Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: weihongmin1 <weihongmin1@huawei.com> Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
<a name="iam_01_0063"></a>
<h1 class="topictitle1">Assigning Agency Permissions to an IAM User</h1>
<div id="body1484205204048"><p id="iam_01_0063__en-us_topic_0170090700_p1990517262426">When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the <strong id="iam_01_0063__en-us_topic_0170090700_b8832448546">admin</strong> group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.</p>
<p id="iam_01_0063__en-us_topic_0170090700_p113724394279">You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.</p>
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section8625973163627"><h4 class="sectiontitle">Prerequisites</h4><ul id="iam_01_0063__en-us_topic_0170090700_ul29219768113237"><li id="iam_01_0063__en-us_topic_0170090700_li6222311493312">A trust relationship has been established between another account and your account.</li><li id="iam_01_0063__en-us_topic_0170090700_li55189331113237">You have obtained the name of the delegating account and the name and ID of the created agency.</li></ul>
</div>
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section126738501115"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0063__en-us_topic_0170090700_ol12911218193512"><li id="iam_01_0063__en-us_topic_0170090700_li135311310144613"><a name="iam_01_0063__en-us_topic_0170090700_li135311310144613"></a><a name="en-us_topic_0170090700_li135311310144613"></a><span>Create a user group and grant permissions to it.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol185478381413"><li id="iam_01_0063__en-us_topic_0170090700_lbf179c35bf344bd6880e02f7987e3646">On the <strong id="iam_01_0063__en-us_topic_0170090700_a77708ffee09d4381b4dfc8f4ee4a58fe">User Groups</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611269_b362570492353">Create User Group</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lc5c9922fb20841fab6f29ae09468afcc">Enter a user group name.</li><li id="iam_01_0063__en-us_topic_0170090700_lb24e36a0bdae42dba9d4aecca47a38b6">Click <strong id="iam_01_0063__en-us_topic_0170090700_b89714992012">OK</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0111879498_li2918054318">In the row containing the user group, click <strong id="iam_01_0063__en-us_topic_0170090700_b18676718616">Authorize</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li7818855162215">Create a custom policy.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note1936081162414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p336012115247">This step creates a policy that contains the permissions required to manage resources for one specific agency. If you want to authorize an IAM user to manage resources for all agencies, skip this step and go to step <a href="#iam_01_0063__en-us_topic_0170090700_li027318403345">6</a>.</p>
</div></div>
<ol class="substepthirdol" id="iam_01_0063__en-us_topic_0170090700_ol441072882414"><li id="iam_01_0063__en-us_topic_0170090700_li541082814245">On the <strong id="iam_01_0063__en-us_topic_0170090700_b15655103525214">Select Policy/Role</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_b035264217521">Create Policy</strong> in the upper right corner of the permission list.</li><li id="iam_01_0063__en-us_topic_0170090700_li24106288249">Enter a policy name.</li><li id="iam_01_0063__en-us_topic_0170090700_li10410528122413">Select <strong id="iam_01_0063__en-us_topic_0170090700_b19217161175316">JSON</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b1121712117538">Policy View</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li134101228182419">In the <span class="parmname" id="iam_01_0063__en-us_topic_0170090700_parmname1099651564"><b>Policy Content</b></span> area, enter the following content:<pre class="screen" id="iam_01_0063__en-us_topic_0170090700_screen7410102852411">{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "iam:tokens:assume"
            ],
            "Resource": {
                "uri": [
                    "/iam/agencies/agencyTest"
                ]
            },
            "Effect": "Allow"
        }
    ]
}</pre>
|
|
<div class="note" id="iam_01_0063__en-us_topic_0170090700_note14410928162419"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0063__en-us_topic_0170090700_ul1241020281240"><li id="iam_01_0063__en-us_topic_0170090700_li741015282242">Replace <strong id="iam_01_0063__en-us_topic_0170090700_b585112403616">agencyTest</strong> with the agency name obtained from the delegating party. Copy the other content without making any changes.</li><li id="iam_01_0063__en-us_topic_0170090700_li15410328112415">For more information about permissions, see <a href="iam_01_0015.html">Permissions</a>.</li></ul>
</div></div>
</li><li id="iam_01_0063__en-us_topic_0170090700_li44101728132415">Click <strong id="iam_01_0063__en-us_topic_0170090700_b684191413531">Next</strong>.</li></ol>
</li><li id="iam_01_0063__en-us_topic_0170090700_li027318403345"><a name="iam_01_0063__en-us_topic_0170090700_li027318403345"></a><a name="en-us_topic_0170090700_li027318403345"></a>Select the policy created in the previous step or the <span class="parmvalue" id="iam_01_0063__en-us_topic_0170090700_parmvalue58281727155316"><b>Agent Operator</b></span> role and click <strong id="iam_01_0063__en-us_topic_0170090700_b12369931155519">Next</strong>.<ul id="iam_01_0063__en-us_topic_0170090700_ul420813653713"><li id="iam_01_0063__en-us_topic_0170090700_li14514154073710">Custom policy: Allows a user to manage resources only for an agency identified by a specific ID.</li><li id="iam_01_0063__en-us_topic_0170090700_li451415401377"><strong id="iam_01_0063__en-us_topic_0170090700_b73021448105510">Agent Operator</strong> role: Allows a user to manage resources for all agencies.</li></ul>
</li><li id="iam_01_0063__en-us_topic_0170090700_li2784645193516">Specify the authorization scope.</li><li id="iam_01_0063__en-us_topic_0170090700_lf9efb0c8fbcf4319876dfb166db82d93">Click <strong id="iam_01_0063__en-us_topic_0170090700_b1736119357239">OK</strong>.</li></ol>
</p></li><li id="iam_01_0063__en-us_topic_0170090700_li695863494610"><span>Create an IAM user and add the user to the user group.</span><p><ol type="a" id="iam_01_0063__en-us_topic_0170090700_ol1973131318477"><li id="iam_01_0063__en-us_topic_0170090700_en-us_topic_0046611303_li19845579">On the <strong id="iam_01_0063__en-us_topic_0170090700_a806108f280b94df388a55abcd07ffd75">Users</strong> page, click <strong id="iam_01_0063__en-us_topic_0170090700_a5e6c8cf39bbc4493a122994663de10ea">Create User</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_leff3e1e7fed4402aa331ea7848149a5d">On the <strong id="iam_01_0063__en-us_topic_0170090700_b16514132925511">Create User</strong> page, enter a username.</li><li id="iam_01_0063__en-us_topic_0170090700_l325822f9287240eb9847d7175bcc7196">Select <strong id="iam_01_0063__en-us_topic_0170090700_b1236755731016">Management console access</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b01597117574">Access Type</strong> and then select <strong id="iam_01_0063__en-us_topic_0170090700_b132081954191018">Set by user</strong> for <strong id="iam_01_0063__en-us_topic_0170090700_b136131148165610">Credential Type</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_li179817611281">Enable login protection and click <strong id="iam_01_0063__en-us_topic_0170090700_b82544931311">Next</strong>.</li><li id="iam_01_0063__en-us_topic_0170090700_lae070020d47a4845b25fd84d72d5e582">Select the user group created in step <a href="#iam_01_0063__en-us_topic_0170090700_li135311310144613">1</a> and click <strong id="iam_01_0063__en-us_topic_0170090700_b41421028165815">Create</strong>.<div class="note" id="iam_01_0063__en-us_topic_0170090700_note6447104555618"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0063__en-us_topic_0170090700_p171308275572">After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.</p>
</div></div>
</li></ol>
</p></li></ol>
</div>
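<p>The custom policy in the procedure above grants <code>iam:tokens:assume</code> on one agency URI only, whereas the <strong>Agent Operator</strong> role reaches every agency. The following Python is an added example, not part of this documentation or of the IAM service: it builds that policy for a given agency name and audits a policy document to report which agencies it allows assuming and whether any Allow statement is left unscoped. The sample policy strings, the agency-name character check and the generalised <code>/iam/agencies/&lt;name&gt;</code> URI pattern are this example's assumptions.</p>

```python
import json
import re

# Constructed sample policies for this example (not from the page's own tooling).
# SCOPED mirrors the procedure's custom policy: assume allowed for one named agency.
SCOPED_POLICY = """{"Version": "1.1", "Statement": [
  {"Action": ["iam:tokens:assume"],
   "Resource": {"uri": ["/iam/agencies/agencyTest"]}, "Effect": "Allow"}]}"""
# UNSCOPED drops the Resource block, so the grant is not limited to one agency.
UNSCOPED_POLICY = """{"Version": "1.1", "Statement": [
  {"Action": ["iam:tokens:assume"], "Effect": "Allow"}]}"""

AGENCY_URI = re.compile(r"^/iam/agencies/([^/*]+)$")  # one concrete agency, no wildcard


def build_agency_policy(agency_name: str) -> dict:
    """Build the procedure's custom policy for agency_name.
    The character check is this example's assumption, not a documented IAM rule."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", agency_name):
        raise ValueError(f"unexpected agency name: {agency_name!r}")
    return {"Version": "1.1", "Statement": [{
        "Action": ["iam:tokens:assume"],
        "Resource": {"uri": [f"/iam/agencies/{agency_name}"]},
        "Effect": "Allow"}]}


def assume_scope(policy) -> dict:
    """Report which agencies a policy (JSON text or dict) lets the holder assume.
    'unscoped' is True when an Allow of iam:tokens:assume names no concrete agency
    (missing Resource, or a URI outside /iam/agencies/<name>). Action wildcards
    such as "iam:*" are not expanded here."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    agencies, unscoped = set(), False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "iam:tokens:assume" not in actions:
            continue
        resource = stmt.get("Resource")
        uris = resource.get("uri", []) if isinstance(resource, dict) else []
        if not uris:
            unscoped = True
        for uri in uris:
            match = AGENCY_URI.match(uri)
            if match:
                agencies.add(match.group(1))
            else:
                unscoped = True
    return {"agencies": sorted(agencies), "unscoped": unscoped}
```

Running <code>assume_scope</code> over the policies attached to a user group before clicking <strong>OK</strong> shows at a glance whether the group is limited to the intended agency or effectively has Agent Operator reach.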
<div class="section" id="iam_01_0063__en-us_topic_0170090700_section118851627142810"><h4 class="sectiontitle">Related Operations</h4><p id="iam_01_0063__en-us_topic_0170090700_p14370115122913">The delegated account or the authorized IAM users can <a href="en-us_topic_0046613148.html#en-us_topic_0046613148">switch their roles</a> to the delegating account to view and use its resources.</p>
</div>
</div>