Best Practices - HUAWEI CLOUD · 2021. 1. 12. · Identity and Access Management Best Practices Issue 01 Date 2021-01-10 HUAWEI TECHNOLOGIES CO., LTD

Identity and Access Management

Best Practices

Issue 01

Date 2021-06-25

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 01 (2021-06-25) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 Recommendations for Using IAM........................................................................................1

2 Assigning Permissions to O&M Personnel.........................................................................4

3 Cross-Account Access Delegation and Resource Management..................................13

4 Authorizing IAM Users to Manage Resources of an Account..................................... 16

5 Multi-project Management................................................................................................ 195.1 Scenario.................................................................................................................................................................................... 195.2 Procedure................................................................................................................................................................................. 21

Identity and Access ManagementBest Practices Contents

Issue 01 (2021-06-25) Copyright © Huawei Technologies Co., Ltd. ii

1 Recommendations for Using IAM

To establish secure access to your HUAWEI CLOUD resources, follow theserecommendations for the Identity and Access Management (IAM) service.

Do Not Create Access Keys for Your HUAWEI CLOUD AccountYour HUAWEI CLOUD account has all the permissions required to access resourcesand make payments for the usage of resources. The password and access keys(AKs/SKs) are identity credentials for your account. The password is required forlogging in to the console, and access keys are your secondary identity credentialsthat allow programmatic requests with development tools. Access keys aresupplementary to the password and are not a must. Access keys can be lost oraccidentally disclosed. To enhance account security, do not create access keys foryour account.

Do Not Write Access Keys into CodeIf you use APIs, CLI, or SDKs to access cloud services, do not write your access keysinto the code.

Create Individual IAM UsersIf someone needs to access resources in your account, do not share your passwordwith them. Instead, create an individual IAM user for them and grant requiredpermissions to the IAM user. You can also create an IAM user for yourself, grantthe IAM user administrator permissions, and perform routing management usingthe IAM user.

Set Appropriate Access TypeYou can set the access type of IAM users, including programmatic access andmanagement console access. Note the following when you set the user type:

● If the user accesses HUAWEI CLOUD services only by using the managementconsole, specify the access type as Management console access and thecredential type as Password.

● If the user accesses HUAWEI CLOUD services only through programmaticcalls, specify the access type as Programmatic access and the credential typeas Access key.

Identity and Access ManagementBest Practices 1 Recommendations for Using IAM

Issue 01 (2021-06-25) Copyright © Huawei Technologies Co., Ltd. 1

● If the user needs to use a password as the credential for programmatic accessto certain APIs, specify the access type as Programmatic access and thecredential type as Password.

● If the user needs to perform access key verification when using certainservices in the console, specify the access type as "Programmatic access +Management console access" and the credential type as "Access Key +Password". For example, the user needs to perform access key verificationwhen creating a data migration job in the Cloud Data Migration (CDM)console.

Grant Least PrivilegeIt is a standard security measure to grant users only permissions required toperform specific tasks. You can achieve this by using IAM's system-defined orcustom policies. The principle of least privilege helps you establish secure access toyour HUAWEI CLOUD resources.

For IAM users who access cloud services by using APIs, CLI, or SDKs, grant theusers permissions by using custom policies to prevent losses due to accidentalaccess key disclosure or loss.

Enable Virtual MFAMulti-factor authentication (MFA) adds an additional layer of security protectionon top of the identity credentials for an account. It is recommended that youenable MFA authentication for your HUAWEI CLOUD account and privileged userscreated using your account. To log in to the management console, users mustenter their username and password and a verification code generated by thebound virtual MFA device.

An MFA device can be based on hardware or software. Currently, HUAWEI CLOUDsupports software-based virtual MFA device. It is a program that runs on aportable device (such as a mobile phone) and generates a six-digit verificationcode for identity authentication.

Set a Strong Password PolicyTo ensure that IAM users only use complex passwords and change themperiodically, set a password policy to define strong password requirements, such asminimum password length, and whether to allow consecutive identical charactersin a password, and whether to allow previously used passwords.

