Multi-user access control helps users manage access rights to resources under a cloud account. It lets an enterprise give different staff, in different roles, different rights to use products. If multiple users in your enterprise work on shared resources, multi-user access control is recommended.
It is applicable to the following use scenarios:
Medium and large enterprise customers: authorization management for multiple employees in the company;
Technical vendor or SaaS platform provider: manage resources and permissions on behalf of customers;
Small and medium-sized developers or small enterprises: add project members or collaborators for resource management.
Create User
After the main account user logs in, select "Multi user Access Control" on the console to enter the user management page.
Click "User Management" on the left navigation bar, and click "New User" on the "Sub user Management List" page.
In the pop-up "New User" dialog box, fill in the "User Name" and confirm. The sub user just created then appears in the "Sub user Management List" area.
Configure Policy
EIP supports system policies and user-defined policies, which implement EIP product-level and instance-level permission control respectively.
System policy: a permission set predefined by Baidu Intelligent Cloud for resource management. This kind of policy can be granted directly to sub users; users can use it but cannot modify it.
User-defined policy: a more fine-grained permission set that users create themselves for managing resources. It can grant permissions on a single instance, which makes it more flexible for giving different users different permissions.
Note:
EIP includes several sub-products, and the permissions of each sub-product fall into three categories: read-only, operation and maintenance, and management.
For each product, the operation and maintenance permissions completely cover the read-only permissions, and the management permissions completely cover both the read-only and the operation and maintenance permissions. The following table only shows the parts of superior permissions that are different from subordinate permissions.
Because a custom policy is granted on specific instances and takes effect only on those instances, a custom policy does not include permission to create instances.
Scope of authority
The corresponding relationship between the name of each product system policy and the three-level permissions is as follows:
| Product | Read-only permissions | Operation and maintenance permissions | Management permissions |
|---|---|---|---|
| EIP | EipReadOnlyAccessPolicy | EipOperateAccessPolicy | EIPFullControlPolicy |
| EIP_BP | EIP_BPReadOnlyAccessPolicy | EIP_BPOperateAccessPolicy | EIP_BPFullControlPolicy |
| EIPGROUP | EipGroupReadOnlyAccessPolicy | EipGroupOperateAccessPolicy | EIPGROUPFullControlPolicy |
| TBSP | TBSPReadAccessPolicy | TBSPOperateAccessPolicy | TBSPFullControlAccessPolicy |
The policy authority range of each product is detailed as follows:
Query instance list, view instance details, modify shared bandwidth name and description, monitor, alarm, create shared bandwidth, release shared bandwidth, bandwidth adjustment, IP number upgrade, billing change, and cancel billing change
Bandwidth packet (EIP_BP)
Read-only: Query instance list and view instance details
Operation and maintenance: Query the instance list, view the instance details, and modify the bandwidth package name
Management: Query instance list, view instance details, modify bandwidth packet name and description, create bandwidth packet, release bandwidth packet, and adjust bandwidth
Traffic Burst Service Pack (TBSP)
Read-only: Query instance list and view instance details
Operation and maintenance: Query instance list, view instance details, modify service package name and description, and add protection IP
Management: Query instance list, view instance details, modify service package name and description, add protection IP, upgrade capacity, and release service package
User authorization
On the "User Management -> Sub user" management list page, select "Edit Permission" in the "Operation" column of the corresponding sub user, then select system permissions or user-defined policies to authorize the user.
Note: If you want to change the permissions of a sub user without modifying the existing policy rules, you can only delete the existing policy and add a new policy. You cannot uncheck policy permissions that have already been added.
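The following added example (not code from Baidu Intelligent Cloud) shows one way to pick the lowest system policy that covers a sub user's tasks and to review existing grants against it, using the EIP_BP and TBSP policy names and permission ranges listed under "Scope of authority". The action label strings, function names and sample sub users are assumptions made for illustration.

```python
# Added example (not Baidu's code). Policy names and action lists are copied
# from the tables above; action label strings and function names are assumptions.

# Per product, lowest level first: (system policy, actions added at that level).
# Each level also covers every level below it, as the page states.
POLICIES = {
    "EIP_BP": [
        ("EIP_BPReadOnlyAccessPolicy", {"query instance list", "view instance details"}),
        ("EIP_BPOperateAccessPolicy", {"modify name"}),
        ("EIP_BPFullControlPolicy", {"modify description", "create", "release", "adjust bandwidth"}),
    ],
    "TBSP": [
        ("TBSPReadAccessPolicy", {"query instance list", "view instance details"}),
        ("TBSPOperateAccessPolicy", {"modify name", "modify description", "add protection IP"}),
        ("TBSPFullControlAccessPolicy", {"upgrade capacity", "release"}),
    ],
}

def least_privilege_policy(product, needed):
    """Return the lowest-level system policy covering `needed`, else None."""
    covered = set()
    for name, added in POLICIES[product]:
        covered |= added
        if set(needed) <= covered:
            return name
    return None

def audit(assignments):
    """Compare each sub user's granted policy with the minimum their tasks need."""
    findings = []
    for user, product, granted, needed in assignments:
        order = [name for name, _ in POLICIES[product]]
        minimal = least_privilege_policy(product, needed)
        if minimal is None:
            findings.append((user, "no system policy covers the requested actions"))
        elif order.index(granted) > order.index(minimal):
            findings.append((user, "over-privileged: " + minimal + " is sufficient"))
        elif order.index(granted) < order.index(minimal):
            findings.append((user, "under-privileged: needs " + minimal))
    return findings

# Constructed sample: (sub user, product, granted policy, actions the role needs).
SAMPLE_ASSIGNMENTS = [
    ("billing-viewer", "EIP_BP", "EIP_BPFullControlPolicy", ["view instance details"]),
    ("netops", "TBSP", "TBSPOperateAccessPolicy", ["add protection IP", "modify name"]),
    ("oncall", "TBSP", "TBSPReadAccessPolicy", ["upgrade capacity"]),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ASSIGNMENTS):
        print(user, "->", finding)
```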
Sub user login
After the primary account finishes authorizing the sub user, it can send the link to the sub user. Sub users can log in to the management console of the main account through the IAM user login link, and operate and view the main account resources according to the authorized policies.