: 10.10.10.10/32.
                -
                • The ACL takes effect only for users under your account.
                • You can click Restore Defaults to restore the allowed IP address ranges to the default value, 0.0.0.0-255.255.255.255, and to clear IPv4 CIDR Blocks.
                • If both IP Address Ranges and IPv4 CIDR Blocks are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.
                +

              3. Set the ACL.

                1. In the navigation pane, choose Security Settings > ACL.
                2. On the ACL page, enter the allowed IP address ranges or IPv4 CIDR blocks.
                  • IP Address Ranges: only allow users to access the system using IP addresses in specified ranges.
                  • IPv4 CIDR Blocks: only allow users of specified IPv4 CIDR blocks to access the system. For example: 10.10.10.10/32.
                  +
                  • The ACL takes effect only for users under your account.
                  • You can click Restore Defaults to restore the allowed IP address ranges to the default value, 0.0.0.0-255.255.255.255, and to clear IPv4 CIDR Blocks.
                  • If both IP Address Ranges and IPv4 CIDR Blocks are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.
                  -
                3. Click Save.
                +
              4. Click Save.

        diff --git a/docs/iam/umn/en-us_topic_0059870089.html b/docs/iam/umn/en-us_topic_0059870089.html
index 7c016f34b..038713f04 100644
--- a/docs/iam/umn/en-us_topic_0059870089.html
+++ b/docs/iam/umn/en-us_topic_0059870089.html
@@ -8,6 +8,8 @@
      3. +
diff --git a/docs/iam/umn/en-us_topic_0079496985.html b/docs/iam/umn/en-us_topic_0079496985.html
index ff5266f83..c931ba25c 100644
--- a/docs/iam/umn/en-us_topic_0079496985.html
+++ b/docs/iam/umn/en-us_topic_0079496985.html
@@ -2,11 +2,11 @@

        Managing Users and Permissions

        As a security administrator, you can grant permissions to a user group and add users to it. The users inherit the permissions of the user group and can access the cloud system based on assigned permissions.

        -
        1. Create projects in a region to isolate resources.

          Figure 1 Project isolating model
          +
          1. Create projects in a region to isolate resources.

            Figure 1 Project isolating model

            -

          2. Plan user groups according to user responsibilities and grant the required permissions to the user groups.

            Figure 2 User group authorization model
            +

          3. Plan user groups according to user responsibilities and grant the required permissions to the user groups.

            Figure 2 User group authorization model

            -

          4. Create users and add them to the corresponding user groups.

            Figure 3 User authorization model
            +

          5. Create users and add them to the corresponding user groups.

            Figure 3 User authorization model

          6. Log in as the users and access the cloud system based on assigned permissions.
        @@ -16,3 +16,10 @@
    + +
\ No newline at end of file
diff --git a/docs/iam/umn/en-us_topic_0079620340.html b/docs/iam/umn/en-us_topic_0079620340.html
index aaf52dab5..832b31ba8 100644
--- a/docs/iam/umn/en-us_topic_0079620340.html
+++ b/docs/iam/umn/en-us_topic_0079620340.html
@@ -78,8 +78,8 @@ ] } ] -

    In this example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in the cloud system, that is, FirstName LastName. The groups to which the user belongs are the value of the third remote attribute Groups.

    -

    If the following assertion is received, the username of the federated user will be John Smith in the cloud system and the user will belong to the admin and manager groups.

    +

    In this example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in the cloud system, that is, FirstName LastName. The groups to which the user belongs are the value of the third remote attribute Groups.

    +

    If the following assertion is received, the username of the federated user will be John Smith in the cloud system and the user will belong to the admin and manager groups.

    {FirstName: John}  
     {LastName: Smith}  
     {Groups: [admin, manager]}
    @@ -111,7 +111,7 @@ } ]

    The username of the federated user in the cloud system is the value of the first remote attribute, that is, UserName. The federated user belongs to the admin group. This rule takes effect only for users who are members of the idp_admin group in the identity provider system.