Enable Critical Operation ProtectionEnable critical operation protection to prevent misoperations. When you or userscreated using your account perform a critical operation, such as deleting aresource and generating an access key, you and users need to provide thepassword and a verification code to proceed with the operation.

Periodically Change Your Identity CredentialsPeriodically changing your password and access keys can prevent risks caused bytheir accidental disclosure or loss.



● Set a password validity period to require you and users created using youraccount to change passwords. IAM will start to display a prompt 15 daysbefore a password expires.

● You can create two access keys and use them interchangeably. For example,you can use access key 1 for a certain period, and then use access key 2 forthe next period. You can also delete access key 1 and generate another accesskey.

Delete Unnecessary Identity CredentialsFor users who only need to use the console, it is recommended that you do notcreate access keys for them, and delete any access keys that have already beencreated. If a user has not logged in for a long period, change the user's passwordand delete the user's access keys. In addition, set an account validity period toautomatically disable user accounts that have not been used for a long time.

Delegate Resource Access to Applications Running on ECSsApplications running on Elastic Cloud Servers (ECSs) can access other HUAWEICLOUD services only with a credential provided. To ensure that applications canprovide secure credentials, create an agency in IAM to grant required permissionsto the ECS where the applications run, and configure the agency for the ECS sothat the applications can obtain temporary access keys. The ECS applies for atemporary credential from IAM to securely access resources based on thepermissions granted through the agency. ECS automatically rotates temporarycredentials to ensure that they are secure and valid.

When you start an ECS, you can specify an agency for the ECS as a startupparameter. Applications running on the ECS can access HUAWEI CLOUD resourcesby providing the temporary access key obtained using the agency. The agencydetermines which applications can access specific resources.

Enabling CTSCloud Trace Service (CTS) is a log audit service provided by HUAWEI CLOUD. Itcollects, stores, and queries records of operations on IAM, facilitating securityanalysis, compliance audit, resource tracking, and fault locating. It isrecommended that you enable the CTS service to record key IAM operations, suchas creating and deleting IAM users.



2 Assigning Permissions to O&MPersonnel

Assume that company A has purchased different resources on HUAWEI CLOUD,and has multiple functional teams that need to use one or more types ofresources. Company A can use IAM to assign the permissions required for theO&M personnel to use resources.

Figure 2-1 Permissions management model

● Resource O&M team● Accounting management team● Resource monitoring team● Computing O&M team● Network O&M team● Database O&M team● Security O&M team

Assign required permissions to different functional teams in the companyaccording to Table 2-1. For details about permissions of all HUAWEI CLOUDservices, see System Permissions.

Identity and Access ManagementBest Practices 2 Assigning Permissions to O&M Personnel


https://support.huaweicloud.com/intl/en-us/usermanual-permissions/iam_01_0001.html

Table 2-1 System permissions

Functional Team Policy Permissions Description

Resource O&M team Tenant Administrator Full permissions for allcloud services, includingBilling Center, ResourceCenter, and My Account.The TenantAdministrator roleincludes the permissionsfor purchasing resources,managing renewals, andviewing bills. It does notinclude the permissionsfor the IAM service.

Accounting managementteam

BSS Administrator Full permissions forBilling Center, ResourceCenter, and My Account.The BSS Administratorrole includes thepermissions formanaging invoices,orders, contracts, andrenewals, and viewingbills. Users assignedonly this role cannotpurchase resourcesunless you grant themthe administratorpermissions of thecorresponding service.

Resource monitoringteam

Tenant Guest Read-only permissionsfor all cloud servicesexcept IAM and BillingCenter.

Computing O&M team ECS FullAccess Full permissions forElastic Cloud Server(ECS), includingpermissions forpurchasing ECSs. Usersassigned only the ECSFullAccess policy cannotview the usage of ECSsand other resourcesunless you assign themthe BSS Administratorrole.




