Basic Concept

Last updated: 2026-03-25 15:08:05

Basic Terms of IAM

This article introduces the key terms and their definitions in IAM (Access Control) to help you quickly understand the basic concepts and usage of IAM.

Main Account

The main account is automatically created after a customer establishes a service relationship with CDNetworks. It is the entity to which purchased products, services, and resources belong, and is also responsible for the associated costs.

The main account has full management permissions for all resources under the account. It can log in to the console to centrally view, configure, and manage all activated products, services, and resources.

In IAM, the main account also serves as the administrator role and can be used for the following:

  1. Creating and Managing IAM Users
  2. Assigning Permissions to IAM Users
  3. Managing Resources and Access Methods Under the Main Account
  4. Unified Control Over Account Security and Scope of Use

It is generally recommended that only administrators or designated personnel within the organization use and maintain the main account.

IAM Users

IAM users are user accounts created by the main account in Access Control (IAM) to meet the requirements of multi-user collaboration and role-based management.

By default, newly created IAM users do not have any permissions. Only after authorization is granted by the main account can they access the specified products, resources, or features. IAM users themselves do not incur charges separately; all resource usage, service measurements, and billing for accounts under your organization are managed centrally by the main account.

Using IAM Users Helps You:

  • Create Independent Accounts for Different Members
  • Assign Permissions Based on Job Responsibilities
  • Prevent Multiple People from Sharing the Main Account
  • Enhance Account Security and Management Standardization

Relationship Between Main Account and IAM Users

A unified management relationship exists between the main account and IAM users.

  1. The main account is responsible for creating, authorizing, and managing IAM users.
  2. IAM users must obtain authorization before they can access the corresponding products, resources, and features.
  3. Resource usage and operations by IAM users are always attributed to the main account.
  4. All expenses incurred by IAM users are consolidated under the main account.

You can regard the main account as an organization-level administrator account, while IAM users are member accounts created and managed by the main account.

Identity Credentials

Identity credentials are used to verify user identities, primarily for logging into the console or invoking APIs.

Identity credentials are sensitive information. Please store them securely so that a leak cannot expose your account.

Common types of identity credentials in IAM include:

  • Login Username and Password
  • AccessKey

Login Username and Password

The login username and password are used to access the console. After logging in, users can access and manage relevant products, services, and resources according to their granted permissions.

AccessKey

AccessKey is used to access platform capabilities through API requests or the SDK, and applies to products that support programmatic access.

If your operations require system integration, automated scripts, or application-based service calls, you can utilize AccessKey for identity authentication and API access.

It is recommended to regularly review and update your credentials, and to avoid storing or transmitting credential information in insecure environments.

Permission Policy

A permission policy is a set of rules in IAM used to define access permissions, and also serves as the basic unit for granting permissions.

By attaching permission policies to an IAM user, you can control which features and resources the user can access and what actions they are permitted to perform.

System Policies

System policies are permission policies that are predefined and maintained by CDNetworks.

These types of policies are typically designed for common authorization scenarios and have fixed content, which cannot be modified by customers. When you want to quickly complete standardized permission assignments, you can use system policies directly.

Custom Policies

A custom policy is a permission policy created and maintained by the customer based on their specific business requirements.

By using custom policies, you can more flexibly control the scope of IAM users’ access to specific features or resources, enabling finer-grained authorization.

When system policies cannot meet actual management scenarios, custom policies can be used as a supplement.

Feature Policy

A feature policy is used to control the range of console features accessible to IAM users, such as page functionality, configuration capabilities, or data viewing permissions.

For applicable products, assigning only feature policies is usually not sufficient for users to view specific resource content. Feature permissions will only take effect when users are also granted the corresponding resource scope.

If a specific type of product in the console requires you to configure both feature permissions and resource scope, follow the authorization rules that product presents.

Expression Policy

An expression policy is a policy type defined based on IAM permission syntax. It is used to control IAM user access to specific resources through rule expressions.

With expression policies, you can specify in greater detail:

  • Accessible Resource Scope
  • Executable Operation Types
  • Allowed or Denied Access Actions

Expression policies are applicable to scenarios requiring fine-grained authorization.

The specific supported scope may vary by product. Please refer to the actual capabilities displayed in the console.
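To make the three elements above concrete (resource scope, operation types, allow/deny), here is an added toy evaluator that is not part of this article and not CDNetworks' IAM engine or policy syntax, which the page does not show. The statement shape, the glob-style matching, the action and resource names, and the rule that an explicit deny overrides any allow are all assumptions of this model; the one behaviour taken from the text is that a user with nothing attached is denied everything.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    """One rule of a hypothetical expression policy (shape assumed, not CDNetworks' syntax)."""
    effect: str                  # "Allow" or "Deny"
    actions: tuple[str, ...]     # operation types as glob patterns, e.g. ("cdn:Get*",)
    resources: tuple[str, ...]   # resource scope as glob patterns, e.g. ("domain:*.example.com",)


def _matches(patterns, value):
    # fnmatchcase: '*' matches any run of characters; comparison is case-sensitive
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide whether `action` on `resource` is permitted by the attached policies.

    Model assumptions: no matching statement means denied (a new IAM user with
    nothing attached can do nothing), and an explicit Deny wins over any Allow.
    """
    allowed = False
    for policy in policies:
        for statement in policy:
            if not (_matches(statement.actions, action)
                    and _matches(statement.resources, resource)):
                continue
            if statement.effect == "Deny":
                return False
            if statement.effect == "Allow":
                allowed = True
    return allowed


# Constructed sample policies; action and resource names are made up for the example.
READ_ONLY_CDN = (
    Statement("Allow", ("cdn:Get*", "cdn:List*"), ("domain:*",)),
)
EDIT_EXAMPLE_COM = (
    Statement("Allow", ("cdn:UpdateDomain",), ("domain:*.example.com",)),
)
FREEZE_STAGING = (
    Statement("Deny", ("cdn:*",), ("domain:staging.example.com",)),
)


def demo():
    """Return a few decisions so the outcome can be inspected or asserted."""
    attached = [READ_ONLY_CDN, EDIT_EXAMPLE_COM, FREEZE_STAGING]
    return {
        "view_www": evaluate(attached, "cdn:GetDomain", "domain:www.example.com"),
        "edit_www": evaluate(attached, "cdn:UpdateDomain", "domain:www.example.com"),
        "edit_other": evaluate(attached, "cdn:UpdateDomain", "domain:www.example.net"),
        "view_staging": evaluate(attached, "cdn:GetDomain", "domain:staging.example.com"),
        "nothing_attached": evaluate([], "cdn:GetDomain", "domain:www.example.com"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point of the model is the evaluation order: a request is checked against every attached statement, not just the first match, so a narrow deny (the staging domain) still holds even though a broad read allow matches the same request. When you write custom policies, reason about the whole attached set in the same way rather than about one policy in isolation.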

Service Group Management

A service group refers to a group of acceleration domains and applies only to CDN and security-related products (such as Flood Shield and WAF). Resources for other products (such as Object Storage) are scoped within the policy itself and are not assigned via service groups. Once a service group is assigned to a user, the user can manage the domains within that service group.

An acceleration domain can belong to multiple service groups, and a single user can also be assigned to multiple service groups.
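The two rules that matter in practice are that a feature policy only takes effect on domains inside the user's resource scope (see Feature Policy above) and that group membership is many-to-many: a domain may sit in several groups and a user may hold several groups. The following added model illustrates both; it is not CDNetworks' code, the feature names and domains are constructed, and the group named after the preset customer group only mirrors the description above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceGroup:
    """A named set of acceleration domains (the resource scope handed to a user)."""
    name: str
    domains: frozenset[str]


@dataclass(frozen=True)
class IamUser:
    name: str
    feature_policies: frozenset[str] = frozenset()   # console features granted (hypothetical names)
    service_groups: tuple[ServiceGroup, ...] = ()    # resource scope assigned to the user


def manageable_domains(user):
    """All domains the user may manage: the union of the assigned groups.
    A domain that sits in several of the user's groups is simply counted once."""
    scope = set()
    for group in user.service_groups:
        scope |= group.domains
    return frozenset(scope)


def can_use_feature(user, feature, domain):
    """A console feature takes effect on a domain only when both hold:
    the feature is granted AND the domain lies inside the user's resource scope."""
    return feature in user.feature_policies and domain in manageable_domains(user)


def groups_containing(groups, domain):
    """Reverse lookup: every group a domain belongs to (membership is many-to-many)."""
    return tuple(g.name for g in groups if domain in g.domains)


# Constructed sample data. Feature names are hypothetical, not CDNetworks identifiers.
ALL_DOMAINS = frozenset({"www.example.com", "img.example.com", "api.example.net"})
PRESET_CUSTOMER = ServiceGroup("Preset – Customer", ALL_DOMAINS)   # every domain of the account
IMAGES = ServiceGroup("images", frozenset({"img.example.com"}))
API = ServiceGroup("api", frozenset({"api.example.net"}))
GROUPS = (PRESET_CUSTOMER, IMAGES, API)

OPS_ADMIN = IamUser("ops-admin", frozenset({"cdn:config:view", "cdn:config:edit"}), (PRESET_CUSTOMER,))
IMG_VIEWER = IamUser("img-viewer", frozenset({"cdn:config:view"}), (IMAGES, API))
NEW_HIRE = IamUser("new-hire")   # freshly created: no features, no groups, hence no access


if __name__ == "__main__":
    checks = [
        (OPS_ADMIN, "cdn:config:edit", "www.example.com"),
        (IMG_VIEWER, "cdn:config:view", "img.example.com"),
        (IMG_VIEWER, "cdn:config:view", "www.example.com"),   # feature granted, domain out of scope
        (IMG_VIEWER, "cdn:config:edit", "img.example.com"),   # domain in scope, feature not granted
        (NEW_HIRE, "cdn:config:view", "www.example.com"),
    ]
    for user, feature, domain in checks:
        print(user.name, feature, domain, "->", can_use_feature(user, feature, domain))
    print("img.example.com is in:", groups_containing(GROUPS, "img.example.com"))
```

The two failing checks for `img-viewer` are the ones to keep in mind when troubleshooting: a user who reports that a feature "does nothing" is usually missing the service group, not the feature policy, and the reverse lookup shows which groups would bring a given domain into scope.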

Preset Service Group

Preset – Customer Service Group

When the contract is signed and the first user is created, the system automatically generates the Preset – Customer service group, which includes all acceleration domains under that customer’s account. The name of this service group cannot be modified.

Preset – Product Service Group

This service group automatically includes all domains associated with new contracts. With this group, customers can view the total traffic data under the contract and reconcile it with billing statements, making it easier to estimate traffic changes or plan for contract upgrades.

User-Defined Service Group

A custom service group allows you to select any combination of domains under contracts within the customer account. Once configured, assign it to an IAM user to grant management permissions for the domains included in the service group.