    -

    If a federated user will belong to multiple user groups in the cloud system, the identity conversion rule can be configured as follows:

    +

    If a federated user will belong to multiple user groups in the cloud system, the identity conversion rule can be configured as follows:

    [  
             {  
                 "local": [  
    @@ -137,7 +137,7 @@
                 ]  
             }  
         ]     
    -

    The username of the federated user in the cloud system is the value of the first remote attribute, that is, UserName. The federated user belongs to the admin and manager groups. This rule takes effect only for users who are members of the idp_admin group in the identity provider system.

    +

    The username of the federated user in the cloud system is the value of the first remote attribute, that is, UserName. The federated user belongs to the admin and manager groups. This rule takes effect only for users who are members of the idp_admin group in the identity provider system.

    • The following assertion indicates that the federated user John Smith is a member of the idp_admin group. Therefore, the user can access the cloud system.
      {UserName: John Smith} 
       {Groups: [idp_user, idp_admin, idp_agency]}
    • The following assertion indicates that the federated user John Smith is not a member of the idp_admin group. Therefore, the rule does not take effect for the user and the user cannot access the cloud system.
      {UserName: John Smith} 
      diff --git a/docs/iam/umn/en-us_topic_0079620341.html b/docs/iam/umn/en-us_topic_0079620341.html
      index fc4a9110f..fbabc7c85 100644
      --- a/docs/iam/umn/en-us_topic_0079620341.html
      +++ b/docs/iam/umn/en-us_topic_0079620341.html
      @@ -6,23 +6,23 @@
       
      • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the system using browsers.
      • API calling: Development tools (such as OpenStack Client) are used as the communication media. This authentication type enables enterprise users and common users to access the system by calling APIs.

        Users in your enterprise can choose SP-initiated or IdP-initiated federated identity authentication for API calling depending on your identity provider system.

      Without Federated Identity Authentication

      • SSO not supported

        Users authenticated by the identity provider of an enterprise management system cannot access the cloud system.

        -
        Figure 1 User authentication model (1)
        +
        Figure 1 User authentication model (1)

      • Complex user management

        The enterprise administrator has to create users in both the enterprise management system and the cloud system.

      • Complex user operations

        Users have to use different accounts to log in to the enterprise management system and cloud system.

        -
        Figure 2 User login model (1)
        +
        Figure 2 User login model (1)

      With Federated Identity Authentication

      • SSO supported

        Users authenticated by the identity provider can access the cloud system through SSO.

        -
        Figure 3 User authentication model (2)
        +
        Figure 3 User authentication model (2)

      • Simplified user management

        The enterprise administrator does not need to create users in the cloud system.

      • Easy user operations

        Users can access the cloud system through the enterprise management system.

        -
        Figure 4 User login model (2)
        +
        Figure 4 User login model (2)
      @@ -31,3 +31,10 @@
      + + \ No newline at end of file diff --git a/docs/iam/umn/en-us_topic_0085605493.html b/docs/iam/umn/en-us_topic_0085605493.html index cf32d528b..10e401efe 100644 --- a/docs/iam/umn/en-us_topic_0085605493.html +++ b/docs/iam/umn/en-us_topic_0085605493.html @@ -2,7 +2,7 @@

      Viewing and Modifying User Group Information

      As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the groups to which the users belong.

      -

      Procedure

      1. In the navigation pane, choose User Groups.
      2. In the user group list, view or modify user group information.

        • Viewing user group information

          In the user group list, click next to the target user group to view its details, including the basic information, permissions, and users.

          +

          Procedure

          1. In the navigation pane, choose User Groups.
          2. In the user group list, view or modify user group information.

            • Viewing user group information

              In the user group list, click next to the target user group to view its details, including the basic information, permissions, and users.

            • Modifying user group information
              Click Modify in the Operation column of the row that contains the target user group to go to the Modify User Group page.
              • For the default user group, you can only manage its users and cannot modify its basic information or permissions.
              • If the name of a user group has been configured in the identity conversion rules of an identity provider, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.
diff --git a/docs/iam/umn/en-us_topic_0274187246.html b/docs/iam/umn/en-us_topic_0274187246.html
deleted file mode 100644
index 3e3d31739..000000000
--- a/docs/iam/umn/en-us_topic_0274187246.html
+++ /dev/null
@@ -1,56 +0,0 @@
- - -

              Creating a Custom Policy

              -

              You can create custom policies to supplement system-defined policies and implement more refined access control.