CCE FullAccess Full permissions forCloud Container Engine(CCE), includingpermissions forpurchasing CCEresources. Users assignedonly the CCE FullAccesspolicy cannot view theusage of CCE resourcesand other resourcesunless you assign themthe BSS Administratorrole.

AutoScaling FullAccess Full permissions for AutoScaling (AS), includingpurchasing AS resources.Users assigned only theAutoScaling FullAccesspolicy cannot view theusage of AS resourcesand other resourcesunless you assign themthe BSS Administratorrole.

Network O&M team VPC FullAccess Full permissions forVirtual Private Cloud(VPC), includingpurchasing VPCs. Usersassigned only the VPCFullAccess policy cannotview the usage of VPCresources and otherresources unless youassign them the BSSAdministrator role.

ELB FullAccess Full permissions forElastic Load Balance(ELB), includingpurchasing loadbalancers. Users assignedonly the ELB FullAccesspolicy cannot view theusage of ELB resourcesand other resourcesunless you assign themthe BSS Administratorrole.




Database O&M team RDS FullAccess Full permissions forRelational DatabaseService (RDS), includingpurchasing RDSresources. Users assignedonly the RDS FullAccesspolicy cannot view theusage of RDS resourcesand other resourcesunless you assign themthe BSS Administratorrole.

DDS FullAccess Full permissions forDocument DatabaseService (DDS), includingpurchasing DDSresources. Users assignedonly the DDS FullAccesspolicy cannot view theusage of DDS resourcesand other resourcesunless you assign themthe BSS Administratorrole.

DDM FullAccess Full permissions forDistributed DatabaseMiddleware (DDM).

Security O&M team Anti-DDoS Administrator Full permissions for Anti-DDoS.

CAD Administrator Full permissions forAdvanced Anti-DDoS(AAD).

KMS Administrator Full permissions for DataEncryption Workshop(DEW), includingpurchasing DEWresources. Users assignedonly the KMSAdministrator rolecannot view the usage ofDEW resources and otherresources unless youassign them the BSSAdministrator role.



Assigning Permissions to O&M Personnel

The following is an example procedure for specifying an employee of company Aas the network O&M owner for the AP-Hong Kong region. If you want to specifyan employee as any other O&M owner, grant the required permissions to theemployee according to Table 2-1.

Step 1: Create a User Group and Assign Permissions

Step 1 Log in to the HUAWEI CLOUD management console.

Step 2 On the management console, hover the mouse pointer over the username in theupper right corner and then choose Identity and Access Management.

Step 3 On the IAM console, choose User Groups in the navigation pane. Then clickCreate User Group.

Step 4 Enter the user group name Network_OM, and click OK.

Step 5 In the row containing the user group, click Manage Permissions.

Step 6 On the Permissions tab page, click Assign Permissions above the permission list.

Step 7 Specify the scope as Region-specific projects, and select AP-Hong Kong from thedrop-down list.

Step 8 Search for and select VPC FullAccess and ELB FullAccess, and click OK.



NO TE

● If users in the group need to view resource usage, attach the BSS Administrator role tothe group for the same project.

● When specifying an employee as the security O&M owner according to Table 2-1, youmust grant the employee other related permissions because the security domaininterworks with other cloud services. For more information, see Assigning DependentRoles.

----End

Step 2: Create an IAM User

Step 1 In the navigation pane of the IAM console, choose Users. Then click Create User.

Step 2 Specify the user information and access type. To create more users, click AddUser. A maximum of 10 users can be created at a time.

Figure 2-2 Configuring user information

NO TE

● Users can log in to HUAWEI CLOUD using the username, email address, or mobilenumber.

● If users forget their password, they can reset it through email address or mobile numberverification. If no email address or mobile number has been bound to users, users needto contact the administrator to reset their password.

Table 2-2 User information

Parameter

Description

Username

Username that will be used to log in to HUAWEI CLOUD, for example,James and Alice. This field is required.

