IAM Workflow Introduction

Last update: 2022-06-09 12:17:15

CDNetworks IAM (Identity and Access Management) lets you use your Main Account to securely manage access to CDNetworks products/services and to your service resources.

This topic gives an overview of the IAM workflow before you start using IAM to create Sub Accounts and grant permissions that allow or deny their access to your service resources.

The overall workflow is as follows.

  • Main Account gets the system policies, which consist of the default permissions and actions for performing functional operations on the CDN products that you have contracted with CDNetworks.
  • Main Account can create a new user in User Management in the CDNetworks Console.
    (When Main Account has only created a new Sub Account, that Sub Account has no permission to access any functions or products.
    Main Account itself decides whether to grant an existing system policy or a custom policy to the Sub Account.
    If you are not familiar with what a policy is, see the article “Basic Concept”.)
  • Main Account can grant a system policy to a Sub Account to delegate the role to an end-user.
  • Main Account can create a custom policy and combine the actions you need into that custom policy.
  • Main Account can grant a custom policy to a Sub Account to delegate the role to an end-user.
  • Main Account can assign a Control Group to a Sub Account so that an end-user can manage the acceleration domains. (This step is available for managing CDN and security products.)

In the diagram above, you can assign a role to each person and decide which functions are allowed and which are not allowed for end-user A; the same applies to the other end-users.

To make IAM efficient, your Main Account is granted all system policies for your products by default. Sub Accounts have no policy by default; Main Account should grant a policy to Sub Accounts so that Sub Accounts will have a custom policy. In the CDNetworks Console, we provide flexible IAM functions: user management, policy management, permission management, and Control Group management.

| No | Function | Entrance | Description | Remarks |
|----|----------|----------|-------------|---------|
| 1 | User Management | IAM → Identities → Users | Create Users: create Sub Accounts for end-users; Delete Users: delete Sub Accounts; Modify Basic Information: change the Display name and email address; Modify Login Settings: Reset Password, turn on/off Console Login; Add Permissions: Add/Update Policies to use functions. | |
| 2 | Permission Management | IAM → Permissions → Grants | Assign/Revoke Permissions to Sub Account(s) for aligning policy to Sub Accounts. | |
| 3 | Control Group Management | IAM → Permissions → Control Group MGMT | Create / Manage User-Customized Control Group; Assign Sub Accounts to use CDN domains (acceleration domains) | Main Account should use for CDN/Cloud Security Product; Not available for Cloud Storage, UC (User management component) |
| 4 | Policy Management | IAM → Permissions → Policies | Create / Delete policy to add allow/deny to actions; Set actions to allow or refuse (deny) for CDN/Cloud Security Products | Main Account should use “Policy for functions” for CDN/Cloud Security Product. Main Account should use “Policy with expression” for Object storage/UC. |

As the table above shows, CDNetworks IAM has many functions to support efficient management of your user accounts.

Tip:

  • An Action is the element that performs a functional operation of a product, e.g. viewing traffic charts or editing a domain configuration on the Console.
  • For CDN and security products, Main Account should grant a “policy for function” and should also assign the corresponding acceleration domains to users through a “Control Group”.
  • For the other products (Object Storage, UC), Main Account should grant a “Policy with expressions” to users, because a “policy with expressions” includes both functions and resources.
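
The rules in the Tip above can be turned into a periodic review of Sub Account grants. The following is an added example, not CDNetworks code: the record layout, field names and product labels are hypothetical, and the sample accounts are constructed.

```python
# Added example: the record layout is hypothetical, not a CDNetworks export format.
CDN_SECURITY = {"cdn", "cloud_security"}    # need a function policy plus a Control Group
EXPRESSION_ONLY = {"object_storage", "uc"}  # need a policy with expression

def audit_sub_account(acct):
    """Return the list of findings for one Sub Account record."""
    grants = acct.get("grants", [])
    groups = acct.get("control_groups", [])
    if not grants:
        # Per the workflow: a Sub Account without a granted policy has no access.
        return ["no policy granted: account cannot access any function or product"]
    findings = []
    for g in grants:
        product, kind = g["product"], g["policy_type"]
        if product in CDN_SECURITY:
            if kind != "function":
                findings.append(f"{product}: expected a function policy, found {kind}")
            elif not groups:
                findings.append(f"{product}: function policy granted but no Control Group assigns domains")
        elif product in EXPRESSION_ONLY and kind != "expression":
            findings.append(f"{product}: expected a policy with expression, found {kind}")
    # Control Groups apply to CDN/security products only.
    if groups and not any(g["product"] in CDN_SECURITY for g in grants):
        findings.append("Control Group assigned without any CDN/security function policy")
    return findings

def audit(accounts):
    """Map each Sub Account name to its findings, omitting clean accounts."""
    report = {}
    for acct in accounts:
        findings = audit_sub_account(acct)
        if findings:
            report[acct["name"]] = findings
    return report

# Constructed sample records
SAMPLE = [
    {"name": "ops-a", "grants": [{"product": "cdn", "policy_type": "function"}], "control_groups": ["group-1"]},
    {"name": "ops-b", "grants": [{"product": "cdn", "policy_type": "function"}], "control_groups": []},
    {"name": "store-c", "grants": [{"product": "object_storage", "policy_type": "function"}], "control_groups": []},
    {"name": "new-d", "grants": [], "control_groups": []},
    {"name": "store-e", "grants": [{"product": "object_storage", "policy_type": "expression"}], "control_groups": ["group-1"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```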