This section describes how to use IAM to implement fine-grained permissions control for your TMS resources. With IAM, you can:
- Create IAM users for employees based on your organizational structure. Each IAM user has their own security credentials for accessing TMS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or a cloud service to perform operations for your TMS resources.
If your account does not need individual IAM users, skip this section.
Figure 1 shows the process flow for granting permissions.
Prerequisites
Before granting permissions, learn about the TMS permissions and select the permissions as required. For details about the system-defined permissions supported by TMS, see TMS Permissions. To grant permissions for other services, you can see permissions.
Flowchart
- On the IAM console, create a user group and assigning permissions. Here, TMS ReadOnlyAccess permissions are used as an example.
- Log in and verify permissions.
The created user logs in to the console and verifies permissions as described below:
- Choose Service List > Tag Management Service. In the navigation pane on the left, click Predefined Tags. In the upper right corner of the displayed page, click Create Tag. If a message appears indicating that you have insufficient permissions to perform the operation, and if you can view existing predefined tags in the Predefined Tags page, the TMS ReadOnlyAccess policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the TMS ReadOnlyAccess policy is in effect.