EmailAddress

Email address of the IAM user that can be used as a login credential. IAMusers can bind an email address after they are created. This field isrequired if you have specified Set by user as the access type.

MobileNumber

Mobile phone number of the IAM user that can be used as a logincredential. IAM users can bind a mobile number after they are created.This field is optional.



https://support.huaweicloud.com/intl/en-us/usermanual-iam/iam_01_0657.html


Parameter

Description

Description

Additional information about the IAM user. This field is optional.

Figure 2-3 Setting the access type

● Programmatic access: Select this option to allow the user to access HUAWEICLOUD services using development tools, such as APIs, CLI, and SDKs. You cangenerate an access key or set a password for the user.

● Management console access: Select this option to allow the user to accessHUAWEI CLOUD services using the management console. You can set orgenerate a password for the user or request the user to set a password at firstlogin.

NO TE

– If the user accesses cloud services only by using the management console,specify the access type as Management console access and the credential type asPassword.

– If the user accesses cloud services only through programmatic calls, specify theaccess type as Programmatic access and the credential type as Access key.

– If the user needs to use a password as the credential for programmatic accessto certain APIs, specify the access type as Programmatic access and the credentialtype as Password.

– If the user needs to perform access key verification when using certain services inthe console, specify the access type as "Programmatic access + Managementconsole access" and the credential type as "Access Key + Password". For example,the user needs to perform access key verification when creating a data migrationjob in the Cloud Data Migration (CDM) console.



Table 2-3 Setting the credential type and login protection

Credential Typeand LoginProtection

Description

Access key After users are created, you can download the accesskeys (AK/SK) generated for these users.Each user can have a maximum of two access keys.

Password

Set now Select this option if you are the user. Then, set apassword for login. You can choose whether to resetyour password at first login.

Automaticallygenerated

The system automatically generates a login passwordfor the user. After the user is created, you can downloadthe EXCEL password file and provide the password tothe user.This option is available only when you create asingle user.

Set byuser

If you are the administrator setting the password forthe user, select this option and enter an email addressand a mobile number. The user can then set a passwordby clicking on the one-time login URL sent over email.

LoginProtection

Enable(Recommended)

If login protection is enabled, the user will need toenter a verification code in addition to the usernameand password during login. Enable this function foraccount security.You can select SMS, email, or virtual MFA device forverification during login.

Disable If login protection is disabled, you can enable it later byfollowing the instructions provided in Modifying IAMUser Information.

Step 3 (Optional) Click Next to add the users to user groups.● The users will inherit the permissions assigned to the user groups to which

they belong.● You can also create new groups as required.

NO TE

● If the user will be an administrator, add the user to the default group admin.● Each user can be added to multiple user groups.

Step 4 Click Next. If you have specified the access type as Programmatic access in Step2, download the access key on the Finish page.



https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html

https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html



Figure 2-4 Users created successfully

----End

Step 3: Log In as an IAM User and Verify PermissionsAn IAM user can log in using different methods. The following describes how tolog in through the login page. For more login methods, see Logging In toHUAWEI CLOUD.

Step 1 On the HUAWEI CLOUD login page, click IAM User.

Step 2 On the IAM User Login page, enter the account name, username, and passwordof the created user.● Account name: Name of the account used to create the IAM user● Username and password: The username and password specified for the IAM

user.

Step 3 On the management console, switch to the AP-Hong Kong region.

Step 4 Choose Service List > Virtual Private Cloud, Elastic Load Balance, and DomainName Service, and perform operations on each service console to verify that thepermissions have been successfully assigned.

Step 5 Choose a service other than VPC, ELB, and DNS from the Service List to ensurethat the service cannot be accessed.

Step 6 On the management console, switch to a region other than AP-Hong Kong andensure that the VPC, ELB, and DNS consoles cannot be accessed.

