Distributed Message Service (Kafka)

Managing Permissions of Master Accounts, Sub-accounts and IAM

2024-05-09 03:40:49

Distributed Messaging Service (Kafka) is associated with eSurfing Cloud Identity and Access Management (IAM) and can control user access and operations through dimensions like console buttons, menus, and OpenAPIs, so as to achieve fine-grained management of user permissions and ensure access security.

Introduction to IAM

Identity and Access Management (IAM) is a basic service that supports user permission management and can help you securely control access and operation permissions of your cloud services and resources. Currently, eSurfing Cloud provides dedicated CTIAM services, which can be used for free after application. You only need to pay for the cloud services and resources in your account. For more information about IAM, see Identity and Access Management.

Main Concepts in IAM

- Master user: This is the account automatically created upon registration on eSurfing Cloud. The user has full access to the resources under the account, and can reset the user password as well as grant user permissions. If multiple people want to use the same eSurfing Cloud resources, it is recommended that you use sub-users for daily management to ensure account security.

- Sub-user: This is an account created in the User Center and granted IAM permissions. The username and password of a sub-user are controlled by the user that grants the IAM permissions. Sub-users can also log in to the eSurfing Cloud console through the same login portal as the master user, but the resources they can access are limited to the permissions granted to them.

- User group: A user group is a collection of users. IAM uses user groups to control user permissions. You must add an IAM user to a specific user group for the IAM user to be granted permissions. Otherwise, the IAM user cannot access any resources or cloud services in your account.

- System Policy: Maintained by the product team. These are common permissions preset in the system, mainly read-only permissions or administrator permissions for individual cloud services, such as read-only permissions or administrator permissions of ECS. System policies can only be used for authorization in the IAM console and cannot be edited or modified.

- Custom Policy: Permission sets that you create and manage yourself in the IAM console. These permissions can be customized as an extension and supplement to system policies.

- Enterprise Project: The foundation for implementing fine-grained permission control over an enterprise organization. Cloud resources and enterprise members are managed by enterprise projects. Authorized user groups are bound to cloud resources through enterprise projects. Users' permissions to use cloud resources in an enterprise project are subject to the permissions of their user groups.

System Policy

By default, Kafka provides three system policies for users to choose from, covering only permissions of features in the management console. Permissions of features out of the management console, such as order placement, must be configured separately. The three default policies are administrator policy (admin), user policy (user), and reviewer policy (reviewer). The permission models of the three policies are as follows:

| Function Module | Permission Name | IAM Role: admin | IAM Role: user | IAM Role: reviewer |
|---|---|---|---|---|
| Instance Management | Expand Disk | Y | | |
| Instance Management | Node Expansion | Y | | |
| Instance Management | Specification Expansion | Y | | |
| Instance Management | Instance List | Y | Y | Y |
| Instance Management | Topic Management | Y | Y | Y |
| Instance Management | Add Consumer Permission | Y | Y | |
| Instance Management | Add Producer Permission | Y | Y | |
| Instance Management | Add Topic | Y | Y | |
| Instance Management | Application User Management | Y | Y | Y |
| Instance Management | Batch Create Consumer Groups | Y | Y | |
| Instance Management | Bulk Creation | Y | Y | |
| Instance Management | Bulk Create Users | Y | Y | |
| Instance Management | Bulk Subscription | Y | Y | |
| Instance Management | Bulk Modify Permissions | Y | Y | |
| Instance Management | Cluster Information | Y | Y | Y |
| Instance Management | Consumer Group Management | Y | Y | Y |
| Instance Management | Consumption Dialing Test | Y | Y | |
| Instance Management | New Consumer Group | Y | Y | |
| Instance Management | Create Topic | Y | Y | |
| Instance Management | New User | Y | Y | |
| Instance Management | Delete Consumer Group | Y | Y | |
| Instance Management | Delete Topic | Y | Y | |
| Instance Management | Delete User | Y | Y | |
| Instance Management | Modify | Y | Y | |
| Instance Management | Instance Details | Y | Y | Y |
| Instance Management | Operational Auditing | Y | Y | Y |
| Instance Management | Monitoring Information | Y | Y | Y |
| Instance Management | Delete Message | Y | Y | |
| Instance Management | Partition Status | Y | Y | Y |
| Instance Management | Production Dialing Test | Y | Y | |
| Instance Management | Offset Query | Y | Y | Y |
| Instance Management | Timestamp Query | Y | Y | Y |
| Instance Management | Reset Offset | Y | Y | |
| Instance Management | Modify User | Y | Y | |
| Instance Management | Manage Namespace | Y | Y | Y |
| Instance Management | Obtain User Tokens | Y | Y | Y |
| Instance Management | Create Namespace | Y | Y | |
| Instance Management | Partition Migration | Y | Y | |
| Instance Management | Modify Namespace | Y | Y | |
| Instance Management | Create Instance | Y | | |
| Instance Management | Modify Instance Name | Y | Y | |
| Instance Management | Renew | Y | | |
| Instance Management | Unsubscribe | Y | | |
| Instance Management | Broker Details | Y | Y | Y |
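
The following is an added example, not eSurfing Cloud's or IAM's own code: a small Python model of the authorization chain described under "Main Concepts in IAM" and of the three Kafka system policies in the matrix above. It shows that a sub-user has no permissions until placed in a user group, that a group's policies only apply in the enterprise projects the group is bound to, and that system policies are fixed while custom policies can be extended. The policy names (admin, user, reviewer) and the action names are taken from the matrix; the identifier spelling of the actions, the group and project names, and the accounts are constructed for the demonstration, and treating the master user as holding the admin action set is a simplification.

```python
# Added example (not eSurfing Cloud code): model of the IAM resolution chain
# sub-user -> user group -> policy -> actions, scoped by enterprise project.
# Action identifiers, group/project names and accounts are constructed here.
from dataclasses import dataclass, field

# Read-only console features that all three roles in the page's matrix may use.
REVIEWER_ACTIONS = frozenset({
    "InstanceList", "TopicManagement", "ApplicationUserManagement",
    "ClusterInformation", "ConsumerGroupManagement", "InstanceDetails",
    "OperationalAuditing", "MonitoringInformation", "PartitionStatus",
    "OffsetQuery", "TimestampQuery", "ManageNamespace", "ObtainUserTokens",
    "BrokerDetails",
})
# Day-to-day changes that the 'user' policy adds on top of 'reviewer'.
USER_ONLY_ACTIONS = frozenset({
    "AddConsumerPermission", "AddProducerPermission", "AddTopic", "CreateTopic",
    "DeleteTopic", "NewConsumerGroup", "DeleteConsumerGroup", "NewUser",
    "ModifyUser", "DeleteUser", "ResetOffset", "DeleteMessage",
    "CreateNamespace", "ModifyNamespace", "PartitionMigration",
    "ModifyInstanceName", "ConsumptionDialingTest", "ProductionDialingTest",
    "BatchCreateConsumerGroups", "BulkCreation", "BulkCreateUsers",
    "BulkSubscription", "BulkModifyPermissions", "Modify",
})
# Capacity and lifecycle actions that only the 'admin' policy carries.
ADMIN_ONLY_ACTIONS = frozenset({
    "ExpandDisk", "NodeExpansion", "SpecificationExpansion",
    "CreateInstance", "Renew", "Unsubscribe",
})


@dataclass(frozen=True)
class Policy:
    name: str
    actions: frozenset
    system: bool = False  # system policies are preset and cannot be edited


SYSTEM_POLICIES = {
    "reviewer": Policy("reviewer", REVIEWER_ACTIONS, system=True),
    "user": Policy("user", REVIEWER_ACTIONS | USER_ONLY_ACTIONS, system=True),
    "admin": Policy("admin", REVIEWER_ACTIONS | USER_ONLY_ACTIONS | ADMIN_ONLY_ACTIONS,
                    system=True),
}


@dataclass
class UserGroup:
    name: str
    policies: list = field(default_factory=list)
    projects: frozenset = frozenset()  # enterprise projects the group is bound to


@dataclass
class Account:
    name: str
    master: bool = False
    groups: list = field(default_factory=list)  # empty for a fresh sub-user


def custom_policy(name, actions):
    """A custom policy: caller-managed, so it may be extended later."""
    return Policy(name, frozenset(actions), system=False)


def add_action(policy, action):
    """Only custom policies can be edited; system policies are fixed."""
    if policy.system:
        raise PermissionError(f"system policy '{policy.name}' cannot be modified")
    return Policy(policy.name, policy.actions | {action}, system=False)


def effective_actions(account, project):
    """Actions the account may perform on resources of one enterprise project."""
    if account.master:
        # Simplification: the master user has full access to the account.
        return SYSTEM_POLICIES["admin"].actions
    allowed = set()
    for group in account.groups:
        if project not in group.projects:
            continue  # the group is not authorized in this project
        for policy in group.policies:
            allowed |= policy.actions
    return frozenset(allowed)


def is_allowed(account, project, action):
    return action in effective_actions(account, project)


def demo():
    """Constructed accounts, groups and projects exercising the model."""
    ops = UserGroup("kafka-ops", [SYSTEM_POLICIES["user"]], frozenset({"proj-prod"}))
    auditors = UserGroup("auditors", [SYSTEM_POLICIES["reviewer"]],
                         frozenset({"proj-prod", "proj-test"}))
    alice = Account("alice", groups=[ops])
    bob = Account("bob", groups=[auditors])
    carol = Account("carol")  # sub-user not yet added to any group
    root = Account("root", master=True)
    return {
        "alice_create_topic_prod": is_allowed(alice, "proj-prod", "CreateTopic"),
        "alice_create_topic_test": is_allowed(alice, "proj-test", "CreateTopic"),
        "alice_expand_disk": is_allowed(alice, "proj-prod", "ExpandDisk"),
        "bob_delete_topic": is_allowed(bob, "proj-prod", "DeleteTopic"),
        "bob_monitoring": is_allowed(bob, "proj-test", "MonitoringInformation"),
        "carol_anything": bool(effective_actions(carol, "proj-prod")),
        "root_unsubscribe": is_allowed(root, "proj-prod", "Unsubscribe"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the block prints each check and its result; the useful reading is the negative cases: the operator cannot act in a project her group is not bound to, the reviewer cannot delete a topic, and the sub-user outside every group can do nothing at all.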
