A company has three functional teams, including the management (admin group), development, and test teams. After the company administrator creates an account, the default group admin is automatically generated and has full permissions for all cloud services. The administrator only needs to create another two groups in IAM for the development and test teams, respectively.
Creating User Groups
Assigning Permissions to User Groups
Developers in the company need to use ECS, RDS, ELB, VPC, EVS, and OBS, so the administrator needs to assign the required permissions to the Developers group to enable access to these services. Testers in this company need to use APM, so the administrator needs to assign the required permissions to the Testers group to enable access to the service. After permissions are assigned, users in the two groups can access the corresponding services. For details about the permissions of all cloud services, see "Permissions".
- Determine the permissions policies to be attached to each user group.
Determine the policies (see Table 1). Regions are geographic areas where services are deployed. If a project-level service policy is attached to a user group for a project in a specific region, the policy takes effect only for that project.
Table 1 Required permissions policies User Group
Cloud Service
Region
Policy or Role
Developers
ECS
Specific regions
ECS Admin
RDS
Specific regions
RDS Admin
ELB
Specific regions
ELB Admin
VPC
Specific regions
VPC Administrator
EVS
Specific regions
EVS Admin
OBS
Global
OBS Buckets Viewer
Testers
APM
Specific regions
APM Admin
- In the user group list, click Authorize in the row containing the user group Developers.
Figure 3 Authorizing a user group
- Assign permissions to the user group for region-specific projects.
- All the services in Table 1 except OBS are deployed in specific projects. Select desired permissions for project-level services and click Next.
- Specify the scope as Region-specific projects, select an authorized region, and click OK.
Then users in the Developers group can access the specified project-level services in authorized regions but do not have permissions to access the services in other regions.
- Assign permissions to the user group for the global service project.
- Select OBS Buckets Viewer and click Next.
- Specify the scope as Global service project and click OK.
- Repeat steps 2 to 5 to attach the APM Admin role to the Testers group.
- Creating User Groups
- Assigning Permissions to User Groups