iam umn 2.0.38.SP1
Reviewed-by: gtema <artem.goncharov@gmail.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
502
docs/iam/umn/ALL_META.TXT.json
Normal file
452
docs/iam/umn/CLASS.TXT.json
Normal file
3
docs/iam/umn/PARAMETERS.txt
Normal file
@ -0,0 +1,3 @@
|
||||
version=""
|
||||
language="en-us"
|
||||
type=""
|
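Review bot: `version=""` and `type=""` are committed empty in PARAMETERS.txt, while the commit title names the release as 2.0.38.SP1. If the doc build reads these fields, set the version (and type) here so the published metadata matches the release; if they are meant to stay blank, say so in the commit message.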
BIN
docs/iam/umn/en-us_image_0000001369235146.png
Normal file
After Width: | Height: | Size: 35 KiB |
BIN
docs/iam/umn/en-us_image_0000001369235150.png
Normal file
After Width: | Height: | Size: 42 KiB |
BIN
docs/iam/umn/en-us_image_0000001369235154.png
Normal file
After Width: | Height: | Size: 227 B |
BIN
docs/iam/umn/en-us_image_0000001369235158.png
Normal file
After Width: | Height: | Size: 10 KiB |
BIN
docs/iam/umn/en-us_image_0000001369394878.png
Normal file
After Width: | Height: | Size: 3.8 KiB |
BIN
docs/iam/umn/en-us_image_0000001369394890.png
Normal file
After Width: | Height: | Size: 32 KiB |
BIN
docs/iam/umn/en-us_image_0000001369554798.png
Normal file
After Width: | Height: | Size: 34 KiB |
BIN
docs/iam/umn/en-us_image_0000001369554802.png
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
docs/iam/umn/en-us_image_0000001369554806.png
Normal file
After Width: | Height: | Size: 48 KiB |
BIN
docs/iam/umn/en-us_image_0000001369554814.png
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
docs/iam/umn/en-us_image_0000001369554818.png
Normal file
After Width: | Height: | Size: 728 KiB |
BIN
docs/iam/umn/en-us_image_0000001369714790.png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
docs/iam/umn/en-us_image_0000001369714794.png
Normal file
After Width: | Height: | Size: 21 KiB |
BIN
docs/iam/umn/en-us_image_0000001369714802.png
Normal file
After Width: | Height: | Size: 22 KiB |
BIN
docs/iam/umn/en-us_image_0000001419956113.png
Normal file
After Width: | Height: | Size: 13 KiB |
BIN
docs/iam/umn/en-us_image_0000001419956121.png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
docs/iam/umn/en-us_image_0000001419956133.png
Normal file
After Width: | Height: | Size: 34 KiB |
BIN
docs/iam/umn/en-us_image_0000001420034721.png
Normal file
After Width: | Height: | Size: 57 KiB |
BIN
docs/iam/umn/en-us_image_0000001420034725.png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
docs/iam/umn/en-us_image_0000001420034729.png
Normal file
After Width: | Height: | Size: 17 KiB |
BIN
docs/iam/umn/en-us_image_0000001420034737.png
Normal file
After Width: | Height: | Size: 22 KiB |
BIN
docs/iam/umn/en-us_image_0000001420034741.png
Normal file
After Width: | Height: | Size: 21 KiB |
BIN
docs/iam/umn/en-us_image_0000001420154953.png
Normal file
After Width: | Height: | Size: 17 KiB |
BIN
docs/iam/umn/en-us_image_0000001420274825.png
Normal file
After Width: | Height: | Size: 44 KiB |
BIN
docs/iam/umn/en-us_image_0000001420274829.png
Normal file
After Width: | Height: | Size: 26 KiB |
BIN
docs/iam/umn/en-us_image_0000001420274845.png
Normal file
After Width: | Height: | Size: 8.1 KiB |
17
docs/iam/umn/en-us_topic_0046611269.html
Normal file
@ -0,0 +1,17 @@
|
||||
<a name="en-us_topic_0046611269"></a><a name="en-us_topic_0046611269"></a>
|
||||
|
||||
<h1 class="topictitle1">Creating a User Group</h1>
|
||||
<div id="body42302050"><p id="en-us_topic_0046611269__p53984193165620">You can plan user groups based on user responsibilities and grant the required permissions to the user groups. Users inherit permissions from the user groups to which they belong.</p>
|
||||
<div class="section" id="en-us_topic_0046611269__section30804749"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046611269__o025a4cf6ce6648bba2ce47207fa01037"><li id="en-us_topic_0046611269__lc08cd25179a54f4f92db62fcf9afdf49"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0046611269__uicontrol1092519519453"><b>User Groups</b></span>.</span></li><li id="en-us_topic_0046611269__lbdf5d121c2ac4d20b03354ca18e14647"><span>On the <strong id="en-us_topic_0046611269__en-us_topic_0046611269_b2385397092151">User Groups</strong> page, click <strong id="en-us_topic_0046611269__en-us_topic_0046611269_b362570492353">Create User Group</strong>.</span></li><li id="en-us_topic_0046611269__l339bc6f533a94445b1e9211f8c5f234c"><span>Enter a user group name.</span></li><li id="en-us_topic_0046611269__l97e2ee9e0c904c658edc5adca5716ef9"><span>(Optional) Enter a description for the user group.</span><p><div class="note" id="en-us_topic_0046611269__note11678786105823"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046611269__p348815281144">To enable users to directly view their permissions, set a description for the user group. For example, if you assign the <strong id="en-us_topic_0046611269__b449778452">Security Administrator</strong> role to a user group, you can set any description in the <strong id="en-us_topic_0046611269__b145034817517">Description</strong> text box. For example: <strong id="en-us_topic_0046611269__b350318816517">Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users.</strong> For details about the permissions for all cloud services, see <a href="https://docs.otc.t-systems.com/permissions/index.html" target="_blank" rel="noopener noreferrer">Permissions</a></p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0046611269__la3352beb5df44860b8f7ed621884e09f"><span>Click <span class="uicontrol" id="en-us_topic_0046611269__uicontrol835913281425"><b>OK</b></span>.</span><p><p id="en-us_topic_0046611269__ae95b4587c0894d58bad84b876a8ee99d">The user group is displayed in the user group list.</p>
|
||||
</p></li><li id="en-us_topic_0046611269__en-us_topic_0111879498_li2918054318"><span>In the row containing the user group, click <strong id="en-us_topic_0046611269__b1479843515422">Manage Permissions</strong>.</span></li><li id="en-us_topic_0046611269__li47981711141315"><span>On the <strong id="en-us_topic_0046611269__b178301540154211">Permissions</strong> tab page, click <strong id="en-us_topic_0046611269__b783434024213">Assign Permissions</strong> above the permission list.</span></li><li id="en-us_topic_0046611269__li82338188252"><span>Specify the authorization scope. If you select <strong id="en-us_topic_0046611269__b1414614312424">Region-specific projects</strong>, select one or more projects in the drop-down list.</span><p><ul id="en-us_topic_0046611269__ul127934246522"><li id="en-us_topic_0046611269__li779313242525"><strong id="en-us_topic_0046611269__b19694112183712">Global service project</strong>: Services deployed without specifying physical regions are called global services, such as Object Storage Service (OBS), Content Delivery Network (CDN), and Tag Management Service (TMS). Permissions for these services must be assigned in the global service project.</li><li id="en-us_topic_0046611269__li334132620527"><strong id="en-us_topic_0046611269__b1845666153719">Region-specific projects</strong>: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. If you want the permissions to take effect for all regions, grant them in all these regions.</li></ul>
|
||||
</p></li><li id="en-us_topic_0046611269__li1559103315530"><span>Select policies and click <strong id="en-us_topic_0046611269__b1396914433517">OK</strong>.</span></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
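Review bot: In the note under step 4, the Permissions link points to `https://docs.otc.t-systems.com/permissions/index.html`, while the same link in en-us_topic_0046613147.html in this commit uses `https://docs.otc.t-systems.com/en-us/permissions/index.html`; pick one form and use it in both topics, and add the missing period after the link. In the same note, "you can set any description" followed by a second "For example:" is hard to follow; one sentence that recommends describing the granted permissions and then gives the Security Administrator text would read better. The opening `<a name="en-us_topic_0046611269"></a>` is also emitted twice, and the `<div class="note">` sits inside a `<p>`, which is not valid nesting.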
21
docs/iam/umn/en-us_topic_0046611276.html
Normal file
@ -0,0 +1,21 @@
|
||||
<a name="en-us_topic_0046611276"></a><a name="en-us_topic_0046611276"></a>
|
||||
|
||||
<h1 class="topictitle1">IAM Features</h1>
|
||||
<div id="body1503736806649"><p id="en-us_topic_0046611276__p5240337613233">IAM provides the following basic functions:</p>
|
||||
<ul id="en-us_topic_0046611276__ul411171964111"><li id="en-us_topic_0046611276__li41111199417">Refined permissions management<p id="en-us_topic_0046611276__p24061390153515"><a name="en-us_topic_0046611276__li41111199417"></a><a name="li41111199417"></a>You can control user access to different projects and grant different permissions to users for the same project. For example, you can grant some users permissions to manage Object Storage Service (OBS), and grant other users only the permissions to read data from OBS.</p>
|
||||
<div class="fignone" id="en-us_topic_0046611276__fig47322305144745"><span class="figcap"><b>Figure 1 </b>Permissions management model</span><br><span><img id="en-us_topic_0046611276__image25353776154931" src="en-us_image_0000001420034729.png"></span></div>
|
||||
<p id="en-us_topic_0046611276__p6056022715518"></p>
|
||||
</li><li id="en-us_topic_0046611276__li26142662132115">Simplified authorization<p id="en-us_topic_0046611276__p33957371132115"><a name="en-us_topic_0046611276__li26142662132115"></a><a name="li26142662132115"></a>You can authorize users in just two steps:</p>
|
||||
<ol id="en-us_topic_0046611276__ol37180886132115"><li id="en-us_topic_0046611276__li66192520132115">Plan user groups according to users' responsibilities and grant permissions to each user group.</li><li id="en-us_topic_0046611276__li58861770132115">Add a user to the user group that matches the user's responsibilities.</li></ol>
|
||||
</li><li id="en-us_topic_0046611276__li7111161910418">Federated identity authentication<p id="en-us_topic_0046611276__p6438914392519"><a name="en-us_topic_0046611276__li7111161910418"></a><a name="li7111161910418"></a>Federated identity authentication enables users in your identity authentication system to access your resources through single sign-on (SSO).</p>
|
||||
</li><li id="en-us_topic_0046611276__li15232175951616">Delegation of resource access to another account or a specific cloud service<p id="en-us_topic_0046611276__p6171725893116"><a name="en-us_topic_0046611276__li15232175951616"></a><a name="li15232175951616"></a>You can delegate your operation permissions to a cloud service or another account so that the cloud service or account can access your resources.</p>
|
||||
</li><li id="en-us_topic_0046611276__li5111121964117">User authentication and authorization for other cloud services<p id="en-us_topic_0046611276__p2011117194416"><a name="en-us_topic_0046611276__li5111121964117"></a><a name="li5111121964117"></a>Users can be authenticated by IAM to access other services, for example, Relational Database Service (RDS), Cloud Trace Service (CTS), and OBS, based on assigned permissions.</p>
|
||||
</li><li id="en-us_topic_0046611276__li1711112190419">Security policy management<p style="color:#000000;" id="en-us_topic_0046611276__p311231914117"><a name="en-us_topic_0046611276__li1711112190419"></a><a name="li1711112190419"></a>You can set multi-factor authentication (MFA), login authentication and password policies, and an access control list (ACL) to keep user information and system data secure.</p>
|
||||
</li></ul>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0021.html">Service Overview</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
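Review bot: The Figure 1 image (`en-us_image_0000001420034729.png`) has no `alt` attribute, so the permissions management model is not available to readers who cannot see the picture; add a short `alt` text describing it. The empty `<p id="en-us_topic_0046611276__p6056022715518"></p>` right after the figure and the inline `style="color:#000000;"` on the "Security policy management" paragraph look like converter leftovers and can be dropped. The last bullet also uses "ACL" here as "access control list" without saying that it restricts the source IP addresses, which is what the Account Settings topic in this commit describes; one clause would make that clear.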
245
docs/iam/umn/en-us_topic_0046611300.html
Normal file
113
docs/iam/umn/en-us_topic_0046611303.html
Normal file
31
docs/iam/umn/en-us_topic_0046611308.html
Normal file
@ -0,0 +1,31 @@
|
||||
<a name="en-us_topic_0046611308"></a><a name="en-us_topic_0046611308"></a>
|
||||
|
||||
<h1 class="topictitle1">Account Settings</h1>
|
||||
<div id="body18475057"><p id="en-us_topic_0046611308__p25060148112042">Users with <strong id="en-us_topic_0046611308__b14092616142544_1">Security Administrator</strong> permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.</p>
|
||||
<div class="section" id="en-us_topic_0046611308__section13189358"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046611308__ol44452332165636"><li id="en-us_topic_0046611308__li13635782101049"><span>Set the login authentication policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol4698153165832"><li id="en-us_topic_0046611308__li56369151165814">In the navigation pane, choose <strong id="en-us_topic_0046611308__b1134181173132">Account Settings</strong> > <strong id="en-us_topic_0046611308__b6708568217327">Login Authentication Policy</strong>.</li><li id="en-us_topic_0046611308__li21440457171726">In the <strong id="en-us_topic_0046611308__b3984715114274_1">Account Lockout</strong> area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.<p id="en-us_topic_0046611308__p31242238171739">If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.</p>
|
||||
</li><li id="en-us_topic_0046611308__li1783612816593">In the <strong id="en-us_topic_0046611308__b39182424142735">Account Disabling</strong> area, select <strong id="en-us_topic_0046611308__b19659741142735">Disable account upon login if it is not used within the validity period</strong>, and set the user validity period. If the user does not access the cloud system through the management console or APIs within the validity period, the user will be disabled.<p id="en-us_topic_0046611308__p1159415392942">The account disabling setting is for security purposes. If a user is disabled, resources in the account will not be affected and the user can contact the administrator to enable the user again.</p>
|
||||
</li><li id="en-us_topic_0046611308__li425815345917">In the <strong id="en-us_topic_0046611308__b842352706103931_1">Session Timeout</strong> area, set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period. The timeout ranges from 15 minutes to 24 hours, and the default value is 15 minutes. If a user does not perform any operation within the specified duration, the user needs to log in again.</li><li id="en-us_topic_0046611308__li1757729293510">In the <strong id="en-us_topic_0046611308__b31411170142837">Recent Login Information</strong> area, select <strong id="en-us_topic_0046611308__b61276881142837">Display last login information upon successful login</strong>.<p id="en-us_topic_0046611308__p2453272893515">Users will be able to view the login information, such as the time of the last login, on the <strong id="en-us_topic_0046611308__b32672785142857">Login Verification</strong> page.</p>
|
||||
</li><li id="en-us_topic_0046611308__li20715860173943">In the <strong id="en-us_topic_0046611308__b63235652142917">Custom Information</strong> area, set custom information that will be displayed upon successful login.<p id="en-us_topic_0046611308__p65262093623">Users will be able to view this custom information on the <strong id="en-us_topic_0046611308__b23841293142940">Login Verification</strong> page.</p>
|
||||
</li><li id="en-us_topic_0046611308__li57243193112324">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol115083674816"><b>Save</b></span>.</li></ol>
|
||||
</p></li><li id="en-us_topic_0046611308__li31523988174041"><span>Set the password policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol31264140174112"><li id="en-us_topic_0046611308__li5941318717415">In the navigation pane, choose <strong id="en-us_topic_0046611308__b842352706112724_1">Account Settings</strong> > <strong id="en-us_topic_0046611308__b842352706112728_1">Password Policy</strong>.</li><li id="en-us_topic_0046611308__li61695623174820">In the <strong id="en-us_topic_0046611308__b842352706101424_1">Password Composition & Reuse</strong> area, do as follows:<ul id="en-us_topic_0046611308__ul5901559155916"><li id="en-us_topic_0046611308__li57238117312">Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.</li><li id="en-us_topic_0046611308__li16901359135912">Set <strong id="en-us_topic_0046611308__b27521292319">Minimum Number of Characters</strong>.<div class="note" id="en-us_topic_0046611308__note49017595593"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046611308__p15901115911596">By default, a password must contain at least 6 characters.</p>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0046611308__li390113597596">Select <strong id="en-us_topic_0046611308__b17942550135417">Restrict consecutive identical characters</strong> and set the maximum number of consecutive identical characters that can be contained in a password. The value ranges from 1 to 32.</li><li id="en-us_topic_0046611308__li6901459205915">Select <strong id="en-us_topic_0046611308__b561884211553">Disallow previously used passwords</strong> and set the number of recent passwords disallowed. The value ranges from 1 to 10.</li></ul>
|
||||
</li><li id="en-us_topic_0046611308__li6358188692210">In the <strong id="en-us_topic_0046611308__b15930355105912">Password Expiration</strong> area, select <strong id="en-us_topic_0046611308__b393055575915">Prompt password change 15 days before expiration and force password change upon expiration</strong>, and set the password validity period.<p id="en-us_topic_0046611308__p5618844892623">Users must change their password when the password has expired.</p>
|
||||
<div class="note" id="en-us_topic_0046611308__note98311814124017"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><div class="p" id="en-us_topic_0046611308__p15508542103017">The password must meet the following requirements:<ul id="en-us_topic_0046611308__ul1083331413403"><li id="en-us_topic_0046611308__li1183331417403">Must contain 6 to 32 characters.</li><li id="en-us_topic_0046611308__li3834201454016">Must contain at least two types of the following characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), spaces, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\=).</li><li id="en-us_topic_0046611308__li1183512140409">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="en-us_topic_0046611308__b1759355984017">A12345</strong>, the password cannot be <strong id="en-us_topic_0046611308__b7598145914020">A12345</strong>, <strong id="en-us_topic_0046611308__b759818593403">a12345</strong>, <strong id="en-us_topic_0046611308__b45989593405">54321A</strong>, or <strong id="en-us_topic_0046611308__b159855914011">54321a</strong>.</li><li id="en-us_topic_0046611308__li78487289224">Cannot contain the user's mobile number or email address.</li></ul>
|
||||
</div>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0046611308__li5683690692342">In the <strong id="en-us_topic_0046611308__b5217997144231_1">Minimum Password Age</strong> area, select <strong id="en-us_topic_0046611308__b20004592144231_1">Allow a password to be changed only after it is used for a specified time</strong> and set the minimum password age.<p id="en-us_topic_0046611308__p6202758113833">Users can change their password only when the specified period has expired.</p>
|
||||
</li><li id="en-us_topic_0046611308__li62005948112420">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol1825452395112"><b>Save</b></span>.</li></ol>
|
||||
</p></li><li id="en-us_topic_0046611308__li127376929296"><span>Set the ACL.</span><p><ol type="a" id="en-us_topic_0046611308__ol6143777492938"><li id="en-us_topic_0046611308__li4219855610210">In the navigation pane, choose <strong id="en-us_topic_0046611308__b6550378716237">Account Settings</strong> > <strong id="en-us_topic_0046611308__b5266317816237">ACL</strong>.</li><li id="en-us_topic_0046611308__li201569217524">On the <strong id="en-us_topic_0046611308__b46359253114954">ACL</strong> page, enter the allowed IP address ranges or IPv4 CIDR blocks.<ul id="en-us_topic_0046611308__ul63791847203557"><li id="en-us_topic_0046611308__li45099837203557"><strong id="en-us_topic_0046611308__b185931564215">IP Address Ranges</strong>: only allow users to access the system using IP addresses in specified ranges.</li><li id="en-us_topic_0046611308__li4012021620360"><strong id="en-us_topic_0046611308__b244887540144534">IPv4 CIDR Blocks</strong>: only allow users of specified IPv4 CIDR blocks to access the system. For example: <strong id="en-us_topic_0046611308__b14486155212573">10.10.10.10/32</strong>.</li></ul>
|
||||
<div class="note" id="en-us_topic_0046611308__note523405593112"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046611308__ul12435347144449"><li id="en-us_topic_0046611308__li10854931192912">The ACL takes effect only for users under your account.</li><li id="en-us_topic_0046611308__li4299675995417">You can click <strong id="en-us_topic_0046611308__b14599479145211">Restore Defaults</strong> to restore the allowed IP address ranges to the default value, <strong id="en-us_topic_0046611308__b41707145145211">0.0.0.0</strong>-<strong id="en-us_topic_0046611308__b22835571145211">255.255.255.255</strong>, and to clear <strong id="en-us_topic_0046611308__b1275649384165146">IPv4 CIDR Blocks</strong>.</li><li id="en-us_topic_0046611308__li18944886144449">If both <strong id="en-us_topic_0046611308__b4120209145243">IP Address Ranges</strong> and <strong id="en-us_topic_0046611308__b65301516145243">IPv4 CIDR Blocks</strong> are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.</li></ul>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0046611308__li60468370105318">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol955674717316"><b>Save</b></span>.</li></ol>
|
||||
</p></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0040.html">User Guide</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
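Review bot: In the Password Composition & Reuse step, "Ensure that the password contains at least 2 to 4 of the following character types" reads as a rule for the password rather than a setting the administrator chooses; state it as a configurable minimum (2 to 4 types, default 2), in the same form as the "Minimum Number of Characters" bullet. The note listing the password requirements ("Must contain 6 to 32 characters", "at least two types") is attached to the Password Expiration step, where it does not belong, and it repeats the default values without saying whether they change when the policy is tightened; move it next to the composition settings and clarify that. In the Account Lockout step the field is called "idle duration" but the explanation speaks of "the specified duration" (10 minutes in the example); use one term for the window in which failed logins are counted.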
41
docs/iam/umn/en-us_topic_0046613147.html
Normal file
@ -0,0 +1,41 @@
|
||||
<a name="en-us_topic_0046613147"></a><a name="en-us_topic_0046613147"></a>
|
||||
|
||||
<h1 class="topictitle1">Creating an Agency (by a Delegating Party)</h1>
|
||||
<div id="body1484205204048"><p id="en-us_topic_0046613147__p54443803141539">By creating an agency, you can share your resources with another account or a cloud service (such as ECS), or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.</p>
|
||||
<div class="section" id="en-us_topic_0046613147__section2672115"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613147__ol49998812"><li id="en-us_topic_0046613147__li1546779817427"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0046613147__uicontrol15440185205411"><b>Agencies</b></span>.</span></li><li id="en-us_topic_0046613147__li641684517427"><span>On the <strong id="en-us_topic_0046613147__b842352706151932">Agencies</strong> page, click <strong id="en-us_topic_0046613147__b842352706151938">Create Agency</strong>.</span></li><li id="en-us_topic_0046613147__li63471691104814"><span>Specify the agency name and type.</span><p>
|
||||
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046613147__table5607179122211" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Agency types</caption><thead align="left"><tr id="en-us_topic_0046613147__row19607109132216"><th align="left" class="cellrowborder" valign="top" width="21%" id="mcps1.3.2.2.3.2.1.2.3.1.1"><p id="en-us_topic_0046613147__p8464131619225"><strong id="en-us_topic_0046613147__b8423527061059">Agency Type</strong></p>
|
||||
</th>
|
||||
<th align="left" class="cellrowborder" valign="top" width="79%" id="mcps1.3.2.2.3.2.1.2.3.1.2"><p id="en-us_topic_0046613147__p16466101617224"><strong id="en-us_topic_0046613147__b36291382142815">Description</strong></p>
|
||||
</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody><tr id="en-us_topic_0046613147__row1060715911225"><td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.2.2.3.2.1.2.3.1.1 "><p id="en-us_topic_0046613147__p104684169229">Account</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="79%" headers="mcps1.3.2.2.3.2.1.2.3.1.2 "><p id="en-us_topic_0046613147__p64704162225">Share resources with another account or delegate an individual or team to manage your resources.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0046613147__row126078962210"><td class="cellrowborder" valign="top" width="21%" headers="mcps1.3.2.2.3.2.1.2.3.1.1 "><p id="en-us_topic_0046613147__p1847261611225">Cloud service</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="79%" headers="mcps1.3.2.2.3.2.1.2.3.1.2 "><p id="en-us_topic_0046613147__p1447431614222">Delegate a specific service to access or maintain your data. For example, you can create an agency to delegate ECS to call data maintenance or monitoring APIs with an access key.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<ul id="en-us_topic_0046613147__ul1340414594218"><li id="en-us_topic_0046613147__li7404759152120">If you set <strong id="en-us_topic_0046613147__b173791733154942">Agency Type</strong> to <strong id="en-us_topic_0046613147__b1309852594154942">Account</strong>, enter the domain name of an account to which you want to delegate resource access in <strong id="en-us_topic_0046613147__b842352706155610">Delegated Account</strong>.</li><li id="en-us_topic_0046613147__li18404659132115">If you set <strong id="en-us_topic_0046613147__b34375241145532">Agency Type</strong> to <strong id="en-us_topic_0046613147__b32931165145532">Cloud service</strong>, click <strong id="en-us_topic_0046613147__b50178709145532">Select</strong> and select a cloud service.</li></ul>
|
||||
</p></li><li id="en-us_topic_0046613147__li21344527114840"><span>Set the validity period and enter a description about the agency.</span></li><li id="en-us_topic_0046613147__li71689250418"><span>In the <strong id="en-us_topic_0046613147__b85592562913">Permissions</strong> area, click <strong id="en-us_topic_0046613147__b956016542911">Assign Permissions</strong> above the permission list. Then attach policies to the agency and click <strong id="en-us_topic_0046613147__b1056005132919">OK</strong>.</span><p><div class="note" id="en-us_topic_0046613147__note13177642133614"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613147__p12375426101815">For details about the permissions for all cloud services, see <a href="https://docs.otc.t-systems.com/en-us/permissions/index.html" target="_blank" rel="noopener noreferrer">Permissions</a>.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0046613147__li19340339165858"><span>Click <span class="uicontrol" id="en-us_topic_0046613147__uicontrol12980996410"><b>OK</b></span>.</span><p><p id="en-us_topic_0046613147__p6200558416599">The agency is displayed in the agency list. The delegated account can manage resources in your account by switching the role.</p>
|
||||
</p></li></ol>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0046613147__section54138067163127"><h4 class="sectiontitle">Follow-up Operation</h4><ul id="en-us_topic_0046613147__ul6614161218300"><li id="en-us_topic_0046613147__li206143124300">In the agency list, click <strong id="en-us_topic_0046613147__b2140348132912">Modify</strong> in the row that contains the target agency to change the agency type, delegated account, validity period, description, and permissions.</li><li id="en-us_topic_0046613147__li19852151115312">In the agency list, click <strong id="en-us_topic_0046613147__b1542581113322">Delete</strong> to delete the agency.</li></ul>
|
||||
<div class="note" id="en-us_topic_0046613147__note97949543615"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613147__p97941058365">Cloud service agencies cannot be modified.</p>
|
||||
</div></div>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0079496986.html">Agency Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
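Review bot: In the Follow-up Operation section, the Modify bullet says the agency type, delegated account, validity period, description and permissions can all be changed, and the note below it then says "Cloud service agencies cannot be modified"; put the exception in the Modify bullet itself so the two statements do not contradict each other. In the introduction, "the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources" needs consistent verbs ("switch ... and manage"). Step 4 tells the reader to set the validity period without listing the available values, and the Cloud service row of Table 1 mentions calling APIs "with an access key" right after the introduction says credentials are not shared; a clause saying whose access key is meant would avoid the confusion.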
19
docs/iam/umn/en-us_topic_0046613148.html
Normal file
@ -0,0 +1,19 @@
|
||||
<a name="en-us_topic_0046613148"></a><a name="en-us_topic_0046613148"></a>
|
||||
|
||||
<h1 class="topictitle1">Switching Roles (by a Delegated Party)</h1>
|
||||
<div id="body1548236199962"><p id="en-us_topic_0046613148__p3704131518217">When an account establishes a trust relationship between itself and your account, you become a delegated party. You and all the users you have authorized can switch to the delegating account and manage resources under the account based on assigned permissions.</p>
|
||||
<div class="section" id="en-us_topic_0046613148__section8625973163627"><h4 class="sectiontitle">Prerequisites</h4><ul id="en-us_topic_0046613148__ul88321119164115"><li id="en-us_topic_0046613148__li8832619154112">A trust relationship has been established between another account and your account.</li><li id="en-us_topic_0046613148__li1083291944119">You have obtained the name of the delegating account and the agency name.</li></ul>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0046613148__section1608192323216"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046613148__ol1523164310324"><li id="en-us_topic_0046613148__li9238437320"><span>Log in to the system as the user created in <a href="iam_01_0063.html#iam_01_0063__li695863494610">3</a> of <a href="iam_01_0063.html">Assigning Permissions to a User (by a Delegated Party)</a>.</span><p><div class="note" id="en-us_topic_0046613148__note173853818336"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__p173993812333">The user created in <a href="iam_01_0063.html#iam_01_0063__li695863494610">3</a> of <a href="iam_01_0063.html">Assigning Permissions to a User (by a Delegated Party)</a> can switch roles to manage resources for the delegating party.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0046613148__li223144317322"><span>Point to the domain name in the upper right corner of the page and choose <span class="uicontrol" id="en-us_topic_0046613148__uicontrol20672111895612"><b>Switch Role</b></span>.</span></li><li id="en-us_topic_0046613148__li1623124320322"><span>On the <span class="wintitle" id="en-us_topic_0046613148__wintitle11768153114516"><b>Switch Role</b></span> page, enter the domain name of the delegating party.</span><p><div class="note" id="en-us_topic_0046613148__note14236195881113"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046613148__p423725861116">If an agency other than the agencies created by the delegating party is displayed, it indicates that you do not have access permissions. Select the correct agency in the <span class="uicontrol" id="en-us_topic_0046613148__uicontrol1068035713520"><b>Agency Name</b></span> drop-down list.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0046613148__li32394312324"><span>Click <strong id="en-us_topic_0046613148__b1735216175567">OK</strong> to switch to the delegating account.</span></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0079496986.html">Agency Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
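Review bot: Step 3 of the Procedure only says to enter the domain name of the delegating party, but the note under it tells the reader to "Select the correct agency in the Agency Name drop-down list", and the Prerequisites require the agency name. Put the agency selection into the step text itself. The note treats an unexpected agency as a sign of missing access permissions, so also say what the user should do when they see one. The Prerequisites say "delegating account" where the steps say "domain name of the delegating party"; one term should be used throughout. The note under step 1 repeats the step's own cross-reference and could be reduced to the one new fact, that this user can switch roles.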
72
docs/iam/umn/en-us_topic_0046661675.html
Normal file
@ -0,0 +1,72 @@
|
||||
<a name="en-us_topic_0046661675"></a><a name="en-us_topic_0046661675"></a>
|
||||
|
||||
<h1 class="topictitle1">Viewing and Modifying User Information</h1>
|
||||
<div id="body1484269500700"><p id="en-us_topic_0046661675__p7313288104849">As an administrator, you can view and modify the basic information, user groups, and logs of each user. In addition, you can change the groups to which a user belongs if the user's responsibilities have changed, or modify the login credentials of a user if the user forgets their password or access key.</p>
|
||||
<div class="section" id="en-us_topic_0046661675__section36783718"><h4 class="sectiontitle">Viewing User Information</h4><p id="en-us_topic_0046661675__p64139644142141">In the user list, view the detailed information about a user, including the basic information, user groups, and logs.</p>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0046661675__section4671248204913"><h4 class="sectiontitle">Modifying User Information</h4><div class="p" id="en-us_topic_0046661675__p19293214143838">Click <strong id="en-us_topic_0046661675__b842352706162732">Modify</strong> in the <strong id="en-us_topic_0046661675__b842352706162729">Operation</strong> column of the row that contains the target user.<ul id="en-us_topic_0046661675__ul4270938793341"><li id="en-us_topic_0046661675__li540360993341"><strong id="en-us_topic_0046661675__b155979147519">Status</strong>: A user is enabled by default after being created. You can change the status of a user to <strong id="en-us_topic_0046661675__b1890515204012">Disabled</strong> if you will no longer use it.</li><li id="en-us_topic_0046661675__li1291614119619"><strong id="en-us_topic_0046661675__b1465244955">Login Authentication</strong><ul id="en-us_topic_0046661675__ul4263145519519"><li id="en-us_topic_0046661675__li2687151720523"><strong id="en-us_topic_0046661675__b9117181815119">Virtual MFA device</strong>: Change the login authentication mode to virtual MFA device only if the user has been bound to an MFA device. The user needs to enter an MFA verification code during login.</li><li id="en-us_topic_0046661675__li1625013351511"><strong id="en-us_topic_0046661675__b2072210313518">SMS</strong>: Change the login authentication mode to SMS only if the user has been bound to a mobile number. The user needs to enter an SMS verification code during login.</li><li id="en-us_topic_0046661675__li20422842175115"><strong id="en-us_topic_0046661675__b8304133465118">Email</strong>: Change the login authentication mode to email only if the user has been bound to an email address. The user needs to enter an email verification code during login.</li></ul>
|
||||
</li><li id="en-us_topic_0046661675__li73441539114013"><strong id="en-us_topic_0046661675__b1939354175211">Email Address</strong>, <strong id="en-us_topic_0046661675__b2396115711522">Mobile Number</strong>, and <strong id="en-us_topic_0046661675__b1638575914527">Description</strong></li><li id="en-us_topic_0046661675__li20930259831"><strong id="en-us_topic_0046661675__b164648182533">Virtual MFA Device</strong>: Bind an MFA device to or unbind an MFA device from the user.</li><li id="en-us_topic_0046661675__li50086696144514"><strong id="en-us_topic_0046661675__b0444134514549">User Groups</strong>: Add the user to or remove the user from one or more user groups.<div class="note" id="en-us_topic_0046661675__note37646756141748"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046661675__p3276485141748">You can enter a keyword to quickly find the target user group.</p>
|
||||
</div></div>
|
||||
</li></ul>
|
||||
</div>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0046661675__section17362720871"><h4 class="sectiontitle">Setting User Credentials</h4><div class="p" id="en-us_topic_0046661675__p4282133915812">In the user list, click <strong id="en-us_topic_0046661675__b4251950135718">Set Credentials</strong> in the <strong id="en-us_topic_0046661675__b430185015574">Operation</strong> column of the row that contains the target user to change the password or manage access keys.
|
||||
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046661675__table022714719410" frame="border" border="1" rules="all"><thead align="left"><tr id="en-us_topic_0046661675__row722464717416"><th align="left" class="cellrowborder" valign="top" width="17.990000000000002%" id="mcps1.3.4.2.3.1.5.1.1"><p id="en-us_topic_0046661675__p10224194774113"><strong id="en-us_topic_0046661675__b84235270618341">Credential Type</strong></p>
|
||||
</th>
|
||||
<th align="left" class="cellrowborder" valign="top" width="21.89%" id="mcps1.3.4.2.3.1.5.1.2"><p id="en-us_topic_0046661675__p5224164714415"><strong id="en-us_topic_0046661675__b84235270615166">Generation Method</strong></p>
|
||||
</th>
|
||||
<th align="left" class="cellrowborder" valign="top" width="30.75%" id="mcps1.3.4.2.3.1.5.1.3"><p id="en-us_topic_0046661675__p7224154712411"><strong id="en-us_topic_0046661675__b14438018113629">Description</strong></p>
|
||||
</th>
|
||||
<th align="left" class="cellrowborder" valign="top" width="29.37%" id="mcps1.3.4.2.3.1.5.1.4"><p id="en-us_topic_0046661675__p8224184754119"><strong id="en-us_topic_0046661675__b84235270614261">Application Scenario</strong></p>
|
||||
</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody><tr id="en-us_topic_0046661675__row1522584713416"><td class="cellrowborder" rowspan="3" valign="top" width="17.990000000000002%" headers="mcps1.3.4.2.3.1.5.1.1 "><p id="en-us_topic_0046661675__p32511243581">Password</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.4.2.3.1.5.1.2 "><p id="en-us_topic_0046661675__p14225247144115">Set by user</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="30.75%" headers="mcps1.3.4.2.3.1.5.1.3 "><p id="en-us_topic_0046661675__p1522514473413">The user can set a password by clicking on the one-time login URL sent over email.</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="29.37%" headers="mcps1.3.4.2.3.1.5.1.4 "><p id="en-us_topic_0046661675__p17225154719413">Resetting the password of a user who has been associated with an email address and needs to use the password to log in to the management console.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0046661675__row1522534712416"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.1 "><p id="en-us_topic_0046661675__p722513477410">Automatically generated</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.2 "><p id="en-us_topic_0046661675__p12225247154111">The system automatically generates a 10-character password.</p>
|
||||
<div class="note" id="en-us_topic_0046661675__note10225164718417"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="en-us_topic_0046661675__p1622512472412">You can download the password after clicking <strong id="en-us_topic_0046661675__b489123735714">OK</strong> when the user is created.</p>
|
||||
</div></div>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.3 "><p id="en-us_topic_0046661675__p1922518479415">Resetting the password of a user who uses a development tool (such as APIs, CLI, and SDK) that supports password authentication to access the cloud system.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0046661675__row7225847114115"><td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.1 "><p id="en-us_topic_0046661675__p2225247194118">Set now</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.2 "><p id="en-us_topic_0046661675__p222574713418">Set password for the user.</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" headers="mcps1.3.4.2.3.1.5.1.3 "><p id="en-us_topic_0046661675__p14225184794110">Setting a password for a user.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0046661675__row522714764114"><td class="cellrowborder" valign="top" width="17.990000000000002%" headers="mcps1.3.4.2.3.1.5.1.1 "><p id="en-us_topic_0046661675__p13226124724116">Access key</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.4.2.3.1.5.1.2 "><p id="en-us_topic_0046661675__p3226174719417">Created by a user or security administrator</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="30.75%" headers="mcps1.3.4.2.3.1.5.1.3 "><p id="en-us_topic_0046661675__p182265470415">Create or delete access keys in the <strong id="en-us_topic_0046661675__b842352706162923">Access Keys</strong> area.</p>
|
||||
<div class="note" id="en-us_topic_0046661675__note14226847114115"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="en-us_topic_0046661675__p14226114754118">Each user can have a maximum of two access keys, which are valid for 360 days. To ensure account security, keep the access keys properly.</p>
|
||||
</div></div>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="29.37%" headers="mcps1.3.4.2.3.1.5.1.4 "><p id="en-us_topic_0046661675__p42261547134110">Creating or deleting access keys of users who access the cloud system using access keys.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
<ul id="en-us_topic_0046661675__ul21044156142133"><li id="en-us_topic_0046661675__li29477804162741"><strong id="en-us_topic_0046661675__b383122645916">Password Reset</strong>: If you select <strong id="en-us_topic_0046661675__b459813495920">Automatically generated</strong> or <strong id="en-us_topic_0046661675__b126083405918">Set now</strong>, you can choose whether to require password reset when the user logs in. For security purposes, do not deselect this option.</li></ul>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
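Review bot: In the credentials table, the "Automatically generated" and "Set now" rows carry headers attributes that are off by one column. The Password cell spans three rows, so the first cell of each of those rows sits under Generation Method, yet it is tagged headers="mcps1.3.4.2.3.1.5.1.1" (Credential Type), and the next two cells are tagged .2 and .3 instead of .3 and .4. Assistive technology will announce the wrong column for every cell in both rows. The "Set now" row also says nothing useful: "Set password for the user." and "Setting a password for a user." should state who types the password and when this option is preferable to the other two. The NOTE in the "Automatically generated" row refers to downloading the password "when the user is created", which does not match a section about resetting credentials of an existing user.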
19
docs/iam/umn/en-us_topic_0059870089.html
Normal file
@ -0,0 +1,19 @@
|
||||
<a name="en-us_topic_0059870089"></a><a name="en-us_topic_0059870089"></a>
|
||||
|
||||
<h1 class="topictitle1">Federated Identity Authentication</h1>
|
||||
<div id="body1495091891975"></div>
|
||||
<div>
|
||||
<ul class="ullinks">
|
||||
<li class="ulchildlink"><strong><a href="en-us_topic_0079620341.html">Introduction</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="iam_08_0002.html">SAML-based Federated Identity Authentication</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="en-us_topic_0079620340.html">Syntax of Identity Conversion Rules</a></strong><br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0040.html">User Guide</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
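Review bot: The first line of this file emits the same anchor twice, <a name="en-us_topic_0059870089"></a><a name="en-us_topic_0059870089"></a>, and the body div (body1495091891975) is empty. Drop the duplicate anchor, and either remove the empty body or give the landing page one sentence saying what the three child topics cover. If the duplicated anchor comes from the doc generator, it is better fixed there than file by file.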
39
docs/iam/umn/en-us_topic_0066738518.html
Normal file
@ -0,0 +1,39 @@
|
||||
<a name="en-us_topic_0066738518"></a><a name="en-us_topic_0066738518"></a>
|
||||
|
||||
<h1 class="topictitle1">Managing Projects</h1>
|
||||
<div id="body1500257318214"><p id="en-us_topic_0066738518__p7554761172349">Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources in your account must be managed under projects. As a security administrator, you can access IAM, and create projects in a region to manage resources.</p>
|
||||
<div class="section" id="en-us_topic_0066738518__section51118979101057"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0066738518__ol28461291101332"><li id="en-us_topic_0066738518__li66899533101332"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0066738518__uicontrol1280218522477"><b>Projects</b></span>.</span></li><li id="en-us_topic_0066738518__li65224888101332"><span>On the <strong id="en-us_topic_0066738518__b297760351549">Projects</strong> page, click <strong id="en-us_topic_0066738518__b4624936915429">Create Project</strong>.</span></li><li id="en-us_topic_0066738518__li48724613101332"><span>On the <strong id="en-us_topic_0066738518__b148633441098">Create Project</strong> page, select a region from the <strong id="en-us_topic_0066738518__b630802471098">Region</strong> drop-down list.</span></li><li id="en-us_topic_0066738518__li35868336101332"><span>Set <strong id="en-us_topic_0066738518__b1128409715556">Project Name</strong>.</span><p><div class="note" id="en-us_topic_0066738518__note664154103745"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0066738518__ul4316165018369"><li id="en-us_topic_0066738518__li1131620509366">The project name format is <em id="en-us_topic_0066738518__i6463517610957_1">Region Name</em>_<em id="en-us_topic_0066738518__i95791410957_1">Project Name</em>. <em id="en-us_topic_0066738518__i1048223310957_1">Region Name</em> cannot be modified.</li><li id="en-us_topic_0066738518__li7655175233611">The project name can only contain letters, digits, hyphens (-), and underscores (_). The length of <em id="en-us_topic_0066738518__i62238673101018">Region Name</em>_<em id="en-us_topic_0066738518__i8167743101018">Project Name</em> cannot exceed 64 characters.</li></ul>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0066738518__li54379570101332"><span>(Optional) Enter a description for the project.</span></li><li id="en-us_topic_0066738518__li40445067101332"><span>Click <span class="uicontrol" id="en-us_topic_0066738518__uicontrol17656183341311"><b>OK</b></span>.</span><p><p id="en-us_topic_0066738518__p48476965101332">The project list is displayed, and the newly created project is in the <strong id="en-us_topic_0066738518__b69241853192017">Normal</strong> state.</p>
|
||||
</p></li></ol>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0066738518__section13675102471011"><h4 class="sectiontitle">Follow-Up Procedure</h4><p id="en-us_topic_0066738518__p10693103864813">Assigning permissions for a specific project</p>
|
||||
<p id="en-us_topic_0066738518__p2361193814422">On the user group details page, click the <strong id="en-us_topic_0066738518__b1831511287118">Permissions</strong> tab, select <strong id="en-us_topic_0066738518__b169811037110">Project View</strong>, click <strong id="en-us_topic_0066738518__b1915712121227">Modify Permissions</strong> in the row containing the target project, and then modify the permissions for this project. For details, see <a href="en-us_topic_0046611269.html">Creating a User Group</a>.</p>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0066738518__section645408871296"><h4 class="sectiontitle">Related Operations</h4><ul class="subitemlist" id="en-us_topic_0066738518__ul10146306101110"><li id="en-us_topic_0066738518__li24207892101110">Viewing project details<ol class="subitemlist" id="en-us_topic_0066738518__ol16544437101110"><li id="en-us_topic_0066738518__li4509552119243">View the projects of the corresponding region in the project list.</li><li id="en-us_topic_0066738518__li2885857319243">Click <strong id="en-us_topic_0066738518__b1248156510274_1">View</strong> in the <strong id="en-us_topic_0066738518__b437381410274_1">Operation</strong> column of the row that contains the target project.<p class="litext" id="en-us_topic_0066738518__p5840056519243">View project details and the users bound to the project.</p>
|
||||
<div class="note" id="en-us_topic_0066738518__note40555512114658"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0066738518__p87042515457">After you add a user to a user group that has been granted permissions for a specific project, the user inherits permissions of the group and is associated with the project. The user can switch to this project to access resources in it.</p>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0066738518__li5584303719243">Click <strong id="en-us_topic_0066738518__b25491132102740">View Permissions</strong> in the <strong id="en-us_topic_0066738518__b51515784102740">Operation</strong> column of the user permission list.<p id="en-us_topic_0066738518__p3282528619243">View the permissions of the user for the project.</p>
|
||||
</li></ol>
|
||||
</li></ul>
|
||||
<ul class="subitemlist" id="en-us_topic_0066738518__ul57293664101110"><li id="en-us_topic_0066738518__li45880935101110">Modifying project information<ol id="en-us_topic_0066738518__ol7428182316495"><li id="en-us_topic_0066738518__li14192123015496">In the project list, expand the region where the target project resides.</li><li id="en-us_topic_0066738518__li9428142313491">Click <strong id="en-us_topic_0066738518__b30638814102924">Modify</strong> in the <strong id="en-us_topic_0066738518__b65824906102924">Operation</strong> column of the row that contains the target project. In the displayed <strong id="en-us_topic_0066738518__b30217137102924">Modify Project</strong> dialog box, modify <strong id="en-us_topic_0066738518__b31669053102924">Project Name</strong> and <strong id="en-us_topic_0066738518__b15056534102924">Description</strong>.</li></ol>
|
||||
<div class="note" id="en-us_topic_0066738518__note9578348113241"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0066738518__p19096275113241">The project name format is <em id="en-us_topic_0066738518__i6463517610957_3">Region Name</em>_<em id="en-us_topic_0066738518__i95791410957_3">Project Name</em>. <em id="en-us_topic_0066738518__i1048223310957_3">Region Name</em> cannot be modified.</p>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0066738518__li1165536010853">Deleting a project<div class="notice" id="en-us_topic_0066738518__note1679772935216"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="en-us_topic_0066738518__p59789312525">After a project is deleted successfully, the resources in the project are also deleted.</p>
|
||||
</div></div>
|
||||
<div class="subitemlist" id="en-us_topic_0066738518__p1722962818523"><ol id="en-us_topic_0066738518__ol556420257525"><li class="subitemlist" id="en-us_topic_0066738518__li18564112513522">Click <strong id="en-us_topic_0066738518__b11341259244">Delete</strong> in the row that contains the project you want to delete.<div class="note" id="en-us_topic_0066738518__note10564152525217"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0066738518__p1356412258528">Only subprojects created in a region can be deleted. The default project of the region cannot be deleted.</p>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0066738518__li135641725155217">Enter the password and verification code.</li><li id="en-us_topic_0066738518__li13564192519528">Click <span class="uicontrol" id="en-us_topic_0066738518__uicontrol11478122291714"><b>Yes</b></span>.<p id="en-us_topic_0066738518__p1756422515212">In the project list, the status of the project changes to <strong id="en-us_topic_0066738518__b842352706145451">Deleting</strong>.</p>
|
||||
<div class="note" id="en-us_topic_0066738518__note125641425175210"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0066738518__p15641258524">After resources in the project are deleted, the project is deleted completely.</p>
|
||||
</div></div>
|
||||
</li></ol>
|
||||
</div>
|
||||
</li><li id="en-us_topic_0066738518__li1448962144329">For details about how to switch between projects, see <a href="en-us_topic_0079497018.html">Switching Projects or Regions</a>.</li></ul>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
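Review bot: The "Deleting a project" item describes the order of deletion two different ways. The notice says "After a project is deleted successfully, the resources in the project are also deleted", while the closing note says "After resources in the project are deleted, the project is deleted completely", with the status shown as Deleting in between. For a destructive operation, the reader needs a single statement of what is removed and when, and whether the deletion can be stopped while the status is Deleting. Step 2, "Enter the password and verification code", should name which verification code is meant. The first note uses "subprojects", a term the rest of the topic never introduces; define it or use "projects you created". The nested <p><p ...> after the OK step is invalid markup.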
18
docs/iam/umn/en-us_topic_0079496985.html
Normal file
@ -0,0 +1,18 @@
|
||||
<a name="en-us_topic_0079496985"></a><a name="en-us_topic_0079496985"></a>
|
||||
|
||||
<h1 class="topictitle1">Managing Users and Permissions</h1>
|
||||
<div id="body1536567611765"><p id="en-us_topic_0079496985__p39876842105823">As a security administrator, you can grant permissions to a user group and add users to it. The users inherit the permissions of the user group and can access the cloud system based on assigned permissions.</p>
|
||||
<ol id="en-us_topic_0079496985__ol070104113459"><li id="en-us_topic_0079496985__li1701041114519"><span>Create projects in a region to isolate resources.</span><p><div class="fignone" id="en-us_topic_0079496985__fig34229460145619"><span class="figcap"><b>Figure 1 </b>Project isolating model</span><br><span><img id="en-us_topic_0079496985__image839103118276" src="en-us_image_0000001419956113.png"></span></div>
|
||||
<p id="en-us_topic_0079496985__p17634111114111"></p>
|
||||
</p></li><li id="en-us_topic_0079496985__li1468045511455"><span>Plan user groups according to user responsibilities and grant the required permissions to the user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig20564070145723"><span class="figcap"><b>Figure 2 </b>User group authorization model</span><br><span><img id="en-us_topic_0079496985__image1177561446" src="en-us_image_0000001369554798.png"></span></div>
|
||||
<p id="en-us_topic_0079496985__p1297126113914"></p>
|
||||
</p></li><li id="en-us_topic_0079496985__li103541366461"><span>Create users and add them to the corresponding user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig2093618145932"><span class="figcap"><b>Figure 3 </b>User authorization model</span><br><span><img id="en-us_topic_0079496985__image19809191354" src="en-us_image_0000001420034721.png"></span></div>
|
||||
<p id="en-us_topic_0079496985__p28477933911"></p>
|
||||
</p></li><li id="en-us_topic_0079496985__li14819151644610"><span>Log in as the users and access the cloud system based on assigned permissions.</span></li></ol>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
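Review bot: Steps 1 to 3 rely on Figures 1 to 3 to explain the project isolation, user group authorization and user authorization models, but each <img> has no alt attribute and is followed by an empty <p></p>, so a reader without the images gets only the one-line step text. Add alt text or one sentence per step describing what the figure shows, and remove the empty paragraphs. The <div class="fignone"> blocks are also nested inside <p>, which is invalid markup.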
21
docs/iam/umn/en-us_topic_0079496986.html
Normal file
@ -0,0 +1,21 @@
|
||||
<a name="en-us_topic_0079496986"></a><a name="en-us_topic_0079496986"></a>
|
||||
|
||||
<h1 class="topictitle1">Agency Management</h1>
|
||||
<div id="body1507717801361"></div>
|
||||
<div>
|
||||
<ul class="ullinks">
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0054.html">Delegating Resource Access to Another Account</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="en-us_topic_0046613147.html">Creating an Agency (by a Delegating Party)</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0063.html">Assigning Permissions to a User (by a Delegated Party)</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="en-us_topic_0046613148.html">Switching Roles (by a Delegated Party)</a></strong><br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0040.html">User Guide</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
14
docs/iam/umn/en-us_topic_0079497018.html
Normal file
@ -0,0 +1,14 @@
|
||||
<a name="en-us_topic_0079497018"></a><a name="en-us_topic_0079497018"></a>
|
||||
|
||||
<h1 class="topictitle1">Switching Projects or Regions</h1>
|
||||
<div id="body1507717948338"><p id="en-us_topic_0079497018__p1070751310130">Resources in different projects or regions are isolated. You can access resources only in the projects or regions for which you have been granted permissions. If you do not have permissions for the current project or region, switch to another project or region which you have been authorized to access.</p>
|
||||
<div class="section" id="en-us_topic_0079497018__section12400141218336"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0079497018__ol1491712717331"><li id="en-us_topic_0079497018__li1891742753313"><span>Log in to the management console.</span></li><li id="en-us_topic_0079497018__li2932103911330"><span>In the upper left corner, select the project or region you want to access from the drop-down list.</span><p><p id="en-us_topic_0079497018__p7932143912335">After switching to the target project or region, you can access resources in the project or region.</p>
|
||||
</p></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
284
docs/iam/umn/en-us_topic_0079620340.html
Normal file
33
docs/iam/umn/en-us_topic_0079620341.html
Normal file
@ -0,0 +1,33 @@
|
||||
<a name="en-us_topic_0079620341"></a><a name="en-us_topic_0079620341"></a>
|
||||
|
||||
<h1 class="topictitle1">Introduction</h1>
|
||||
<div id="body1507796925646"><p id="en-us_topic_0079620341__p174191925123217">If you have an identity authentication system, you do not need to create new users in the service provider system. Instead, you can configure federated identity authentication to allow users in your identity authentication system to access cloud resources through SSO.</p>
|
||||
<p id="en-us_topic_0079620341__p60884823143636">The cloud system supports two types of federated identity authentication:</p>
|
||||
<ul id="en-us_topic_0079620341__ul2307400011351"><li id="en-us_topic_0079620341__li1716908217349">Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the system using browsers.</li><li id="en-us_topic_0079620341__li640104671740">API calling: Development tools (such as OpenStack Client) are used as the communication media. This authentication type enables enterprise users and common users to access the system by calling APIs.<p id="en-us_topic_0079620341__p15699139910"><a name="en-us_topic_0079620341__li640104671740"></a><a name="li640104671740"></a>Users in your enterprise can choose SP-initiated or IdP-initiated federated identity authentication for API calling depending on your identity provider system.</p>
|
||||
</li></ul>
|
||||
<div class="section" id="en-us_topic_0079620341__section1938813653310"><h4 class="sectiontitle">Without Federated Identity Authentication</h4><ul id="en-us_topic_0079620341__ul474654173317"><li id="en-us_topic_0079620341__li1195542263517">SSO not supported<p id="en-us_topic_0079620341__p1180012243355"><a name="en-us_topic_0079620341__li1195542263517"></a><a name="li1195542263517"></a>Users authenticated by the identity provider of an enterprise management system cannot access the cloud system.</p>
|
||||
<div class="fignone" id="en-us_topic_0079620341__fig39358512151043"><span class="figcap"><b>Figure 1 </b>User authentication model (1)</span><br><span><img id="en-us_topic_0079620341__image2065418345613" src="en-us_image_0000001419956121.png"></span></div>
|
||||
<p id="en-us_topic_0079620341__p1242336414473"></p>
|
||||
</li></ul>
|
||||
</div>
|
||||
<ul id="en-us_topic_0079620341__ul14618956153319"><li id="en-us_topic_0079620341__li750575023510">Complex user management<p id="en-us_topic_0079620341__p755010522352"><a name="en-us_topic_0079620341__li750575023510"></a><a name="li750575023510"></a>The enterprise administrator has to create users in both the enterprise management system and the cloud system.</p>
|
||||
</li><li id="en-us_topic_0079620341__li145931556143816">Complex user operations<p id="en-us_topic_0079620341__p0107189398"><a name="en-us_topic_0079620341__li145931556143816"></a><a name="li145931556143816"></a>Users have to use different accounts to log in to the enterprise management system and cloud system.</p>
|
||||
<div class="fignone" id="en-us_topic_0079620341__fig10591543151411"><span class="figcap"><b>Figure 2 </b>User login model (1)</span><br><span><img id="en-us_topic_0079620341__image1274514144393" src="en-us_image_0000001369554806.png"></span></div>
|
||||
</li></ul>
|
||||
<p id="en-us_topic_0079620341__p16815830184410"></p>
|
||||
<div class="section" id="en-us_topic_0079620341__section1468942416348"><h4 class="sectiontitle">With Federated Identity Authentication</h4><ul id="en-us_topic_0079620341__ul17811133943410"><li id="en-us_topic_0079620341__li8175175413366">SSO supported<p id="en-us_topic_0079620341__p841325633613"><a name="en-us_topic_0079620341__li8175175413366"></a><a name="li8175175413366"></a>Users authenticated by the identity provider can access the cloud system through SSO.</p>
|
||||
<div class="fignone" id="en-us_topic_0079620341__fig6128398015113"><span class="figcap"><b>Figure 3 </b>User authentication model (2)</span><br><span><img id="en-us_topic_0079620341__image54358535614" src="en-us_image_0000001369714794.png"></span></div>
|
||||
<p id="en-us_topic_0079620341__p31425569144729"></p>
|
||||
</li></ul>
|
||||
</div>
|
||||
<ul id="en-us_topic_0079620341__ul4409204783417"><li id="en-us_topic_0079620341__li184885263377">Simplified user management<p id="en-us_topic_0079620341__p682793183817"><a name="en-us_topic_0079620341__li184885263377"></a><a name="li184885263377"></a>The enterprise administrator does not need to create users in the cloud system.</p>
|
||||
</li><li id="en-us_topic_0079620341__li77551533163917">Easy user operations<p id="en-us_topic_0079620341__p237614416374"><a name="en-us_topic_0079620341__li77551533163917"></a><a name="li77551533163917"></a>Users can access the cloud system through the enterprise management system.</p>
|
||||
<div class="fignone" id="en-us_topic_0079620341__fig35819891151116"><span class="figcap"><b>Figure 4 </b>User login model (2)</span><br><span><img id="en-us_topic_0079620341__image211596609461" src="en-us_image_0000001369235150.png"></span></div>
|
||||
</li></ul>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0059870089.html">Federated Identity Authentication</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
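Review bot: Both comparison sections close after their first bullet. The "Without Federated Identity Authentication" div ends after "SSO not supported", leaving "Complex user management" and "Complex user operations" in a separate <ul> outside the section; "With Federated Identity Authentication" does the same with "Simplified user management" and "Easy user operations". Move each trailing list inside its section div so all three items sit under the heading they belong to, and remove the empty <p> between the two sections. The API calling item mentions "SP-initiated or IdP-initiated" authentication without defining either term or linking to where they are explained. Several list items repeat their own id as an <a name="..."> anchor inside the item, which duplicates the identifier.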
12
docs/iam/umn/en-us_topic_0080335069.html
Normal file
@ -0,0 +1,12 @@
|
||||
<a name="en-us_topic_0080335069"></a><a name="en-us_topic_0080335069"></a>
|
||||
|
||||
<h1 class="topictitle1">Modifying User Permissions</h1>
|
||||
<div id="body1508316321288"><p id="en-us_topic_0080335069__p1605102720505">You can modify user permissions using either of the following methods:</p>
|
||||
<ul id="en-us_topic_0080335069__ul11749184944618"><li id="en-us_topic_0080335069__li12410119524">Change the user groups to which a user belongs on the <strong id="en-us_topic_0080335069__b842352706132710">Modify User</strong> page. Choose this method if you want to modify the permissions of a single user. For details, see <a href="en-us_topic_0046661675.html">Viewing and Modifying User Information</a>.</li><li id="en-us_topic_0080335069__li14911121134817">Modify the permissions of a user group or change the users included in the user group. Choose this method if you want to modify the permissions of multiple users. For details, see <a href="en-us_topic_0085605493.html">Viewing and Modifying User Group Information</a>.</li></ul>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
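Review bot: The second list item puts two operations with different reach under one recommendation. "Modify the permissions of a user group" changes access for every user in the group, while "change the users included in the user group" affects only the users added or removed. Split the item in two and state that a permission change on a group applies to all of its members, so that an administrator adjusting a few users does not widen access for the rest of the group. Minor: the `<a name="en-us_topic_0080335069"></a>` anchor is emitted twice on the first line.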
23
docs/iam/umn/en-us_topic_0085605493.html
Normal file
@ -0,0 +1,23 @@
|
||||
<a name="en-us_topic_0085605493"></a><a name="en-us_topic_0085605493"></a>
|
||||
|
||||
<h1 class="topictitle1">Viewing and Modifying User Group Information</h1>
|
||||
<div id="body1511769445459"><p id="en-us_topic_0085605493__p3334189411217">As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the groups to which the users belong.</p>
|
||||
<div class="section" id="en-us_topic_0085605493__section30804749"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0085605493__ol48598242"><li id="en-us_topic_0085605493__li44143566"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0085605493__uicontrol9867135935214"><b>User Groups</b></span>.</span></li><li id="en-us_topic_0085605493__li61747774"><span>In the user group list, view or modify user group information.</span><p><ul id="en-us_topic_0085605493__ul4436035125718"><li id="en-us_topic_0085605493__li16436935125713">Viewing user group information<p id="en-us_topic_0085605493__p1943633519575"><a name="en-us_topic_0085605493__li16436935125713"></a><a name="li16436935125713"></a>In the user group list, click <span><img id="en-us_topic_0085605493__image202519579572" src="en-us_image_0000001369235154.png"></span> next to the target user group to view its details, including the basic information, permissions, and users.</p>
|
||||
</li><li id="en-us_topic_0085605493__li9436435135710">Modifying user group information<div class="p" id="en-us_topic_0085605493__p8436335195710"><a name="en-us_topic_0085605493__li9436435135710"></a><a name="li9436435135710"></a>Click <strong id="en-us_topic_0085605493__b842352706162732">Modify</strong> in the <strong id="en-us_topic_0085605493__b842352706162729">Operation</strong> column of the row that contains the target user group to go to the <strong id="en-us_topic_0085605493__b842352706132449">Modify User Group</strong> page.<div class="note" id="en-us_topic_0085605493__note184361535205718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0085605493__ul6436335175715"><li id="en-us_topic_0085605493__li18436635145713">For the default user group, you can only manage its users and cannot modify its basic information or permissions.</li><li id="en-us_topic_0085605493__li143633585715">If the name of a user group has been configured in the identity conversion rules of an identity provider, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.</li></ul>
|
||||
</div></div>
|
||||
</div>
|
||||
</li><li id="en-us_topic_0085605493__li82963550222">Modifying user group permissions<div class="p" id="en-us_topic_0085605493__p64686430427"><a name="en-us_topic_0085605493__li82963550222"></a><a name="li82963550222"></a>You can assign new permissions to or cancel the existing permissions of a user group in the policy view or project view.<ul id="en-us_topic_0085605493__ul18148125815487"><li id="en-us_topic_0085605493__li6148558154817">Changing the authorization scope in the policy view<ol type="a" id="en-us_topic_0085605493__ol15723476811"><li id="en-us_topic_0085605493__li18607131373611">Choose <strong id="en-us_topic_0085605493__b183211452172">User Groups</strong> in the navigation pane, and click <strong id="en-us_topic_0085605493__b2837245151714">Manage Permissions</strong> in the row containing the user group you want to modify. On the <strong id="en-us_topic_0085605493__b11837184591713">Permissions</strong> tab page, select <strong id="en-us_topic_0085605493__b083820451179">Policy View</strong>.</li><li id="en-us_topic_0085605493__li77313471585">Click <strong id="en-us_topic_0085605493__b2132193412449">Change Project</strong> on the right of a policy.</li><li id="en-us_topic_0085605493__li166134454488">On the <strong id="en-us_topic_0085605493__b20885160174614">Change Project</strong> page, select or deselect desired projects.</li><li id="en-us_topic_0085605493__li119299525103">Click <strong id="en-us_topic_0085605493__b74761341465">OK</strong>.</li></ol>
|
||||
</li><li id="en-us_topic_0085605493__li36169120137">Modifying permissions for certain projects in the project view<ol type="a" id="en-us_topic_0085605493__ol1049033510134"><li id="en-us_topic_0085605493__li1929172716457">Choose <strong id="en-us_topic_0085605493__b284941761818">User Groups</strong> in the navigation pane, and click <strong id="en-us_topic_0085605493__b198548176186">Manage Permissions</strong> on the right of a user group. On the <strong id="en-us_topic_0085605493__b12855111761810">Permissions</strong> tab page, select <strong id="en-us_topic_0085605493__b16855517151820">Project View</strong>.</li><li id="en-us_topic_0085605493__li1149018353130">Click <strong id="en-us_topic_0085605493__b17547162514460">Modify Permissions</strong> on the right of a project.</li><li id="en-us_topic_0085605493__li282716481139">Select or deselect desire policies, and click <strong id="en-us_topic_0085605493__b17601130184615">OK</strong>.</li></ol>
|
||||
</li></ul>
|
||||
</div>
|
||||
</li><li id="en-us_topic_0085605493__li14128545192320">Managing Users<ol type="a" id="en-us_topic_0085605493__ol532302717180"><li id="en-us_topic_0085605493__li15323182718181">In the user group list, click <strong id="en-us_topic_0085605493__b93889592485">Manage User</strong> in the row containing the user group you want to modify.</li><li id="en-us_topic_0085605493__li532382711810">In the <strong id="en-us_topic_0085605493__b153416311495">Available Users</strong> area, select users you want to add to the user group.</li><li id="en-us_topic_0085605493__li1932317278180">In the <strong id="en-us_topic_0085605493__b166031511174911">Selected Users</strong> area, remove users from the user group.</li></ol>
|
||||
</li></ul>
|
||||
</p></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_06.html">User and User Group Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
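Review bot: The note under "Modifying user group information" says that renaming a group referenced in an identity provider's identity conversion rules "will cause the identity conversion rules to fail", but gives the administrator nothing to act on beyond "Exercise caution". Say where to check whether the group name is referenced (link the topic that covers identity conversion rules) and that the rules must be updated together with the rename. Two smaller points: in the project-view steps, "Select or deselect desire policies" should read "desired policies"; and the "Managing Users" steps a to c end without a confirmation step, unlike the two permission procedures, which both end with "Click OK", so state whether the membership change is saved automatically or needs a click.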
56
docs/iam/umn/en-us_topic_0274187246.html
Normal file
@ -0,0 +1,56 @@
|
||||
<a name="en-us_topic_0274187246"></a><a name="en-us_topic_0274187246"></a>
|
||||
|
||||
<h1 class="topictitle1">Creating a Custom Policy</h1>
|
||||
<div id="body1597751871933"><p id="en-us_topic_0274187246__p178751134152415">You can create custom policies to supplement system-defined policies and implement more refined access control.</p>
|
||||
<div class="section" id="en-us_topic_0274187246__section127131384256"><h4 class="sectiontitle">Creating a Custom Policy in the Visual Editor</h4><ol id="en-us_topic_0274187246__ol349213810218"><li id="en-us_topic_0274187246__li1249213383220"><span>On the IAM console, choose <span class="uicontrol" id="en-us_topic_0274187246__uicontrol19744191362413"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="en-us_topic_0274187246__uicontrol2749121319246"><b>Create Custom Policy</b></span>.</span></li><li id="en-us_topic_0274187246__li1049216384218"><span>Enter a policy name.</span></li><li id="en-us_topic_0274187246__li186751681668"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="en-us_topic_0274187246__ul206753813617"><li id="en-us_topic_0274187246__li6675178467"><strong id="en-us_topic_0274187246__b18583192142615">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b51019293264">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="en-us_topic_0274187246__li66755811617"><strong id="en-us_topic_0274187246__b6256557152616">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b439896162715">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
|
||||
<p id="en-us_topic_0274187246__p156751812611">For example, when creating a custom policy containing the action <strong id="en-us_topic_0274187246__b614332195114">evs:volumes:create</strong> for EVS, specify the scope as <strong id="en-us_topic_0274187246__b7192032145116">Project-level services</strong>.</p>
|
||||
<div class="note" id="en-us_topic_0274187246__note8675138861"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p2067512815610">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="en-us_topic_0274187246__b498333912713">Global services</strong> and <strong id="en-us_topic_0274187246__b1698913394274">Project-level services</strong>.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0274187246__li499013117715"><span>Select <strong id="en-us_topic_0274187246__b13900115615276">Visual editor</strong>.</span></li><li id="en-us_topic_0274187246__li11144122232119"><span>Set the policy content.</span><p><ol type="a" id="en-us_topic_0274187246__ol67011432182116"><li id="en-us_topic_0274187246__li161466351218">Select <strong id="en-us_topic_0274187246__b720815292812">Allow</strong> or <strong id="en-us_topic_0274187246__b8213821283">Deny</strong>.</li><li id="en-us_topic_0274187246__li1684612437215">Select a cloud service.<div class="note" id="en-us_topic_0274187246__note9255142512522"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p1625582510529">Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click <strong id="en-us_topic_0274187246__b273715172817">Add Permissions</strong> or switch to the JSON view.</p>
|
||||
</div></div>
|
||||
</li><li id="en-us_topic_0274187246__li195205468218">Select actions.</li><li id="en-us_topic_0274187246__li16567649112113">Select all resources, or select specific resources by specifying their paths.</li><li id="en-us_topic_0274187246__li127011432162115">(Optional) Add request conditions by specifying condition keys, operators, and values.
|
||||
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0274187246__table42344414207" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Condition parameters</caption><thead align="left"><tr id="en-us_topic_0274187246__row5234843202"><th align="left" class="cellrowborder" valign="top" width="16.07%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.1"><p id="en-us_topic_0274187246__p1723412452010">Name</p>
|
||||
</th>
|
||||
<th align="left" class="cellrowborder" valign="top" width="83.93%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.2"><p id="en-us_topic_0274187246__p1123516462012">Description</p>
|
||||
</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody><tr id="en-us_topic_0274187246__row1023512410207"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p1123514412016">Condition Key</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p1235184122019">A key in the <strong id="en-us_topic_0274187246__b684427105311">Condition</strong> element of a statement. There are global and service-level condition keys. Global condition keys (starting with <strong id="en-us_topic_0274187246__b47103763010">g:</strong>) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as <strong id="en-us_topic_0274187246__b987914143305">obs:</strong>) are available only for operations of the corresponding service.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0274187246__row1123514182018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p523518422018">Operator</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p7235134102010">Used together with a condition key to form a complete condition statement.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="en-us_topic_0274187246__row3235134162018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p9235846201">Value</p>
|
||||
</td>
|
||||
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p1323524182010">Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</li></ol>
|
||||
</p></li><li id="en-us_topic_0274187246__li18130645181019"><span>(Optional) Switch to the JSON view and modify the policy content in the JSON format.</span><p><div class="note" id="en-us_topic_0274187246__note4789183210143"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p1079033220141">If the policy content is incorrect after modification, check and modify the content, or click <strong id="en-us_topic_0274187246__b14102651163016">Reset</strong> to cancel the modifications.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0274187246__li9754244913"><span>(Optional) To add another permission block for the policy, click <strong id="en-us_topic_0274187246__b1053158143012">Add Permissions</strong>. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.</span></li><li id="en-us_topic_0274187246__li148711411476"><span>(Optional) Enter a brief description for the policy.</span></li><li id="en-us_topic_0274187246__li435416457312"><span>Click <strong id="en-us_topic_0274187246__b1914192083117">OK</strong>.</span></li><li id="en-us_topic_0274187246__li14344102511819"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
|
||||
</div>
|
||||
<div class="section" id="en-us_topic_0274187246__section199855814265"><h4 class="sectiontitle">Creating a Custom Policy in JSON View</h4><ol id="en-us_topic_0274187246__ol06251565191"><li id="en-us_topic_0274187246__li1116202310310"><span>On the IAM console, choose <span class="uicontrol" id="en-us_topic_0274187246__uicontrol133681436153116"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="en-us_topic_0274187246__uicontrol337493673110"><b>Create Custom Policy</b></span>.</span></li><li id="en-us_topic_0274187246__li7625105616193"><span>Enter a policy name.</span></li><li id="en-us_topic_0274187246__li18626656161912"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="en-us_topic_0274187246__ul1343810211968"><li id="en-us_topic_0274187246__li1987713580105"><strong id="en-us_topic_0274187246__b1491218450315">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b137261847183110">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="en-us_topic_0274187246__li21871151191112"><strong id="en-us_topic_0274187246__b2165105493114">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b1811805613317">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
|
||||
<p id="en-us_topic_0274187246__p1143812117615">For example, when creating a custom policy containing the action <strong id="en-us_topic_0274187246__b827087175512">evs:volumes:create</strong> for EVS, specify the scope as <strong id="en-us_topic_0274187246__b1427620710556">Project-level services</strong>.</p>
|
||||
<div class="note" id="en-us_topic_0274187246__note64381521166"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p14438721361">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="en-us_topic_0274187246__b5680145143217">Global services</strong> and <strong id="en-us_topic_0274187246__b14682857329">Project-level services</strong>.</p>
|
||||
</div></div>
|
||||
</p></li><li id="en-us_topic_0274187246__li1993914919215"><span>Select <strong id="en-us_topic_0274187246__b1766716616327">JSON</strong>.</span></li><li id="en-us_topic_0274187246__li1862615614192"><span>(Optional) Click <strong id="en-us_topic_0274187246__b845691218322">Select Existing Policy</strong>, and select a policy to use it as a template, such as <span class="parmvalue" id="en-us_topic_0274187246__parmvalue246331253211"><b>VPC Admin</b></span>.</span></li><li id="en-us_topic_0274187246__li462625651918"><span>Click <strong id="en-us_topic_0274187246__b1967120463323">OK</strong>.</span></li><li id="en-us_topic_0274187246__li12626556101911"><span>Modify the statement in the template.</span><p><ul id="en-us_topic_0274187246__ul1962675611912"><li id="en-us_topic_0274187246__li8626156181918"><strong id="en-us_topic_0274187246__b1321618355552">Effect</strong>: Set it to <strong id="en-us_topic_0274187246__b18222335185517">Allow</strong> or <strong id="en-us_topic_0274187246__b2222193517555">Deny</strong>.</li><li id="en-us_topic_0274187246__li15627156151917"><strong id="en-us_topic_0274187246__b728719582329">Action</strong>: Enter the actions provided in the API actions table of the EVS service, for example, <strong id="en-us_topic_0274187246__b12293958153214">evs:volumes:create</strong>.<div class="note" id="en-us_topic_0274187246__note46271956111920"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0274187246__ul14627185611910"><li id="en-us_topic_0274187246__li1862717561195">The version of each custom policy is fixed at <strong id="en-us_topic_0274187246__b19951318173319">1.1</strong>.</li></ul>
|
||||
</div></div>
|
||||
</li></ul>
|
||||
</p></li><li id="en-us_topic_0274187246__li106271756131914"><span>(Optional) Enter a brief description for the policy.</span></li><li id="en-us_topic_0274187246__li1162725661910"><span>Click <strong id="en-us_topic_0274187246__b163841614349">OK</strong>. If the policy list is displayed, the policy is created successfully.</span></li><li id="en-us_topic_0274187246__li4291119181"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0015.html">Fine-Grained Policy Management</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
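Review bot: In "Creating a Custom Policy in JSON View", step 7 ("Modify the statement in the template") documents only Effect and Action, and the note "The version of each custom policy is fixed at 1.1" is nested under the Action bullet although it concerns the policy version, not the actions. Give the version its own bullet, and either describe the resource and condition parts of the statement here as well (the visual-editor procedure covers them in steps 5d and 5e and in Table 1) or state that they are edited the same way in JSON. The Action bullet is also tied to one service ("the API actions table of the EVS service") in an otherwise generic procedure. Separately, both procedures offer Allow or Deny without saying which takes effect when the groups a user belongs to carry both for the same action; one sentence on that belongs next to step 5a. In Table 1, the Value description ("an operator that requires a keyword") is hard to parse and would read better with a single concrete condition as an illustration.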
17
docs/iam/umn/iam_01_0000.html
Normal file
@ -0,0 +1,17 @@
|
||||
<a name="iam_01_0000"></a><a name="iam_01_0000"></a>
|
||||
|
||||
<h1 class="topictitle1">FAQs</h1>
|
||||
<div id="body1507717801361"></div>
|
||||
<div>
|
||||
<ul class="ullinks">
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0002.html">How Do I Enable Login Authentication?</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0003.html">How Do I Bind a Virtual MFA Device?</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0001.html">How Do I Obtain MFA Verification Codes?</a></strong><br>
|
||||
</li>
|
||||
<li class="ulchildlink"><strong><a href="iam_01_0004.html">How Do I Unbind a Virtual MFA Device?</a></strong><br>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
|
11
docs/iam/umn/iam_01_0001.html
Normal file
@ -0,0 +1,11 @@
|
||||
<a name="iam_01_0001"></a><a name="iam_01_0001"></a>
|
||||
|
||||
<h1 class="topictitle1">How Do I Obtain MFA Verification Codes?</h1>
|
||||
<div id="body1524552459482"><p id="iam_01_0001__p2054154253014">After MFA–based login authentication is enabled, you need to enter an MFA verification code in addition to the username and password when logging in to the console. Open the bound MFA application and view the verification code displayed for your account.</p>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0000.html">FAQs</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
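Review bot: The answer assumes an MFA application is already bound ("Open the bound MFA application") but does not link to the binding procedure; link it to iam_01_0003.html ("How Do I Bind a Virtual MFA Device?"), as the Prerequisites section of iam_01_0002.html does. Also, "MFA–based" is written with an en dash and should use a hyphen ("MFA-based").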
19
docs/iam/umn/iam_01_0002.html
Normal file
@ -0,0 +1,19 @@
|
||||
<a name="iam_01_0002"></a><a name="iam_01_0002"></a>
|
||||
|
||||
<h1 class="topictitle1">How Do I Enable Login Authentication?</h1>
|
||||
<div id="body1524533836165"><p id="iam_01_0002__p3728866695136">For account security purposes, you are advised to enable login authentication. After this function is enabled, users need to enter an SMS, MFA, or email verification code on the <strong id="iam_01_0002__b3484442103911">Login Verification</strong> page when logging in to the cloud system.</p>
|
||||
<div class="section" id="iam_01_0002__section14898167161121"><h4 class="sectiontitle">Prerequisites</h4><p id="iam_01_0002__p5368336516366">Users have bound a mobile number, email address, or <a href="iam_01_0003.html">virtual MFA device</a> to their account.</p>
|
||||
</div>
|
||||
<div class="section" id="iam_01_0002__section5855840094234"><h4 class="sectiontitle">Procedure</h4><ul id="iam_01_0002__ul2634851716038"><li id="iam_01_0002__li5070896616038">Enabling login authentication on the <strong id="iam_01_0002__b842352706162640">Modify User</strong> page of the IAM console</li></ul>
|
||||
<ol id="iam_01_0002__ol185505316456"><li id="iam_01_0002__li5436105516456"><span>In the navigation pane, choose <span class="uicontrol" id="iam_01_0002__uicontrol478911296187"><b>Users</b></span>.</span></li><li id="iam_01_0002__li1948744916456"><span>Click <strong id="iam_01_0002__b842352706162732_1">Modify</strong> in the <strong id="iam_01_0002__b842352706162729">Operation</strong> column of the row that contains the target user.</span></li><li id="iam_01_0002__li4116932016456"><span>On the <strong id="iam_01_0002__b842352706163048_1">Modify User</strong> page, select a login verification method, and enter the verification code.</span></li><li id="iam_01_0002__li4035037016849"><span>Click <span class="uicontrol" id="iam_01_0002__uicontrol63177125354"><b>OK</b></span>.</span></li></ol>
|
||||
<p id="iam_01_0002__p1236748915301"></p>
|
||||
<ul id="iam_01_0002__ul3433533316521"><li id="iam_01_0002__li6044972516521">Enabling login authentication on the <strong id="iam_01_0002__b842352706224638">My Credentials</strong> page</li></ul>
|
||||
<ol id="iam_01_0002__ol1445910994319"><li id="iam_01_0002__li4523113194319"><span>Hover the mouse pointer over the username in the upper right corner and choose <strong id="iam_01_0002__b84235270616171">My Credentials</strong> from the drop-down list.</span></li><li id="iam_01_0002__li734927594753"><span>On the <strong id="iam_01_0002__b842352706162751">My Credentials</strong> page, click <strong id="iam_01_0002__b842352706162732_3">Change</strong> next to <strong id="iam_01_0002__b84235270693049">Login Authentication</strong>.</span></li><li id="iam_01_0002__li4882711394941"><span>On the <strong id="iam_01_0002__b842352706163048_3">Change Verification Method</strong> page, select a login verification method, and enter the verification code.</span></li><li id="iam_01_0002__li2859213316623"><span>Click <strong id="iam_01_0002__b842352706162233_1">OK</strong>.</span></li></ol>
|
||||
</div>
|
||||
</div>
|
||||
<div>
|
||||
<div class="familylinks">
|
||||
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0000.html">FAQs</a></div>
|
||||
</div>
|
||||
</div>
|
||||
|
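Review bot: In the first method, step 3 ("On the Modify User page, select a login verification method, and enter the verification code") does not say whose verification code is entered. The page is reached by clicking Modify in the row of "the target user", so it is unclear whether the administrator or the target user receives and supplies the code; state this explicitly, since it determines who must be present to complete the change. Structurally, each method title under "Procedure" is a one-item `<ul>` followed by a sibling `<ol>`, so the steps are not tied to the method they belong to, and an empty `<p id="iam_01_0002__p1236748915301"></p>` is used as a spacer between the two methods. Nest each `<ol>` inside its `<li>` and drop the empty paragraph.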