----End





3 Cross-Account Access Delegation andResource Management

Company A and company B have registered HUAWEI CLOUD account A andaccount B, respectively. If account A wants to authorize account B to manage itsresources, account A can create an agency in IAM to establish a trust relationshipbetween the two accounts.

Requirements● Account A has purchased different types of resources on HUAWEI CLOUD.

Account A wants to authorize account B to manage its VPC resources in theAP-Hong Kong region.

● Account B can authorize one or more employees (IAM users) of company B tomanage account A's resources.

● Account A can modify or cancel the authorization provided to account B atany time.

Solution● Account A creates an agency on the IAM console to authorize account B to

manage its resources.● Account B assigns permissions to its IAM users to manage account A's

resources specified in the agency.● Account A can modify or delete the agency at any time. Deleting the agency

will automatically cancel the permissions assigned to account B and its IAMusers for managing account A's resources.

Identity and Access ManagementBest Practices

3 Cross-Account Access Delegation and ResourceManagement


Figure 3-1 Cross-account authorization model

Delegating an Account to Manage Resources

Account A performs the following procedure to delegate account B to manage itsVPC resources in the AP-Hong Kong region.

Step 1 Log in to HUAWEI CLOUD using account A. On the IAM console, choose Agenciesin the navigation pane.

Step 2 Click Create Agency, and enter an agency name, for example, VPC ResourcesO&M.

Step 3 Select the Account agency type, and enter the account name of company B, forexample, B-Company.

Step 4 Set Validity Period to Unlimited.

Step 5 Click Assign Permissions, search for and select the VPC FullAccess policy, andthen select AP-Hong Kong.

Step 6 Click OK.

The agency is displayed in the agency list.

NO TE

Account A can delete the created agency at any time to cancel the assigned permissions.

----End

Managing Resources of an Account

After the agency is created, account B can switch roles to account A to manageaccount A's resources. To do this, account B needs to have obtained account A'saccount name and the agency name.

Step 1 Log in to the HUAWEI CLOUD management console using account B.

Step 2 Click the username in the upper right corner, and choose Switch Role.




Step 3 Enter the account name of account A. The agency created by account A isdisplayed automatically.

Step 4 Click OK to switch to account A.

----End




4 Authorizing IAM Users to ManageResources of an Account

Company B is a professional O&M company. It becomes a delegated party afterbeing authorized by company A. Company B assigns permissions to one or moreof its IAM users to manage company A's resources.

Requirements● Company B wants to authorize its employees (IAM users) to manage the

delegated resources of company A.● If company A creates multiple agencies for company B, company B can

allocate the agencies to different employees. This will allow each employee toonly manage resources of specific agencies.

Solution● Account B creates users on the IAM console, and grants the permissions

(including Agent Operator) required for managing delegated resources to theusers.

● Account B creates a custom policy with only the permissions required tomanage the delegated resources of an agency. Then, account B attaches thepolicy to the group to which a user belongs, so that the user can only managethe resources of the agency.

ProcedureAccount B performs the following procedure to authorize IAM users to manageresources of specific agencies. After authorization, the IAM users of account B canswitch their roles to account A to manage account A's resources. To do this,account B needs to have obtained the HUAWEI CLOUD account name, agencyname, and agency ID of the delegating party.

Step 1 Create a custom policy.


4 Authorizing IAM Users to Manage Resources of anAccount


NO TE

● To authorize a user to manage only the resources of a specific agency, perform thefollowing steps.

● To authorize a user to manage the resources of all agencies, go to Step 2.

1. Log in to the HUAWEI CLOUD management console using account B.2. On the IAM console, choose Permissions in the navigation pane, and click

Create Custom Policy.3. Enter the policy name, for example, Agency 1 Management for Company A.4. Select Global services for Scope.5. Select JSON.6. In the Policy Content area, enter the following content:

{ "Version": "1.1", "Statement": [ { "Action": [ "iam:agencies:assume" ], "Resource": { "uri": [ "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..." ] }, "Effect": "Allow" } ]}

NO TE

Replace b36b1258b5dc41a4aa8255508xxx... with an agency ID.

