Scenarios

Last updated: 2021-10-29 17:57:41

Manage users and grant different permissions to users

Scenario

Enterprise A has purchased multiple Kingsoft Cloud resources to deploy a project on Kingsoft Cloud. Employees or applications of Enterprise A need to use the resources. They have different responsibilities and therefore require different permissions. To reduce information security risks, Administrator A does not want to share the password or AccessKey of the Kingsoft Cloud account with all the employees, because doing so is equivalent to granting all permissions to the employees. Enterprise A has the following requirements:

  • A subaccount with the minimum permissions necessary for the work is assigned to each employee.
  • Permissions can be granted to a subaccount and revoked.
  • A subaccount can be disabled or deleted at any time.

Solution

With the user management feature of IAM, Enterprise A can create IAM users for the employees or applications, and attach the minimum system policies necessary for the work to the IAM users. An IAM user can access Kingsoft Cloud resources in one of the following ways:

  • Log in to the Kingsoft Cloud console by using its username and password.
  • Call related API operations by using its AccessKey.


Group resources and grant access permissions

Scenario

Enterprise A has deployed multiple projects on Kingsoft Cloud, and multiple resources are used for each project. Enterprise A has only one Kingsoft Cloud account, which contains hundreds of instances. Enterprise A intends to enable each project administrator to separately manage project members and their access permissions.

Solution

With the access control and project management features of IAM, Enterprise A can perform the following operations:

  1. Create multiple projects for the applications and add resources to the corresponding projects.

  2. Create IAM users and add them to the corresponding projects.

  3. Attach the system policies necessary for the work to the IAM users so that the IAM users can manage only the resources of the projects they have joined.


Access resources and grant resource permissions across accounts

Scenario

Enterprise A has purchased multiple Kingsoft Cloud resources for its business, such as KEC instances, Kingsoft Cloud Relational Database Service (KRDS) instances, Server Load Balancing (SLB) instances, and Kingsoft Cloud Standard Storage Service (KS3) buckets. Enterprise A intends to grant some business permissions to Enterprise B. Enterprise A has the following requirements:

  • Enterprise A can focus on its business and acts only as the resource owner. Enterprise A can authorize Enterprise B to perform some business-related operations, such as cloud resource O&M, monitoring, and management.
  • Enterprise A does not need to change any permissions when employees of Enterprise B join or leave Enterprise B. Enterprise B can grant access permissions on the resources of Enterprise A to its IAM users (employees or applications), and control their access to and operation permissions on the resources in a fine-grained manner.
  • If the contract is terminated, Enterprise A can revoke the permissions granted to Enterprise B at any time.

Solution

With the role management feature of IAM, Enterprise A can create an IAM role for the Kingsoft Cloud account of Enterprise B to access the Kingsoft Cloud console.

  1. Enterprise A creates an IAM role under its Kingsoft Cloud account, grants appropriate permissions to the IAM role, and authorizes the Kingsoft Cloud account of Enterprise B to assume the IAM role.
  2. Enterprise B creates an IAM user under its Kingsoft Cloud account, and grants the IAM user permissions to assume and switch between IAM roles.
  3. Employees of Enterprise B can log in to the Kingsoft Cloud console as the IAM user, and switch between IAM roles to access the authorized resources of Enterprise A.
  4. If the contract is terminated, Enterprise A only needs to revoke the permission to use the IAM role from the Kingsoft Cloud account of Enterprise B. After the permission is revoked, all IAM users under the Kingsoft Cloud account of Enterprise B no longer have the permissions of the IAM role.
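
The following added example, which is not part of the original documentation and does not use Kingsoft Cloud's API or policy syntax, models the four steps above in memory to show that access requires both Enterprise A's trust and Enterprise B's own grant, and that revoking the trust cuts off every user of Enterprise B at once. All account, role, user, and action names are constructed for illustration.

```python
# Simplified in-memory model of the cross-account flow; all names are constructed.
from dataclasses import dataclass, field

@dataclass
class Role:
    owner: str                                    # account that owns the resources
    name: str
    permissions: set = field(default_factory=set) # actions the role allows (step 1)
    trusted: set = field(default_factory=set)     # accounts allowed to assume it (step 1)

@dataclass
class User:
    account: str
    name: str
    may_assume: set = field(default_factory=set)  # (owner, role) pairs granted in step 2
    enabled: bool = True

def can_assume(user, role):
    """Both sides must agree: the owner trusts the user's account, and the
    user's own account has granted this user permission to assume the role."""
    return (user.enabled
            and user.account in role.trusted
            and (role.owner, role.name) in user.may_assume)

def is_allowed(user, role, action):
    """Step 3: an action succeeds only through an assumable role that permits it."""
    return can_assume(user, role) and action in role.permissions

def demo():
    # Step 1: Enterprise A creates the role, scopes it, and trusts account B.
    role = Role("enterprise-a", "ops-partner",
                {"monitor:read", "instance:restart"}, {"enterprise-b"})
    # Step 2: Enterprise B decides which of its own users may assume the role.
    alice = User("enterprise-b", "alice", {("enterprise-a", "ops-partner")})
    bob = User("enterprise-b", "bob")             # same account, no grant from B
    results = {
        "alice_read": is_allowed(alice, role, "monitor:read"),
        "alice_delete": is_allowed(alice, role, "instance:delete"),  # not in role
        "bob_read": is_allowed(bob, role, "monitor:read"),
    }
    # An employee leaves Enterprise B: B disables the user, A changes nothing.
    alice.enabled = False
    results["alice_after_leaving"] = is_allowed(alice, role, "monitor:read")
    # Step 4: contract ends; A removes B from the trust list in one place.
    carol = User("enterprise-b", "carol", {("enterprise-a", "ops-partner")})
    results["carol_before_revoke"] = is_allowed(carol, role, "monitor:read")
    role.trusted.discard("enterprise-b")
    results["carol_after_revoke"] = is_allowed(carol, role, "monitor:read")
    return results
```
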