user guide - docs.otc.t-systems.com · and people, iam encrypts your personnel data before storing...

Identity and Access Management

User Guide

Date 2019-04-19

Contents

1 Product Introduction...............................................................................................................11.1 Identity and Access Management..................................................................................................................................... 11.2 IAM Features............................................................................................................................................................................. 11.3 Identity Management............................................................................................................................................................ 21.4 Permission Management...................................................................................................................................................... 41.5 Personal Data Protection Mechanism.............................................................................................................................. 6

2 Getting Started........................................................................................................................ 82.1 Quick Start with IAM............................................................................................................................................................. 82.2 Creating a Security Administrator..................................................................................................................................... 92.3 Creating and Authorizing a User Group....................................................................................................................... 112.4 Creating a User and Adding It to a User Group.........................................................................................................112.5 Logging In with an IAM User............................................................................................................................................14

3 User Guide...............................................................................................................................153.1 Audit.......................................................................................................................................................................................... 153.1.1 IAM Operations That Can Be Recorded by CTS...................................................................................................... 153.1.2 Viewing Audit Logs........................................................................................................................................................... 173.2 User and User Group Management............................................................................................................................... 193.2.1 Managing Users and Their Permissions.................................................................................................................... 193.2.2 Managing a Project...........................................................................................................................................................213.2.3 Creating a User Group..................................................................................................................................................... 223.2.4 Creating a User.................................................................................................................................................................. 233.2.5 Switching Projects or Regions....................................................................................................................................... 263.2.6 Viewing and Modifying User Information................................................................................................................ 263.2.7 Viewing and Modifying User Group Information...................................................................................................283.2.8 Changing User Permissions............................................................................................................................................293.3 Fine-grained Policy Management................................................................................................................................... 293.3.1 Fine-grained Policy............................................................................................................................................................293.3.2 Policy Language................................................................................................................................................................. 293.3.3 Creating Custom Policies................................................................................................................................................ 323.4 Setting Account Security Policies.....................................................................................................................................343.5 Agency Management.......................................................................................................................................................... 353.5.1 Delegating Other Accounts to Manage Resources................................................................................................ 35

Identity and Access ManagementUser Guide Contents

2019-04-19 ii

3.5.2 Creating an Agency (by a Delegating Party)...........................................................................................................373.5.3 Assigning Permissions (by a Delegated Party)........................................................................................................383.5.4 Switching Roles (by a Delegated Party).................................................................................................................... 403.6 Federated Identity Authentication.................................................................................................................................. 413.6.1 Advantages of Federated Identity Authentication................................................................................................. 413.6.2 Configuring Federated Identity Authentication...................................................................................................... 433.6.3 Establishing a Trust Relationship................................................................................................................................. 443.6.4 Creating an IdP...................................................................................................................................................................453.6.5 Configuring SSO.................................................................................................................................................................483.6.6 Using Rules to Control Federated User Access to the Cloud System.............................................................. 493.6.7 Identity Conversion Rule for Federated Users......................................................................................................... 513.6.8 SSO Process......................................................................................................................................................................... 57

4 FAQs..........................................................................................................................................594.1 How Do I Enable the Login Authentication Function?............................................................................................ 594.2 How Do I Bind a Virtual MFA Device?...........................................................................................................................604.3 How Do I Obtain MFA Authentication Codes?........................................................................................................... 614.4 How Do I Unbind a Virtual MFA Device?..................................................................................................................... 62

A Change History...................................................................................................................... 63

Identity and Access ManagementUser Guide Contents

2019-04-19 iii

1 Product Introduction

1.1 Identity and Access ManagementIdentity and Access Management (IAM) provides identity authentication,permissions management, and access control. With IAM, you can create users foremployees, systems, and applications in your enterprise and grant permissions tothese users to manage your resources. Each user has their own security credentialsand you do not need to share your password or access keys with them. Securitypolicies can be configured to ensure account security and eliminate informationsecurity risks.

IAM is free of charge, so you only need to pay for the resources in your domain.

1.2 IAM FeaturesIAM provides basic functions such as identity authentication and permissionmanagement.

● Refined permission managementYou can control user access permissions to different projects and grantdifferent permissions to users in the same project. For example, you can grantsome users the permissions to manage OBS, and grant other users the read-only permission on OBS.

Identity and Access ManagementUser Guide 1 Product Introduction

2019-04-19 1

Figure 1-1 Permission management model

● Convenient user authorizationYou can use IAM to authorize users in just two steps:

a. Plan user groups according to users' responsibilities and grant thecorresponding permissions to each user group.

b. Add a user to the user group that matches their responsibilities.● Federated identity authentication

With federated identity authentication, users in your identity authenticationsystem can access your resources directly through an SSO.

● Delegating other cloud services or third-party accounts to manage resourcesYou can delegate your operation permissions to another cloud service or athird-party account so that the cloud service or users using the account canhelp you manage resources under your account efficiently.

● Providing authentication and authorization to servicesUsers who have been authenticated by IAM can access other services (forexample, RDS, CTS, and OBS) in the cloud system based on the permissionsthey have been granted.

