To view all authorization relationships under the current account, go to the IAM > Authorization Management page. IAM Permission Management displays all authorization relationships in your account, and you can filter them by criteria such as Policy Name, User Name/User Group Name/Trust Name, Project Region, Enterprise Project (if enabled), and Subject Type.
- If you have activated and are using enterprise projects, you can choose between the IAM Project View and the Enterprise Project View to view the authorization relationships for IAM projects and enterprise projects, respectively.
- If you have not yet activated enterprise projects, the IAM Project View is displayed by default.
IAM Project View
In the IAM Project View, you can filter authorization records by the following conditions.
- Policy Name: The name of the policy. Click the policy name to view policy details.
  To view authorization records for a specific permission, select Policy Name as the filter condition, enter the target permission name, and check the authorization records for that permission.
- Username/User Group Name/Trust Name: The name of an IAM user, user group, or delegation.
  To view the IAM project authorization records for a specific IAM user/user group/trust, select Username, User Group Name, or Delegation Name as the filter condition, enter the corresponding name, and check its authorization records.
  Note:
  In IAM project-based authorization, the minimum authorization unit is the user group. When you view the authorization records of a specified IAM user in the IAM Project View, the authorization records of the user group to which the IAM user belongs are displayed.
- Project Region: IAM project or region name, which defines the scope of permissions. To view IAM project authorization details, select one of the following:
  - Global Services: View all global service authorization records.
  - All Projects: View authorization records based on All Projects permissions. When authorized for All Projects, the permissions apply to all projects, including global services and all existing or future projects.
  - Specified Project: View authorization records based on default region and sub-project permissions.
- Subject Type: The type of the authorized object. There are three options: User, User Group, or Delegation. In the IAM Project View, the principal type can be User Group or Delegation. If User is selected, the filtering result will be empty.
- Enterprise Project: Name of the enterprise project. If you are in the IAM Project View, select Enterprise Project as the filter condition, and enter the enterprise project name, the system automatically switches to the Enterprise Project View.
Enterprise Project View
In the Enterprise Project View, you can select the following filter conditions to view corresponding authorization records.
- Policy Name: The name of the permission. Click the permission name to view permission details.
  To view the authorization records for a specific permission, select Policy Name as the filter condition, enter the name of the specified permission, and check the authorization records for that permission.
- Username/User Group Name/Delegation Name: The name of an IAM user, user group, or delegation.
  To view the enterprise project authorization records for a specified IAM user/user group, select User Name or User Group Name as the filter condition, enter the corresponding name, and check its authorization records.
  Note:
  - Enterprise projects do not support the delegation feature. Select either User Name or User Group Name as the filter condition.
  - In enterprise project-based authorization, the minimum authorization unit is a user. When you view the authorization records of a specified IAM user in the Enterprise Project View, the system displays both the IAM user's own authorization records and those of the user groups the user belongs to.
- Enterprise project: The name of the enterprise project, which defines the scope of the permission. To view the authorization records for a specified enterprise project, set the region filter to Enterprise Project, enter the enterprise project name, and view all authorization records based on that enterprise project.
- Principal type: The type of object that is authorized. There are three principal types: User, User Group, and Agency. In the Enterprise Project View, you can choose User or User Group as the principal type. If Agency is selected, no results are displayed.
- Project region: IAM project or region. If you are in the Enterprise Project View, select Project Region as the filter condition, and choose a specific project, the system automatically switches to the IAM Project View.
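
The filter behaviour of the two views, modelled for an offline access review. This is an added example, not code or an export format from IAM itself: the record layout, the user, group and agency names, the policy names and the scopes are all constructed for illustration.

```python
# Added illustration. Record fields, names and policies are constructed;
# this is not an IAM export format or API.
ALLOWED_TYPES = {            # principal types each view can hold, per the page
    "iam": {"group", "agency"},
    "enterprise": {"user", "group"},
}
MEMBERSHIP = {"alice": {"dev"}, "bob": {"ops"}}   # user -> user groups

RECORDS = [  # (view, policy, principal type, principal name, scope)
    ("iam", "ECS ReadOnly", "group", "dev", "All Projects"),
    ("iam", "OBS Admin", "group", "ops", "Global Services"),
    ("iam", "VPC Admin", "agency", "backup-agency", "region-a"),
    ("enterprise", "ECS Admin", "user", "alice", "ep-web"),
    ("enterprise", "RDS ReadOnly", "group", "dev", "ep-web"),
]


def by_subject_type(view, ptype):
    """Subject Type filter: a type the view cannot hold gives an empty result."""
    if ptype not in ALLOWED_TYPES[view]:
        return []
    return [r for r in RECORDS if r[0] == view and r[2] == ptype]


def by_user(view, user):
    """User Name filter: group records in both views, direct user records
    only in the enterprise project view (minimum unit is the user)."""
    groups = MEMBERSHIP.get(user, set())
    hits = []
    for r in RECORDS:
        if r[0] != view:
            continue
        via_group = r[2] == "group" and r[3] in groups
        direct = view == "enterprise" and r[2] == "user" and r[3] == user
        if via_group or direct:
            hits.append(r)
    return hits


def covers(record, scope):
    """An All Projects grant covers global services and every existing or
    future project; any other grant covers only its own scope."""
    return (record[0] == "iam" and record[4] == "All Projects") or record[4] == scope


def policies_for(user, view, scope):
    """Access-review helper: policies a user holds for one scope in one view."""
    return sorted(r[1] for r in by_user(view, user) if covers(r, scope))
```

Checking a user in only one view understates what that user can reach, so a review runs `policies_for` against both views and treats any All Projects record as applying to projects that do not exist yet.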