7. Click OK.

Step 2 Create a user group and grant permissions to it.

1. In the navigation pane, choose User Groups.2. On the User Groups page, click Create User Group.3. Enter the user group name, for example, Agency Management.4. Click OK.

The user group is displayed in the user group list.5. Click Manage Permissions in the row containing the user group, click Assign

Permissions, and then select an authorization scope.6. Select the Agency 1 Management for Company A agency created in 1 or the

Agent Operator role.

NO TE

– The custom policy allows the user only to manage resources of a specific agencyID.

– The Agent Operator role allows the user to manage the resources of all agencies.

7. Click OK.

Step 3 Create a user and add the user to the user group.




1. In the navigation pane, choose Users.2. On the Users page, click Create User.3. On the Create User page, enter a username and email address.4. For the access type, select Management console access and Set by user.5. Enable login protection, select a verification mode, and click Next.6. Select the Agency Management group created in Step 2, and click Next.7. Click OK.

Step 4 Switch the role.

1. Log in to HUAWEI CLOUD as the user created in Step 3. For moreinformation, see Logging In as an IAM User.

2. Click the username in the upper right corner, and choose Switch Role.3. Enter the account name of the delegating party. The agency created by the

delegating party is displayed automatically.

NO TE

If an agency other than the agencies created by the delegating party is displayed, amessage is displayed indicating that you do not have access permissions. Select thecorrect agency in the Agency Name drop-down list box.

4. Click OK to switch to the delegating account.

----End





5 Multi-project Management

5.1 ScenarioCompany A is an enterprise user of HUAWEI CLOUD, and it has multiple projectteams that require different resources and personnel. This section presents thebest practice for multi-project management to address company A's requirements.

Requirements● Requirement 1: Company A can purchase multiple types of resources in CN

North-Beijing4 and CN East-Shanghai1 for two project teams. Resources ofthe two project teams need to be isolated from each other.

● Requirement 2: Each member of the project teams can access only theresources of the project team to which the member belongs, and only has thepermissions required to complete tasks.

● Requirement 3: Each project team makes payments only for the resourcesused by its members, and the project expenditures are clear.

Solution● Solution to requirement 1: Enterprise Management (EPS) and Identity and

Access Management (IAM) are two cloud services of HUAWEI CLOUD thatcan isolate resources between projects. However, the implementation logicand functions of the two services are different.– Enterprise Management: You can create enterprise projects to group

and manage resources across regions. Resources in enterprise projects arelogically isolated from each other. Each enterprise project can containresources of multiple regions.

– IAM: IAM projects group and physically isolate resources in a region, andeach IAM project can only contain resources in the same region.

In conclusion, Enterprise Management provides more flexible cross-region resourceisolation between projects than IAM. Therefore, it is recommended that companyA use Enterprise Management to manage project resources. The solutions to thefollowing requirements are proposed using the Enterprise Management service.For details about the two services, see What Are the Differences Between IAMand Enterprise Management?

Identity and Access ManagementBest Practices 5 Multi-project Management


https://support.huaweicloud.com/intl/en-us/usermanual-em/em-topic_02.html

https://support.huaweicloud.com/intl/en-us/productdesc-iam/iam_01_0026.html

https://support.huaweicloud.com/intl/en-us/iam_faq/iam_01_0101.html

https://support.huaweicloud.com/intl/en-us/iam_faq/iam_01_0101.html

● Solution to requirement 2: In IAM, company A creates IAM users foremployees and adds the IAM users to different groups. In EnterpriseManagement, company A adds the user groups to the enterprise projectscreated to address Requirement 1 and assigns required resource accesspermissions (see Table 5-1) to each user group.

