forked from docs/doc-exports
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_40_0027"></a><a name="obs_40_0027"></a>
<h1 class="topictitle1">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</h1>
<div id="body1596715709512"><div class="section" id="obs_40_0027__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0027__p122729624518">This topic describes how to grant IAM users the permissions to access OBS buckets and resources in them.</p>
<p id="obs_40_0027__p3431154410448">The following describes how to grant the permissions to upload and download objects in a bucket. To grant other permissions, configure the corresponding permissions in both the bucket policy and the IAM permissions.</p>
</div>
<div class="section" id="obs_40_0027__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0027__p103657437515">To grant permissions to IAM users under an account, you need to configure both <strong id="obs_40_0027__b8256103404411">bucket policies</strong> and <strong id="obs_40_0027__b226414312454">IAM permissions</strong>.</p>
<p id="obs_40_0027__p1049215541032">For example, to allow IAM user <strong id="obs_40_0027__b18841626524">A</strong> of account <strong id="obs_40_0027__b172885321426">A</strong> to access bucket <strong id="obs_40_0027__b12475401211">B</strong> of account <strong id="obs_40_0027__b11263842126">B</strong>, you need to:</p>
<ol id="obs_40_0027__ol7853716103516"><li id="obs_40_0027__li685301693514">Configure a bucket policy that allows IAM user <strong id="obs_40_0027__b9474163319319">A</strong> to access bucket <strong id="obs_40_0027__b116647362033">B</strong>.</li><li id="obs_40_0027__li888244323516">Configure IAM permissions for account <strong id="obs_40_0027__b1045612463593">A</strong> to allow IAM user <strong id="obs_40_0027__b1426095015917">A</strong> to access bucket <strong id="obs_40_0027__b5574125115913">B</strong>.</li></ol>
</div>
<div class="section" id="obs_40_0027__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0027__p1997310195116">After configuration, the IAM user can upload and download objects through APIs. In addition, the user can upload and download objects by mounting external buckets on OBS Browser+. To add external buckets, the <strong id="obs_40_0027__b15782712313">ListBucket</strong> permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.</p>
</div>
<div class="section" id="obs_40_0027__section18368164564"><h4 class="sectiontitle">Procedure 1: The Bucket Owner Configures a Bucket Policy.</h4><p id="obs_40_0027__p35829813485"><strong id="obs_40_0027__b109301413115513">The bucket owner or a user who has the permission to configure bucket policies needs to configure a bucket policy that allows IAM users under an account to perform specified operations on the bucket.</strong></p>
<p id="obs_40_0027__p1294242910372">In this example, account <strong id="obs_40_0027__b445545655919">B</strong> (owner of bucket <strong id="obs_40_0027__b20701165812596">B</strong>) configures a bucket policy that allows IAM user <strong id="obs_40_0027__b98031917409">A</strong> of account <strong id="obs_40_0027__b351912259019">A</strong> to upload objects to and download objects from bucket <strong id="obs_40_0027__b862220391905">B</strong> of account <strong id="obs_40_0027__b1463512421016">B</strong>.</p>
<ol id="obs_40_0027__ol170633855216"><li id="obs_40_0027__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0027__b6458442125816">Object Storage</strong>.</span></li><li id="obs_40_0027__li32491951194912"><span>In the bucket list, click the name of the target bucket to go to the <strong id="obs_40_0027__b110482805523831">Overview</strong> page.</span></li><li id="obs_40_0027__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0027__b10288738699054">Permissions</strong>.</span></li><li id="obs_40_0027__li1568715376490"><span>On the <strong id="obs_40_0027__b176410562414">Bucket Policies</strong> page, click <strong id="obs_40_0027__b876912565412">Create Bucket Policy</strong> under <strong id="obs_40_0027__b1776917561947">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0027__li1470617571214"><span>Configure a bucket policy that allows uploads and downloads.</span><p><div class="fignone" id="obs_40_0027__fig1839112575282"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy that allows uploads and downloads</span><br><span><img id="obs_40_0027__image15393165711286" src="en-us_image_0000001386341906.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0027__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0027__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.4.5.2.2.2.3.1.1"><p id="obs_40_0027__p1770714531211"><strong id="obs_40_0027__b112183559383133">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.4.5.2.2.2.3.1.2"><p id="obs_40_0027__p47078561217"><strong id="obs_40_0027__b31504489683133">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0027__row3707105161213"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p1270710541217">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.5.2.2.2.3.1.2 "><p id="obs_40_0027__p1070720571218">Select <strong id="obs_40_0027__b83271254983133">Customized</strong>.</p>
</td>
</tr>
<tr id="obs_40_0027__row0282443111316"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p1528214351316">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.5.2.2.2.3.1.2 "><p id="obs_40_0027__p628264361310">Select <strong id="obs_40_0027__b172872503783133">Allow</strong>.</p>
</td>
</tr>
<tr id="obs_40_0027__row27071453128"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p9707195171215">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.5.2.2.2.3.1.2 "><ul id="obs_40_0027__ul1770715511217"><li id="obs_40_0027__li1070775131213">Select <strong id="obs_40_0027__b200908649883133">Include</strong> > <strong id="obs_40_0027__b25408026583133">Other account</strong>.</li><li id="obs_40_0027__li117071512129"><strong id="obs_40_0027__b0694232141212">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0027__b669413220123">My Credentials</strong> page of the account or the IAM user. The ID of account <strong id="obs_40_0027__b7446234161219">A</strong> is used as an example here.</li><li id="obs_40_0027__li4707175171214"><strong id="obs_40_0027__b162377141133">User ID</strong>: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the <strong id="obs_40_0027__b523719143131">My Credentials</strong> page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account. The ID of IAM user <strong id="obs_40_0027__b112451458151217">A</strong> under account <strong id="obs_40_0027__b10245135851218">A</strong> is used as an example here.</li></ul>
</td>
</tr>
<tr id="obs_40_0027__row187079581216"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p47071520126">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.5.2.2.2.3.1.2 "><ul id="obs_40_0027__ul15636626173616"><li id="obs_40_0027__li1963652623617">Choose <strong id="obs_40_0027__b122160060883133">Include</strong> > <strong id="obs_40_0027__b30252475983133">Specific resources</strong>.</li><li id="obs_40_0027__li1338101719199"><strong id="obs_40_0027__b182981143141412">Resource Name</strong>: Enter the object or the set of objects that will be accessed.<ul id="obs_40_0027__ul1978916471414"><li id="obs_40_0027__li115011491614">For one object, enter <em id="obs_40_0027__i107552046171416">object name</em>.</li><li id="obs_40_0027__li465155117114">For a set of objects, enter <em id="obs_40_0027__i135731049171416">object name prefix + *, * + object name suffix, or *</em>.</li></ul>
<p id="obs_40_0027__p5778105217114">Set this parameter to <strong id="obs_40_0027__b1633219291219">*</strong> if all objects need to be downloaded.</p>
</li></ul>
</td>
</tr>
<tr id="obs_40_0027__row16898181610148"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p989841691413">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.5.2.2.2.3.1.2 "><ul id="obs_40_0027__ul48235222144"><li id="obs_40_0027__li1182312214143"><strong id="obs_40_0027__b93542087483133">Include</strong></li><li id="obs_40_0027__li04383583015"><strong id="obs_40_0027__b12790451158">Action Name</strong>:<ul id="obs_40_0027__ul7641371302"><li id="obs_40_0027__li169323914306">GetObject</li><li id="obs_40_0027__li18964256174912">GetObjectVersion</li><li id="obs_40_0027__li228323312115">PutObject</li><li id="obs_40_0027__li66314165016">(Optional) ListBucket: Select this operation if you need to use OBS Browser+ to add external buckets.</li></ul>
</li></ul>
<p id="obs_40_0027__p13633153815312">To configure other specified operation permissions on objects, select the corresponding actions. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0027__li1940154881411"><span>Click <strong id="obs_40_0027__b555404819224">OK</strong>.</span></li><li id="obs_40_0027__li542116451228"><span>(Optional) Click <strong id="obs_40_0027__b210415918228">Create Bucket Policy</strong> again to configure a bucket policy that allows objects in the bucket to be listed. (Perform this step when you need to use OBS Browser+ to add external buckets.)</span><p><div class="fignone" id="obs_40_0027__fig15856513153015"><span class="figcap"><b>Figure 2 </b>Configuring a bucket policy that allows objects to be listed in a bucket</span><br><span><img id="obs_40_0027__image1857121333016" src="en-us_image_0000001436302073.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0027__table21598471047" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0027__row616012476418"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.4.7.2.2.2.3.1.1"><p id="obs_40_0027__p18160847143"><strong id="obs_40_0027__b33723186483133">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.4.7.2.2.2.3.1.2"><p id="obs_40_0027__p1116017477415"><strong id="obs_40_0027__b193799783283133">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0027__row16160184712419"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.7.2.2.2.3.1.1 "><p id="obs_40_0027__p6160547946">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.7.2.2.2.3.1.2 "><p id="obs_40_0027__p181601247141">Select <strong id="obs_40_0027__b147830793583133">Customized</strong>.</p>
</td>
</tr>
<tr id="obs_40_0027__row1160147646"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.7.2.2.2.3.1.1 "><p id="obs_40_0027__p131601747141">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.7.2.2.2.3.1.2 "><p id="obs_40_0027__p181601947341">Select <strong id="obs_40_0027__b161986717583133">Allow</strong>.</p>
</td>
</tr>
<tr id="obs_40_0027__row16160164712410"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.7.2.2.2.3.1.1 "><p id="obs_40_0027__p191604477414">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.7.2.2.2.3.1.2 "><ul id="obs_40_0027__ul181601471649"><li id="obs_40_0027__li1160114718412">Select <strong id="obs_40_0027__b192440240683133">Include</strong> > <strong id="obs_40_0027__b152342617883133">Other account</strong>.</li><li id="obs_40_0027__li2160174716415"><strong id="obs_40_0027__b061915551419">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0027__b166198541416">My Credentials</strong> page of the account or the IAM user. The ID of account <strong id="obs_40_0027__b7272171014141">A</strong> is used as an example here.</li><li id="obs_40_0027__li61600471347"><strong id="obs_40_0027__b4285102016147">User ID</strong>: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the <strong id="obs_40_0027__b2285102031415">My Credentials</strong> page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account. The ID of IAM user <strong id="obs_40_0027__b36593224147">A</strong> under account <strong id="obs_40_0027__b16659322121410">A</strong> is used as an example here.</li></ul>
</td>
</tr>
<tr id="obs_40_0027__row10160204710411"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.7.2.2.2.3.1.1 "><p id="obs_40_0027__p1016044713420">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.7.2.2.2.3.1.2 "><p id="obs_40_0027__p469991819814">Select <strong id="obs_40_0027__b9861802783133">Include</strong> > <strong id="obs_40_0027__b80210064283133">Entire bucket</strong>.</p>
</td>
</tr>
<tr id="obs_40_0027__row111601647047"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.4.7.2.2.2.3.1.1 "><p id="obs_40_0027__p51602471046">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.4.7.2.2.2.3.1.2 "><ul id="obs_40_0027__ul1416015471445"><li id="obs_40_0027__li71606471349"><strong id="obs_40_0027__b147829789083133">Include</strong></li><li id="obs_40_0027__li1716013477410"><strong id="obs_40_0027__b9985102018170">Action Name</strong>: ListBucket</li></ul>
<p id="obs_40_0027__p416010472415">To configure other specified permissions on buckets, select the corresponding actions. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0027__li8587936895"><span>Click <strong id="obs_40_0027__b10834667302">OK</strong>.</span></li></ol>
</div>
<div class="section" id="obs_40_0027__section162831454172820"><h4 class="sectiontitle">Procedure 2: The Account Grants Permissions to IAM Users Under It.</h4><p id="obs_40_0027__p66814918151"><strong id="obs_40_0027__b1569216472268">The account (not the bucket owner) needs to grant permissions to its IAM users to perform specified operations on the bucket. (The allowed operations must be the same as those allowed in the bucket policy.)</strong></p>
<p id="obs_40_0027__p1014617590515">In this example, account <strong id="obs_40_0027__b1264811420293">A</strong> needs to grant IAM user <strong id="obs_40_0027__b38544718308">A</strong> the permissions to upload objects to and download objects from bucket <strong id="obs_40_0027__b1916194433418">B</strong> of account <strong id="obs_40_0027__b16562184513345">B</strong>.</p>
<ol id="obs_40_0027__ol1236856151519"><li id="obs_40_0027__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0027__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0027__b1691062512585">Service List</strong> > <strong id="obs_40_0027__b69105251589">Management & Deployment</strong> > <strong id="obs_40_0027__b16910122516588">Identity and Access Management</strong>.</span></li><li id="obs_40_0027__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0027__b1512132945610">Permissions</strong>.</span></li><li id="obs_40_0027__li1388483016366"><span>Click <strong id="obs_40_0027__b418324575815">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0027__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0027__fig2687192003913"><span class="figcap"><b>Figure 3 </b>Configuring a custom policy</span><br><span><img id="obs_40_0027__image66888207395" src="en-us_image_0000001436303585.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0027__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0027__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0027__p23757272286"><strong id="obs_40_0027__b28417750883133">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.75%" id="mcps1.3.5.4.5.2.2.2.3.1.2"><p id="obs_40_0027__p63751027152820"><strong id="obs_40_0027__b26899984083133">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0027__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0027__p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0027__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0027__p17375102714285">Select the view you prefer. <strong id="obs_40_0027__b49561628698">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0027__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><ul id="obs_40_0027__ul127691549205313"><li id="obs_40_0027__li167691496533">Select <strong id="obs_40_0027__b116855133283133">Allow</strong>.</li><li id="obs_40_0027__li1676910494536">Select <strong id="obs_40_0027__b184236017183133">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0027__li7820139488">Select the actions to be authorized.<ul id="obs_40_0027__ul69955399229"><li id="obs_40_0027__li1872516591235">ReadOnly > <strong id="obs_40_0027__b22871531133614">obs:bucket:ListBucketVersions</strong> and <strong id="obs_40_0027__b59451934163610">obs:object:GetObjectVersion</strong></li><li id="obs_40_0027__li1665116356242">ReadWrite > <strong id="obs_40_0027__b173271339143610">obs:object:PutObject</strong></li><li id="obs_40_0027__li17906197258">ListOnly > <strong id="obs_40_0027__b1872521911510">obs:bucket:ListBucket</strong> (Select this operation if you need to use OBS Browser+ to add external buckets.)</li></ul>
</li><li id="obs_40_0027__li68704665514">Choose <strong id="obs_40_0027__b15151242173911">Specific</strong> > <strong id="obs_40_0027__b15807455392">object</strong> to specify an object resource. The specified object or object set must be consistent with the bucket policy.<ul id="obs_40_0027__ul7227154714396"><li id="obs_40_0027__li12453134313914">Select <strong id="obs_40_0027__b4466525204020">Any</strong> if the resource set in the bucket policy is <strong id="obs_40_0027__b14180185523910">*</strong>.</li><li id="obs_40_0027__li3741544114020">If the bucket policy specifies a single object or a set of objects, specify the same object or set of objects here through the resource path.<p id="obs_40_0027__p1074114410400"><a name="obs_40_0027__li3741544114020"></a><a name="li3741544114020"></a>[Format]</p>
<p id="obs_40_0027__p187411344194016">obs:*:*:object:<em id="obs_40_0027__i77808511383133">bucket name/object name</em></p>
</li></ul>
<p id="obs_40_0027__p91229174218">Select <strong id="obs_40_0027__b319612254320">Any</strong> in this example, because the resource in the bucket policy is set to <strong id="obs_40_0027__b5796140204315">*</strong>.</p>
</li><li id="obs_40_0027__li77691949175310">Choose <strong id="obs_40_0027__b5104552134718">Specific</strong> > <strong id="obs_40_0027__b21741257194719">bucket</strong> > <strong id="obs_40_0027__b17643171344818">Specify resource path</strong> to specify bucket resources.<p id="obs_40_0027__p10101021193215">Click <strong id="obs_40_0027__b41028378487">Add Resource Path</strong> and enter the name of the authorized bucket in the <strong id="obs_40_0027__b268910862517">Path</strong> text box, for example, <strong id="obs_40_0027__b56121432132516">example-bucket</strong>.</p>
<p id="obs_40_0027__p1655413113338">The complete path of the resource is as follows: <strong id="obs_40_0027__b9748123234910">OBS:*:*:bucket:example-bucket</strong>.</p>
</li></ul>
</td>
</tr>
<tr id="obs_40_0027__row148651211115420"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0027__p108861114155415">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0027__p1188611417541">The default value is <strong id="obs_40_0027__b139641917764">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0027__li1293324623719"><span>Click <strong id="obs_40_0027__b15454772583133">OK</strong>.</span></li><li id="obs_40_0027__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0027__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0027__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0027__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0027__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li></ol>
</div>
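<p>Added example, not part of the original OBS documentation: a Python check for the rule stated in Procedure 1 and Procedure 2 that the IAM policy must allow the same operations as the bucket policy, which also flags a wildcard User ID in the bucket policy. The JSON layout of both policies, the principal string form, the placeholder IDs, and the mapping of an IAM action such as obs:object:PutObject to the bucket-policy action PutObject are assumptions; the sample policies are constructed from the action names in Tables 1 to 3, with one wildcard User ID added.</p>

```python
import json

# Constructed sample policies. The JSON layout, the "domain/...:user/..." principal
# form and the placeholder IDs are assumptions; action names are those in Tables 1-3.
BUCKET_POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow",
   "Principal": {"ID": ["domain/ACCOUNT_A_ID:user/USER_A_ID"]},
   "Action": ["GetObject", "GetObjectVersion", "PutObject"],
   "Resource": ["example-bucket/*"]},
  {"Effect": "Allow",
   "Principal": {"ID": ["domain/ACCOUNT_A_ID:user/*"]},
   "Action": ["ListBucket"],
   "Resource": ["example-bucket"]}
]}
""")
IAM_POLICY = json.loads("""
{"Version": "1.1",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["obs:bucket:ListBucketVersions", "obs:object:GetObjectVersion",
              "obs:object:PutObject", "obs:bucket:ListBucket"],
   "Resource": ["OBS:*:*:object:*", "OBS:*:*:bucket:example-bucket"]}
]}
""")

def bucket_policy_actions(policy, account_id, user_id):
    """Actions the bucket policy allows one IAM user, and wildcard principals seen."""
    exact = f"domain/{account_id}:user/{user_id}"
    wildcard = f"domain/{account_id}:user/*"
    actions, wildcards = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"]["ID"]
        if wildcard in principals:
            wildcards.add(wildcard)
        if exact in principals or wildcard in principals:
            actions.update(stmt["Action"])
    return actions, wildcards

def iam_policy_actions(policy, bucket):
    """Short action names the IAM policy allows on the bucket or objects in it."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        covered = set()  # resource kinds ("bucket", "object") that reach this bucket
        for res in stmt["Resource"]:
            parts = res.split(":", 4)  # OBS:*:*:KIND:PATH
            if len(parts) != 5:
                continue
            kind, path = parts[3], parts[4]
            if path in ("*", bucket) or path.startswith(bucket + "/"):
                covered.add(kind)
        for action in stmt["Action"]:
            # obs:object:PutObject; last part assumed equal to the bucket-policy action
            _, kind, name = action.split(":")
            if kind in covered:
                actions.add(name)
    return actions

def compare(bucket_policy, iam_policy, account_id, user_id, bucket):
    """Report actions granted on both sides and those present on only one."""
    b_actions, wildcards = bucket_policy_actions(bucket_policy, account_id, user_id)
    i_actions = iam_policy_actions(iam_policy, bucket)
    return {
        "granted_on_both_sides": sorted(b_actions.intersection(i_actions)),
        "bucket_policy_only": sorted(b_actions - i_actions),
        "iam_policy_only": sorted(i_actions - b_actions),
        "wildcard_principals": sorted(wildcards),
    }

if __name__ == "__main__":
    print(json.dumps(compare(BUCKET_POLICY, IAM_POLICY, "ACCOUNT_A_ID",
                             "USER_A_ID", "example-bucket"), indent=2))
```

<p>On the sample input the report lists GetObject under the bucket policy only and ListBucketVersions under the IAM policy only, so the two action sets should be reconciled before relying on the grant.</p>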
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0024.html">Granting Permissions to Other Accounts</a></div>
</div>
</div>