Identity and Access Management (Class II Node)

Assigning Delegation Permissions (Delegated Party's Operations)

2025-11-03 09:14:52

When another account establishes a delegation relationship with you (i.e., you are the delegated party), only high-permission users (the account itself and members of the admin user group) can manage the delegated resources by default. If you require assistance from regular IAM users to manage the delegation, you can grant delegation management permissions to IAM sub-users.

If you have multiple delegation relationships, you can grant IAM users broad delegation permissions (allowing them to manage all delegations) or fine-grained permissions that restrict them to specified delegations. With fine-grained permissions, an IAM user who switches roles can assume only the authorized delegation(s) and cannot access the others. Fine-grained delegation permissions are created as a custom policy, as described in the procedure below.

Prerequisites

• An existing eSurfing Cloud account has established a delegation relationship with you.

• You have obtained the delegating party's account name, delegation name, and delegation ID.

Procedure

Step 1: Create a user group and assign permissions.

1. The delegated party logs in to the eSurfing Cloud official website using their eSurfing Cloud account.

2. Click Console at the top of the homepage, then navigate to Management and Deployment in the Management Center and select IAM.

3. In the left navigation pane of IAM, click User Group.

4. On the User Group page, click Create User Group, then click Create User Group again on the redirected page.

5. In the pop-up window, enter the User Group Name and Description.

6. Click Confirm to return to the User Group list page in IAM. The newly created user group will be displayed in the list.

7. Click Authorize next to the newly created user group.

8. Create a custom policy.

Description:

To grant IAM users fine-grained delegation permissions (restricting them to managing only specified delegations), create the custom policy as described in this step. If fine-grained authorization is not required and you want to grant IAM users permission to manage all delegations, skip this step and proceed directly to step 9, where you select the Agent Operator permission instead.

a. On the Select Policy page, click Create Custom Policy in the upper-right corner of the permissions list.

b. Enter a policy name.

c. Select JSON View for Policy content.

d. In the Policy content area, enter the following content:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "iam:tokens:assume"
            ],
            "Resource": {
                "uri": [
                    "/iam/agencies/agencyTest"
                ]
            },
            "Effect": "Allow"
        }
    ]
}



Description:

• Replace agencyTest with the name of the delegation to authorize, obtained from the delegating party in advance. Copy the rest of the content unchanged: the policy must remain valid JSON (note the commas after the Action and Resource entries and the closing bracket of the Statement array), or the console will reject it. To authorize several delegations, keep the resource list to explicitly named /iam/agencies/<name> entries rather than a broader pattern, so that the grant does not silently become an all-delegations grant.

• This document briefly describes the steps needed to complete fine-grained delegation authorization quickly. For more details on permissions, see the Permission Management section.

e. Click Next to proceed with authorization.

9. Select either the custom policy created in the previous step or the Agent Operator permission, and click Next. Custom policy: users can manage only the delegation(s) named in the policy and cannot manage other delegations. Agent Operator permission: users can manage all delegations.

10. Select the authorization scope.

11. Click Confirm, and the user group authorization is completed.
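Before pasting a policy into the console, it is worth checking that it grants only what the fine-grained procedure intends. The following Python example is added here and is not code from eSurfing Cloud or from this page. It builds the custom policy in the shape shown in step 8 for one or more delegation names, and audits an arbitrary policy to report which delegations it allows an IAM user to assume and whether any Allow statement for iam:tokens:assume is broader than a single named delegation. Assumptions, labelled in the code: that the uri array accepts more than one entry (the page shows one), that the delegation-name character set in AGENCY_URI_RE matches your names, that a wildcard action should be treated as covering the assume action, and the WILDCARD_POLICY sample, which is constructed for the demonstration.

```python
import json
import re

# Action and resource form taken from the policy on this page.
ASSUME_ACTION = "iam:tokens:assume"
# Assumption: delegation names are limited to these characters; adjust the
# class to match the names your delegating party actually uses.
AGENCY_URI_RE = re.compile(r"^/iam/agencies/([A-Za-z0-9_.-]+)$")


def build_assume_policy(agency_names):
    """Return the fine-grained delegation policy (JSON text) for the given
    delegation names, in the same shape as the policy on this page.

    Passing several names is an assumption: the page shows a single entry in
    the uri array.  Names are validated so that a pasted value such as "*"
    cannot silently turn the grant into an all-delegations grant.
    """
    if not agency_names:
        raise ValueError("at least one delegation name is required")
    uris = []
    for name in agency_names:
        uri = "/iam/agencies/" + name
        if not AGENCY_URI_RE.match(uri):
            raise ValueError("delegation name is not a plain name: %r" % name)
        uris.append(uri)
    policy = {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [ASSUME_ACTION],
                "Resource": {"uri": uris},
                "Effect": "Allow",
            }
        ],
    }
    return json.dumps(policy, indent=4)


def audit_assume_policy(policy_text):
    """Report what a policy lets an IAM user assume.

    Returns (allowed_names, warnings).  allowed_names are delegation names
    granted through well-formed /iam/agencies/<name> URIs; warnings describe
    Allow statements for the assume action whose resource is not a single
    named delegation (wildcards, prefixes, or no Resource.uri at all).  Those
    are broader than the fine-grained grant this procedure intends, so review
    them before assigning the policy.  Invalid JSON raises ValueError.
    """
    policy = json.loads(policy_text)
    allowed, warnings = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Assumption: a wildcard action is treated as covering the assume
        # action; the platform's wildcard semantics are not on the page.
        if not any(a == ASSUME_ACTION or "*" in a for a in actions):
            continue
        resource = stmt.get("Resource") or {}
        uris = resource.get("uri") if isinstance(resource, dict) else None
        if not uris:
            warnings.append("assume statement has no Resource.uri: "
                            "not limited to named delegations")
            continue
        for uri in uris:
            match = AGENCY_URI_RE.match(uri)
            if match:
                allowed.append(match.group(1))
            else:
                warnings.append("resource %r is not a single named delegation" % uri)
    return allowed, warnings


# Constructed sample: an over-broad variant that a sub-user must not receive
# by accident when the goal is fine-grained authorization.
WILDCARD_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{
        "Action": [ASSUME_ACTION],
        "Resource": {"uri": ["/iam/agencies/*"]},
        "Effect": "Allow",
    }],
})


if __name__ == "__main__":
    text = build_assume_policy(["agencyTest"])
    print(text)
    print(audit_assume_policy(text))             # (['agencyTest'], [])
    print(audit_assume_policy(WILDCARD_POLICY))  # ([], [one warning])
```

Running the audit against the policy text you are about to paste catches the two mistakes that are easy to make in the JSON view: a syntax error (the parser raises ValueError) and a resource entry that is not one named delegation. The audit deliberately reports only what the policy grants for switching roles; what the user can then do inside the delegating party's account is determined by the permissions that party attached to the delegation.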

Step 2: Create an IAM user and add it to a user group.

1. In the left navigation pane of IAM, click User.

2. On the User page, click Create User. Then, click Create Sub-User on the redirected page.

3. In the Create Sub-User dialog box, enter basic user information such as Email Address, Username, and Mobile Number.

4. In the User Group dropdown menu, select the user group created in Step 1.

5. Click Create to complete the IAM sub-user creation.

Description:

After the delegation permission assignment is complete, the newly created IAM user can switch roles to the delegating party's account and help you manage the delegated resources.

Follow-up Procedure

After logging in to eSurfing Cloud, both the delegated account and IAM users with delegation permissions can use Switch Role to switch to the delegating party's account and view and use the delegated resources, within the permissions assigned to them.