              -

              Creating a Custom Policy in the Visual Editor

              1. On the IAM console, choose Policies in the navigation pane, and click Create Custom Policy.
              2. Enter a policy name.
              3. Select a scope based on the type of services related to this policy.

                • Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.
                • Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.
                -

                For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

                -

                A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

                -
                -

              4. Select Visual editor.
              5. Set the policy content.

                1. Select Allow or Deny.
                2. Select a cloud service.

                  Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click Add Permissions or switch to the JSON view.

                  -
                  -
                3. Select actions.
                4. Select all resources, or select specific resources by specifying their paths.
                5. (Optional) Add request conditions by specifying condition keys, operators, and values. -
    Table 1 Change history

    Released On

    What's New

    2022-10-21

    +

    2022-11-21

    Optimized the document content.

    +

    This release incorporates the following changes:

    + +

    2022-10-21

    +

    Optimized the document content.

    2020-12-30

    @@ -28,13 +34,13 @@

    2020-07-21

    This release incorporates the following changes:

    - +

    2019-04-19

    This release incorporates the following change:

    -

    Added descriptions about the scope of custom policies in Creating a Custom Policy.

    +

    Added descriptions about the scope of custom policies in Creating a Custom Policy.

    2019-04-18

    @@ -52,7 +58,7 @@

    2019-03-12

    This release incorporates the following changes:

    - +

    2019-02-26

diff --git a/docs/iam/umn/en-us_topic_0046611303.html b/docs/iam/umn/en-us_topic_0046611303.html
index db7b56c7e..8f7e89eb9 100644
--- a/docs/iam/umn/en-us_topic_0046611303.html
+++ b/docs/iam/umn/en-us_topic_0046611303.html
@@ -70,7 +70,7 @@

    Set now

    Select this option if you are the user. Then, set a password for login.

    -
    NOTE:
    The password must meet the following requirements:
    • Must contain 6 to 32 characters.
    • Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and spaces or other special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\=).
    • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
    • Cannot contain the user's mobile number or email address.
    +
    NOTE:
    The password must meet the following requirements:
    • Must contain 6 to 32 characters.
    • Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\= and spaces).
    • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
    • Cannot contain the user's mobile number or email address.
    - - - - - - - - - - - - - -
    Table 1 Condition parameters

    Name

    -

    Description

    -

    Condition Key

    -

    A key in the Condition element of a statement. There are global and service-level condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

    -

    Operator

    -

    Used together with a condition key to form a complete condition statement.

    -

    Value

    -

    Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.

    -
    -
    - -

  • (Optional) Switch to the JSON view and modify the policy content in the JSON format.

    If the policy content is incorrect after modification, check and modify the content, or click Reset to cancel the modifications.

    -
    -

  • (Optional) To add another permission block for the policy, click Add Permissions. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.
  • (Optional) Enter a brief description for the policy.
  • Click OK.
  • Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.
  • - -

    Creating a Custom Policy in JSON View

    1. On the IAM console, choose Policies in the navigation pane, and click Create Custom Policy.
    2. Enter a policy name.
    3. Select a scope based on the type of services related to this policy.

      • Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.
      • Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.
      -

      For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

      -

      A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

      -
      -

    4. Select JSON.
    5. (Optional) Click Select Existing Policy, and select a policy to use it as a template, such as VPC Admin.
    6. Click OK.
    7. Modify the statement in the template.

      • Effect: Set it to Allow or Deny.
      • Action: Enter the actions provided in the API actions table of the EVS service, for example, evs:volumes:create.
        • The version of each custom policy is fixed at 1.1.
        -
        -
      -

    8. (Optional) Enter a brief description for the policy.
    9. Click OK. If the policy list is displayed, the policy is created successfully.
    10. Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.
    -
    - -
    - -
-
diff --git a/docs/iam/umn/iam_01_0003.html b/docs/iam/umn/iam_01_0003.html
index 8767835a0..0e373fd59 100644
--- a/docs/iam/umn/iam_01_0003.html
+++ b/docs/iam/umn/iam_01_0003.html
@@ -7,7 +7,7 @@

    For more information, see MFA Authentication and Virtual MFA Device.

