Permissions Overview

Last update: 2026-03-25 15:09:41

CDNetworks uses permissions to describe the ability of identities (such as users, user groups, and roles) to access specific resources. A permission allows or denies certain operations on certain resources under certain conditions, and a permission policy is a set of access permissions.

Permissions

The main account (resource owner) controls all permissions.

  • Each resource has only one owner. The owner must be the primary user and has full control over the resource.
  • The owner of a resource is not necessarily its creator. For example, when an IAM user who has been granted the permission to create resources creates one, the resource belongs to the primary user; the IAM user is the resource creator but not the resource owner.

IAM users (operators) have no default permissions.

  • IAM users represent operators, and all their operations require explicit authorization.
  • New IAM users do not have any operation permissions by default, and can operate resources through the console and API only after being authorized.

The resource creator (IAM user) does not automatically have any permissions for the created resources.

  • If IAM users are granted the permission to create resources, they will be able to create resources.
  • However, IAM users do not automatically have any permissions for the created resources unless the resource owner explicitly authorizes them.

Permission Policy

A permission policy (Policy) is a set of permissions described using a specific grammar, which can accurately specify the set of authorized objects, operations, and authorization conditions. By attaching a permission policy to a user or user group, that user or all users in the group obtain the access rights specified in the policy. When a permission policy contains both allow and deny authorization statements, the deny takes priority.
In IAM, a permission policy is an object entity, and users can create, update, delete, and view permission policies. IAM supports the following two types of permission policy:

  • System Policy: System policies are a set of common permission policies provided by IAM, mainly granting read-only permissions or all permissions for different products. IAM updates system policies automatically, and users cannot modify them.
  • Custom Policy: The authorization granularity of system policies is relatively coarse. If it cannot meet your needs, you can create a custom policy. For example, if you want to control operation permissions on a specific ECS instance, or you require that a visitor's requests to operate on objects come from a specified IP address, you must use a custom policy to achieve this granularity.

Authorize the IAM principal

Authorizing an IAM principal means binding one or more permission policies to a user, user group, or role. A bound permission policy can be a system policy or a custom policy. If a bound permission policy is updated, the updated policy takes effect automatically, and there is no need to re-bind it.
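
The rules above (the owner has full control, IAM users start with no permissions, creators gain nothing automatically, deny takes priority, and a custom policy can restrict requests by source IP) can be exercised together in a small evaluator. This is an added example, not CDNetworks code: the statement fields, action names, resource names and addresses are hypothetical and do not reflect the actual policy grammar.

```python
"""Simplified model of the evaluation rules described on this page.
Field names (effect, actions, resources, source_ips) are hypothetical,
not the CDNetworks policy grammar."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Statement:
    effect: str              # "allow" or "deny"
    actions: tuple           # glob patterns, e.g. "ecs:*"
    resources: tuple         # glob patterns over resource names
    source_ips: tuple = ()   # optional CIDR condition; empty means any IP

    def matches(self, action, resource, src_ip):
        if not any(fnmatchcase(action, p) for p in self.actions):
            return False
        if not any(fnmatchcase(resource, p) for p in self.resources):
            return False
        if self.source_ips:
            addr = ip_address(src_ip)
            return any(addr in ip_network(c) for c in self.source_ips)
        return True


def is_authorized(principal, owner, attached, action, resource, src_ip):
    """attached: every statement bound to the user directly or via groups."""
    if principal == owner:   # the main account has full control
        return True
    hits = [s.effect for s in attached if s.matches(action, resource, src_ip)]
    if "deny" in hits:       # deny priority: one matching deny wins
        return False
    return "allow" in hits   # no matching allow means implicit deny


# Constructed sample data: names, actions and addresses are made up.
OWNER = "main-account"
ALICE_POLICIES = [
    Statement("allow", ("ecs:CreateInstance",), ("*",)),
    Statement("allow", ("ecs:*",), ("instance/web-01",), ("203.0.113.0/24",)),
    Statement("deny", ("ecs:DeleteInstance",), ("*",)),
]
```

With these sample policies, the IAM user can create an instance but cannot then stop the instance it created, because no statement grants access to that new resource.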
