When using the IAM service, common basic concepts include: Account, IAM User, Relationship Between Account and IAM User, User Group, Credentials, Authorization, Permission, Project, Delegation, and Identity Credentials.
Account
The account you registered when first using eSurfing Cloud serves as the entity for resource ownership and usage billing. It has full access to all owned resources and cloud services, enabling operations such as resetting user passwords and assigning user permissions.
The account cannot be modified or deleted in IAM. You may update account information in the Personal Center on the eSurfing Cloud official website. If you need to delete the account, you can cancel it in the Personal Center.
IAM User
IAM users are created by an account within IAM and typically represent the personnel who operate specific cloud services. They possess independent credentials (passwords and access keys) and use resources based on the permissions granted by the account.
If you forget an IAM user's login password, you can reset it via eSurfing Cloud's official website under Personal Center > IAM > User.
Relationship Between Accounts and IAM Users
The account and IAM users can be compared to a parent-child relationship. The account is the entity responsible for resource ownership and billing, possessing full permissions over its resources. IAM users are created by the account and can only have the resource usage permissions granted by the account. The account can modify or revoke the usage permissions of IAM users at any time.
Figure: Account and IAM Users
Authorization
Authorization is the process of granting IAM users the necessary permissions to perform specific tasks. It takes effect by defining permission policies. By assigning policies (including system policies and custom policies) to user groups, users within those groups gain the permissions specified in the policies—this entire process is called authorization. Once users obtain permissions for specific cloud services, they can perform operations on those services. For example, they can manage ECS resources within your account.
Figure: Authorization
User Group
A user group is a collection of users. IAM leverages user groups to grant permissions to users. The IAM users you create must join specific user groups to obtain corresponding permissions; otherwise, they cannot access any resources or cloud services in your account. When a user joins multiple user groups, they will possess the permissions of all those groups—effectively the union of permissions across all assigned user groups.
The admin group is a system-default user group with operation permissions for all eSurfing Cloud service resources. After an IAM user is added to this group, that user can operate and use all cloud resources, including but not limited to creating user groups and users, modifying user group permissions, and managing resources.
Figure: User Groups and Users
Permissions
If you only grant an IAM user permissions for ECS, that IAM user will not be able to access any other services besides ECS. If they attempt to access other services, the system will display a "No permissions" prompt.
Figure: "No permissions" prompt in the system
Permissions are divided into policies and roles based on the granularity of authorization.
Roles: Roles are a coarse-grained authorization capability initially provided by IAM. Currently, some cloud services do not support role-based authorization. Roles cannot fully meet users' requirements for fine-grained permission management.
Policies: Policies represent IAM's latest fine-grained authorization capability, enabling precise control down to specific actions and conditions. Policy-based authorization offers a more flexible approach to access management, helping enterprises meet least-privilege security requirements. For example, in ECS services, administrators can restrict IAM users to performing only designated management operations on specific types of cloud server resources.
Policies include system policies and custom policies.
1. In IAM, common authorization items are predefined for each cloud service; these are called system policies. When granting permissions to a user group, administrators can use system policies directly, but system policies can only be used as provided and cannot be modified. If an administrator cannot find the system policy for a specific service when granting permissions to a user group or delegation on the IAM Console, it is because that service does not currently support IAM.
2. If system policies fail to meet authorization requirements, administrators can create custom policies based on the supported authorization items of each service and grant these custom policies to user groups for fine-grained access control. Custom policies serve as an extension and supplement to system policies. Currently, both a visual editor and a JSON view are supported for configuring custom policies.
Figure: Permission Policy Example
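To make the two rules above concrete (a user's effective permissions are the union of its groups' policies, and a user granted only ECS gets "No permissions" elsewhere), here is an added example that models policy evaluation; it is not eSurfing Cloud's code, and the policy document shape, the `storage:` service prefix and the explicit-Deny-wins rule are assumptions for illustration.

```python
"""Constructed model of IAM authorization: users join groups, groups carry
policies, and a user's effective permissions are the union of those policies.
The statement format is an assumption, not eSurfing Cloud's actual schema."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    # Each statement: {"Effect": "Allow"|"Deny", "Action": ["ecs:*", ...]}
    statements: list


@dataclass
class UserGroup:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class IamUser:
    name: str
    groups: list = field(default_factory=list)  # no group -> no permissions


def is_allowed(user: IamUser, action: str) -> bool:
    """Union of all attached policies; an explicit Deny overrides any Allow
    (assumed evaluation order, common to policy-based IAM systems)."""
    allowed = False
    for group in user.groups:
        for policy in group.policies:
            for stmt in policy.statements:
                if any(fnmatchcase(action, pat) for pat in stmt["Action"]):
                    if stmt["Effect"] == "Deny":
                        return False
                    allowed = True
    return allowed


def check(user: IamUser, action: str) -> str:
    """Mirror the console behaviour: a denied request shows 'No permissions'."""
    return "OK" if is_allowed(user, action) else "No permissions"


# Constructed sample: a system-style ECS policy, a custom policy that carves out
# one action, and a read-only policy for a hypothetical storage service.
ECS_FULL = Policy("ECSFullAccess", [{"Effect": "Allow", "Action": ["ecs:*"]}])
NO_DELETE = Policy("DenyEcsDelete", [{"Effect": "Deny", "Action": ["ecs:DeleteServer"]}])
STORAGE_RO = Policy("StorageReadOnly", [{"Effect": "Allow", "Action": ["storage:Get*", "storage:List*"]}])

ops_group = UserGroup("ecs-operators", [ECS_FULL, NO_DELETE])
audit_group = UserGroup("storage-auditors", [STORAGE_RO])
alice = IamUser("alice", [ops_group, audit_group])  # permissions of both groups
bob = IamUser("bob", [ops_group])                    # ECS only
carol = IamUser("carol")                             # created, not yet in a group
```

Run `check(alice, "storage:GetObject")` and `check(bob, "storage:GetObject")` to see the union effect, and `check(carol, "ecs:CreateServer")` to see why a user outside every group can access nothing.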
Identity Credentials
Identity credentials serve as the basis for verifying user identity. When accessing cloud services through the console or APIs, you must use identity credentials for system authentication and authorization. Identity credentials include passwords and access keys, which can be managed in IAM for both yourself and the IAM users under your account.
Password: A common type of identity credential used to log in to the console.
Access Key: Also known as AK/SK (Access Key ID/Secret Access Key), an access key is the identity credential for calling cloud service APIs and cannot be used to log in to the console. API requests made with an access key carry a signature; the system validates this signature to ensure the confidentiality and integrity of the request and the authenticity of both parties.
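The following added example illustrates how AK/SK request signing verifies identity and integrity without ever sending the secret key: the AK travels in the clear, the SK only produces an HMAC over the request, and the service recomputes it. This is illustrative code, not eSurfing Cloud's signing specification; the canonical-string layout, header names and credential values are constructed assumptions.

```python
"""Illustrative AK/SK signing flow. Header names, canonical-string layout and
the sample keys are assumptions for the demo, not eSurfing Cloud's real scheme."""
import hashlib
import hmac

# Constructed credentials (not real keys). The service stores SK indexed by AK.
AK = "AKIDEXAMPLE0001"
SK = "sk-example-secret-0001"
KEYSTORE = {AK: SK}


def canonical_string(method: str, path: str, body: bytes, timestamp: str) -> str:
    """Bind method, path, body digest and timestamp so none can be altered
    in transit without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash])


def sign_request(ak: str, sk: str, method: str, path: str, body: bytes, timestamp: str) -> dict:
    """Client side: emit the public AK plus an HMAC-SHA256 computed with the SK."""
    msg = canonical_string(method, path, body, timestamp).encode()
    sig = hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Access-Key": ak, "X-Timestamp": timestamp, "X-Signature": sig}


def verify_request(headers: dict, method: str, path: str, body: bytes) -> bool:
    """Service side: look up the SK by AK, recompute the HMAC over the request
    actually received, and compare in constant time. Any tampering with the
    method, path or body, or an unknown AK, fails verification."""
    sk = KEYSTORE.get(headers.get("X-Access-Key"))
    if sk is None:
        return False  # unknown access key: caller cannot be authenticated
    msg = canonical_string(method, path, body, headers.get("X-Timestamp", "")).encode()
    expected = hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

A production scheme would also reject timestamps outside a short window to limit replay; that check is left out here to keep the signing and verification steps visible.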
Project
Each resource pool is associated with a default project, which is preconfigured by the system to isolate resources (such as compute, storage, and network resources) across different resource pools. Authorization is scoped to this default project, allowing users to access all resources within the corresponding resource node (i.e., the default project) in your account.
Delegation
Delegation is divided into delegation to other accounts and delegation to other cloud services based on the different delegation objects.
Delegate to other eSurfing Cloud accounts: Through the delegation trust feature, you can grant resource operation permissions in your account to another account. The delegated account can perform resource O&M on your behalf based on the assigned permissions.
Delegate to other cloud services: Due to business interactions between cloud services, certain services may require collaboration with others. In such cases, you can create a cloud service delegation to grant operational permissions, allowing the service to act on your behalf. This enables the service to utilize other cloud services and perform automated resource management tasks for you.