Figure 5-1 Personnel management model of company A

Table 5-1 User group permissions in company A

UserGroup

Responsibility

Permissions Description

Accountingteam

Projectexpendituremanagement

EnterpriseProject BSSFullAccess

Permissions for accountingmanagement of enterpriseprojects

Developmentteam

Projectdevelopment

ECS FullAccess Full permissions for Elastic CloudServer (ECS)

OBS FullAccess Full permissions for ObjectStorage Service (OBS)

ELB FullAccess Full permissions for Elastic LoadBalance (ELB)

Securitymaintenanceteam

Security O&Mof the project

ECSCommonOperations

Permissions for basic ECSoperations

CADAdministrator

Full permissions for AdvancedAnti-DDoS (AAD)



UserGroup

Responsibility

Permissions Description

Operationsteam

Overalloperations ofthe project

EPS FullAccess Full permissions for EnterpriseManagement, includingmodifying, enabling, disabling,and viewing enterprise projects

NO TE

For details about permissions of all HUAWEI CLOUD services, see System Permissions.

● Solution to requirement 3: Company A uses Enterprise Management tomanage renewals, orders, accounting, unsubscriptions, changes, and quotas ofeach enterprise project. For details, see Managing Financial Information ofEnterprise Projects.

5.2 ProcedureThe following figure illustrates the process of enterprise project management foraddressing company A's requirements.

Figure 5-2 Enterprise project management process

Step 1: Enable the Enterprise Management service and create enterprise projectson the Enterprise Management console.

Step 2: On the IAM console, create a user group for each functional team, createIAM users for employees, and add the users to different user groups.



https://support.huaweicloud.com/intl/en-us/usermanual-permissions/iam_01_0001.html

https://support.huaweicloud.com/intl/en-us/usermanual-em/en-us_topic_0124061016.html


Step 3: On the Enterprise Management console, assign the required permissionsto each user group, and add the user group to the corresponding enterpriseproject. Users in the group automatically inherit its permissions.

Step 4: Purchase resources on other cloud service consoles and associate theresources with the corresponding enterprise projects.

Follow-Up Operation: Enterprise Project Management: Perform personnel,resource, and accounting management on the Enterprise Management console.

Enabling Enterprise Management and Creating Enterprise Projects

Perform the following procedure to create two enterprise projects (A and B) onthe Enterprise Management console.

Step 1 Use a HUAWEI CLOUD account to log in to the HUAWEI CLOUD console. Thenpoint to the account name in the upper right corner and choose BasicInformation.

Step 2 On the Basic Information page, click Enable Enterprise Project Function.

NO TE

If you have not completed real-name authentication for your account, perform enterprisereal-name authentication first.

Step 3 Read and agree to the HUAWEI CLOUD Enterprise Management Agreement, andclick Apply Now.

Step 4 On the HUAWEI CLOUD management console, choose Enterprise > ProjectManagement.

Figure 5-3 Accessing the Enterprise Project Management page

Step 5 On the Enterprise Project Management page, click Create Enterprise Project.

Figure 5-4 Creating an enterprise project

Step 6 Enter Enterprise_Project_A for Name and click OK.

Step 7 Repeat 5 to 6 to create Enterprise_Project_B.

The two enterprise projects are displayed on the Enterprise Project Managementpage.

----End



https://support.huaweicloud.com/intl/en-us/usermanual-account/en-us_topic_0119621536.html

https://support.huaweicloud.com/intl/en-us/usermanual-account/en-us_topic_0119621536.html

Creating IAM Users and User GroupsThe following is an example procedure for creating a user group (EnterpriseProject A_Accounting) and user (Murphy) and adding the user to the user group.

Step 1 Create a user group.

1. On the HUAWEI CLOUD management console, point to the account name inthe upper right corner and choose Identity and Access Management.

2. On the IAM console, choose User Groups in the navigation pane. Then clickCreate User Group.

Figure 5-5 Creating a user group

3. Set the user group name to Enterprise Project A_Accounting and click OK.4. Repeat steps 2 to 3 to create the accounting, development, security

maintenance, and operation teams for the two enterprise projects.

The user groups are displayed in the user group list.