    Prerequisites

    You have installed an MFA application (for example, Google Authenticator) on your smartphone.

    -

    Procedure

    1. On the management console, hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
    2. On the My Credentials page, click Bind next to the Virtual MFA Device parameter.
    3. Go to the Bind Virtual MFA Device page.

      Figure 1 Binding a virtual MFA device
      +

      Procedure

      1. On the management console, hover the mouse pointer over the username in the upper right corner and choose My Credentials from the drop-down list.
      2. On the My Credentials page, click Bind next to the Virtual MFA Device parameter.
      3. Go to the Bind Virtual MFA Device page.

        Figure 1 Binding a virtual MFA device

        The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.

        @@ -25,3 +25,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0012.html b/docs/iam/umn/iam_01_0012.html
index f8804c28f..69ea32bab 100644
--- a/docs/iam/umn/iam_01_0012.html
+++ b/docs/iam/umn/iam_01_0012.html
@@ -155,14 +155,14 @@

    userGroup

    updateUserGroup

    +

    updateUserGroup

    Deleting a user group

    userGroup

    deleteUserGroup

    +

    deleteUserGroup

    Adding a user to a user group

diff --git a/docs/iam/umn/iam_01_0013.html b/docs/iam/umn/iam_01_0013.html
index b6003692d..eab062634 100644
--- a/docs/iam/umn/iam_01_0013.html
+++ b/docs/iam/umn/iam_01_0013.html
@@ -5,8 +5,8 @@

    Viewing IAM Audit Logs

    1. Log in to the management console.
    2. Click Service List in the upper part of the page and choose Cloud Trace Service under Management & Deployment.
    3. In the navigation pane, choose Trace List.
    4. Click Filter in the upper right corner of the trace list to set filter conditions.

      The following filters are available:
      • Trace Source, Resource Type, and Search By
        • Select a filter criteria from the drop-down list. Specifically, select IAM from the Trace Source drop-down list.
        • If you select Trace name for Search By, select a trace name.
        • If you select Resource ID for Search By, select or enter a resource ID.
        • If you select Resource name for Search By, select or enter a resource name.
      • Operator: Select an operator (a user rather than domain).
      • Trace Status: Available options include All trace statuses, normal, incident, and warning.
      • Specify the start time and end time for querying traces.
      -

    5. Click Query.
    6. Expand the details of a trace, as shown in Figure 1.

      Figure 1 Expanding trace details
      -

    7. Click View Trace in the Operation column. In the View Trace dialog box as shown in Figure 2, the trace details are displayed.

      Figure 2 Viewing a trace
      +

    8. Click Query.
    9. Expand the details of a trace, as shown in Figure 1.

      Figure 1 Expanding trace details
      +

    10. Click View Trace in the Operation column. In the View Trace dialog box as shown in Figure 2, the trace details are displayed.

      Figure 2 Viewing a trace

@@ -16,3 +16,10 @@
+ +
\ No newline at end of file
diff --git a/docs/iam/umn/iam_01_0015.html b/docs/iam/umn/iam_01_0015.html
index c87f6be96..865d87de2 100644
--- a/docs/iam/umn/iam_01_0015.html
+++ b/docs/iam/umn/iam_01_0015.html
@@ -8,7 +8,7 @@
-
diff --git a/docs/iam/umn/iam_01_0016.html b/docs/iam/umn/iam_01_0016.html
new file mode 100644
index 000000000..3ba551efd
--- /dev/null
+++ b/docs/iam/umn/iam_01_0016.html
@@ -0,0 +1,56 @@
+ + +

    Creating a Custom Policy

    +

    You can create custom policies to supplement system-defined policies and implement more refined access control.

