doc-exports/docs/iam/umn/en-us_topic_0046611269.html

<a name="en-us_topic_0046611269"></a><a name="en-us_topic_0046611269"></a>

<h1 class="topictitle1">Creating a User Group and Assigning Permissions</h1>
<div id="body42302050"><p id="en-us_topic_0046611269__p53984193165620">You can plan user groups based on user responsibilities and grant the required permissions to the user groups. Users inherit permissions from the user groups to which they belong.</p>
<div class="section" id="en-us_topic_0046611269__section30804749"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046611269__o025a4cf6ce6648bba2ce47207fa01037"><li id="en-us_topic_0046611269__lc08cd25179a54f4f92db62fcf9afdf49"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0046611269__uicontrol1092519519453"><b>User Groups</b></span>.</span></li><li id="en-us_topic_0046611269__lbdf5d121c2ac4d20b03354ca18e14647"><span>On the <strong id="en-us_topic_0046611269__en-us_topic_0046611269_b2385397092151">User Groups</strong> page, click <strong id="en-us_topic_0046611269__en-us_topic_0046611269_b362570492353">Create User Group</strong>.</span></li><li id="en-us_topic_0046611269__l339bc6f533a94445b1e9211f8c5f234c"><span>Enter a user group name.</span></li><li id="en-us_topic_0046611269__l97e2ee9e0c904c658edc5adca5716ef9"><span>(Optional) Enter a description for the user group.</span><p><div class="note" id="en-us_topic_0046611269__note11678786105823"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046611269__p348815281144">To enable users to directly view their permissions, set a description for the user group. For example, if you assign the <strong id="en-us_topic_0046611269__b449778452">Security Administrator</strong> role to a user group, you can set any description in the <strong id="en-us_topic_0046611269__b145034817517">Description</strong> text box. For example: <strong id="en-us_topic_0046611269__b350318816517">Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users.</strong> For details about the permissions for all cloud services, see <a href="https://docs.otc.t-systems.com/additional/permissions.html" target="_blank" rel="noopener noreferrer">Permissions</a>.</p>
</div></div>
</p></li><li id="en-us_topic_0046611269__la3352beb5df44860b8f7ed621884e09f"><span>Click <span class="uicontrol" id="en-us_topic_0046611269__uicontrol835913281425"><b>OK</b></span>.</span><p><p id="en-us_topic_0046611269__ae95b4587c0894d58bad84b876a8ee99d">The user group is displayed in the user group list.</p>
</p></li><li id="en-us_topic_0046611269__en-us_topic_0111879498_li2918054318"><span>In the row containing the user group, click <strong id="en-us_topic_0046611269__b18588864173">Authorize</strong> in the <strong id="en-us_topic_0046611269__b5320131414170">Operation</strong> column.</span></li><li id="en-us_topic_0046611269__li5217237183211"><span>On the <strong id="en-us_topic_0046611269__b20950191771811">Authorize User Group</strong> page, select the permissions to be assigned to the user group.</span><p><p id="en-us_topic_0046611269__p14614448153414">If the system-defined policies do not meet your requirements, you can click <strong id="en-us_topic_0046611269__b202021780193">Create Policy</strong> in the upper right to create custom policies for fine-grained permissions control. For details, see <a href="iam_01_0016.html">Creating a Custom Policy</a>.</p>
<div class="fignone" id="en-us_topic_0046611269__fig41851951835"><span class="figcap"><b>Figure 1 </b>Selecting permissions</span><br><span><img id="en-us_topic_0046611269__image181852512316" src="en-us_image_0000001656493417.png" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="en-us_topic_0046611269__li1444519351044"><span>Click <strong id="en-us_topic_0046611269__b196303152112">Next</strong>.</span></li><li id="en-us_topic_0046611269__li18217237103214"><span>Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. <a href="#en-us_topic_0046611269__table13959113218281">Table 1</a> describes all the authorization scopes provided by IAM.</span><p>
<div class="tablenoborder"><a name="en-us_topic_0046611269__table13959113218281"></a><a name="table13959113218281"></a><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046611269__table13959113218281" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Authorization scopes</caption><thead align="left"><tr id="en-us_topic_0046611269__row119591322288"><th align="left" class="cellrowborder" valign="top" width="14.01%" id="mcps1.3.2.2.9.2.1.2.3.1.1"><p id="en-us_topic_0046611269__p11958133215282">Scope</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="85.99%" id="mcps1.3.2.2.9.2.1.2.3.1.2"><p id="en-us_topic_0046611269__p99581326288">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0046611269__row1959113212281"><td class="cellrowborder" valign="top" width="14.01%" headers="mcps1.3.2.2.9.2.1.2.3.1.1 "><p id="en-us_topic_0046611269__p13959332102812">All resources</p>
</td>
<td class="cellrowborder" valign="top" width="85.99%" headers="mcps1.3.2.2.9.2.1.2.3.1.2 "><p id="en-us_topic_0046611269__p09591732112810">IAM users can use the resources in all region-specific projects and the global services in your account based on the assigned permissions.</p>
</td>
</tr>
<tr id="en-us_topic_0046611269__row17959532122817"><td class="cellrowborder" valign="top" width="14.01%" headers="mcps1.3.2.2.9.2.1.2.3.1.1 "><p id="en-us_topic_0046611269__p795933213283">Region-specific projects</p>
</td>
<td class="cellrowborder" valign="top" width="85.99%" headers="mcps1.3.2.2.9.2.1.2.3.1.2 "><p id="en-us_topic_0046611269__p16959133210288">IAM users can use the resources in the region-specific projects you select based on the assigned permissions.</p>
<p id="en-us_topic_0046611269__p99591532182820">If some of the selected permissions belong to global services, the system automatically sets the authorization scope of these permissions to <strong id="en-us_topic_0046611269__b1169134514239">All resources</strong>. Selected permissions for project-level services will apply to the region-specific projects you select.</p>
</td>
</tr>
<tr id="en-us_topic_0046611269__row1395916328285"><td class="cellrowborder" valign="top" width="14.01%" headers="mcps1.3.2.2.9.2.1.2.3.1.1 "><p id="en-us_topic_0046611269__p69596322285">Global services</p>
</td>
<td class="cellrowborder" valign="top" width="85.99%" headers="mcps1.3.2.2.9.2.1.2.3.1.2 "><p id="en-us_topic_0046611269__p59597324289">IAM users can use global services based on the assigned permissions. Global services are deployed with no physical regions specified. IAM users do not need to specify a region when accessing these services, such as Object Storage Service (OBS) and Content Delivery Network (CDN).</p>
<p id="en-us_topic_0046611269__p16959203222811">If some of the selected permissions belong to project-level services, the system automatically sets the authorization scope of these permissions to <strong id="en-us_topic_0046611269__b893251272518">All resources</strong>. Selected permissions for global services will apply to the global services.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="en-us_topic_0046611269__li152884118264"><span>Click <strong id="en-us_topic_0046611269__b69316148253">OK</strong>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0655.html">User Groups and Authorization</a></div>
</div>
</div>


<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>