Basic Concept

Updated: 2022-06-09 12:17:14

This article describes the terminology that is used in IAM.

Main Account

The main account is created automatically when a customer signs a contract with CDNetworks. The main account is the owner that is charged for the purchased services.
The main account is the customer's resource owner; the customer manages resources by logging in to the Console with the main account. The main account is the customer's administrator.
The main account is also the only identity for API calls.

IAM User (Simplified as User)

IAM allows customers to create multiple users according to their own business management requirements. Users are created by the main account and have no permissions by default. A user is not charged for any services; CDNetworks charges only the main account.

The relationship between the main account and user

The main account and its IAM users have a parent-child relationship.
[Feature Upgrade] Advanced Access Control

Identity credential

An identity credential is used to log in to the Console. It refers to the login password or AccessKey. Identity credentials are secret information, and users need to keep their passwords confidential.

  • Login name and password: The customer uses the login name and password to log in to the Console and check resources.
  • AccessKey: The customer uses the access key to send API requests (or to use the cloud service SDK) to manipulate resources.
    Currently AK/SK applies only to certain products, such as Object Storage; for these products, the API can be called with an AccessKey.

Policy (Permission)

A policy is an aggregation of multiple functional resources. A policy is also the smallest granularity at which permissions are granted.

Policies fall into two types by owner:

  • System policies: Created and managed by CDNetworks; cannot be modified by customers.
  • Custom policies: Created and managed by customers according to their own business requirements.

Policies fall into two types by creation method:

  • Function policy: Packs the Console’s functional features, such as traffic reports and configuration items. The packing is done directly in IAM. A function policy must be granted together with a Control Group to form a whole permission; a user who is granted only a function policy won’t be able to see anything on the Console. Supported for CDN and security products.
  • Expression policy: Uses expressions, based on IAM structure and syntax, to assign specific operation permissions for specific resources. CDN and security products don’t support expression policies.

Control Group (Resource)

Control Groups are sets of accelerated domains. Control Groups apply only to CDN and security products (such as Flood Shield and WAF). For other products, such as Object Storage, the resources are already contained in the policy.
After Control Groups are assigned to users, those users have access to manage the domains.

An accelerated domain can be part of multiple Control Groups, and a single user can be assigned to multiple Control Groups as well.

“Predefined – Customer” Control Group

The “Predefined – Customer” Control Group is created automatically when a contract and the first user are created. It includes all domains associated with the customer account. The name of this Control Group cannot be modified.

“Predefined – Product” Control Group

Another automatically generated Control Group is the “Predefined – Product” Control Group, which includes all the domains associated with a new contract. The value of such a group is in being able to view total traffic under the contract and reconcile that with billing statements and do planning for anticipated traffic changes or contract upgrades.

Unlike the more global “Predefined – Customer” Control Group, this Control Group’s name can be customized by a Master Account.

User-Customized Control Group

All other Control Groups are created by and customized by a Master Account and can include any combination of domains across whatever contracts are associated with the customer account, giving access to any users associated with the customer account.
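
The permission model above lends itself to an access review. The following Python is an added example, not CDNetworks code or an IAM API: it computes each user's effective access from function policies and Control Groups, shows which groups give a user access to a domain, and flags half-granted users. All policy, group, domain and user names are constructed, and treating a Control Group without a function policy as ineffective is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data: policy, group, domain and user names are hypothetical.
FUNCTION_POLICIES = {"report-viewer": {"traffic report"},
                     "config-editor": {"configuration items"}}
CONTROL_GROUPS = {
    "Predefined – Customer": {"www.example.com", "img.example.com", "api.example.net"},
    "web-team": {"www.example.com", "img.example.com"},
    "api-team": {"api.example.net", "www.example.com"},
}

@dataclass
class User:
    name: str
    policies: set = field(default_factory=set)   # granted function policies
    groups: set = field(default_factory=set)     # assigned Control Groups

def effective_access(user):
    """Map each reachable domain to the Console features usable on it.
    Assumption: a grant is effective only when both halves are present."""
    features = set().union(*(FUNCTION_POLICIES[p] for p in user.policies))
    domains = set().union(*(CONTROL_GROUPS[g] for g in user.groups))
    return {d: set(features) for d in domains} if features else {}

def grant_paths(users, domain):
    """For one domain, list which Control Groups give each user access."""
    paths = {}
    for u in users:
        if domain in effective_access(u):
            paths[u.name] = sorted(g for g in u.groups if domain in CONTROL_GROUPS[g])
    return paths

def review(users):
    """Flag half-granted users and users holding the all-domains group."""
    findings = []
    for u in users:
        if u.policies and not u.groups:
            findings.append((u.name, "function policy without Control Group: sees nothing"))
        if u.groups and not u.policies:
            findings.append((u.name, "Control Group without function policy"))
        if u.policies and "Predefined – Customer" in u.groups:
            findings.append((u.name, "reaches every domain via Predefined – Customer"))
    return findings

USERS = [User("alice", {"report-viewer"}, {"web-team", "api-team"}),
         User("bob", {"config-editor"}),
         User("carol", {"report-viewer", "config-editor"}, {"Predefined – Customer"}),
         User("dave", set(), {"api-team"})]

if __name__ == "__main__":
    for finding in review(USERS):
        print(*finding, sep=": ")
    print(grant_paths(USERS, "www.example.com"))
```

Because a domain can sit in several Control Groups, `grant_paths` reports every group that has to be changed before a user actually loses access to that domain.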