    +

    Creating a Custom Policy in the Visual Editor

    1. On the IAM console, choose Policies in the navigation pane, and click Create Custom Policy.
    2. Enter a policy name.
    3. Select a scope based on the type of services related to this policy.

      • Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.
      • Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.
      +

      For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

      +

      A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

      +
      +

    4. Select Visual editor.
    5. Set the policy content.

      1. Select Allow or Deny.
      2. Select a cloud service.

        Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click Add Permissions or switch to the JSON view.

        +
        +
      3. Select actions.
      4. Select all resources, or select specific resources by specifying their paths.
      5. (Optional) Add request conditions by specifying condition keys, operators, and values. +
        + + + + + + + + + + + + + +
        Table 1 Condition parameters

        Name

        +

        Description

        +

        Condition Key

        +

        A key in the Condition element of a statement. There are global and service-level condition keys. Global condition keys (starting with g:) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service.

        +

        Operator

        +

        Used together with a condition key to form a complete condition statement.

        +

        Value

        +

        Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.

        +
        +
        +
      +

    6. (Optional) Switch to the JSON view and modify the policy content in the JSON format.

      If the policy content is incorrect after modification, check and modify the content, or click Reset to cancel the modifications.

      +
      +

    7. (Optional) To add another permission block for the policy, click Add Permissions. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.
    8. (Optional) Enter a brief description for the policy.
    9. Click OK.
    10. Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.
    +
    +

    Creating a Custom Policy in JSON View

    1. On the IAM console, choose Policies in the navigation pane, and click Create Custom Policy.
    2. Enter a policy name.
    3. Select a scope based on the type of services related to this policy.

      • Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.
      • Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.
      +

      For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

      +

      A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

      +
      +

    4. Select JSON.
    5. (Optional) Click Select Existing Policy, and select a policy to use it as a template, such as VPC Admin.
    6. Click OK.
    7. Modify the statement in the template.

      • Effect: Set it to Allow or Deny.
      • Action: Enter the actions provided in the API actions table of the EVS service, for example, evs:volumes:create.
        • The version of each custom policy is fixed at 1.1.
        +
        +
      +

    8. (Optional) Enter a brief description for the policy.
    9. Click OK. If the policy list is displayed, the policy is created successfully.
    10. Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.
    +
    +
    +
    + +
+
diff --git a/docs/iam/umn/iam_01_0017.html b/docs/iam/umn/iam_01_0017.html
index cda6c99fe..717bf9a68 100644
--- a/docs/iam/umn/iam_01_0017.html
+++ b/docs/iam/umn/iam_01_0017.html
@@ -2,7 +2,7 @@

    Policy Syntax

    Policy Content

    A fine-grained policy consists of the policy version (the Version field) and statement (the Statement field).

    -

    +

    • Version: Distinguishes between role-based access control (RBAC) and fine-grained policies.
      • 1.0: RBAC policies, which are preset in the system and used to grant permissions for each service as a whole. After such a policy is granted to a user, the user has all permissions of the corresponding service.
      • 1.1: Fine-grained policies, which enable more refined authorization based on service APIs. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system-defined and custom policies.
        • System-defined policies: read-only and administrator permissions for different services.
        • Custom policies: created and managed by users to supplement system-defined policies. For example, you can create a custom policy to allow users only to modify ECS specifications.
    @@ -25,21 +25,21 @@

    g:CurrentTime

    +

    g:CurrentTime

    Time

    Time when an authentication request is received. The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z.

    g:DomainName

    +

    g:DomainName

    Character string

    Domain name

    g:MFAPresent

    +

    g:MFAPresent

    Boolean

    Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent.

    g:ProjectName

    +

    g:ProjectName

    Character string

    Project name

    g:ServiceName

    +

    g:ServiceName

    Character string

    User ID

    g:UserName

    +

    g:UserName

    Character string

    Set by user

    If you are the administrator setting the password for user Franklin, select this option and enter an email address and a mobile number. User Franklin can then set a password by clicking on the one-time login URL sent over email.

    +

    If you are the administrator setting the password for user Franklin, select this option and enter an email address and a mobile number. User Franklin can then set a password by clicking the one-time login URL sent over email.

