Identity and Access Management (Class II Node)

Creating a User Group and Authorizing Permissions

2025-11-03 03:15:19

Administrators can create user groups, assign policies or roles to these groups, and then add users to the groups, thereby granting the users the corresponding permissions. IAM provides predefined common permissions for various services, such as administrator permissions and read-only permissions. Administrators can directly assign these system permissions to user groups. Once authorized, users can perform operations on cloud services based on their assigned permissions.

Creating a User Group

Step 1: The administrator logs in to the eSurfing Cloud official website using a registered eSurfing Cloud account.

Step 2: Click the account name in the upper-right corner, then select Personal Center from the dropdown menu.

Step 3: In the left navigation pane of Personal Center, click IAM.

Step 4: In the left navigation pane of IAM, click User Group.

Step 5: On the User Group page, click Create User Group.

Step 6: Enter the User Group Name and Description, then click Confirm.

When you return to the list page, the newly created user group is displayed in the user group list.


Authorizing Permissions to a User Group

The following steps apply only to adding permissions to a user group. If you need to remove permissions, refer to Removing User Group Permissions.

Step 1: The enterprise administrator logs in to the eSurfing Cloud official website using a registered eSurfing Cloud account.

Step 2: Click Console at the top of the homepage. On the Management Center page, under the Management and Deployment category, click Unified ID Authentication.

Step 3: On the IAM management page, select User Group from the left-hand menu, then click Authorize next to the user group to which you want to add permissions.

Step 4: On the User Group Select Policy page, check the permissions to be granted to the user group. Then, click Next.

If the system policies fail to meet the authorization requirements, you can click Create Custom Policy in the upper-right corner of the permissions list to define a custom policy. Then, select the newly created policy to enable fine-grained permission management. Custom policies serve as an extension and supplement to system policies. For details, refer to Creating Custom Policies.

Step 5: Select the permission scope. The system will automatically recommend authorization scope options based on the selected policies, making it easier to choose an appropriate permission scope for users. The table below lists all available authorization scope schemes provided by IAM.

Table: Authorization Scope Scheme

Solution: All Resources
Specification: IAM users can access resources across all regional projects and global services within the account based on the assigned permissions.

Solution: Designated Enterprise Project Resources
Specification: Select the specified enterprise project, and IAM users can utilize the resources within that enterprise project based on their permissions. This option is available only after enabling enterprise projects. If you have not yet enabled enterprise projects, authorization based on enterprise projects will not be supported.

Solution: Designated Regional Project Resources
Specification: Select the specified regional project, and IAM users can utilize the resources within that regional project based on their permissions.
If the scope of effect is set to Regional Project and the selected policies include global service permissions, the system will automatically set the scope of global service permissions to All Resources, while the scope of the selected regional project permissions will remain limited to the specified regional project.

Solution: Global Service Resources
Specification: IAM users can access global services based on their permissions. Global services are not bound to specific physical regions during deployment. When accessing global services (such as OBS), there is no need to switch regions.
If the scope of effect is set to Global Service and the selected policies include project-specific service permissions, the system will automatically expand the scope of project permissions to All Resources, while the scope of the selected global service permissions remains Global Service.

Step 6: Click Confirm to complete the user group authorization.
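
The automatic scope changes described in the table can make a grant broader than the scope picked in Step 5. The following is an added example, not eSurfing Cloud code or an IAM API: it models the table's rules locally so a planned set of grants can be reviewed before authorization. The group names, policy names, project name and the "global"/"project" labels on each policy are constructed assumptions.

```python
# Added example: local model of the Authorization Scope Scheme rules.
# All group, policy and project names below are constructed for illustration.
from dataclasses import dataclass

ALL = "All Resources"
ENTERPRISE = "Designated Enterprise Project Resources"
REGIONAL = "Designated Regional Project Resources"
GLOBAL = "Global Service Resources"

@dataclass(frozen=True)
class Grant:
    group: str
    policy: str
    kind: str         # assumed label: "global" or "project" service permissions
    scope: str        # scope selected in Step 5
    target: str = ""  # project name for REGIONAL / ENTERPRISE scopes

def effective_scope(g):
    """Return the scope a permission actually takes effect in, per the table."""
    if g.kind not in ("global", "project"):
        raise ValueError(f"unknown policy kind: {g.kind!r}")
    if g.scope == ALL:
        return ALL
    if g.scope == REGIONAL:
        # Global service permissions are automatically set to All Resources.
        return ALL if g.kind == "global" else f"{REGIONAL}: {g.target}"
    if g.scope == GLOBAL:
        # Project-specific permissions are automatically expanded to All Resources.
        return ALL if g.kind == "project" else GLOBAL
    if g.scope == ENTERPRISE:
        # The table documents no automatic change for this scope.
        return f"{ENTERPRISE}: {g.target}"
    raise ValueError(f"unknown scope: {g.scope!r}")

def widened(grants):
    """List grants whose effective scope is broader than the scope selected."""
    return [(g.group, g.policy, g.scope, effective_scope(g))
            for g in grants
            if g.scope != ALL and effective_scope(g) == ALL]

PLAN = [  # constructed sample plan
    Grant("dev-team", "ExampleCompute ReadOnly", "project", REGIONAL, "example-region-1"),
    Grant("dev-team", "ExampleObjectStorage Admin", "global", REGIONAL, "example-region-1"),
    Grant("audit", "ExampleObjectStorage ReadOnly", "global", GLOBAL),
    Grant("audit", "ExampleCompute ReadOnly", "project", GLOBAL),
]

if __name__ == "__main__":
    for group, policy, chosen, actual in widened(PLAN):
        print(f"{group}: '{policy}' selected '{chosen}' but takes effect in '{actual}'")
```

Each grant the check reports takes effect in All Resources even though a narrower scope was selected, so it can be split into a separate authorization or replaced with a custom policy before clicking Confirm.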

