Basic Concept

Last update:2022-06-09 12:17:14

This page introduces the basic concepts of CDNetworks IAM (Identity and Access Management). It is useful when you act as the administrator of the CDN products you have contracted. CDNetworks IAM gives administrators functions to manage roles, that is, to grant permissions and access privileges for individual service resources.

User Account Types

There are two types of user accounts in CDNetworks Console: Main Account and Sub Account.

To check your account type, go to “Account Management → Basic Information” in the Console.

  • Main Account (same as “Primary Account”):

    • If you hold the Main Account in CDNetworks Console, you have the privilege to manage all user accounts and grant permissions, that is, to decide which accounts can use which product functions.

    • CDNetworks provides only one Main Account when you sign a contract. The Main Account is the administrator for the CDN products you have contracted.

    • With the Main Account, IAM lets you create multiple Sub Accounts for end users according to your own business management requirements.

  • Sub Account:

    • Sub Accounts are end users' login accounts. They can access the products and services for which the Main Account has given them a role that grants permission to use specified functions of CDNetworks products.

Identity credential

  • An identity credential is used to identify you when you log in to CDNetworks Console. It refers to the login password or AccessKey.

    • Login name and Password:

      • You can use the login name and password to log in to CDNetworks Console to manage your products and your service resources.
    • AccessKey

      • You can use the access key to send an API request (or use the cloud service SDK) to manipulate resources.

      • Currently, AK/SK is only available for some products, such as Object Storage.

      • The Object Storage API can be called using AccessKey authentication.

  • Identity credentials are secret information; keep your password confidential.

Policy (Permission and Action)

  • Policy

    • A policy is a collection of rules stating which actions are allowed and which actions are denied (refused).

    • When you request a product or service function, CDNetworks Console processes your request in the following steps:

    • For example, user account A requests “get traffic report” for CDN domain #1.

    • After authenticating and authorizing the request, the CDNetworks platform asks IAM whether the request is approved for the action “get traffic report”.

    • IAM checks whether the action (get traffic report) is permitted for CDN domain #1.

    • IAM checks whether user account A can access CDN domain #1 through control-group management.

    • If both conditions above are met, user account A receives the result of the request “get traffic report” for CDN domain #1.

  • Policies are divided into two types by owner:

    • System Policy

      • System policies are created and managed by CDNetworks. You cannot change any system policy.
    • Custom Policy

      • Custom policies are created and managed by customers according to their own business requirements.
  • Policies are also divided into two types by creation method:

    • Function policy

      • It is available for CDN products and Cloud Security products, and allows or denies functions of those products.

      • You should set which user accounts can access the CDN domains that are managed by control-group management.
        (For example, user account A has permission to change the origin configuration of the CDN domains listed in its control group and to get traffic reports on the Console.)

    • Expression policy

      • It is available for the Object Storage product, not for CDN products or Cloud Security products.
      • You can use expressions to assign specific operation permissions for specific resources, based on the IAM structure and syntax.
      • For more details, refer to the expression policy articles.

Control Group (contracts and service resources)

  • A Control Group is a set of accelerated domains (domains that are being run through CDNetworks). It can be assigned users, who then have access to monitoring traffic, billing, and service configurations for the accelerated domains included in the Control Group.
  • Control Groups are supported in the CDN/cloud security products (such as CA, DWA, MA, Flood shield, WAF, etc.).
  • If you have contracted with CDNetworks and want to manage your services by contract within the same product, Control Groups support this. For example, when you have multiple CA contracts with CDNetworks and manage your CDN domains by contract, Control Groups let you divide the CDN domains according to your contracts.
    • After Control Groups are assigned to user accounts, those accounts have access to manage the domains.
    • An accelerated domain can be part of multiple Control Groups, and a single user can be assigned to multiple Control Groups as well.
  • There are three types of Control Group:
    • “Predefined – Customer” Control Group
      • A Control Group that is automatically created when a contract and first user are created is the “Predefined – Customer” Control Group, which includes all domains associated with the customer account. The name of this Control Group cannot be modified.
    • “Predefined – Product” Control Group
      • Another automatically generated Control Group is the “Predefined – Product” Control Group, which includes all the domains associated with a new contract. The value of such a group is in being able to view total traffic under the contract and reconcile that with billing statements and do planning for anticipated traffic changes or contract upgrades.
      • Unlike the more global “Predefined – Customer” Control Group, this Control Group’s name can be customized by the Main Account.
    • User-Customized Control Group
      • All other Control Groups are created by and customized by the Main Account and can include any combination of domains across whatever contracts are associated with the customer account, giving access to any users associated with the customer account.
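
The two checks in the request flow under Policy, combined with Control Group membership as described above, can be modeled as follows. This is an added example, not CDNetworks code or its IAM implementation; the user names, action names, domains, and the rule that an explicit deny overrides an allow are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

@dataclass(frozen=True)
class ControlGroup:
    name: str
    domains: frozenset
    users: frozenset

def action_permitted(policies, action):
    # Check 1. Assumption: explicit deny overrides allow; unmentioned actions are refused.
    if any(action in p.deny for p in policies):
        return False
    return any(action in p.allow for p in policies)

def domain_reachable(groups, user, domain):
    # Check 2: the user is assigned to a Control Group containing the domain.
    return any(user in g.users and domain in g.domains for g in groups)

def authorize(user, action, domain, policies_by_user, groups):
    checks = {"policy": action_permitted(policies_by_user.get(user, ()), action),
              "control_group": domain_reachable(groups, user, domain)}
    return all(checks.values()), checks  # both checks must pass

def effective_access(user, policies_by_user, groups):
    # Audit helper: every (action, domain) pair the user can actually use.
    actions = {a for p in policies_by_user.get(user, ()) for a in p.allow}
    domains = {d for g in groups if user in g.users for d in g.domains}
    return sorted((a, d) for a in actions for d in domains
                  if authorize(user, a, d, policies_by_user, groups)[0])

# Constructed sample data; names are placeholders, not CDNetworks identifiers.
D1, D2 = "cdn1.example.com", "cdn2.example.com"
REPORT, ORIGIN = "get_traffic_report", "change_origin_config"
GROUPS = [
    ControlGroup("Predefined - Customer", frozenset({D1, D2}), frozenset({"ops"})),
    ControlGroup("team-a", frozenset({D1}), frozenset({"A"})),
]
POLICIES = {
    "ops": [Policy(allow=frozenset({REPORT, ORIGIN}))],
    "A": [Policy(allow=frozenset({REPORT, ORIGIN})), Policy(deny=frozenset({ORIGIN}))],
    "B": [Policy(allow=frozenset({REPORT}))],  # policy but no Control Group
}

if __name__ == "__main__":
    for u in POLICIES:
        print(u, effective_access(u, POLICIES, GROUPS))
```

The per-check result returned by authorize shows which of the two conditions blocked a request, which is the first thing to look at when a Sub Account reports a missing permission.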