    Automatically generated

diff --git a/docs/iam/umn/iam_01_0031.html b/docs/iam/umn/iam_01_0031.html
index adb716518..aa1decf15 100644
--- a/docs/iam/umn/iam_01_0031.html
+++ b/docs/iam/umn/iam_01_0031.html
@@ -45,9 +45,9 @@

    --

    --

    +

    --

    If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.

    +

    If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.

    Management console access

    @@ -56,9 +56,9 @@

    Console Password

    Set by user

    +

    Set by user

    If you are the administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can set a password by clicking on the one-time login URL sent over email.

    +

    If you are the administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can set a password by clicking on the one-time login URL sent over email.

    Automatically generated

    @@ -69,7 +69,7 @@

    Set now

    Select this option if you are the user. Then, set a password for login.

    -
    NOTE:
    The password must meet the following requirements:
    • Must contain 6 to 32 characters.
    • Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and spaces or other special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\=).
    • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
    • Cannot contain the user's mobile number or email address.
    +
    NOTE:
    The password must meet the following requirements:
    • Must contain 6 to 32 characters.
    • Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\= and spaces).
    • Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
    • Cannot contain the user's mobile number or email address.
    + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Remarks

    +

    Username

    +

    Username of federated users to be displayed in the cloud system

    +

    To distinguish federated users from users of the cloud system, it is recommended that you set the username to "FederationUser-IdP_XXX". IdP indicates an identity provider name, for example, AD FS and Shibboleth. XXX indicates a custom name.

    +

    You can also set the federated username to a simple expression, for example, FederationUser-IdP_{email}. After the rule is created successfully, {email} is automatically replaced with the email address of each federated user.

    +
    NOTICE:

    Each federated username must be unique under your account. Identical usernames under one or more identity providers of the same account will be identified as the same federated user in the cloud system.

    +
    +

    User Group

    +

    User groups to which the federated users will belong in the cloud system

    +

    Federated users will inherit permissions from the groups to which they belong.

    +

    Rule Conditions

    +

    Conditions that a federated user must meet to obtain permissions from the selected user groups

    +

    Federated users who do not meet these conditions cannot access the cloud system. You can create a maximum of 10 conditions for an identity conversion rule.

    +
    NOTE:
    • An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
    • An identity provider can have multiple identity conversion rules. If a federated user does not meet any of the rules, the user will not be allowed to access the cloud system.
    +
    +
    +
    +

    For example, set an identity conversion rule for enterprise administrators.

    + +
  • In the Create Rule area, click OK.
  • On the Modify Identity Provider page, click OK.
  • +
  • Editing a Rule
    1. Log in to the cloud system as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.
    2. In the identity provider list, click Modify in the row containing the identity provider.
    3. In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.
    4. Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.
    5. Click Validate to verify the syntax of the rule.
    6. If the rule is correct, click OK in the Edit Rule dialog box. Then click OK on the Modify Identity Provider page.

      If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.

      +
    +
  • +
    + +
    + +
+
diff --git a/docs/iam/umn/iam_08_0009.html b/docs/iam/umn/iam_08_0009.html
new file mode 100644
index 000000000..68e28a64a
--- /dev/null
+++ b/docs/iam/umn/iam_08_0009.html
@@ -0,0 +1,116 @@
+ + +

    Step 1: Create an Identity Provider

    +

    To establish a trust relationship between an enterprise identity provider and the cloud system, create an identity provider and configure authorization information on the IAM console, and set the user redirect URLs and create OAuth 2.0 credentials in the enterprise identity provider.

    +

    Prerequisites

    As an enterprise administrator, you have registered an account in the cloud system and created user groups and granted them permissions in IAM.

    +

    The user groups created in IAM will be used to assign permissions to identity provider users mapped to the cloud system.

    +
    +
    +

    Creating OAuth 2.0 Credentials in the Enterprise Identity Provider

    1. The enterprise IdP redirects users to an OpenID Connect identity provider on the cloud platform through a browser. In the IdP system, set the redirect URLs to the following:

      https://auth.otc.t-systems.com/authui/oidc/redirect and https://auth.otc.t-systems.com/authui/oidc/post

      +

    2. Obtain OAuth 2.0 credentials (see Table 2) of the enterprise IdP. For details, see the documentation of your enterprise IdP.
    +
    +

    Creating an Identity Provider

    Create an identity provider and configure authorization information in IAM.

