Creating a User Group and Assigning Permissions

As an administrator, you can create user groups and grant them permissions using policies or roles. Users added to the user groups inherit permissions from the user groups. IAM users can assign permissions to themselves. IAM provides general permissions (such as administrator or read-only permissions) for each cloud service, which you can assign to user groups. Users in the groups can then use cloud services based on the assigned permissions. For details, see Assigning Permissions to an IAM User. To learn about system-defined permissions of all cloud services, see System-defined Permissions.

Prerequisites

Before creating a user group, learn about the following:

Basic concepts of permissions
System-defined permissions provided by IAM

Creating a User Group

Log in to the IAM console as the administrator.
Choose User Groups from the navigation pane, and click Create User Group in the upper right corner.

Figure 1 Creating a user group
On the displayed page, enter a user group name.
Click OK.

You can create a maximum of 20 user groups. To create more user groups, increase the quota by referring to How Do I Increase My Quota?

Assigning Permissions to a User Group

To assign permissions to a user group, perform the operations below. To revoke permissions of a user group, see Managing Permissions of a User Group.

In the user group list, locate the created user group click Authorize in the Operation column.

Figure 2 Going to the user group authorization page
On the Authorize User Group page, select the permissions to be assigned to the user group and click Next.

If the system-defined policies do not meet your requirements, click Create Policy in the upper right corner to create custom policies. You can use them to supplement system-defined policies for refined permissions control. For details, see Creating a Custom Policy.
Figure 3 Selecting permissions

Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.

**Table 1** Authorization scopes
Scope	Description
All resources	IAM users will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.
Enterprise projects	IAM users can use the resources in the enterprise projects you select based on the assigned permissions. This option is available only when Enterprise Project is enabled. For details about enterprise projects, see What Is Enterprise Project Management Service?. To enable Enterprise Project, see Enabling the Enterprise Project Function.
Region-specific projects	IAM users can use the resources in the region-specific projects you select based on the assigned permissions. If you select global service permissions, the permissions will be applied to all resources by default. If you select project-level service permissions, the permissions will be applied to the region-specific projects you select. NOTE: The region-specific projects for Dedicated Cloud cannot be selected.
Global services	IAM users can use global services based on the assigned permissions. Global services are deployed for all physical regions. IAM users do not need to specify a region when accessing these services, such as Object Storage Service (OBS) and Content Delivery Network (CDN). If you select project-level service permissions, the permissions will be applied to all resources by default. If you select global service permissions, the permissions will be applied to the global services.

Click OK.

Table 2 lists the common permissions. For all service-specific permissions, see System-defined Permissions.

If you add an IAM user to multiple groups, the user will inherit all the permissions from these groups.

For more information about permissions management, see Assigning Permissions to O&M Personnel, Assigning Dependency Roles, and Custom Policy Examples.
In the enterprise project authorization, if OBS permissions are assigned, they will be applied about 15 to 30 minutes after the authorization is complete.

**Table 2** Common permissions
Category	Policy/Role Name	Description	Authorization Scope
General administration	FullAccess	Full permissions for services supporting policy-based access control.	All resources
Resource management	Tenant Administrator	Administrator permissions for all services except IAM.	All resources
Viewing resources	Tenant Guest	Read-only permissions for all resources.	All resources
IAM user management	Security Administrator	Administrator permissions for IAM.	Global services
Accounting management	BSS Administrator	Administrator permissions for Billing Center, including managing invoices, orders, contracts, and renewals, and viewing bills. NOTE: The BSS Administrator permissions need to be assigned for all regions.	Region-specific projects
Computing O&M	ECS FullAccess	Administrator permissions for Elastic Cloud Server (ECS).	Region-specific projects
	CCE FullAccess	Administrator permissions for Cloud Container Engine (CCE).	Region-specific projects
	CCI FullAccess	Administrator permissions for Cloud Container Instance (CCI).	Region-specific projects
	BMS FullAccess	Administrator permissions for Bare Metal Server (BMS).	Region-specific projects
	IMS FullAccess	Administrator permissions for Image Management Service (IMS).	Region-specific projects
	AutoScaling FullAccess	Administrator permissions for Auto Scaling (AS).	Region-specific projects
Network O&M	VPC FullAccess	Administrator permissions for Virtual Private Cloud (VPC).	Region-specific projects
Network O&M	ELB FullAccess	Administrator permissions for Elastic Load Balance (ELB).	Region-specific projects
Database O&M	RDS FullAccess	Administrator permissions for Relational Database Service (RDS).	Region-specific projects
	DDS FullAccess	Administrator permissions for Document Database Service (DDS).	Region-specific projects
	DDM FullAccess	Administrator permissions for Distributed Database Middleware (DDM).	Region-specific projects
Security O&M	Anti-DDoS Administrator	Administrator permissions for Anti-DDoS.	Region-specific projects
	AAD Administrator	Administrator permissions for Advanced Anti-DDoS (AAD).	Region-specific projects
	WAF Administrator	Administrator permissions for Web Application Firewall (WAF).	Region-specific projects
	VSS Administrator	Administrator permissions for Vulnerability Scan Service (VSS).	Region-specific projects
	CGS Administrator	Administrator permissions for Container Guard Service (CGS).	Region-specific projects
	KMS Administrator	Administrator permissions for Key Management Service (KMS), which has been renamed Data Encryption Workshop (DEW).	Region-specific projects
	DBSS System Administrator	Administrator permissions for Database Security Service (DBSS).	Region-specific projects
	SES Administrator	Administrator permissions for Security Expert Service (SES).	Region-specific projects
	SC Administrator	Administrator permissions for SSL Certificate Manager (SCM).	Region-specific projects

Related Operations

Huawei Cloud services interwork with each other, and some cloud services are dependent on other services. Roles of these services take effect only if they are assigned along with the dependency roles. Policies, however, do not require dependencies.

Log in to the IAM console as the administrator.
In the user group list, click Authorize in the row that contains the created user group.
On the displayed page, search for a role in the search box in the upper right corner.
Select the target role. The system automatically selects the dependency roles.

Figure 4 Selecting a role
Click in front of the role to view the dependencies.

Figure 5 Viewing dependencies

For example, the DNS Administrator role contains the Depends parameter which specifies the dependency roles. When you assign the DNS Administrator role to a user group, you also need to assign the Tenant Guest and VPC Administrator roles to the group for the same project.
Click OK.