Identity and Access Management (Class II Node)

Basic Concepts of Permissions

2025-10-31 09:20:23

Permission

By default, an IAM sub-user created by an administrator has no permissions at all. To obtain permissions, the user is added to a user group, and the user group is granted policies or roles; every user in the group then holds the permissions granted to the group. This process is called authorization. After authorization, users can operate cloud services only within the scope of the permissions they were granted.

Classification of Permissions

Permissions are categorized into roles and policies based on the granularity of authorization.

- Role: IAM originally provided a coarse-grained authorization mechanism that defined permissions by users' job functions. It operates at the service level and offers only a limited set of service-related roles. Because eSurfing Cloud services depend on one another, granting a user one role may also require granting additional dependent roles before the user can complete a business task. Roles therefore cannot fully meet the demand for fine-grained authorization, nor can they fully satisfy an enterprise's requirement to enforce the principle of least privilege.

- Policy: The current IAM offering adds a fine-grained authorization capability that can precisely control which service operations are allowed, on which resources, and under which request conditions. Policy-based authorization is the more flexible approach and lets enterprises actually enforce the principle of least privilege in their access control. For example, in the ECS service an administrator can restrict an IAM user to performing only a specified type of management operation on cloud server resources.

Policies are categorized into system policies and custom policies based on the entity that creates them.

Policy: System Policies

Each cloud service comes with common authorization items preconfigured in IAM, known as system policies. When granting permissions to a user group, an administrator can apply these system policies directly. System policies are used as-is and cannot be modified.

If an administrator cannot find a system policy for a particular service when granting permissions to a user group or delegation in the IAM Console, that service does not yet support IAM.

Policy: Custom Policies

If system policies do not meet an authorization requirement, administrators can create custom policies from the authorization items each service supports and grant them to user groups for fine-grained access control. Custom policies extend and supplement system policies. IAM currently supports two ways of configuring a custom policy: a visual editor and a JSON view.
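To make the difference between a coarse-grained role and a fine-grained policy concrete, the following Python evaluator is an added example; it is not eSurfing Cloud IAM's policy engine and does not use its real JSON schema. The statement layout (Effect/Action/Resource/Condition), the action names such as ecs:StopServer, the resource identifier format and the condition operators are all assumptions chosen for illustration. It shows the ECS scenario from the Policy bullet above and the kind of document a custom policy's JSON view would hold: a role can only say "all of ECS", while a policy restricts the operator to start/stop on development servers, from an internal network, and explicitly denies deletion.

```python
"""Role vs. policy granularity, as a small self-contained evaluator.

Added example, not eSurfing Cloud IAM's own engine or policy format. The
schema, action names, resource format and condition operators below are
hypothetical and chosen only to illustrate fine-grained authorization.
"""
import fnmatch
import ipaddress

# Coarse-grained role (assumed shape): it can only name whole services.
ROLE_ECS_ADMIN = {"services": ["ecs"]}

# Fine-grained custom policy (constructed sample, hypothetical schema).
OPERATOR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            # Start/stop/read only on development servers, only from 10/8.
            "Effect": "Allow",
            "Action": ["ecs:StartServer", "ecs:StopServer", "ecs:Describe*"],
            "Resource": ["ecs:*:server/srv-dev-*"],
            "Condition": {"IpAddress": {"SourceIp": "10.0.0.0/8"}},
        },
        {
            # Explicit deny always wins, regardless of other statements.
            "Effect": "Deny",
            "Action": ["ecs:DeleteServer"],
            "Resource": ["*"],
        },
    ],
}


def _matches(patterns, value):
    """Glob match ('*' wildcard) of an action or resource string."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Evaluate request conditions; unknown operators or missing keys fail closed."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted):
                    return False
            elif operator == "StringEquals":
                if actual != wanted:
                    return False
            else:
                return False
    return True


def evaluate_policy(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny': default deny, any matching Allow permits,
    any matching Deny overrides."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_role(role, action):
    """Coarse-grained check: a role knows only the service prefix of an action."""
    service = action.split(":", 1)[0]
    return "Allow" if service in role["services"] else "Deny"


def compare(action, resource, context):
    """Decision of the role and of the policy for the same request."""
    return {
        "role": evaluate_role(ROLE_ECS_ADMIN, action),
        "policy": evaluate_policy(OPERATOR_POLICY, action, resource, context),
    }


if __name__ == "__main__":
    dev, prod = "ecs:cn-north-1:server/srv-dev-01", "ecs:cn-north-1:server/srv-prod-01"
    inside, outside = {"SourceIp": "10.1.2.3"}, {"SourceIp": "203.0.113.5"}
    for action, res, ctx in [
        ("ecs:StopServer", dev, inside),    # policy: Allow
        ("ecs:StopServer", dev, outside),   # policy: Deny (condition)
        ("ecs:StopServer", prod, inside),   # policy: Deny (resource)
        ("ecs:DeleteServer", dev, inside),  # policy: Deny (explicit)
    ]:
        print(f"{action:18} {res:35} {ctx['SourceIp']:12} {compare(action, res, ctx)}")
```

The role answers "Allow" for every one of those ECS requests, including deletion of production servers, because service-level granularity is all it can express; the policy distinguishes operation, resource and source address, which is what "least privilege" requires in practice. The fail-closed handling of unknown condition operators and missing context keys is deliberate: an evaluator that silently ignores a condition it does not understand turns a restriction into a grant.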
