IAM is the platform through which a customer's main account grants permissions to its IAM users.
This article describes how IAM works.
The workflow is:
- The main account is granted some system policies by default.
- The main account creates a new user. (At this point the user cannot do anything: after logging in to the Console the user sees nothing, because no permission has been granted yet. The main account decides whether to grant an existing system policy or a custom policy to the user. If you do not know what a policy is, see the chapter "Basic Concept".)
- The main account grants a system policy to the user.
- The main account creates a custom policy and packs the required actions into it.
- The main account grants the custom policy to the user.
- The main account grants a control group to the user. (This step is only needed when the main account wants to grant the user permission to access the resources of CDN and security products.) Now the user has full permission to access and use the Console.
Tip:
- "Function" means a functional view or edit permission on the Console.
- For CDN and security products, the main account grants both a "policy for function" and a "control group" to users.
- For the other products, the main account grants a "policy with expressions" to users, because a policy with expressions includes both function and resources.
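As an added illustration (not code from the original page or from the IAM platform itself), the following Python model walks through the workflow above and shows why a newly created user sees nothing until a policy, and for CDN and security products also a control group, has been granted. The product names, the "product:action" naming of actions, the sample system policies, and the representation of a control group as a set of resource ids per product are all assumptions made for this example, not the platform's real API or policy format.

```python
# Toy model of the IAM permission workflow described above. Hypothetical code:
# the class names, the "product:action" naming scheme and the representation
# of a control group (a set of resource ids per product) are assumptions, not
# the platform's own API or policy format.
from dataclasses import dataclass, field

# Products whose resources are scoped by a control group rather than by the
# policy itself (assumption derived from the Tip section above).
CONTROL_GROUP_PRODUCTS = frozenset({"cdn", "security"})


@dataclass(frozen=True)
class Policy:
    """A policy packs actions; a 'policy with expressions' also names resources."""
    name: str
    actions: frozenset                    # e.g. "cdn:view" (constructed naming)
    resources: frozenset = frozenset()    # empty for a plain 'policy for function'


@dataclass
class User:
    name: str
    policies: list = field(default_factory=list)
    control_groups: dict = field(default_factory=dict)  # product -> set of resource ids


# Constructed sample system policies (not the platform's real policy list).
SYSTEM_POLICIES = {
    "CDNReadOnly": Policy("CDNReadOnly", frozenset({"cdn:view"})),
    "SecurityFull": Policy("SecurityFull", frozenset({"security:view", "security:edit"})),
}


def create_user(name):
    """Step: the main account creates a user. It starts with nothing granted."""
    return User(name)


def create_custom_policy(name, actions, resources=()):
    """Step: the main account packs the needed actions (and, for a policy with
    expressions, the resources) into a custom policy."""
    return Policy(name, frozenset(actions), frozenset(resources))


def grant_policy(user, policy):
    """Step: the main account grants a system or custom policy to the user."""
    user.policies.append(policy)


def grant_control_group(user, product, resources):
    """Step: the main account grants a control group, which scopes the CDN or
    security resources the user's function permissions apply to."""
    user.control_groups.setdefault(product, set()).update(resources)


def is_allowed(user, action, resource):
    """Deny by default: allowed only if some granted policy contains the action
    AND the resource is in scope. For CDN/security products the scope comes
    from the control group; for other products from the policy's own
    resource expressions."""
    product = action.split(":", 1)[0]
    for policy in user.policies:
        if action not in policy.actions:
            continue
        if product in CONTROL_GROUP_PRODUCTS:
            if resource in user.control_groups.get(product, set()):
                return True
        elif resource in policy.resources:
            return True
    return False


def demo():
    """Walks the workflow on a constructed user and returns each decision."""
    alice = create_user("alice")
    before = is_allowed(alice, "cdn:view", "www.example.com")     # nothing granted yet
    grant_policy(alice, SYSTEM_POLICIES["CDNReadOnly"])
    no_group = is_allowed(alice, "cdn:view", "www.example.com")   # function, but no resources
    grant_control_group(alice, "cdn", {"www.example.com"})
    in_group = is_allowed(alice, "cdn:view", "www.example.com")
    other_domain = is_allowed(alice, "cdn:view", "static.example.com")
    edit = is_allowed(alice, "cdn:edit", "www.example.com")       # action never granted
    # Other products: a policy with expressions carries its own resources.
    grant_policy(alice, create_custom_policy("StorageList", ["storage:list"], ["bucket-a"]))
    bucket_a = is_allowed(alice, "storage:list", "bucket-a")
    bucket_b = is_allowed(alice, "storage:list", "bucket-b")
    return {"before": before, "no_group": no_group, "in_group": in_group,
            "other_domain": other_domain, "edit": edit,
            "bucket_a": bucket_a, "bucket_b": bucket_b}


if __name__ == "__main__":
    for stage, allowed in demo().items():
        print(f"{stage:13} {'allow' if allowed else 'deny'}")
```

Running the script prints one decision per stage; the useful observations are that a policy for function alone grants nothing on CDN resources until a control group names them, that the control group does not widen the set of actions, and that for other products the resource scope travels inside the policy with expressions.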