IAM UMN 930 version

Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com>
Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>
Wei, Hongmin 2023-02-02 16:20:41 +00:00 committed by zuul
parent 894279c39a
commit f37f5291ef
67 changed files with 751 additions and 362 deletions

(Two file diffs were suppressed as too large, and the binary image files added or changed in this commit are not shown; only the HTML hunks below are rendered.)
View File

@ -3,14 +3,14 @@
<h1 class="topictitle1">IAM Features</h1>
<div id="body1503736806649"><p id="en-us_topic_0046611276__p5240337613233">IAM provides the following basic functions:</p>
<ul id="en-us_topic_0046611276__ul411171964111"><li id="en-us_topic_0046611276__li41111199417">Refined permissions management<p id="en-us_topic_0046611276__p24061390153515"><a name="en-us_topic_0046611276__li41111199417"></a><a name="li41111199417"></a>You can control user access to different projects and grant different permissions to users for the same project. For example, you can grant some users permissions to manage Object Storage Service (OBS), and grant other users only the permissions to read data from OBS.</p>
<div class="fignone" id="en-us_topic_0046611276__fig47322305144745"><span class="figcap"><b>Figure 1 </b>Permissions management model</span><br><span><img id="en-us_topic_0046611276__image25353776154931" src="en-us_image_0000001420034729.png"></span></div>
<div class="fignone" id="en-us_topic_0046611276__fig47322305144745"><span class="figcap"><b>Figure 1 </b>Permissions management model</span><br><span><img id="en-us_topic_0046611276__image25353776154931" src="en-us_image_0274187240.png" width="438.90000000000003" height="203.88900000000004" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0046611276__p6056022715518"></p>
</li><li id="en-us_topic_0046611276__li26142662132115">Simplified authorization<p id="en-us_topic_0046611276__p33957371132115"><a name="en-us_topic_0046611276__li26142662132115"></a><a name="li26142662132115"></a>You can authorize users in just two steps:</p>
<ol id="en-us_topic_0046611276__ol37180886132115"><li id="en-us_topic_0046611276__li66192520132115">Plan user groups according to users' responsibilities and grant permissions to each user group.</li><li id="en-us_topic_0046611276__li58861770132115">Add a user to the user group that matches the user's responsibilities.</li></ol>
</li><li id="en-us_topic_0046611276__li7111161910418">Federated identity authentication<p id="en-us_topic_0046611276__p6438914392519"><a name="en-us_topic_0046611276__li7111161910418"></a><a name="li7111161910418"></a>Federated identity authentication enables users in your identity authentication system to access your resources through single sign-on (SSO).</p>
</li><li id="en-us_topic_0046611276__li15232175951616">Delegation of resource access to another account or a specific cloud service<p id="en-us_topic_0046611276__p6171725893116"><a name="en-us_topic_0046611276__li15232175951616"></a><a name="li15232175951616"></a>You can delegate your operation permissions to a cloud service or another account so that the cloud service or account can access your resources.</p>
</li><li id="en-us_topic_0046611276__li5111121964117">User authentication and authorization for other cloud services<p id="en-us_topic_0046611276__p2011117194416"><a name="en-us_topic_0046611276__li5111121964117"></a><a name="li5111121964117"></a>Users can be authenticated by IAM to access other services, for example, Relational Database Service (RDS), Cloud Trace Service (CTS), and OBS, based on assigned permissions.</p>
</li><li id="en-us_topic_0046611276__li1711112190419">Security policy management<p style="color:#000000;" id="en-us_topic_0046611276__p311231914117"><a name="en-us_topic_0046611276__li1711112190419"></a><a name="li1711112190419"></a>You can set multi-factor authentication (MFA), login authentication and password policies, and an access control list (ACL) to keep user information and system data secure.</p>
</li><li id="en-us_topic_0046611276__li1711112190419">Security policy management<p id="en-us_topic_0046611276__p311231914117"><a name="en-us_topic_0046611276__li1711112190419"></a><a name="li1711112190419"></a>You can set multi-factor authentication (MFA), login authentication and password policies, and an access control list (ACL) to keep user information and system data secure.</p>
</li></ul>
</div>
<div>
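Review bot: the replacement `<img>` on the Figure 1 line carries fractional pixel dimensions, `width="438.90000000000003" height="203.88900000000004"`, which are floating-point artifacts of the conversion tooling rather than intended values; round them to `width="439" height="204"` (or drop them and let the stylesheet size the image) so the generated markup does not carry conversion noise into every page. Dropping the hard-coded `style="color:#000000;"` from the Security policy management paragraph is a good cleanup, since colour belongs to the stylesheet and the two versions of that paragraph are otherwise identical.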
@ -19,3 +19,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
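Review bot: the added inline `<script language="JavaScript">` block uses the obsolete `language` attribute and HTML-comment wrapping (`<!-- ... //-->`); a bare `<script>` is sufficient in HTML5. More importantly for a documentation site, an inline call such as `image_size('.imgResize');` will be blocked by any Content-Security-Policy that does not permit `'unsafe-inline'`, so move the call and the `msg_imageMax` / `msg_imageClose` strings into the external script that defines `image_size` (or a nonce-tagged helper) so the pages can be served under a strict CSP. If those two strings exist for localisation, they also belong in the shared locale file rather than being repeated in every topic.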

View File

@ -2,15 +2,21 @@
<h1 class="topictitle1">Change History</h1>
<div id="body1481683858040">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046611300__table21997797145555" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Change history</caption><thead align="left"><tr id="en-us_topic_0046611300__row57680627145555"><th align="left" class="cellrowborder" valign="top" width="29.95%" id="mcps1.3.1.2.3.1.1"><p id="en-us_topic_0046611300__p15004592145747"><strong id="en-us_topic_0046611300__b314928345">Released On</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0046611300__table21997797145555" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Change history</caption><thead align="left"><tr id="en-us_topic_0046611300__row57680627145555"><th align="left" class="cellrowborder" valign="top" width="29.95%" id="mcps1.3.1.2.3.1.1"><p id="en-us_topic_0046611300__p15004592145747"><strong id="en-us_topic_0046611300__b1823607969">Released On</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="70.05%" id="mcps1.3.1.2.3.1.2"><p id="en-us_topic_0046611300__p49738431145747"><strong id="en-us_topic_0046611300__b84235270621124_1">What's New</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0046611300__row820424910437"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p1220534916431">2022-10-21</p>
<tbody><tr id="en-us_topic_0046611300__row42351450203614"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p3360158144310">2022-11-21</p>
</td>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p320514913431">Optimized the document content.</p>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p9744402379">This release incorporates the following changes:</p>
<ul id="en-us_topic_0046611300__ul274414017378"><li id="en-us_topic_0046611300__li147443063713">Added section <a href="iam_08_0010.html">OpenID Connectbased Federated Identity Authentication</a>.</li><li id="en-us_topic_0046611300__li87441606375">Optimized section <a href="iam_08_0002.html">SAML-based Federated Identity Authentication</a>.</li></ul>
</td>
</tr>
<tr id="en-us_topic_0046611300__row8784454133214"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p5784195453216">2022-10-21</p>
</td>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p224985813363">Optimized the document content.</p>
</td>
</tr>
<tr id="en-us_topic_0046611300__row1069811547159"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p369811549153">2020-12-30</p>
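Review bot: the new 2022-11-21 row has a typo in the link text, `OpenID Connectbased` should read `OpenID Connect-based` (the hyphen is missing; compare `SAML-based` in the same list). Separately, the only change to the `Released On` header line is the generated id swapping from `b314928345` to `b1823607969`; this id churn produces diff noise with no content change, so consider keeping generated ids stable across regenerations or stripping them from elements that nothing references.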
@ -28,13 +34,13 @@
<tr id="en-us_topic_0046611300__row205621601438"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p185631509431">2020-07-21</p>
</td>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p8563140124314">This release incorporates the following changes:</p>
<ul id="en-us_topic_0046611300__ul165903501135"><li id="en-us_topic_0046611300__li16590205081315">Added the operations of binding and unbinding a virtual MFA device in <a href="iam_01_0012.html">IAM Operations That Can Be Recorded by CTS</a>.</li><li id="en-us_topic_0046611300__li125901650141319">Updated section <a href="iam_01_0031.html">Creating a User and Adding the User to a User Group</a>, <a href="en-us_topic_0046611303.html">Creating a User</a>, and <a href="en-us_topic_0274187246.html">Creating a Custom Policy</a> based on console changes.</li></ul>
<ul id="en-us_topic_0046611300__ul165903501135"><li id="en-us_topic_0046611300__li16590205081315">Added the operations of binding and unbinding a virtual MFA device in <a href="iam_01_0012.html">IAM Operations That Can Be Recorded by CTS</a>.</li><li id="en-us_topic_0046611300__li125901650141319">Updated section <a href="iam_01_0031.html">Creating a User and Adding the User to a User Group</a>, <a href="en-us_topic_0046611303.html">Creating a User</a>, and <a href="iam_01_0016.html">Creating a Custom Policy</a> based on console changes.</li></ul>
</td>
</tr>
<tr id="en-us_topic_0046611300__row735616480534"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p193572486530">2019-04-19</p>
</td>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p43571489535">This release incorporates the following change:</p>
<p id="en-us_topic_0046611300__p1187220275413">Added descriptions about the scope of custom policies in <a href="en-us_topic_0274187246.html">Creating a Custom Policy</a>.</p>
<p id="en-us_topic_0046611300__p1187220275413">Added descriptions about the scope of custom policies in <a href="iam_01_0016.html">Creating a Custom Policy</a>.</p>
</td>
</tr>
<tr id="en-us_topic_0046611300__row775115875515"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p117615583554">2019-04-18</p>
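Review bot: this hunk retargets the `Creating a Custom Policy` link from `en-us_topic_0274187246.html` to `iam_01_0016.html`, but nothing in the visible diff shows `iam_01_0016.html` being added or the old file being removed, so confirm that the new file exists in this commit and search the remaining topics for `en-us_topic_0274187246.html` so no links are left dangling; a link-check run over the generated HTML would catch this before publication.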
@ -52,7 +58,7 @@
<tr id="en-us_topic_0046611300__row12719931192317"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p12719123182315">2019-03-12</p>
</td>
<td class="cellrowborder" valign="top" width="70.05%" headers="mcps1.3.1.2.3.1.2 "><p id="en-us_topic_0046611300__p1719173112313">This release incorporates the following changes:</p>
<ul id="en-us_topic_0046611300__ul92781131102816"><li id="en-us_topic_0046611300__li7278153122813">Modified descriptions in sections <a href="iam_01_019.html">Fine-Grained Policies</a> and <a href="en-us_topic_0274187246.html">Creating a Custom Policy</a>.</li><li id="en-us_topic_0046611300__li1427833122820">Added a screenshot and modified descriptions in section <a href="iam_01_0017.html">Policy Syntax</a>.</li></ul>
<ul id="en-us_topic_0046611300__ul92781131102816"><li id="en-us_topic_0046611300__li7278153122813">Modified descriptions in sections <a href="iam_01_019.html">Fine-Grained Policies</a> and <a href="iam_01_0016.html">Creating a Custom Policy</a>.</li><li id="en-us_topic_0046611300__li1427833122820">Added a screenshot and modified descriptions in section <a href="iam_01_0017.html">Policy Syntax</a>.</li></ul>
</td>
</tr>
<tr id="en-us_topic_0046611300__row1229312113312"><td class="cellrowborder" valign="top" width="29.95%" headers="mcps1.3.1.2.3.1.1 "><p id="en-us_topic_0046611300__p122946263312">2019-02-26</p>

View File

@ -70,7 +70,7 @@
<tr id="en-us_topic_0046611303__row12985998218"><td class="cellrowborder" valign="top" headers="mcps1.3.2.2.4.2.1.1.5.1.1 "><p id="en-us_topic_0046611303__p153512593212">Set now</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="en-us_topic_0046611303__p143511559112117">Select this option if you are the user. Then, set a password for login.</p>
<div class="note" id="en-us_topic_0046611303__note732163017136"><span class="notetitle"> NOTE: </span><div class="notebody"><div class="p" id="en-us_topic_0046611303__p17471521171317">The password must meet the following requirements:<ul id="en-us_topic_0046611303__ul124714216134"><li id="en-us_topic_0046611303__li1647112131313">Must contain 6 to 32 characters.</li><li id="en-us_topic_0046611303__li91823361153">Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and spaces or other special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\=).</li><li id="en-us_topic_0046611303__li947192110139">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="en-us_topic_0046611303__b9902181755720">A12345</strong>, the password cannot be <strong id="en-us_topic_0046611303__b4908191745717">A12345</strong>, <strong id="en-us_topic_0046611303__b189091173573">a12345</strong>, <strong id="en-us_topic_0046611303__b0910317105717">54321A</strong>, or <strong id="en-us_topic_0046611303__b1191111175571">54321a</strong>.</li><li id="en-us_topic_0046611303__li24713215132">Cannot contain the user's mobile number or email address.</li></ul>
<div class="note" id="en-us_topic_0046611303__note732163017136"><span class="notetitle"> NOTE: </span><div class="notebody"><div class="p" id="en-us_topic_0046611303__p17471521171317">The password must meet the following requirements:<ul id="en-us_topic_0046611303__ul124714216134"><li id="en-us_topic_0046611303__li1647112131313">Must contain 6 to 32 characters.</li><li id="en-us_topic_0046611303__li13545131125410">Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\= and spaces).</li><li id="en-us_topic_0046611303__li947192110139">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="en-us_topic_0046611303__b9902181755720">A12345</strong>, the password cannot be <strong id="en-us_topic_0046611303__b4908191745717">A12345</strong>, <strong id="en-us_topic_0046611303__b189091173573">a12345</strong>, <strong id="en-us_topic_0046611303__b0910317105717">54321A</strong>, or <strong id="en-us_topic_0046611303__b1191111175571">54321a</strong>.</li><li id="en-us_topic_0046611303__li24713215132">Cannot contain the user's mobile number or email address.</li></ul>
</div>
</div></div>
</td>
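Review bot: the rewording moves `spaces` into the parenthetical list of special characters, which matches the identical requirement list in the Account Settings topic; since that note (6 to 32 characters, at least two character types, not the username or its reverse, no mobile number or e-mail address) is now maintained verbatim in two topics, consider pulling it into one shared fragment so the two copies cannot drift apart again. The `<li>` id also changed from `li91823361153` to `li13545131125410` for a wording-only edit; keeping ids stable makes diffs like this one easier to review.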

View File

@ -1,25 +1,25 @@
<a name="en-us_topic_0046611308"></a><a name="en-us_topic_0046611308"></a>
<h1 class="topictitle1">Account Settings</h1>
<div id="body18475057"><p id="en-us_topic_0046611308__p25060148112042">Users with <strong id="en-us_topic_0046611308__b14092616142544_1">Security Administrator</strong> permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.</p>
<div class="section" id="en-us_topic_0046611308__section13189358"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046611308__ol44452332165636"><li id="en-us_topic_0046611308__li13635782101049"><span>Set the login authentication policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol4698153165832"><li id="en-us_topic_0046611308__li56369151165814">In the navigation pane, choose <strong id="en-us_topic_0046611308__b1134181173132">Account Settings</strong> &gt; <strong id="en-us_topic_0046611308__b6708568217327">Login Authentication Policy</strong>.</li><li id="en-us_topic_0046611308__li21440457171726">In the <strong id="en-us_topic_0046611308__b3984715114274_1">Account Lockout</strong> area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.<p id="en-us_topic_0046611308__p31242238171739">If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.</p>
<div id="body18475057"><p id="en-us_topic_0046611308__p25060148112042">Users with <strong id="en-us_topic_0046611308__b13547131816717">Security Administrator</strong> permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.</p>
<div class="section" id="en-us_topic_0046611308__section13189358"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0046611308__ol44452332165636"><li id="en-us_topic_0046611308__li13635782101049"><span>Set the login authentication policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol4698153165832"><li id="en-us_topic_0046611308__li56369151165814">In the navigation pane, choose <strong id="en-us_topic_0046611308__b11145101916419"></strong><strong id="en-us_topic_0046611308__b11456193416">Security Settings</strong> &gt; <strong id="en-us_topic_0046611308__b188624711401">Login Authentication Policy</strong>.</li><li id="en-us_topic_0046611308__li21440457171726">In the <strong id="en-us_topic_0046611308__b3984715114274_1">Account Lockout</strong> area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.<p id="en-us_topic_0046611308__p31242238171739">If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.</p>
</li><li id="en-us_topic_0046611308__li1783612816593">In the <strong id="en-us_topic_0046611308__b39182424142735">Account Disabling</strong> area, select <strong id="en-us_topic_0046611308__b19659741142735">Disable account upon login if it is not used within the validity period</strong>, and set the user validity period. If the user does not access the cloud system through the management console or APIs within the validity period, the user will be disabled.<p id="en-us_topic_0046611308__p1159415392942">The account disabling setting is for security purposes. If a user is disabled, resources in the account will not be affected and the user can contact the administrator to enable the user again.</p>
</li><li id="en-us_topic_0046611308__li425815345917">In the <strong id="en-us_topic_0046611308__b842352706103931_1">Session Timeout</strong> area, set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period. The timeout ranges from 15 minutes to 24 hours, and the default value is 15 minutes. If a user does not perform any operation within the specified duration, the user needs to log in again.</li><li id="en-us_topic_0046611308__li1757729293510">In the <strong id="en-us_topic_0046611308__b31411170142837">Recent Login Information</strong> area, select <strong id="en-us_topic_0046611308__b61276881142837">Display last login information upon successful login</strong>.<p id="en-us_topic_0046611308__p2453272893515">Users will be able to view the login information, such as the time of the last login, on the <strong id="en-us_topic_0046611308__b32672785142857">Login Verification</strong> page.</p>
</li><li id="en-us_topic_0046611308__li20715860173943">In the <strong id="en-us_topic_0046611308__b63235652142917">Custom Information</strong> area, set custom information that will be displayed upon successful login.<p id="en-us_topic_0046611308__p65262093623">Users will be able to view this custom information on the <strong id="en-us_topic_0046611308__b23841293142940">Login Verification</strong> page.</p>
</li><li id="en-us_topic_0046611308__li57243193112324">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol115083674816"><b>Save</b></span>.</li></ol>
</p></li><li id="en-us_topic_0046611308__li31523988174041"><span>Set the password policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol31264140174112"><li id="en-us_topic_0046611308__li5941318717415">In the navigation pane, choose <strong id="en-us_topic_0046611308__b842352706112724_1">Account Settings</strong> &gt; <strong id="en-us_topic_0046611308__b842352706112728_1">Password Policy</strong>.</li><li id="en-us_topic_0046611308__li61695623174820">In the <strong id="en-us_topic_0046611308__b842352706101424_1">Password Composition &amp; Reuse</strong> area, do as follows:<ul id="en-us_topic_0046611308__ul5901559155916"><li id="en-us_topic_0046611308__li57238117312">Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.</li><li id="en-us_topic_0046611308__li16901359135912">Set <strong id="en-us_topic_0046611308__b27521292319">Minimum Number of Characters</strong>.<div class="note" id="en-us_topic_0046611308__note49017595593"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046611308__p15901115911596">By default, a password must contain at least 6 characters.</p>
</p></li><li id="en-us_topic_0046611308__li31523988174041"><span>Set the password policy.</span><p><ol type="a" id="en-us_topic_0046611308__ol31264140174112"><li id="en-us_topic_0046611308__li5941318717415">In the navigation pane, choose <strong id="en-us_topic_0046611308__b198006154218"></strong><strong id="en-us_topic_0046611308__b1580011111429">Security Settings</strong> &gt; <strong id="en-us_topic_0046611308__b1180016144210">Password Policy</strong>.</li><li id="en-us_topic_0046611308__li61695623174820">In the <strong id="en-us_topic_0046611308__b842352706101424_1">Password Composition &amp; Reuse</strong> area, do as follows:<ul id="en-us_topic_0046611308__ul5901559155916"><li id="en-us_topic_0046611308__li57238117312">Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.</li><li id="en-us_topic_0046611308__li16901359135912">Set <strong id="en-us_topic_0046611308__b27521292319">Minimum Number of Characters</strong>.<div class="note" id="en-us_topic_0046611308__note49017595593"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0046611308__p15901115911596">By default, a password must contain at least 6 characters.</p>
</div></div>
</li><li id="en-us_topic_0046611308__li390113597596">Select <strong id="en-us_topic_0046611308__b17942550135417">Restrict consecutive identical characters</strong> and set the maximum number of consecutive identical characters that can be contained in a password. The value ranges from 1 to 32.</li><li id="en-us_topic_0046611308__li6901459205915">Select <strong id="en-us_topic_0046611308__b561884211553">Disallow previously used passwords</strong> and set the number of recent passwords disallowed. The value ranges from 1 to 10.</li></ul>
</li><li id="en-us_topic_0046611308__li6358188692210">In the <strong id="en-us_topic_0046611308__b15930355105912">Password Expiration</strong> area, select <strong id="en-us_topic_0046611308__b393055575915">Prompt password change 15 days before expiration and force password change upon expiration</strong>, and set the password validity period.<p id="en-us_topic_0046611308__p5618844892623">Users must change their password when the password has expired.</p>
<div class="note" id="en-us_topic_0046611308__note98311814124017"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><div class="p" id="en-us_topic_0046611308__p15508542103017">The password must meet the following requirements:<ul id="en-us_topic_0046611308__ul1083331413403"><li id="en-us_topic_0046611308__li1183331417403">Must contain 6 to 32 characters.</li><li id="en-us_topic_0046611308__li3834201454016">Must contain at least two types of the following characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), spaces, and special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\=).</li><li id="en-us_topic_0046611308__li1183512140409">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="en-us_topic_0046611308__b1759355984017">A12345</strong>, the password cannot be <strong id="en-us_topic_0046611308__b7598145914020">A12345</strong>, <strong id="en-us_topic_0046611308__b759818593403">a12345</strong>, <strong id="en-us_topic_0046611308__b45989593405">54321A</strong>, or <strong id="en-us_topic_0046611308__b159855914011">54321a</strong>.</li><li id="en-us_topic_0046611308__li78487289224">Cannot contain the user's mobile number or email address.</li></ul>
<div class="note" id="en-us_topic_0046611308__note98311814124017"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><div class="p" id="en-us_topic_0046611308__p15508542103017">The password must meet the following requirements:<ul id="en-us_topic_0046611308__ul1083331413403"><li id="en-us_topic_0046611308__li1183331417403">Must contain 6 to 32 characters.</li><li id="en-us_topic_0046611308__li3834201454016">Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\= and spaces).</li><li id="en-us_topic_0046611308__li1183512140409">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="en-us_topic_0046611308__b1759355984017">A12345</strong>, the password cannot be <strong id="en-us_topic_0046611308__b7598145914020">A12345</strong>, <strong id="en-us_topic_0046611308__b759818593403">a12345</strong>, <strong id="en-us_topic_0046611308__b45989593405">54321A</strong>, or <strong id="en-us_topic_0046611308__b159855914011">54321a</strong>.</li><li id="en-us_topic_0046611308__li78487289224">Cannot contain the user's mobile number or email address.</li></ul>
</div>
</div></div>
</li><li id="en-us_topic_0046611308__li5683690692342">In the <strong id="en-us_topic_0046611308__b5217997144231_1">Minimum Password Age</strong> area, select <strong id="en-us_topic_0046611308__b20004592144231_1">Allow a password to be changed only after it is used for a specified time</strong> and set the minimum password age.<p id="en-us_topic_0046611308__p6202758113833">Users can change their password only when the specified period has expired.</p>
</li><li id="en-us_topic_0046611308__li62005948112420">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol1825452395112"><b>Save</b></span>.</li></ol>
</p></li><li id="en-us_topic_0046611308__li127376929296"><span>Set the ACL.</span><p><ol type="a" id="en-us_topic_0046611308__ol6143777492938"><li id="en-us_topic_0046611308__li4219855610210">In the navigation pane, choose <strong id="en-us_topic_0046611308__b6550378716237">Account Settings</strong> &gt; <strong id="en-us_topic_0046611308__b5266317816237">ACL</strong>.</li><li id="en-us_topic_0046611308__li201569217524">On the <strong id="en-us_topic_0046611308__b46359253114954">ACL</strong> page, enter the allowed IP address ranges or IPv4 CIDR blocks.<ul id="en-us_topic_0046611308__ul63791847203557"><li id="en-us_topic_0046611308__li45099837203557"><strong id="en-us_topic_0046611308__b185931564215">IP Address Ranges</strong>: only allow users to access the system using IP addresses in specified ranges.</li><li id="en-us_topic_0046611308__li4012021620360"><strong id="en-us_topic_0046611308__b244887540144534">IPv4 CIDR Blocks</strong>: only allow users of specified IPv4 CIDR blocks to access the system. For example: <strong id="en-us_topic_0046611308__b14486155212573">10.10.10.10/32</strong>.</li></ul>
<div class="note" id="en-us_topic_0046611308__note523405593112"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046611308__ul12435347144449"><li id="en-us_topic_0046611308__li10854931192912">The ACL takes effect only for users under your account.</li><li id="en-us_topic_0046611308__li4299675995417">You can click <strong id="en-us_topic_0046611308__b14599479145211">Restore Defaults</strong> to restore the allowed IP address ranges to the default value, <strong id="en-us_topic_0046611308__b41707145145211">0.0.0.0</strong>-<strong id="en-us_topic_0046611308__b22835571145211">255.255.255.255</strong>, and to clear <strong id="en-us_topic_0046611308__b1275649384165146">IPv4 CIDR Blocks</strong>.</li><li id="en-us_topic_0046611308__li18944886144449">If both <strong id="en-us_topic_0046611308__b4120209145243">IP Address Ranges</strong> and <strong id="en-us_topic_0046611308__b65301516145243">IPv4 CIDR Blocks</strong> are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.</li></ul>
</p></li><li id="en-us_topic_0046611308__li390334519147"><span>Set the ACL.</span><p><ol type="a" id="en-us_topic_0046611308__ol13904184561414"><li id="en-us_topic_0046611308__li10904104512142">In the navigation pane, choose <strong id="en-us_topic_0046611308__b14944171713435"></strong><strong id="en-us_topic_0046611308__b394411171432">Security Settings</strong> &gt; <strong id="en-us_topic_0046611308__b1678211399422">ACL</strong>.</li><li id="en-us_topic_0046611308__li139042456141">On the <strong id="en-us_topic_0046611308__b3101727184310">ACL</strong> page, enter the allowed IP address ranges or IPv4 CIDR blocks.<ul id="en-us_topic_0046611308__ul109042045181411"><li id="en-us_topic_0046611308__li11904645121417"><strong id="en-us_topic_0046611308__b185931564215">IP Address Ranges</strong>: only allow users to access the system using IP addresses in specified ranges.</li><li id="en-us_topic_0046611308__li149041045101418"><strong id="en-us_topic_0046611308__b244887540144534">IPv4 CIDR Blocks</strong>: only allow users of specified IPv4 CIDR blocks to access the system. For example: <strong id="en-us_topic_0046611308__b14486155212573">10.10.10.10/32</strong>.</li></ul>
<div class="note" id="en-us_topic_0046611308__note1390474517146"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0046611308__ul209041345101413"><li id="en-us_topic_0046611308__li19904845191417">The ACL takes effect only for users under your account.</li><li id="en-us_topic_0046611308__li99045451149">You can click <strong id="en-us_topic_0046611308__b14599479145211">Restore Defaults</strong> to restore the allowed IP address ranges to the default value, <strong id="en-us_topic_0046611308__b41707145145211">0.0.0.0</strong>-<strong id="en-us_topic_0046611308__b22835571145211">255.255.255.255</strong>, and to clear <strong id="en-us_topic_0046611308__b1275649384165146">IPv4 CIDR Blocks</strong>.</li><li id="en-us_topic_0046611308__li8904204518145">If both <strong id="en-us_topic_0046611308__b4120209145243">IP Address Ranges</strong> and <strong id="en-us_topic_0046611308__b65301516145243">IPv4 CIDR Blocks</strong> are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.</li></ul>
</div></div>
</li><li id="en-us_topic_0046611308__li60468370105318">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol955674717316"><b>Save</b></span>.</li></ol>
</li><li id="en-us_topic_0046611308__li11905184515144">Click <span class="uicontrol" id="en-us_topic_0046611308__uicontrol446793817437"><b>Save</b></span>.</li></ol>
</p></li></ol>
</div>
</div>
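Review bot: the note in both the old and the new version of the "Set the ACL" step should say what the default range actually means: restoring 0.0.0.0-255.255.255.255 allows logins from every IPv4 address, so clicking Restore Defaults removes the access restriction entirely rather than returning to a safe baseline. Suggest adding that sentence to the note, and also that the new "IPv4 CIDR Blocks" example `10.10.10.10/32` matches exactly one host, since the two parameters are combined with OR.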

View File

@ -8,6 +8,8 @@
</li>
<li class="ulchildlink"><strong><a href="iam_08_0002.html">SAML-based Federated Identity Authentication</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_08_0010.html">OpenID Connectbased Federated Identity Authentication</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0079620340.html">Syntax of Identity Conversion Rules</a></strong><br>
</li>
</ul>
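Review bot: the new link text "OpenID Connectbased Federated Identity Authentication" is missing its hyphen; it should read "OpenID Connect-based Federated Identity Authentication" to match the sibling entry "SAML-based Federated Identity Authentication" two lines above.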

View File

@ -2,11 +2,11 @@
<h1 class="topictitle1">Managing Users and Permissions</h1>
<div id="body1536567611765"><p id="en-us_topic_0079496985__p39876842105823">As a security administrator, you can grant permissions to a user group and add users to it. The users inherit the permissions of the user group and can access the cloud system based on assigned permissions.</p>
<ol id="en-us_topic_0079496985__ol070104113459"><li id="en-us_topic_0079496985__li1701041114519"><span>Create projects in a region to isolate resources.</span><p><div class="fignone" id="en-us_topic_0079496985__fig34229460145619"><span class="figcap"><b>Figure 1 </b>Project isolating model</span><br><span><img id="en-us_topic_0079496985__image839103118276" src="en-us_image_0000001419956113.png"></span></div>
<ol id="en-us_topic_0079496985__ol070104113459"><li id="en-us_topic_0079496985__li1701041114519"><span>Create projects in a region to isolate resources.</span><p><div class="fignone" id="en-us_topic_0079496985__fig34229460145619"><span class="figcap"><b>Figure 1 </b>Project isolating model</span><br><span><img id="en-us_topic_0079496985__image839103118276" src="en-us_image_0274187237.png" width="492.06675000000007" height="192.01875" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0079496985__p17634111114111"></p>
</p></li><li id="en-us_topic_0079496985__li1468045511455"><span>Plan user groups according to user responsibilities and grant the required permissions to the user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig20564070145723"><span class="figcap"><b>Figure 2 </b>User group authorization model</span><br><span><img id="en-us_topic_0079496985__image1177561446" src="en-us_image_0000001369554798.png"></span></div>
</p></li><li id="en-us_topic_0079496985__li1468045511455"><span>Plan user groups according to user responsibilities and grant the required permissions to the user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig20564070145723"><span class="figcap"><b>Figure 2 </b>User group authorization model</span><br><span><img id="en-us_topic_0079496985__image1177561446" src="en-us_image_0274186858.png" height="245.48475" width="492.06675000000007" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0079496985__p1297126113914"></p>
</p></li><li id="en-us_topic_0079496985__li103541366461"><span>Create users and add them to the corresponding user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig2093618145932"><span class="figcap"><b>Figure 3 </b>User authorization model</span><br><span><img id="en-us_topic_0079496985__image19809191354" src="en-us_image_0000001420034721.png"></span></div>
</p></li><li id="en-us_topic_0079496985__li103541366461"><span>Create users and add them to the corresponding user groups.</span><p><div class="fignone" id="en-us_topic_0079496985__fig2093618145932"><span class="figcap"><b>Figure 3 </b>User authorization model</span><br><span><img id="en-us_topic_0079496985__image19809191354" src="en-us_image_0274187229.png" height="416.157" width="492.06675000000007" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0079496985__p28477933911"></p>
</p></li><li id="en-us_topic_0079496985__li14819151644610"><span>Log in as the users and access the cloud system based on assigned permissions.</span></li></ol>
</div>
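Review bot: the replacement `<img>` tags carry floating-point artefacts in their size attributes (`width="492.06675000000007"`, `height="192.01875"`, `height="245.48475"`, `height="416.157"`); these look like the output of a unit conversion rather than intended values. Suggest rounding to whole pixels, e.g. `width="492" height="192"`, and applying the same rounding to the other two figures, so the markup is readable and the `image_size` resize logic does not receive fractional dimensions.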
@ -16,3 +16,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
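Review bot: the added script block uses the obsolete `language="JavaScript"` attribute and an HTML-comment wrapper (`<!-- ... //-->`); drop both and use a plain `<script>` element. It also calls `image_size('.imgResize')` without this hunk showing where that function is loaded, so it depends on a script included earlier in the page; and the identical block is added verbatim to another topic in this commit, so it belongs in the shared script that defines `image_size` rather than being pasted into each topic page. If the documentation site is served with a Content-Security-Policy, an inline block like this also needs a nonce or hash, which is one more reason to move it into the external file.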

View File

@ -78,8 +78,8 @@
]
}
] </pre>
<p style="color:#000000;" id="en-us_topic_0079620340__p10201464173157">In this example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in the cloud system, that is, <em id="en-us_topic_0079620340__i1924325611354">FirstName LastName</em>. The groups to which the user belongs are the value of the third remote attribute <em id="en-us_topic_0079620340__i09341310360">Groups</em>.</p>
<p style="color:#000000;" id="en-us_topic_0079620340__p24704315173157">If the following assertion is received, the username of the federated user will be <strong id="en-us_topic_0079620340__b18567822173612">John Smith</strong> in the cloud system and the user will belong to the <strong id="en-us_topic_0079620340__b557312220366">admin</strong> and <strong id="en-us_topic_0079620340__b14574102218361">manager</strong> groups.</p>
<p id="en-us_topic_0079620340__p10201464173157">In this example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in the cloud system, that is, <em id="en-us_topic_0079620340__i1924325611354">FirstName LastName</em>. The groups to which the user belongs are the value of the third remote attribute <em id="en-us_topic_0079620340__i09341310360">Groups</em>.</p>
<p id="en-us_topic_0079620340__p24704315173157">If the following assertion is received, the username of the federated user will be <strong id="en-us_topic_0079620340__b18567822173612">John Smith</strong> in the cloud system and the user will belong to the <strong id="en-us_topic_0079620340__b557312220366">admin</strong> and <strong id="en-us_topic_0079620340__b14574102218361">manager</strong> groups.</p>
<pre class="screen" id="en-us_topic_0079620340__screen65063182173943">{FirstName: John}
{LastName: Smith}
{Groups: [admin, manager]}</pre>
@ -111,7 +111,7 @@
}
] </pre>
<p id="en-us_topic_0079620340__p444271434417">The username of the federated user in the cloud system is the value of the first remote attribute, that is, <em id="en-us_topic_0079620340__i74422150398">UserName</em>. The federated user belongs to the <strong id="en-us_topic_0079620340__b1558582453910">admin</strong> group. This rule takes effect only for users who are members of the <strong id="en-us_topic_0079620340__b752273693913">idp_admin</strong> group in the identity provider system.</p>
<p style="color:#000000;" id="en-us_topic_0079620340__p47423388162946">If a federated user will belong to multiple user groups in the cloud system, the identity conversion rule can be configured as follows:</p>
<p id="en-us_topic_0079620340__p47423388162946">If a federated user will belong to multiple user groups in the cloud system, the identity conversion rule can be configured as follows:</p>
<pre class="screen" id="en-us_topic_0079620340__screen7145556162946">[
{
"local": [
@ -137,7 +137,7 @@
]
}
] </pre>
<p style="color:#000000;" id="en-us_topic_0079620340__p5011758162946">The username of the federated user in the cloud system is the value of the first remote attribute, that is, <em id="en-us_topic_0079620340__i921892615408">UserName</em>. The federated user belongs to the <strong id="en-us_topic_0079620340__b201881932144016">admin</strong> and <strong id="en-us_topic_0079620340__b719473213401">manager</strong> groups. This rule takes effect only for users who are members of the <strong id="en-us_topic_0079620340__b11444123924016">idp_admin</strong> group in the identity provider system.</p>
<p id="en-us_topic_0079620340__p5011758162946">The username of the federated user in the cloud system is the value of the first remote attribute, that is, <em id="en-us_topic_0079620340__i921892615408">UserName</em>. The federated user belongs to the <strong id="en-us_topic_0079620340__b201881932144016">admin</strong> and <strong id="en-us_topic_0079620340__b719473213401">manager</strong> groups. This rule takes effect only for users who are members of the <strong id="en-us_topic_0079620340__b11444123924016">idp_admin</strong> group in the identity provider system.</p>
<ul id="en-us_topic_0079620340__ul16111192316382"><li id="en-us_topic_0079620340__li7569719143813">The following assertion indicates that the federated user John Smith is a member of the <strong id="en-us_topic_0079620340__b6732167204117">idp_admin</strong> group. Therefore, the user can access the cloud system.<pre class="screen" id="en-us_topic_0079620340__screen323130672098">{UserName: John Smith}
{Groups: [idp_user, idp_admin, idp_agency]}</pre>
</li><li id="en-us_topic_0079620340__li2708726113814">The following assertion indicates that the federated user John Smith is not a member of the <strong id="en-us_topic_0079620340__b317993414115">idp_admin</strong> group. Therefore, the rule does not take effect for the user and the user cannot access the cloud system.<pre class="screen" id="en-us_topic_0079620340__screen553114872098">{UserName: John Smith}

View File

@ -6,23 +6,23 @@
<ul id="en-us_topic_0079620341__ul2307400011351"><li id="en-us_topic_0079620341__li1716908217349">Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the system using browsers.</li><li id="en-us_topic_0079620341__li640104671740">API calling: Development tools (such as OpenStack Client) are used as the communication media. This authentication type enables enterprise users and common users to access the system by calling APIs.<p id="en-us_topic_0079620341__p15699139910"><a name="en-us_topic_0079620341__li640104671740"></a><a name="li640104671740"></a>Users in your enterprise can choose SP-initiated or IdP-initiated federated identity authentication for API calling depending on your identity provider system.</p>
</li></ul>
<div class="section" id="en-us_topic_0079620341__section1938813653310"><h4 class="sectiontitle">Without Federated Identity Authentication</h4><ul id="en-us_topic_0079620341__ul474654173317"><li id="en-us_topic_0079620341__li1195542263517">SSO not supported<p id="en-us_topic_0079620341__p1180012243355"><a name="en-us_topic_0079620341__li1195542263517"></a><a name="li1195542263517"></a>Users authenticated by the identity provider of an enterprise management system cannot access the cloud system.</p>
<div class="fignone" id="en-us_topic_0079620341__fig39358512151043"><span class="figcap"><b>Figure 1 </b>User authentication model (1)</span><br><span><img id="en-us_topic_0079620341__image2065418345613" src="en-us_image_0000001419956121.png"></span></div>
<div class="fignone" id="en-us_topic_0079620341__fig39358512151043"><span class="figcap"><b>Figure 1 </b>User authentication model (1)</span><br><span><img id="en-us_topic_0079620341__image2065418345613" src="en-us_image_0274187218.png" height="136.81005100000002" width="465.5" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0079620341__p1242336414473"></p>
</li></ul>
</div>
<ul id="en-us_topic_0079620341__ul14618956153319"><li id="en-us_topic_0079620341__li750575023510">Complex user management<p id="en-us_topic_0079620341__p755010522352"><a name="en-us_topic_0079620341__li750575023510"></a><a name="li750575023510"></a>The enterprise administrator has to create users in both the enterprise management system and the cloud system.</p>
</li><li id="en-us_topic_0079620341__li145931556143816">Complex user operations<p id="en-us_topic_0079620341__p0107189398"><a name="en-us_topic_0079620341__li145931556143816"></a><a name="li145931556143816"></a>Users have to use different accounts to log in to the enterprise management system and cloud system.</p>
<div class="fignone" id="en-us_topic_0079620341__fig10591543151411"><span class="figcap"><b>Figure 2 </b>User login model (1)</span><br><span><img id="en-us_topic_0079620341__image1274514144393" src="en-us_image_0000001369554806.png"></span></div>
<div class="fignone" id="en-us_topic_0079620341__fig10591543151411"><span class="figcap"><b>Figure 2 </b>User login model (1)</span><br><span><img id="en-us_topic_0079620341__image1274514144393" src="en-us_image_0274187275.png" width="465.5" height="365.89603400000004" title="Click to enlarge" class="imgResize"></span></div>
</li></ul>
<p id="en-us_topic_0079620341__p16815830184410"></p>
<div class="section" id="en-us_topic_0079620341__section1468942416348"><h4 class="sectiontitle">With Federated Identity Authentication</h4><ul id="en-us_topic_0079620341__ul17811133943410"><li id="en-us_topic_0079620341__li8175175413366">SSO supported<p id="en-us_topic_0079620341__p841325633613"><a name="en-us_topic_0079620341__li8175175413366"></a><a name="li8175175413366"></a>Users authenticated by the identity provider can access the cloud system through SSO.</p>
<div class="fignone" id="en-us_topic_0079620341__fig6128398015113"><span class="figcap"><b>Figure 3 </b>User authentication model (2)</span><br><span><img id="en-us_topic_0079620341__image54358535614" src="en-us_image_0000001369714794.png"></span></div>
<div class="fignone" id="en-us_topic_0079620341__fig6128398015113"><span class="figcap"><b>Figure 3 </b>User authentication model (2)</span><br><span><img id="en-us_topic_0079620341__image54358535614" src="en-us_image_0274186850.png" height="135.04926400000002" width="498.351" title="Click to enlarge" class="imgResize"></span></div>
<p id="en-us_topic_0079620341__p31425569144729"></p>
</li></ul>
</div>
<ul id="en-us_topic_0079620341__ul4409204783417"><li id="en-us_topic_0079620341__li184885263377">Simplified user management<p id="en-us_topic_0079620341__p682793183817"><a name="en-us_topic_0079620341__li184885263377"></a><a name="li184885263377"></a>The enterprise administrator does not need to create users in the cloud system.</p>
</li><li id="en-us_topic_0079620341__li77551533163917">Easy user operations<p id="en-us_topic_0079620341__p237614416374"><a name="en-us_topic_0079620341__li77551533163917"></a><a name="li77551533163917"></a>Users can access the cloud system through the enterprise management system.</p>
<div class="fignone" id="en-us_topic_0079620341__fig35819891151116"><span class="figcap"><b>Figure 4 </b>User login model (2)</span><br><span><img id="en-us_topic_0079620341__image211596609461" src="en-us_image_0000001369235150.png"></span></div>
<div class="fignone" id="en-us_topic_0079620341__fig35819891151116"><span class="figcap"><b>Figure 4 </b>User login model (2)</span><br><span><img id="en-us_topic_0079620341__image211596609461" src="en-us_image_0274187239.png" width="445.757879" height="283.29" title="Click to enlarge" class="imgResize"></span></div>
</li></ul>
</div>
<div>
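Review bot: the four replaced figures in this hunk get different and again fractional widths (`465.5`, `498.351`, `445.757879`) while the figures changed in the Managing Users and Permissions topic all use `492.06675000000007`; suggest one rounded width for all figures in the topic, e.g. `width="466"`, and rounding the `height` values (`136.81005100000002`, `365.89603400000004`, `135.04926400000002`) to whole pixels as well. The `title="Click to enlarge"` text is hardcoded in each tag while the other viewer strings are set in the script variables, so it should be moved into the same place.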
@ -31,3 +31,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
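Review bot: this script block is byte-identical to the one added to the Managing Users and Permissions topic in the same commit; rather than duplicating the `image_size` call and the two `msg_*` globals per page, put them in the shared script that already has to define `image_size`, and remove the obsolete `language="JavaScript"` attribute and the `<!-- //-->` wrapper here as well.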

View File

@ -2,7 +2,7 @@
<h1 class="topictitle1">Viewing and Modifying User Group Information</h1>
<div id="body1511769445459"><p id="en-us_topic_0085605493__p3334189411217">As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the groups to which the users belong.</p>
<div class="section" id="en-us_topic_0085605493__section30804749"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0085605493__ol48598242"><li id="en-us_topic_0085605493__li44143566"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0085605493__uicontrol9867135935214"><b>User Groups</b></span>.</span></li><li id="en-us_topic_0085605493__li61747774"><span>In the user group list, view or modify user group information.</span><p><ul id="en-us_topic_0085605493__ul4436035125718"><li id="en-us_topic_0085605493__li16436935125713">Viewing user group information<p id="en-us_topic_0085605493__p1943633519575"><a name="en-us_topic_0085605493__li16436935125713"></a><a name="li16436935125713"></a>In the user group list, click <span><img id="en-us_topic_0085605493__image202519579572" src="en-us_image_0000001369235154.png"></span> next to the target user group to view its details, including the basic information, permissions, and users.</p>
<div class="section" id="en-us_topic_0085605493__section30804749"><h4 class="sectiontitle">Procedure</h4><ol id="en-us_topic_0085605493__ol48598242"><li id="en-us_topic_0085605493__li44143566"><span>In the navigation pane, choose <span class="uicontrol" id="en-us_topic_0085605493__uicontrol9867135935214"><b>User Groups</b></span>.</span></li><li id="en-us_topic_0085605493__li61747774"><span>In the user group list, view or modify user group information.</span><p><ul id="en-us_topic_0085605493__ul4436035125718"><li id="en-us_topic_0085605493__li16436935125713">Viewing user group information<p id="en-us_topic_0085605493__p1943633519575"><a name="en-us_topic_0085605493__li16436935125713"></a><a name="li16436935125713"></a>In the user group list, click <span><img id="en-us_topic_0085605493__image202519579572" src="en-us_image_0291358588.png"></span> next to the target user group to view its details, including the basic information, permissions, and users.</p>
</li><li id="en-us_topic_0085605493__li9436435135710">Modifying user group information<div class="p" id="en-us_topic_0085605493__p8436335195710"><a name="en-us_topic_0085605493__li9436435135710"></a><a name="li9436435135710"></a>Click <strong id="en-us_topic_0085605493__b842352706162732">Modify</strong> in the <strong id="en-us_topic_0085605493__b842352706162729">Operation</strong> column of the row that contains the target user group to go to the <strong id="en-us_topic_0085605493__b842352706132449">Modify User Group</strong> page.<div class="note" id="en-us_topic_0085605493__note184361535205718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0085605493__ul6436335175715"><li id="en-us_topic_0085605493__li18436635145713">For the default user group, you can only manage its users and cannot modify its basic information or permissions.</li><li id="en-us_topic_0085605493__li143633585715">If the name of a user group has been configured in the identity conversion rules of an identity provider, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.</li></ul>
</div></div>
</div>

View File

@ -1,56 +0,0 @@
<a name="en-us_topic_0274187246"></a><a name="en-us_topic_0274187246"></a>
<h1 class="topictitle1">Creating a Custom Policy</h1>
<div id="body1597751871933"><p id="en-us_topic_0274187246__p178751134152415">You can create custom policies to supplement system-defined policies and implement more refined access control.</p>
<div class="section" id="en-us_topic_0274187246__section127131384256"><h4 class="sectiontitle">Creating a Custom Policy in the Visual Editor</h4><ol id="en-us_topic_0274187246__ol349213810218"><li id="en-us_topic_0274187246__li1249213383220"><span>On the IAM console, choose <span class="uicontrol" id="en-us_topic_0274187246__uicontrol19744191362413"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="en-us_topic_0274187246__uicontrol2749121319246"><b>Create Custom Policy</b></span>.</span></li><li id="en-us_topic_0274187246__li1049216384218"><span>Enter a policy name.</span></li><li id="en-us_topic_0274187246__li186751681668"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="en-us_topic_0274187246__ul206753813617"><li id="en-us_topic_0274187246__li6675178467"><strong id="en-us_topic_0274187246__b18583192142615">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b51019293264">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="en-us_topic_0274187246__li66755811617"><strong id="en-us_topic_0274187246__b6256557152616">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b439896162715">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
<p id="en-us_topic_0274187246__p156751812611">For example, when creating a custom policy containing the action <strong id="en-us_topic_0274187246__b614332195114">evs:volumes:create</strong> for EVS, specify the scope as <strong id="en-us_topic_0274187246__b7192032145116">Project-level services</strong>.</p>
<div class="note" id="en-us_topic_0274187246__note8675138861"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p2067512815610">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="en-us_topic_0274187246__b498333912713">Global services</strong> and <strong id="en-us_topic_0274187246__b1698913394274">Project-level services</strong>.</p>
</div></div>
</p></li><li id="en-us_topic_0274187246__li499013117715"><span>Select <strong id="en-us_topic_0274187246__b13900115615276">Visual editor</strong>.</span></li><li id="en-us_topic_0274187246__li11144122232119"><span>Set the policy content.</span><p><ol type="a" id="en-us_topic_0274187246__ol67011432182116"><li id="en-us_topic_0274187246__li161466351218">Select <strong id="en-us_topic_0274187246__b720815292812">Allow</strong> or <strong id="en-us_topic_0274187246__b8213821283">Deny</strong>.</li><li id="en-us_topic_0274187246__li1684612437215">Select a cloud service.<div class="note" id="en-us_topic_0274187246__note9255142512522"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p1625582510529">Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click <strong id="en-us_topic_0274187246__b273715172817">Add Permissions</strong> or switch to the JSON view.</p>
</div></div>
</li><li id="en-us_topic_0274187246__li195205468218">Select actions.</li><li id="en-us_topic_0274187246__li16567649112113">Select all resources, or select specific resources by specifying their paths.</li><li id="en-us_topic_0274187246__li127011432162115">(Optional) Add request conditions by specifying condition keys, operators, and values.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0274187246__table42344414207" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Condition parameters</caption><thead align="left"><tr id="en-us_topic_0274187246__row5234843202"><th align="left" class="cellrowborder" valign="top" width="16.07%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.1"><p id="en-us_topic_0274187246__p1723412452010">Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="83.93%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.2"><p id="en-us_topic_0274187246__p1123516462012">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0274187246__row1023512410207"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p1123514412016">Condition Key</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p1235184122019">A key in the <strong id="en-us_topic_0274187246__b684427105311">Condition</strong> element of a statement. There are global and service-level condition keys. Global condition keys (starting with <strong id="en-us_topic_0274187246__b47103763010">g:</strong>) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as <strong id="en-us_topic_0274187246__b987914143305">obs:</strong>) are available only for operations of the corresponding service.</p>
</td>
</tr>
<tr id="en-us_topic_0274187246__row1123514182018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p523518422018">Operator</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p7235134102010">Used together with a condition key to form a complete condition statement.</p>
</td>
</tr>
<tr id="en-us_topic_0274187246__row3235134162018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="en-us_topic_0274187246__p9235846201">Value</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="en-us_topic_0274187246__p1323524182010">Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ol>
</p></li><li id="en-us_topic_0274187246__li18130645181019"><span>(Optional) Switch to the JSON view and modify the policy content in the JSON format.</span><p><div class="note" id="en-us_topic_0274187246__note4789183210143"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p1079033220141">If the policy content is incorrect after modification, check and modify the content, or click <strong id="en-us_topic_0274187246__b14102651163016">Reset</strong> to cancel the modifications.</p>
</div></div>
</p></li><li id="en-us_topic_0274187246__li9754244913"><span>(Optional) To add another permission block for the policy, click <strong id="en-us_topic_0274187246__b1053158143012">Add Permissions</strong>. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.</span></li><li id="en-us_topic_0274187246__li148711411476"><span>(Optional) Enter a brief description for the policy.</span></li><li id="en-us_topic_0274187246__li435416457312"><span>Click <strong id="en-us_topic_0274187246__b1914192083117">OK</strong>.</span></li><li id="en-us_topic_0274187246__li14344102511819"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
</div>
<div class="section" id="en-us_topic_0274187246__section199855814265"><h4 class="sectiontitle">Creating a Custom Policy in JSON View</h4><ol id="en-us_topic_0274187246__ol06251565191"><li id="en-us_topic_0274187246__li1116202310310"><span>On the IAM console, choose <span class="uicontrol" id="en-us_topic_0274187246__uicontrol133681436153116"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="en-us_topic_0274187246__uicontrol337493673110"><b>Create Custom Policy</b></span>.</span></li><li id="en-us_topic_0274187246__li7625105616193"><span>Enter a policy name.</span></li><li id="en-us_topic_0274187246__li18626656161912"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="en-us_topic_0274187246__ul1343810211968"><li id="en-us_topic_0274187246__li1987713580105"><strong id="en-us_topic_0274187246__b1491218450315">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b137261847183110">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="en-us_topic_0274187246__li21871151191112"><strong id="en-us_topic_0274187246__b2165105493114">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="en-us_topic_0274187246__b1811805613317">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
<p id="en-us_topic_0274187246__p1143812117615">For example, when creating a custom policy containing the action <strong id="en-us_topic_0274187246__b827087175512">evs:volumes:create</strong> for EVS, specify the scope as <strong id="en-us_topic_0274187246__b1427620710556">Project-level services</strong>.</p>
<div class="note" id="en-us_topic_0274187246__note64381521166"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0274187246__p14438721361">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="en-us_topic_0274187246__b5680145143217">Global services</strong> and <strong id="en-us_topic_0274187246__b14682857329">Project-level services</strong>.</p>
</div></div>
</p></li><li id="en-us_topic_0274187246__li1993914919215"><span>Select <strong id="en-us_topic_0274187246__b1766716616327">JSON</strong>.</span></li><li id="en-us_topic_0274187246__li1862615614192"><span>(Optional) Click <strong id="en-us_topic_0274187246__b845691218322">Select Existing Policy</strong>, and select a policy to use it as a template, such as <span class="parmvalue" id="en-us_topic_0274187246__parmvalue246331253211"><b>VPC Admin</b></span>.</span></li><li id="en-us_topic_0274187246__li462625651918"><span>Click <strong id="en-us_topic_0274187246__b1967120463323">OK</strong>.</span></li><li id="en-us_topic_0274187246__li12626556101911"><span>Modify the statement in the template.</span><p><ul id="en-us_topic_0274187246__ul1962675611912"><li id="en-us_topic_0274187246__li8626156181918"><strong id="en-us_topic_0274187246__b1321618355552">Effect</strong>: Set it to <strong id="en-us_topic_0274187246__b18222335185517">Allow</strong> or <strong id="en-us_topic_0274187246__b2222193517555">Deny</strong>.</li><li id="en-us_topic_0274187246__li15627156151917"><strong id="en-us_topic_0274187246__b728719582329">Action</strong>: Enter the actions provided in the API actions table of the EVS service, for example, <strong id="en-us_topic_0274187246__b12293958153214">evs:volumes:create</strong>.<div class="note" id="en-us_topic_0274187246__note46271956111920"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="en-us_topic_0274187246__ul14627185611910"><li id="en-us_topic_0274187246__li1862717561195">The version of each custom policy is fixed at <strong id="en-us_topic_0274187246__b19951318173319">1.1</strong>.</li></ul>
</div></div>
</li></ul>
</p></li><li id="en-us_topic_0274187246__li106271756131914"><span>(Optional) Enter a brief description for the policy.</span></li><li id="en-us_topic_0274187246__li1162725661910"><span>Click <strong id="en-us_topic_0274187246__b163841614349">OK</strong>. If the policy list is displayed, the policy is created successfully.</span></li><li id="en-us_topic_0274187246__li4291119181"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0015.html">Fine-Grained Policy Management</a></div>
</div>
</div>
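Review bot: this appears to be the tail of the removed topic en-us_topic_0274187246.html (every id is prefixed `en-us_topic_0274187246__`), and the same content reappears word for word under new ids in iam_01_0016.html later in this commit, with the index link retargeted to match; in other words a rename performed as delete-plus-add. Any bookmark, external link or cross-reference that still points at the old filename will break once this lands, so grep the doc set for `en-us_topic_0274187246` and consider leaving a redirect stub at the old path.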

View File

@ -7,7 +7,7 @@
<p id="iam_01_0003__p69271453125714">For more information, see <a href="iam_10_0002.html">MFA Authentication and Virtual MFA Device</a>.</p>
<div class="section" id="iam_01_0003__section62446212165914"><h4 class="sectiontitle">Prerequisites</h4><p id="iam_01_0003__p37510634165923">You have installed an MFA application (for example, Google Authenticator) on your smartphone.</p>
</div>
<div class="section" id="iam_01_0003__section27800412164913"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0003__ol25454498165752"><li id="iam_01_0003__li21572507165752"><span>On the management console, hover the mouse pointer over the username in the upper right corner and choose <strong id="iam_01_0003__b4119115175216">My Credentials</strong> from the drop-down list.</span></li><li id="iam_01_0003__li22883496165752"><span>On the <strong id="iam_01_0003__b37863209528">My Credentials</strong> page, click <strong id="iam_01_0003__b1479111207521">Bind</strong> next to the <strong id="iam_01_0003__b679172019524">Virtual MFA Device</strong> parameter.</span></li><li id="iam_01_0003__li55236718165752"><span>Go to the <strong id="iam_01_0003__b11170155110617">Bind Virtual MFA Device</strong> page.</span><p><div class="fignone" id="iam_01_0003__fig599215242196"><span class="figcap"><b>Figure 1 </b>Binding a virtual MFA device</span><br><span><img id="iam_01_0003__image14992182414194" src="en-us_image_0000001420274825.png"></span></div>
<div class="section" id="iam_01_0003__section27800412164913"><h4 class="sectiontitle">Procedure</h4><ol id="iam_01_0003__ol25454498165752"><li id="iam_01_0003__li21572507165752"><span>On the management console, hover the mouse pointer over the username in the upper right corner and choose <strong id="iam_01_0003__b4119115175216">My Credentials</strong> from the drop-down list.</span></li><li id="iam_01_0003__li22883496165752"><span>On the <strong id="iam_01_0003__b37863209528">My Credentials</strong> page, click <strong id="iam_01_0003__b1479111207521">Bind</strong> next to the <strong id="iam_01_0003__b679172019524">Virtual MFA Device</strong> parameter.</span></li><li id="iam_01_0003__li55236718165752"><span>Go to the <strong id="iam_01_0003__b11170155110617">Bind Virtual MFA Device</strong> page.</span><p><div class="fignone" id="iam_01_0003__fig599215242196"><span class="figcap"><b>Figure 1 </b>Binding a virtual MFA device</span><br><span><img id="iam_01_0003__image14992182414194" src="en-us_image_0000001088289742.png" height="144.526711" width="465.5" title="Click to enlarge" class="imgResize"></span></div>
<div class="p" id="iam_01_0003__p1022661314174"><div class="note" id="iam_01_0003__note622691313174"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0003__p322615139176">The secret key is a one-time credential that you can use to obtain an MFA verification code. To ensure account security, do not share the secret key with anyone.</p>
</div></div>
</div>
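Review bot: the dimensions on the new `<img>` at L596, `height="144.526711"` and `width="465.5"`, are not valid values for these attributes (HTML requires non-negative integers); browsers tolerate them, but the unrounded floats look like raw generator output and should be rounded to whole pixels or moved into CSS. The line also drops the reference to en-us_image_0000001420274825.png in favour of en-us_image_0000001088289742.png, so confirm the new asset is part of this commit and the old one is removed rather than left orphaned.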
@ -25,3 +25,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
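Review bot: the added block at L603 to L608 is an inline script using the obsolete `language="JavaScript"` attribute and a legacy `<!-- //-->` comment wrapper; an inline script like this is blocked by any Content-Security-Policy that does not allow 'unsafe-inline' (or a per-page nonce or hash), so under a hardened deployment the image viewer silently stops working. Move the call and the two message strings into the shared script that defines `image_size` (it is not defined anywhere in this file) and load it with `<script src="...">` and no `language` attribute. Also note that `msg_imageMax` and `msg_imageClose` are assigned after `image_size('.imgResize')` has already run; if the function reads them at call time they are `undefined`, so declare them before the call to be safe.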

View File

@ -155,14 +155,14 @@
</td>
<td class="cellrowborder" valign="top" width="23.169999999999998%" headers="mcps1.3.2.2.4.1.2 "><p id="iam_01_0012__p77717187245">userGroup</p>
</td>
<td class="cellrowborder" valign="top" width="41.28%" headers="mcps1.3.2.2.4.1.3 "><p id="iam_01_0012__p15775182244"><span style="color:#252B3A;">updateUserGroup</span></p>
<td class="cellrowborder" valign="top" width="41.28%" headers="mcps1.3.2.2.4.1.3 "><p id="iam_01_0012__p15775182244">updateUserGroup</p>
</td>
</tr>
<tr id="iam_01_0012__row64911828163754"><td class="cellrowborder" valign="top" width="35.55%" headers="mcps1.3.2.2.4.1.1 "><p id="iam_01_0012__p47712186241">Deleting a user group</p>
</td>
<td class="cellrowborder" valign="top" width="23.169999999999998%" headers="mcps1.3.2.2.4.1.2 "><p id="iam_01_0012__p1777151842420">userGroup</p>
</td>
<td class="cellrowborder" valign="top" width="41.28%" headers="mcps1.3.2.2.4.1.3 "><p id="iam_01_0012__p156121350131314"><span style="color:#252B3A;">deleteUserGroup</span></p>
<td class="cellrowborder" valign="top" width="41.28%" headers="mcps1.3.2.2.4.1.3 "><p id="iam_01_0012__p156121350131314">deleteUserGroup</p>
</td>
</tr>
<tr id="iam_01_0012__row16403151312615"><td class="cellrowborder" valign="top" width="35.55%" headers="mcps1.3.2.2.4.1.1 "><p id="iam_01_0012__p1066212282617">Adding a user to a user group</p>
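Review bot: dropping the `<span style="color:#252B3A;">` wrappers at L616/L617 and L624/L625 is the right cleanup: per-cell colour overrides bypass the stylesheet and, like inline scripts, need 'unsafe-inline' in `style-src` under a CSP. The same spans still appear in iam_01_0017.html further down in this commit, so sweep the remaining topics for the pattern rather than fixing it file by file.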

View File

@ -5,8 +5,8 @@
<div class="section" id="iam_01_0013__section85961038162216"><h4 class="sectiontitle">Viewing IAM Audit Logs</h4><ol id="iam_01_0013__ol1194546193110"><li id="iam_01_0013__li10838950182817"><span>Log in to the management console.</span></li><li id="iam_01_0013__li155741795333"><span>Click <strong id="iam_01_0013__b3796124865619">Service List</strong> in the upper part of the page and choose <strong id="iam_01_0013__b880216481565">Cloud Trace Service</strong> under <strong id="iam_01_0013__b680214875610">Management &amp; Deployment</strong>.</span></li><li id="iam_01_0013__li8240924153816"><span>In the navigation pane, choose <strong id="iam_01_0013__b1085537195718">Trace List</strong>.</span></li><li id="iam_01_0013__li1199125415539"><span>Click <strong id="iam_01_0013__b928021795715">Filter</strong> in the upper right corner of the trace list to set filter conditions.</span><p><div class="p" id="iam_01_0013__p1348504172220">The following filters are available:<ul class="subitemlist" id="iam_01_0013__ul4173195016221"><li id="iam_01_0013__li25120207165721"><strong id="iam_01_0013__b842352706161410">Trace Source</strong>, <strong id="iam_01_0013__b84235270616143">Resource Type</strong>, and <strong id="iam_01_0013__b842352706161359">Search By</strong><ul id="iam_01_0013__ul138358421566"><li id="iam_01_0013__li422110403562">Select a filter criteria from the drop-down list. 
Specifically, select <strong id="iam_01_0013__b842352706161141">IAM</strong> from the <strong id="iam_01_0013__b842352706161230">Trace Source</strong> drop-down list.</li><li id="iam_01_0013__li5224174025618">If you select <strong id="iam_01_0013__b842352706153249">Trace name</strong> for <strong id="iam_01_0013__b1803301537153246">Search By</strong>, select a trace name.</li><li id="iam_01_0013__li222614017560">If you select <strong id="iam_01_0013__b1369790384153349">Resource ID</strong> for <strong id="iam_01_0013__b1590770393153349">Search By</strong>, select or enter a resource ID.</li><li id="iam_01_0013__li1822754014568">If you select <strong id="iam_01_0013__b565110228153447">Resource name</strong> for <strong id="iam_01_0013__b1329536783153447">Search By</strong>, select or enter a resource name.</li></ul>
</li><li id="iam_01_0013__li16990144143538"><strong id="iam_01_0013__b842352706153633">Operator</strong>: Select an operator (a user rather than domain).</li><li id="iam_01_0013__li2227630716221"><strong id="iam_01_0013__b842352706153531">Trace Status</strong>: Available options include <strong id="iam_01_0013__b1447794024144642">All trace statuses</strong>, <strong id="iam_01_0013__b842352706153558">normal</strong>, <span class="parmvalue" id="iam_01_0013__parmvalue9654017118"><b>incident, </b></span>and <strong id="iam_01_0013__b84235270615364">warning</strong>.</li><li id="iam_01_0013__li2484476616221">Specify the start time and end time for querying traces.</li></ul>
</div>
</p></li><li id="iam_01_0013__li1326512181411"><span>Click <strong id="iam_01_0013__b842352706161557">Query</strong>.</span></li><li id="iam_01_0013__li11445413104011"><span>Expand the details of a trace, as shown in <a href="#iam_01_0013__fig181771925164317">Figure 1</a>.</span><p><div class="fignone" id="iam_01_0013__fig181771925164317"><a name="iam_01_0013__fig181771925164317"></a><a name="fig181771925164317"></a><span class="figcap"><b>Figure 1 </b>Expanding trace details</span><br><span><img id="iam_01_0013__image317762564313" src="en-us_image_0000001420274829.png"></span></div>
</p></li><li id="iam_01_0013__li157172804213"><span>Click <strong id="iam_01_0013__b842352706154059">View Trace</strong> in the <strong id="iam_01_0013__b18195288151449">Operation</strong> column. In the <strong id="iam_01_0013__b25439609151522">View Trace</strong> dialog box as shown in <a href="#iam_01_0013__fig9310171012116">Figure 2</a>, the trace details are displayed.</span><p><div class="fignone" id="iam_01_0013__fig9310171012116"><a name="iam_01_0013__fig9310171012116"></a><a name="fig9310171012116"></a><span class="figcap"><b>Figure 2 </b>Viewing a trace</span><br><span><img id="iam_01_0013__image2112195535814" src="en-us_image_0000001420034725.png"></span></div>
</p></li><li id="iam_01_0013__li1326512181411"><span>Click <strong id="iam_01_0013__b842352706161557">Query</strong>.</span></li><li id="iam_01_0013__li11445413104011"><span>Expand the details of a trace, as shown in <a href="#iam_01_0013__fig181771925164317">Figure 1</a>.</span><p><div class="fignone" id="iam_01_0013__fig181771925164317"><a name="iam_01_0013__fig181771925164317"></a><a name="fig181771925164317"></a><span class="figcap"><b>Figure 1 </b>Expanding trace details</span><br><span><img id="iam_01_0013__image317762564313" src="en-us_image_0000001135554103.png" height="71.82000000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_01_0013__li157172804213"><span>Click <strong id="iam_01_0013__b842352706154059">View Trace</strong> in the <strong id="iam_01_0013__b18195288151449">Operation</strong> column. In the <strong id="iam_01_0013__b25439609151522">View Trace</strong> dialog box as shown in <a href="#iam_01_0013__fig9310171012116">Figure 2</a>, the trace details are displayed.</span><p><div class="fignone" id="iam_01_0013__fig9310171012116"><a name="iam_01_0013__fig9310171012116"></a><a name="fig9310171012116"></a><span class="figcap"><b>Figure 2 </b>Viewing a trace</span><br><span><img id="iam_01_0013__image2112195535814" src="en-us_image_0274187205.png" height="269.02575" width="492.06675000000007" title="Click to enlarge" class="imgResize"></span></div>
</p></li></ol>
</div>
</div>
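Review bot: the replacement `<img>` attributes on L639 and L640 carry floating-point artefacts, `height="71.82000000000001"` and `width="492.06675000000007"`, which are clearly unrounded computed values and not valid integer dimensions; round them (or size via CSS). Both figures also switch to different image assets (en-us_image_0000001135554103.png and en-us_image_0274187205.png), so verify those files exist in the commit and that the superseded en-us_image_0000001420274829.png and en-us_image_0000001420034725.png are removed.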
@ -16,3 +16,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
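Review bot: this script block is identical to the one added to iam_01_0003.html earlier in this commit (and appears a third time in iam_01_0017.html below); copy-pasting it into every topic means any later fix to the viewer has to be applied across the whole doc set. Put the call in the shared JavaScript that already provides `image_size` and include it once per page, and keep the user-visible strings "view original image" and "close" alongside the rest of the localizable text instead of hard-coding them in English in each HTML file.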

View File

@ -8,7 +8,7 @@
</li>
<li class="ulchildlink"><strong><a href="iam_01_0017.html">Policy Syntax</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="en-us_topic_0274187246.html">Creating a Custom Policy</a></strong><br>
<li class="ulchildlink"><strong><a href="iam_01_0016.html">Creating a Custom Policy</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_01_0600.html">Custom Policy Use Cases</a></strong><br>
</li>
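Review bot: the child link on L661 is retargeted from en-us_topic_0274187246.html to iam_01_0016.html, but this index is only one of the places that can reference the old topic; the removed topic's content is re-added as iam_01_0016.html elsewhere in this commit, so any other cross-reference or external link to the old filename now 404s. Grep the doc set for `en-us_topic_0274187246.html` and either update every reference or leave a redirect stub at the old path.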

View File

@ -0,0 +1,56 @@
<a name="iam_01_0016"></a><a name="iam_01_0016"></a>
<h1 class="topictitle1">Creating a Custom Policy</h1>
<div id="body1597751871933"><p id="iam_01_0016__p178751134152415">You can create custom policies to supplement system-defined policies and implement more refined access control.</p>
<div class="section" id="iam_01_0016__section127131384256"><h4 class="sectiontitle">Creating a Custom Policy in the Visual Editor</h4><ol id="iam_01_0016__ol349213810218"><li id="iam_01_0016__li1249213383220"><span>On the IAM console, choose <span class="uicontrol" id="iam_01_0016__uicontrol19744191362413"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="iam_01_0016__uicontrol2749121319246"><b>Create Custom Policy</b></span>.</span></li><li id="iam_01_0016__li1049216384218"><span>Enter a policy name.</span></li><li id="iam_01_0016__li186751681668"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="iam_01_0016__ul206753813617"><li id="iam_01_0016__li6675178467"><strong id="iam_01_0016__b18583192142615">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="iam_01_0016__b51019293264">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="iam_01_0016__li66755811617"><strong id="iam_01_0016__b6256557152616">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="iam_01_0016__b439896162715">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
<p id="iam_01_0016__p156751812611">For example, when creating a custom policy containing the action <strong id="iam_01_0016__b614332195114">evs:volumes:create</strong> for EVS, specify the scope as <strong id="iam_01_0016__b7192032145116">Project-level services</strong>.</p>
<div class="note" id="iam_01_0016__note8675138861"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0016__p2067512815610">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="iam_01_0016__b498333912713">Global services</strong> and <strong id="iam_01_0016__b1698913394274">Project-level services</strong>.</p>
</div></div>
</p></li><li id="iam_01_0016__li499013117715"><span>Select <strong id="iam_01_0016__b13900115615276">Visual editor</strong>.</span></li><li id="iam_01_0016__li11144122232119"><span>Set the policy content.</span><p><ol type="a" id="iam_01_0016__ol67011432182116"><li id="iam_01_0016__li161466351218">Select <strong id="iam_01_0016__b720815292812">Allow</strong> or <strong id="iam_01_0016__b8213821283">Deny</strong>.</li><li id="iam_01_0016__li1684612437215">Select a cloud service.<div class="note" id="iam_01_0016__note9255142512522"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0016__p1625582510529">Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click <strong id="iam_01_0016__b273715172817">Add Permissions</strong> or switch to the JSON view.</p>
</div></div>
</li><li id="iam_01_0016__li195205468218">Select actions.</li><li id="iam_01_0016__li16567649112113">Select all resources, or select specific resources by specifying their paths.</li><li id="iam_01_0016__li127011432162115">(Optional) Add request conditions by specifying condition keys, operators, and values.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="iam_01_0016__table42344414207" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Condition parameters</caption><thead align="left"><tr id="iam_01_0016__row5234843202"><th align="left" class="cellrowborder" valign="top" width="16.07%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.1"><p id="iam_01_0016__p1723412452010">Name</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="83.93%" id="mcps1.3.2.2.5.2.1.5.1.2.3.1.2"><p id="iam_01_0016__p1123516462012">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="iam_01_0016__row1023512410207"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="iam_01_0016__p1123514412016">Condition Key</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="iam_01_0016__p1235184122019">A key in the <strong id="iam_01_0016__b684427105311">Condition</strong> element of a statement. There are global and service-level condition keys. Global condition keys (starting with <strong id="iam_01_0016__b47103763010">g:</strong>) are available for operations of all services, while service-level condition keys (starting with a service abbreviation name such as <strong id="iam_01_0016__b987914143305">obs:</strong>) are available only for operations of the corresponding service.</p>
</td>
</tr>
<tr id="iam_01_0016__row1123514182018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="iam_01_0016__p523518422018">Operator</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="iam_01_0016__p7235134102010">Used together with a condition key to form a complete condition statement.</p>
</td>
</tr>
<tr id="iam_01_0016__row3235134162018"><td class="cellrowborder" valign="top" width="16.07%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.1 "><p id="iam_01_0016__p9235846201">Value</p>
</td>
<td class="cellrowborder" valign="top" width="83.93%" headers="mcps1.3.2.2.5.2.1.5.1.2.3.1.2 "><p id="iam_01_0016__p1323524182010">Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ol>
</p></li><li id="iam_01_0016__li18130645181019"><span>(Optional) Switch to the JSON view and modify the policy content in the JSON format.</span><p><div class="note" id="iam_01_0016__note4789183210143"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0016__p1079033220141">If the policy content is incorrect after modification, check and modify the content, or click <strong id="iam_01_0016__b14102651163016">Reset</strong> to cancel the modifications.</p>
</div></div>
</p></li><li id="iam_01_0016__li9754244913"><span>(Optional) To add another permission block for the policy, click <strong id="iam_01_0016__b1053158143012">Add Permissions</strong>. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.</span></li><li id="iam_01_0016__li148711411476"><span>(Optional) Enter a brief description for the policy.</span></li><li id="iam_01_0016__li435416457312"><span>Click <strong id="iam_01_0016__b1914192083117">OK</strong>.</span></li><li id="iam_01_0016__li14344102511819"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
</div>
<div class="section" id="iam_01_0016__section199855814265"><h4 class="sectiontitle">Creating a Custom Policy in JSON View</h4><ol id="iam_01_0016__ol06251565191"><li id="iam_01_0016__li1116202310310"><span>On the IAM console, choose <span class="uicontrol" id="iam_01_0016__uicontrol133681436153116"><b>Policies</b></span> in the navigation pane, and click <span class="uicontrol" id="iam_01_0016__uicontrol337493673110"><b>Create Custom Policy</b></span>.</span></li><li id="iam_01_0016__li7625105616193"><span>Enter a policy name.</span></li><li id="iam_01_0016__li18626656161912"><span>Select a scope based on the type of services related to this policy.</span><p><ul id="iam_01_0016__ul1343810211968"><li id="iam_01_0016__li1987713580105"><strong id="iam_01_0016__b1491218450315">Global services</strong>: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as <strong id="iam_01_0016__b137261847183110">Global services</strong>. Custom policies of this scope must be attached to user groups for the global service project.</li><li id="iam_01_0016__li21871151191112"><strong id="iam_01_0016__b2165105493114">Project-level services</strong>: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as <strong id="iam_01_0016__b1811805613317">Project-level services</strong>. Custom policies of this scope must be attached to user groups for specific projects except the global service project.</li></ul>
<p id="iam_01_0016__p1143812117615">For example, when creating a custom policy containing the action <strong id="iam_01_0016__b827087175512">evs:volumes:create</strong> for EVS, specify the scope as <strong id="iam_01_0016__b1427620710556">Project-level services</strong>.</p>
<div class="note" id="iam_01_0016__note64381521166"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0016__p14438721361">A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as <strong id="iam_01_0016__b5680145143217">Global services</strong> and <strong id="iam_01_0016__b14682857329">Project-level services</strong>.</p>
</div></div>
</p></li><li id="iam_01_0016__li1993914919215"><span>Select <strong id="iam_01_0016__b1766716616327">JSON</strong>.</span></li><li id="iam_01_0016__li1862615614192"><span>(Optional) Click <strong id="iam_01_0016__b845691218322">Select Existing Policy</strong>, and select a policy to use it as a template, such as <span class="parmvalue" id="iam_01_0016__parmvalue246331253211"><b>VPC Admin</b></span>.</span></li><li id="iam_01_0016__li462625651918"><span>Click <strong id="iam_01_0016__b1967120463323">OK</strong>.</span></li><li id="iam_01_0016__li12626556101911"><span>Modify the statement in the template.</span><p><ul id="iam_01_0016__ul1962675611912"><li id="iam_01_0016__li8626156181918"><strong id="iam_01_0016__b1321618355552">Effect</strong>: Set it to <strong id="iam_01_0016__b18222335185517">Allow</strong> or <strong id="iam_01_0016__b2222193517555">Deny</strong>.</li><li id="iam_01_0016__li15627156151917"><strong id="iam_01_0016__b728719582329">Action</strong>: Enter the actions provided in the API actions table of the EVS service, for example, <strong id="iam_01_0016__b12293958153214">evs:volumes:create</strong>.<div class="note" id="iam_01_0016__note46271956111920"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="iam_01_0016__ul14627185611910"><li id="iam_01_0016__li1862717561195">The version of each custom policy is fixed at <strong id="iam_01_0016__b19951318173319">1.1</strong>.</li></ul>
</div></div>
</li></ul>
</p></li><li id="iam_01_0016__li106271756131914"><span>(Optional) Enter a brief description for the policy.</span></li><li id="iam_01_0016__li1162725661910"><span>Click <strong id="iam_01_0016__b163841614349">OK</strong>. If the policy list is displayed, the policy is created successfully.</span></li><li id="iam_01_0016__li4291119181"><span>Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_01_0015.html">Fine-Grained Policy Management</a></div>
</div>
</div>
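Review bot: L712 suggests starting from `VPC Admin` as a template, but the step "Modify the statement in the template" never tells the reader to remove the actions they do not need; without that, the resulting custom policy carries the full admin action set and only the name changes. Add a sentence under `Action` instructing the reader to delete every action not required and keep only the minimum. In the same bullet, "Enter the actions provided in the API actions table of the EVS service" hard-codes EVS although the JSON procedure is generic; say "of the corresponding service" and keep EVS as the example, as L709 already does. The scope explanation and the two-scope note are also duplicated verbatim between the two procedures (L672 to L675 and L708 to L711); a single shared paragraph or cross-reference would keep them from drifting apart. Finally, L704 "If the policy content is incorrect after modification, check and modify the content" is circular; state what the console flags as incorrect, or drop the sentence and keep only the Reset hint.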

View File

@ -2,7 +2,7 @@
<h1 class="topictitle1">Policy Syntax</h1>
<div id="body1521875590642"><div class="section" id="iam_01_0017__section106463610252"><h4 class="sectiontitle">Policy Content</h4><p id="iam_01_0017__p12888110445">A fine-grained policy consists of the policy version (the <strong id="iam_01_0017__b1853255718165">Version</strong> field) and statement (the <strong id="iam_01_0017__b35331157111611">Statement</strong> field).</p>
<p id="iam_01_0017__p194704573259"><span><img id="iam_01_0017__image16884194718491" src="en-us_image_0000001369235158.png"></span></p>
<p id="iam_01_0017__p194704573259"><span><img id="iam_01_0017__image16884194718491" src="en-us_image_0000001180570109.png" height="337.298108" width="497.42" title="Click to enlarge" class="imgResize"></span></p>
<ul id="iam_01_0017__ul57930886173354"><li id="iam_01_0017__li15836462154039"><strong id="iam_01_0017__b1810485317174">Version</strong>: Distinguishes between role-based access control (RBAC) and fine-grained policies.<ul id="iam_01_0017__ul2002846815829"><li id="iam_01_0017__li2458727515829"><strong id="iam_01_0017__b1877711723519">1.0</strong>: RBAC policies, which are preset in the system and used to grant permissions for each service as a whole. After such a policy is granted to a user, the user has all permissions of the corresponding service.</li><li id="iam_01_0017__li13966918555"><strong id="iam_01_0017__b128615125312">1.1</strong>: Fine-grained policies, which enable more refined authorization based on service APIs. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system-defined and custom policies.<ul id="iam_01_0017__ul2011870181019"><li id="iam_01_0017__li61184016102">System-defined policies: read-only and administrator permissions for different services.</li><li id="iam_01_0017__li1211813015108">Custom policies: created and managed by users to supplement system-defined policies. For example, you can create a custom policy to allow users only to modify ECS specifications.</li></ul>
</li></ul>
</li></ul>
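Review bot: confirm that the superseded diagram asset en-us_image_0000001369235158.png (dropped between L729 and L730) is deleted in this commit; once its only reference is gone it is an orphaned file. The replacement's `height="337.298108"` should be an integer pixel value like the other attributes, and the same inline-script dependency noted for `imgResize` in the other files applies here.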
@ -25,21 +25,21 @@
</th>
</tr>
</thead>
<tbody><tr id="iam_01_0017__row1981833993110"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p59903284566"><span style="color:#252B3A;">g:CurrentTime</span></p>
<tbody><tr id="iam_01_0017__row1981833993110"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p59903284566">g:CurrentTime</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p1181853903116">Time</p>
</td>
<td class="cellrowborder" valign="top" width="57.11571157115712%" headers="mcps1.3.2.1.4.4.5.2.4.1.3 "><p id="iam_01_0017__p88191139183117">Time when an authentication request is received. The time is expressed in the format defined by ISO 8601, for example, <strong id="iam_01_0017__b67791934124914">2012-11-11T23:59:59Z</strong>.</p>
</td>
</tr>
<tr id="iam_01_0017__row14174174353113"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p11751143153118"><span style="color:#252B3A;">g:DomainName</span></p>
<tr id="iam_01_0017__row14174174353113"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p11751143153118">g:DomainName</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p4175184319318">Character string</p>
</td>
<td class="cellrowborder" valign="top" width="57.11571157115712%" headers="mcps1.3.2.1.4.4.5.2.4.1.3 "><p id="iam_01_0017__p12175943133118">Domain name</p>
</td>
</tr>
<tr id="iam_01_0017__row781833923113"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p9818193903118"><span style="color:#252B3A;">g:MFAPresen</span>t</p>
<tr id="iam_01_0017__row781833923113"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p9818193903118">g:MFAPresent</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p481883918319">Boolean</p>
</td>
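Review bot: good fix on L754/L755: the old markup split the key across the span boundary (`g:MFAPresen</span>t`), which rendered correctly but left the condition key name as two text nodes, breaking in-page search and copy-and-paste of the exact key; the new `g:MFAPresent` now matches the spelling used in the description on L760. Verify the remaining condition-key cells of this table were checked for the same split, since only the cells touched by this hunk are visible here.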
@ -53,14 +53,14 @@
<td class="cellrowborder" valign="top" width="57.11571157115712%" headers="mcps1.3.2.1.4.4.5.2.4.1.3 "><p id="iam_01_0017__p187851657182415">Validity period of a token obtained through MFA authentication. This condition must be used together with <strong id="iam_01_0017__b1612310578505">g:MFAPresent</strong>.</p>
</td>
</tr>
<tr id="iam_01_0017__row8818739103110"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p02819137575"><span style="color:#252B3A;">g:ProjectName</span></p>
<tr id="iam_01_0017__row8818739103110"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p02819137575">g:ProjectName</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p3818839143117">Character string</p>
</td>
<td class="cellrowborder" valign="top" width="57.11571157115712%" headers="mcps1.3.2.1.4.4.5.2.4.1.3 "><p id="iam_01_0017__p1081853913114">Project name</p>
</td>
</tr>
<tr id="iam_01_0017__row1381916391316"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p18819103920314"><span style="color:#252B3A;">g:ServiceName</span></p>
<tr id="iam_01_0017__row1381916391316"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p18819103920314">g:ServiceName</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p78191039163115">Character string</p>
</td>
@ -74,7 +74,7 @@
<td class="cellrowborder" valign="top" width="57.11571157115712%" headers="mcps1.3.2.1.4.4.5.2.4.1.3 "><p id="iam_01_0017__p1182333923110">User ID</p>
</td>
</tr>
<tr id="iam_01_0017__row1082310393314"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p382363983112"><span style="color:#252B3A;">g:UserName</span></p>
<tr id="iam_01_0017__row1082310393314"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.4.5.2.4.1.1 "><p id="iam_01_0017__p382363983112">g:UserName</p>
</td>
<td class="cellrowborder" valign="top" width="9.550955095509552%" headers="mcps1.3.2.1.4.4.5.2.4.1.2 "><p id="iam_01_0017__p1882323923114">Character string</p>
</td>
@ -141,10 +141,10 @@
</li></ul>
</div>
<div class="section" id="iam_01_0017__section565017773111"><h4 class="sectiontitle">Authentication Process</h4><p id="iam_01_0017__p113850961512">IAM authenticates users according to the permissions granted to the users. The following diagram shows the authentication process.</p>
<div class="fignone" id="iam_01_0017__fig4148178111014"><span class="figcap"><b>Figure 1 </b>Authentication process</span><br><span><img class="vsd" id="iam_01_0017__image7541541101416" src="en-us_image_0000001369554814.png"></span></div>
<div class="fignone" id="iam_01_0017__fig4148178111014"><span class="figcap"><b>Figure 1 </b>Authentication process</span><br><span><img class="imgResize" id="iam_01_0017__image7541541101416" src="en-us_image_0274187277.png" width="312.21750000000003" height="380.23303500000003" title="Click to enlarge"></span></div>
<div class="note" id="iam_01_0017__note1469502165619"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_01_0017__p1169518295612">The actions in each policy bear the OR relationship.</p>
</div></div>
<ol id="iam_01_0017__ol173684558404"><li id="iam_01_0017__li1126012426413">A user accesses the system and initiates an operation request.</li><li id="iam_01_0017__li9861041152420">The system evaluates all the permissions policies assigned to the user.</li><li id="iam_01_0017__li24996913162311">The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.</li><li id="iam_01_0017__li953633414512">If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.</li><li id="iam_01_0017__li977251615286"><span style="color:#000000;">If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.</span></li></ol>
<ol id="iam_01_0017__ol173684558404"><li id="iam_01_0017__li1126012426413">A user accesses the system and initiates an operation request.</li><li id="iam_01_0017__li9861041152420">The system evaluates all the permissions policies assigned to the user.</li><li id="iam_01_0017__li24996913162311">The system looks for explicit Deny permissions in these policies. If the system finds an explicit Deny that applies, it returns a decision of Deny, and the authentication ends.</li><li id="iam_01_0017__li953633414512">If no explicit Deny is found, the system looks for Allow permissions that would apply to the request. If the system finds an explicit Allow permission that applies, it returns a decision of Allow, and the authentication ends.</li><li id="iam_01_0017__li977251615286">If no explicit Allow permission is found, the system returns a decision of Deny, and the authentication ends.</li></ol>
</div>
</div>
<div>
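Review bot: the new Figure 1 img carries unrounded floating-point dimensions (`width="312.21750000000003" height="380.23303500000003"`), which look like raw output of a resize script; the HTML width/height attributes expect non-negative integers, so round them (312 and 380) or leave the sizing to CSS. The image file also changes from en-us_image_0000001369554814.png to en-us_image_0274187277.png, so check that the old file is removed in the same commit rather than left orphaned. Removing the `<span style="color:#000000;">` wrapper from the last list item is fine.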
@ -153,3 +153,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
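Review bot: the added script block uses the obsolete `language="JavaScript"` attribute and the `<!-- ... //-->` comment wrappers, neither of which is needed; a bare `<script>` element is enough. `image_size` and the `msg_imageMax`/`msg_imageClose` globals are not defined anywhere in this diff, so the page depends on a shared script that must be loaded before this block; document that dependency. Because this is an inline script, a Content-Security-Policy on the documentation host that lacks 'unsafe-inline' (or a nonce) would silently disable the enlarge behaviour, which is one more reason to move the call into the shared external script.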

View File

@ -4,10 +4,10 @@
<div id="body1503913294037"><p id="iam_01_0023__p427028131810">You can manage users in your account and their security credentials. In addition, you can configure federated identity authentication so that users in other systems can access the cloud system through SSO.</p>
<div class="section" id="iam_01_0023__section1475194083513"><h4 class="sectiontitle">Domain</h4><p id="iam_01_0023__p26559307143857">A domain, also called an "account", is created upon successful registration with the cloud system. The domain has full access permissions for its cloud services and resources.</p>
<p id="iam_01_0023__p1214512437357">For security purposes, create a security administrator and grant them <strong id="iam_01_0023__b842352706194711">Security Administrator</strong> permissions to manage users and their permissions in your account.</p>
<div class="fignone" id="iam_01_0023__fig10960172283211"><span class="figcap"><b>Figure 1 </b>Account management module</span><br><span><img id="iam_01_0023__image131616505186" src="en-us_image_0000001369235146.png"></span></div>
<div class="fignone" id="iam_01_0023__fig10960172283211"><span class="figcap"><b>Figure 1 </b>Account management module</span><br><span><img id="iam_01_0023__image131616505186" src="en-us_image_0274187193.png"></span></div>
</div>
<div class="section" id="iam_01_0023__section201417411614"><h4 class="sectiontitle">User</h4><p id="iam_01_0023__p49102262144454">You or other administrators can create users for employees, systems, or applications in IAM. The users can log in to the console or access APIs using their own identity credentials (passwords and access keys).</p>
<div class="fignone" id="iam_01_0023__fig133971733114"><span class="figcap"><b>Figure 2 </b>Relationship between the account and users</span><br><span><img id="iam_01_0023__image683623184719" src="en-us_image_0000001369714790.png"></span></div>
<div class="fignone" id="iam_01_0023__fig133971733114"><span class="figcap"><b>Figure 2 </b>Relationship between the account and users</span><br><span><img id="iam_01_0023__image683623184719" src="en-us_image_0274186863.png" width="222.44250000000002" height="332.1675" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="section" id="iam_01_0023__section126697618197"><h4 class="sectiontitle">Federated User</h4><p id="iam_01_0023__p9511624145917">Federated users access the cloud system through federated identity authentication.</p>
<p id="iam_01_0023__p19985118212">After being authenticated by an identity provider (IdP), users can access resources in a service provider (SP) without needing re-authentication.</p>
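Review bot: Figure 2 in this hunk gains the `imgResize` class plus width, height and title attributes, while Figure 1 a few lines above only has its src swapped; if both figures are meant to be click-to-enlarge, apply the class to both, and if not, the difference should be deliberate rather than accidental. The Figure 2 dimensions (222.44250000000002, 332.1675) should be integers for the same reason as on the other figures in this commit.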
@ -21,3 +21,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>
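Review bot: this script block is a verbatim copy of the one added to the previous file in this commit, and the Permissions Management page gets a third copy; duplicating it into every topic page means any change to the `image_size` wiring or to the `msg_*` strings has to be repeated per page. Put the call and the two strings into the shared script that already defines `image_size`, and keep only the `imgResize` marker class on the images.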

View File

@ -2,7 +2,7 @@
<h1 class="topictitle1">Permissions Management</h1>
<div id="body1503913294037"><p id="iam_01_0024__p4319505414714">You can grant users permissions to access different resources.</p>
<div class="section" id="iam_01_0024__section114145422598"><h4 class="sectiontitle">Granting Permissions to Users</h4><div class="fignone" id="iam_01_0024__fig105571112712"><span class="figcap"><b>Figure 1 </b>Authorization model</span><br><span><img id="iam_01_0024__image85573112717" src="en-us_image_0000001369714802.png"></span></div>
<div class="section" id="iam_01_0024__section114145422598"><h4 class="sectiontitle">Granting Permissions to Users</h4><div class="fignone" id="iam_01_0024__fig105571112712"><span class="figcap"><b>Figure 1 </b>Authorization model</span><br><span><img id="iam_01_0024__image85573112717" src="en-us_image_0274187188.png"></span></div>
<p id="iam_01_0024__p48486291141028"></p>
</div>
<ol id="iam_01_0024__ol10109183618397"><li id="iam_01_0024__li1344811417393">Plan user groups and grant permissions to each user group.</li><li id="iam_01_0024__li14954428289">Add a user to a specific user group so that the user can inherit the permissions of the group.</li></ol>
@ -10,7 +10,7 @@
<div class="section" id="iam_01_0024__section20199181713619"><h4 class="sectiontitle">Granting Permissions to Other Accounts</h4><p id="iam_01_0024__p27134311363">You (account A) can grant permissions to another account (account B) by creating an agency. Account B can then grant the <strong id="iam_01_0024__b015815239292">Agent Operator</strong> permissions to a user so that the user can manage resources in your account (account A).</p>
</div>
<div class="section" id="iam_01_0024__section219852720165"><h4 class="sectiontitle">Granting Permissions to Federated Users</h4><p id="iam_01_0024__p7752162911169">You can federate external users to IAM and grant permissions to the users to access cloud resources by creating an identity provider and identity conversion rules.</p>
<div class="fignone" id="iam_01_0024__fig644812451338"><span class="figcap"><b>Figure 2 </b>Identity conversion of federated users</span><br><span><img id="iam_01_0024__image13601359454" src="en-us_image_0000001420274845.png"></span></div>
<div class="fignone" id="iam_01_0024__fig644812451338"><span class="figcap"><b>Figure 2 </b>Identity conversion of federated users</span><br><span><img id="iam_01_0024__image13601359454" src="en-us_image_0274186856.png" width="331.66875000000005" height="116.70750000000001" title="Click to enlarge" class="imgResize"></span></div>
</div>
</div>
<div>
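Review bot: the `title="Click to enlarge"` on the Figure 2 img is a hard-coded English string, whereas the viewer captions (`msg_imageMax`, `msg_imageClose`) are set as script variables further down this file; if those variables exist for localization, the tooltip text should come from the same place so the two stay in sync. The width/height values (331.66875000000005 / 116.70750000000001) should be rounded to integers, as noted for the other figures.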
@ -19,3 +19,10 @@
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>

View File

@ -47,7 +47,7 @@
</td>
<td class="cellrowborder" valign="top" width="12.248775122487752%" headers="mcps1.3.2.2.5.2.1.1.5.1.2 "><p id="iam_01_0029__p711317509214">Set by user</p>
</td>
<td class="cellrowborder" valign="top" width="59.86401359864014%" headers="mcps1.3.2.2.5.2.1.1.5.1.3 "><p id="iam_01_0029__p027123518241">If you are the administrator setting the password for user <strong id="iam_01_0029__b1563123210551">Franklin</strong>, select this option and enter an email address and a mobile number. User <strong id="iam_01_0029__b135632325555">Franklin</strong> can then set a password by clicking on the one-time login URL sent over email.</p>
<td class="cellrowborder" valign="top" width="59.86401359864014%" headers="mcps1.3.2.2.5.2.1.1.5.1.3 "><p id="iam_01_0029__p027123518241">If you are the administrator setting the password for user <strong id="iam_01_0029__b1563123210551">Franklin</strong>, select this option and enter an email address and a mobile number. User <strong id="iam_01_0029__b135632325555">Franklin</strong> can then set a password by clicking the one-time login URL sent over email.</p>
</td>
</tr>
<tr id="iam_01_0029__row11113195042120"><td class="cellrowborder" valign="top" headers="mcps1.3.2.2.5.2.1.1.5.1.1 "><p id="iam_01_0029__p711375015214">Automatically generated</p>

View File

@ -45,9 +45,9 @@
</td>
<td class="cellrowborder" valign="top" width="11.848815118488151%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p7779181822310">--</p>
</td>
<td class="cellrowborder" valign="top" width="12.078792120787922%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p15779121852314">--</p>
<td class="cellrowborder" valign="top" width="12.248775122487752%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p15779121852314">--</p>
</td>
<td class="cellrowborder" valign="top" width="60.03399660033997%" headers="mcps1.3.2.2.4.2.1.1.5.1.3 "><p id="iam_01_0031__p6812103102416">If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.</p>
<td class="cellrowborder" valign="top" width="59.86401359864014%" headers="mcps1.3.2.2.4.2.1.1.5.1.3 "><p id="iam_01_0031__p6812103102416">If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.</p>
</td>
</tr>
<tr id="iam_01_0031__row952694019209"><td class="cellrowborder" rowspan="5" valign="top" width="16.03839616038396%" headers="mcps1.3.2.2.4.2.1.1.5.1.1 "><p id="iam_01_0031__p043251517216">Management console access</p>
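Review bot: the width change aligns this table's third and fourth columns (12.248...% and 59.864...%) with the equivalent table in iam_01_0029, and the four widths in the row still sum to 100% (16.038 + 11.849 + 12.249 + 59.864). In the same lines, though, the second and third cells both declare `headers="mcps1.3.2.2.4.2.1.1.5.1.2"`, so two different columns are associated with a single header cell and assistive technology will announce the wrong header for the third column; give that column its own header id while the table is being touched.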
@ -56,9 +56,9 @@
<td class="cellrowborder" rowspan="3" valign="top" width="11.848815118488151%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p159041850172111">Console Password</p>
<p id="iam_01_0031__p17904350162118"></p>
</td>
<td class="cellrowborder" valign="top" width="12.078792120787922%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p235110595212">Set by user</p>
<td class="cellrowborder" valign="top" width="12.248775122487752%" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p235110595212">Set by user</p>
</td>
<td class="cellrowborder" valign="top" width="60.03399660033997%" headers="mcps1.3.2.2.4.2.1.1.5.1.3 "><p id="iam_01_0031__p235165913218">If you are the administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can set a password by clicking on the one-time login URL sent over email.</p>
<td class="cellrowborder" valign="top" width="59.86401359864014%" headers="mcps1.3.2.2.4.2.1.1.5.1.3 "><p id="iam_01_0031__p235165913218">If you are the administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can set a password by clicking on the one-time login URL sent over email.</p>
</td>
</tr>
<tr id="iam_01_0031__row1088319122116"><td class="cellrowborder" valign="top" headers="mcps1.3.2.2.4.2.1.1.5.1.1 "><p id="iam_01_0031__p18351135914212">Automatically generated</p>
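Review bot: the description cell on the last replaced line still reads "clicking on the one-time login URL", while the same sentence in iam_01_0029 was changed to "clicking the one-time login URL" in this commit; apply the same wording here so the two pages match. The width adjustment itself is consistent with the previous hunk.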
@ -69,7 +69,7 @@
<tr id="iam_01_0031__row12985998218"><td class="cellrowborder" valign="top" headers="mcps1.3.2.2.4.2.1.1.5.1.1 "><p id="iam_01_0031__p153512593212">Set now</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.2.2.4.2.1.1.5.1.2 "><p id="iam_01_0031__p143511559112117">Select this option if you are the user. Then, set a password for login.</p>
<div class="note" id="iam_01_0031__note141801323115819"><span class="notetitle"> NOTE: </span><div class="notebody"><div class="p" id="iam_01_0031__p171061824165819">The password must meet the following requirements:<ul id="iam_01_0031__ul11061624195819"><li id="iam_01_0031__li13106124155816">Must contain 6 to 32 characters.</li><li id="iam_01_0031__li18275121519367">Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and spaces or other special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\=).</li><li id="iam_01_0031__li11106152475820">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="iam_01_0031__b9150141320428">A12345</strong>, the password cannot be <strong id="iam_01_0031__b191561113164216">A12345</strong>, <strong id="iam_01_0031__b41566133424">a12345</strong>, <strong id="iam_01_0031__b4156313194214">54321A</strong>, or <strong id="iam_01_0031__b1815715132427">54321a</strong>.</li><li id="iam_01_0031__li1410652425813">Cannot contain the user's mobile number or email address.</li></ul>
<div class="note" id="iam_01_0031__note141801323115819"><span class="notetitle"> NOTE: </span><div class="notebody"><div class="p" id="iam_01_0031__p171061824165819">The password must meet the following requirements:<ul id="iam_01_0031__ul11061624195819"><li id="iam_01_0031__li13106124155816">Must contain 6 to 32 characters.</li><li id="iam_01_0031__li18275121519367">Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/&lt;&gt;@#$%^&amp;*+|\= and spaces).</li><li id="iam_01_0031__li11106152475820">Cannot be the username or the username spelled backwards. For example, if the username is <strong id="iam_01_0031__b9150141320428">A12345</strong>, the password cannot be <strong id="iam_01_0031__b191561113164216">A12345</strong>, <strong id="iam_01_0031__b41566133424">a12345</strong>, <strong id="iam_01_0031__b4156313194214">54321A</strong>, or <strong id="iam_01_0031__b1815715132427">54321a</strong>.</li><li id="iam_01_0031__li1410652425813">Cannot contain the user's mobile number or email address.</li></ul>
</div>
</div></div>
</td>
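Review bot: the rewording moves spaces into the special-character class instead of treating them as a separate category, which changes how the "at least two types" rule is read; if the product counts a space as a special character this is correct, and the commit message should say so. The parenthetical now ends in `|\= and spaces)`, where `\=` sits directly before "and spaces" and is easy to misread; a comma, or listing "space" first, would help. It is also worth confirming that the 6-character minimum still reflects the enforced policy: it is below the 8-character floor NIST SP 800-63B recommends for user-chosen passwords, so if the product actually enforces more, the documentation understates it.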

Some files were not shown because too many files have changed in this diff.