Identity and Access Management

Permission Management Category

2025-11-03 09:47:34

What should I do if I cannot find the permissions for a specific service?

The eSurfing Cloud services are divided into project-specific services and global services. It is necessary to correctly select the permission scope to locate specific permissions. For example, OBS is a global service, while ECS is a project-specific service.

If you still cannot find the service after correctly selecting the service level and service name, then the service requiring permission configuration does not currently support IAM.

What should I do if the permissions are not taking effect?

After an enterprise administrator sets permissions for an IAM user on the IAM Console, the IAM sub-user may find, upon logging in to eSurfing Cloud, that the permissions do not take effect and that the services cannot be used.

1. Possible Cause: The administrator granted incorrect permissions to the user group to which the IAM user belongs.

Solution: The administrator should verify and modify the permissions assigned to the user group. For details, refer to User Guide > User Groups and Authorization.

2. Possible Cause: The granted permissions include a denial statement for the relevant operation.

Solution: The administrator should review the details of the system permissions granted to the IAM user and check whether any deny statements exist. For details, refer to User Guide > Permission Management > Policies. If the system permissions fail to meet the requirements, the administrator can create a custom policy to allow the corresponding operation. For details, refer to User Guide > Permission Management > Custom Policies.

3. Possible Cause: The administrator granted permissions to a user group but forgot to add the IAM user to the group.

Solution: The administrator should add the IAM user to the appropriate user group. For details, refer to User Guide > User Groups and Authorization > Add/Remove Users from a User Group.

4. Possible Cause: For region-specific services, the administrator did not grant permissions in the corresponding region.

Solution: When assigning permissions to the IAM user group, the administrator must select the correct region. If the administrator grants permissions only for the default region project, the user can only access resources in that default project and will not have permissions for IAM sub-projects under it. It is recommended to grant the IAM user the minimum necessary regional permissions. For details, refer to User Guide > User Groups and Authorization > Create a User Group and Assign Permissions.

5. Possible Cause: For region-specific services, the IAM user did not switch to the authorized region after logging into the console.

Solution: When accessing region-specific services, the IAM user must switch to the authorized region. For details, refer to User Guide > Projects.

6. Possible Cause: Due to system design, OBS permissions may take 15-30 minutes to take effect after being granted.

Solution: The IAM user and administrator should wait 15-30 minutes before retrying.

7. Possible Cause: Browser caching may prevent permission updates from being reflected.

Solution: Clear the browser cache and try again.

8. Possible Cause: If the administrator assigns permissions in both IAM and Enterprise Management, the Enterprise Management permissions may not take effect because IAM authorization takes precedence.

Solution: The administrator should adjust the user permissions on the IAM Console as needed.

Authorization check rules when both IAM and Enterprise Management authorizations are set

When a user initiates an access request, the system performs an authorization check based on the actions defined in the user's granted access policies. The check rules are as follows:

 

1.  The user initiates an access request.

2.  The system first searches for permissions granted based on IAM project authorization among the user's assigned access permissions, looking for the action corresponding to the request.

3.  If a matching action (Allow or Deny) is found, the system returns the authorization decision (Allow or Deny) for the request, and the authorization process ends.

4. If no corresponding action is found in the IAM project-based permissions, the system continues to search for permissions granted based on enterprise project authorization, looking for the action corresponding to the request.

5.  If a matching action (Allow or Deny) is found, the system returns the authorization decision (Allow or Deny) for the request, and the authorization process ends.

6.  If the user has no permissions at all, the system returns the authorization decision Deny, and the authorization process ends.
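
The evaluation order in steps 1 to 6, modelled as an added example (not eSurfing Cloud code). The Statement format, the action names, exact-match lookup and the rule that a Deny beats an Allow inside one layer are assumptions made for illustration.

```python
# Added example: models the evaluation order described in steps 1-6 above.
# Statement format and action names are constructed for illustration.
from typing import NamedTuple, Optional

class Statement(NamedTuple):
    effect: str   # "Allow" or "Deny"
    action: str   # exact action name (wildcards are not modelled)

def _match(statements, action) -> Optional[str]:
    """Return the effect of the statements matching `action`, or None.

    Assumption: inside one layer an explicit Deny beats an Allow,
    consistent with cause 2 in the FAQ above.
    """
    effects = {s.effect for s in statements if s.action == action}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None

def authorize(action, iam_project, enterprise_project):
    """Return (decision, layer that produced it)."""
    # Steps 2-3: IAM project authorization is consulted first and is final.
    effect = _match(iam_project, action)
    if effect is not None:
        return effect, "iam_project"
    # Steps 4-5: enterprise project authorization only if IAM had no match.
    effect = _match(enterprise_project, action)
    if effect is not None:
        return effect, "enterprise_project"
    # Step 6: nothing matched anywhere, so the request is denied.
    return "Deny", "default"

# Constructed sample grants for one user.
IAM = [Statement("Allow", "ecs:servers:list"),
       Statement("Deny", "ecs:servers:delete")]
EPS = [Statement("Allow", "ecs:servers:delete"),
       Statement("Deny", "ecs:servers:list"),
       Statement("Allow", "ecs:servers:stop")]

if __name__ == "__main__":
    for act in ("ecs:servers:delete", "ecs:servers:list",
                "ecs:servers:stop", "ecs:servers:create"):
        print(act, authorize(act, IAM, EPS))
```

In this model the enterprise project Deny on ecs:servers:list never takes effect because the IAM project Allow is matched first, which is the situation cause 8 describes.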