    +
    1. Log in to the IAM console, and choose Identity Providers from the navigation pane. Then click Create Identity Provider.
    2. Enter an identity provider name, select OpenID Connect and Enabled, and click OK.

      The identity provider name must be unique under your account.

      +
      +

    +
    +

    Configuring Authorization Information

    1. Click Modify in the Operation column of the row containing the identity provider you want to modify.
    2. Select an access type.

      +

      + + + + + + + + + + +
      Table 1 Access type

      Access Type

      +

      Description

      +

      Programmatic access and management console access

      +
      • Programmatic access: Federated users can obtain a token for the cloud system by using an ID token and then use development tools (including APIs, CLI, and SDKs) that support token authentication to access the cloud system.
      • Management console access: Federated users can log in to the management console by using their own usernames and passwords.

        Select this access type if you want to access the cloud system using SSO.

        +
      +

      Programmatic access

      +

      Federated users can only obtain a token for the cloud system by using an ID token and then use development tools (including APIs, CLI, and SDKs) that support token authentication to access the cloud system.

      +
      +
      +

    3. Specify the configuration information.

      +

      + + + + + + + + + + + + + + + + + + + + + + + + + +
      Table 2 Configuration information

      Parameter

      +

      Description

      +

      Identity Provider URL

      +

      URL of the OpenID Connect identity provider.

      +

      Specify this parameter as the value of issuer in the Openid-configuration.

      +
      NOTE:

      Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise identity provider. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise identity provider.

      +

      For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration. Therefore, the identity provider URL is https://accounts.google.com.

      +
      +

      Client ID

      +

      ID of a client registered with the OpenID Connect identity provider. that is, an OAuth 2.0 credential created in the enterprise identity provider.

      +

      Authorization Endpoint

      +

      Authorization endpoint of the OpenID Connect identity provider. Specify this parameter as the value of authorization_endpoint in the Openid-configuration.

      +

      This parameter is required only if you set Access Type to Programmatic access and management console access.

      +

      Scopes

      +

      Scopes of authorization requests. openid is selected by default.

      +

      This parameter is required only if you set Access Type to Programmatic access and management console access.

      +

      Enumerated values:

      +
      • openid
      • email
      • profile
      +

      Response Type

      +

      Response type of authorization requests. The default value is id_token.

      +

      This parameter is required only if you set Access Type to Programmatic access and management console access.

      +

      Response Mode

      +

      Response mode of authorization requests. The options include form_post and fragment. form_post is recommended.

      +
      • form_post: If this mode is selected, set the redirect URL to http://auth.example.com/authul/oidc/post in the enterprise identity provider.
      • fragment: If this mode is selected, set the redirect URL to https://auth.example.com/authui/oidc/redirect in the enterprise identity provider.
      +

      This parameter is required only if you set Access Type to Programmatic access and management console access.

      +

      Signing Key

      +

      Public key used to sign the ID token of the OpenID Connect identity provider. For example: NqMhxWVZf2PcPQRc6aBlpd3k...

      +
      NOTE:

      For account security purposes, change the signing key periodically.

      +
      +
      +
      +

    4. Click OK.
    +
    +

    Logging In as a Federated User

    1. Click the login link displayed on the identity provider details page to check if the login page of the IdP server is displayed.

      1. On the Identity Providers page, click View in the Operation column of the identity provider.
      2. Copy the login link displayed on the identity provider details page and visit the link using a browser.
      3. If the identity provider login page is not displayed, check the configurations of the identity provider and the identity provider server.
      +

    2. Enter the username and password of a user that was created in the enterprise management system.

      • If the login is successful, add the login link to the enterprise's official website.
      • If the login fails, check the username and password.
      +

      Federated users only have read permissions for the cloud system by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.