Step 2 Create an IAM user and add the user to a user group.

1. In the navigation pane of the IAM console, choose Users. Then click CreateUser.

Figure 5-6 Users page

2. Specify the user information, select an access type (see Figure 5-7), and clickNext.

Figure 5-7 Creating an IAM user



https://support.huaweicloud.com/intl/en-us/usermanual-iam/iam_02_0001.html#iam_02_0001__en-us_topic_0170090650_table1777851811233

3. Add user Murphy to the user group Enterprise Project A_Accounting andclick Create.

Figure 5-8 Adding the user to a user group

4. Repeat steps 1 to 3 to create users for all employees and add the users tocorresponding user groups.

The user is displayed in the user list. You can view the IAM users of each usergroup on the Users tab page.

----End

Associating User Groups with Enterprise Projects

The following is an example procedure for associating user group EnterpriseProject A_Accounting with enterprise project A and assigning the user group theEnterprise Project BSS FullAccess policy. Then users in the user group canperform accounting management of enterprise project A.

Step 1 On the HUAWEI CLOUD management console, choose Enterprise > ProjectManagement.

Step 2 On the Enterprise Project Management page, choose More > View User Groupin the row that contains enterprise project A.

Figure 5-9 Accessing the enterprise project details page

Step 3 On the details page of enterprise project A, choose Permissions > User Groupsand click Assign Permissions.

Step 4 On the Assign Permissions page, select Enterprise Project A_Accounting andclick Next.



Figure 5-10 Adding user groups

Step 5 Select Enterprise Project BSS FullAccess and click OK to grant accountingmanagement permissions to the user group Enterprise Project A_Accounting.



Figure 5-11 Assigning permissions to the user group

NO TE

You can create custom policies to supplement system-defined policies for fine-grainedpermissions management. For details, see Creating a Custom Policy.

To view or modify user group permissions of an enterprise project, go to theenterprise project details page, click the Permissions tab, click Attach Policy inthe row that contains the target user group, and view or modify the permissionsof the user group.

----End

Purchasing Resources and Associating Them with Enterprise Projects

The following is an example procedure for purchasing an ECS and associating itwith enterprise project A.

Step 1 Log in to the HUAWEI CLOUD management console, click in the upper leftcorner, and choose Compute > Elastic Cloud Server.




Step 2 Click Buy ECS in the upper right corner.

Figure 5-12 Buying an ECS

Step 3 Specify the ECS information and select Enterprise_Project_A from theEnterprise Project drop-down list.

Figure 5-13 Selecting an enterprise project

Step 4 Click Next in the lower right corner to view the resource details and submit theorder.

Step 5 Repeat Step 1 to Step 4 to purchase required resources for the two enterpriseprojects.

To view the purchased resources, go to the Enterprise Management console andclick View Resource in the row that contains enterprise project A or B.

NO TE

● Currently, Enterprise Management only supports specific HUAWEI CLOUD services.

● If you have already purchased required resources, you can directly associate them withthe two enterprise projects. For details, see Adding Resources to an Enterprise Project.

----End

Follow-Up Operation: Enterprise Project Management

After completing the preceding steps, you can manage your enterprise projects onthe Enterprise > Project Management > Enterprise Project Management page.

● Resource management: Click View Resource to view the existing resourcesof an enterprise project and add more resources to the enterprise project.

● Personnel management: Choose More > View User Group to view the usersand user groups associated with an enterprise project, and modify theirpermissions for the enterprise project.

● Accounting management: Click View Expenditures to view the orders andbills and manage renewals of an enterprise project. For details, see ManagingFinancial Information of Enterprise Projects.



https://support.huaweicloud.com/intl/en-us/qs-ecs/ecs_02_0009.html






Documents

Best Practices - HUAWEI CLOUD · 2021. 1. 12. · Identity and Access Management Best Practices Issue 01 Date 2021-01-10 HUAWEI TECHNOLOGIES CO., LTD