      +
      +

    +
    +

    Related Operations

    +
    +

    Follow-Up Procedure

    +
    +
    +
    + +
    +
diff --git a/docs/iam/umn/iam_08_0010.html b/docs/iam/umn/iam_08_0010.html
new file mode 100644
index 000000000..df38a56ab
--- /dev/null
+++ b/docs/iam/umn/iam_08_0010.html
@@ -0,0 +1,35 @@
+ + +

    OpenID Connect–based Federated Identity Authentication

    +

    This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise identity provider and the cloud system.

    +

    Configuring Federated Identity Authentication

    To implement federated identity authentication between an identity provider and the cloud system, complete the following configuration:

    +
    1. Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise identity provider, and create an identity provider in the cloud system.
    2. Configure identity conversion rules: Map the users, user groups, and permissions in the identity provider to the cloud system.
    3. Configure a login link: Configure a login link in the enterprise management system to allow users to access the cloud system through SSO.
    +
    +

    Process of Federated Identity Authentication

    Figure 1 shows the interaction between an identity provider and the cloud system after a user initiates an SSO request.

    +
    Figure 1 Process of federated identity authentication
    +

    As shown in the preceding figure, the process of federated identity authentication is as follows:

    +
    1. A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to the cloud system.
    2. The cloud system searches for identity provider configurations based on the login link, and sends an OpenID Connect authorization request to the browser.
    3. The browser forwards the authorization request to the enterprise identity provider.
    4. The user enters their username and password on the login page displayed in the identity provider system. After the identity provider authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
    5. The browser responds and forwards the authorization response to the cloud system.
    6. The cloud system parses the ID token in the authorization response, and issues a token to the user after identifying the group the user is mapped to, according to the configured identity conversion rules.
    7. If the login is successful, the user accesses the cloud system successfully.
    +
    +
    +
    + + + +
    + + +
\ No newline at end of file
diff --git a/docs/iam/umn/public_sys-resources/icon-arrowdn.gif b/docs/iam/umn/public_sys-resources/icon-arrowdn.gif
index 84eec9be2..379428032 100644
Binary files a/docs/iam/umn/public_sys-resources/icon-arrowdn.gif and b/docs/iam/umn/public_sys-resources/icon-arrowdn.gif differ
diff --git a/docs/iam/umn/public_sys-resources/icon-arrowrt.gif b/docs/iam/umn/public_sys-resources/icon-arrowrt.gif
index 39583d168..6aaaa11c2 100644
Binary files a/docs/iam/umn/public_sys-resources/icon-arrowrt.gif and b/docs/iam/umn/public_sys-resources/icon-arrowrt.gif differ
diff --git a/docs/iam/umn/public_sys-resources/imageclose.gif b/docs/iam/umn/public_sys-resources/imageclose.gif
new file mode 100644
index 000000000..3a3344af4
Binary files /dev/null and b/docs/iam/umn/public_sys-resources/imageclose.gif differ
diff --git a/docs/iam/umn/public_sys-resources/imageclosehover.gif b/docs/iam/umn/public_sys-resources/imageclosehover.gif
new file mode 100644
index 000000000..8699d5e36
Binary files /dev/null and b/docs/iam/umn/public_sys-resources/imageclosehover.gif differ
diff --git a/docs/iam/umn/public_sys-resources/imagemax.gif b/docs/iam/umn/public_sys-resources/imagemax.gif
new file mode 100644
index 000000000..99c07dc25
Binary files /dev/null and b/docs/iam/umn/public_sys-resources/imagemax.gif differ
diff --git a/docs/iam/umn/public_sys-resources/imagemaxhover.gif b/docs/iam/umn/public_sys-resources/imagemaxhover.gif
new file mode 100644
index 000000000..d01d77d6e
Binary files /dev/null and b/docs/iam/umn/public_sys-resources/imagemaxhover.gif differ
diff --git a/docs/iam/umn/public_sys-resources/macFFBgHack.png b/docs/iam/umn/public_sys-resources/macFFBgHack.png
new file mode 100644
index 000000000..ec811470c
Binary files /dev/null and b/docs/iam/umn/public_sys-resources/macFFBgHack.png differ