● Centralized security policy managementUsers can set policies for login verification and passwords, and configure anACL to improve the security of user information and system data.

1.3 Identity ManagementIAM allows you to manage users in your account and their security credentials. InIAM, federated identity authentication allows users from other systems to accessyour system through an SSO, simplifying user management.

AccountAn account is created automatically when user registration is successful. Anaccount has full access permissions for all the resources under the account.

As an account is a payment entity, you are advised to create a securityadministrator, who is granted the Security Administrator permission to managethe users and their permissions in your account.


2019-04-19 2

Figure 1-2 Account management module

IAM UserA user is created by the administrator in IAM. An IAM user uses cloud services andcorresponds to an employee, system, or application. IAM users have identitycredentials (passwords and access keys) and can log in to the managementconsole or access APIs.


2019-04-19 3

Figure 1-3 Relationship between the account and users

Federated UserFederated users are users who access the cloud system using federated identityauthentication.

With federated identity authentication, the users who have been authenticated bythe IdP can access the resources of the SP without being authenticated by the SP.

● An IdP is a system that provides identity authentication to users. The IdP infederated identity authentication of IAM is the identity authentication systemof an enterprise, for example, an enterprise management system.

● A service provider (SP) is a system that provides services to users.

Federated identity authentication allows IdP users to access the cloud system byusing the security credentials provided by the IdP. IAM does not need to generatenew security credentials for the users. This implements SSO.

1.4 Permission ManagementYou can use IAM to grant different users access to different resources.


2019-04-19 4

Granting Permissions to Users

Figure 1-4 Authorization model

1. Plan user groups and grant the permissions to each user group.

2. Add a user to the user group so that the user has the permissions of thegroup.

When personnel changes occur, you only need to change individual userpermissions by changing their user group. User groups make permissionmanagement efficient.

Granting Permissions to Other Accounts

You (account A) can create an agency on IAM to grant required permissions to thedelegated account (account B). The administrator of account B grants the AgentOperator permissions to the user of account B to enable the user to manageresources in your account (account A).

Granting Permissions to Federated Users

You can use IAM to create an IdP and create rules for federated users to convertthem into identities defined in IAM. This allows IAM to control their permissions toaccess cloud resources.

Figure 1-5 Principles of identity conversion for federated users


2019-04-19 5

1.5 Personal Data Protection MechanismTo ensure that your personal data, such as the username, password, and mobilephone number, will not be obtained by unauthorized and unauthenticated entitiesand people, IAM encrypts your personnel data before storing it to control accessto the data and generate logs for operations performed on the data, preventingdata leakage.

Personal Data to Be CollectedTable 1-1 lists the personal data collected or generated by IAM.

Table 1-1 Personal data

Type Data Collection Can BeModified

Mandatory

Username ● A username must be enteredwhen you create a user onthe management console.

● A username must be enteredwhen you make an API call.

No YesThe usernameis the identityof the user.

Password ● A password must be enteredwhen you create a user,modify user credentials, andreset the password on themanagement console.

● A password must be enteredwhen you make an API call.

Yes NoYou can useeither thepassword orAccess Key ID(AK) andSecret AccessKey (SK).

Emailaddress

An email address must beentered when you create a user,modify user credentials, andreset the password on themanagement console.

Yes No

Mobilephonenumber

A mobile phone number mustbe entered when you create auser, modify user credentials,and change the phone numberon the management console.

Yes No


2019-04-19 6

Type Data Collection Can BeModified

Mandatory

AK and SK The AK and SK can be createdon the My Credential page oron the page for you to setcredentials of a user.

NoThe AK and SKcannot bemodified. To usedifferent AKsand SKs, youcan deleteexisting onesand create newones.

NoThe AK andSK signrequestswhen an APIis called.

Storage ModesIAM uses encryption algorithms to encrypt users' sensitive data and storesencrypted data.

● Usernames and AKs are not sensitive data and stored in plaintext.● Passwords, email addresses, mobile phone numbers, and SKs are encrypted

and then stored.

Access ControlUser personal data is encrypted before being stored in the IAM database. Thewhitelist mechanism is used to control access to the database.

API Constraints● When you call an API to access the cloud system, the AK and SK are required

for authentication. You can obtain the AK and SK only at the time you createthem. If you lose or forget the AK and SK, you cannot retrieve them throughthe management console or API. Instead, you can create new AKs and SKs. Donot share your AKs and SKs with anyone to prevent data leakage.

● IAM does not provide the APIs for you to batch query and modify personaldata.

LogsIAM records logs for all operations, such as adding, editing, querying, and deleting,performed on personal data. The logs are uploaded to Cloud Trace Service (CTS).You can view only the logs generated for operations you performed.


2019-04-19 7

2 Getting Started

2.1 Quick Start with IAMAn account is a payment entity and has complete access to all services andresources in the account. To ensure account security, you are advised to create asecurity administrator to perform routine management tasks.

If a user needs to access resources in your account, you can use the securityadministrator to create an IAM user and a user group with the minimumpermissions, and then add the user to the user group so that the user has thepermissions of the user group. The user can use the created IAM user account andtheir own security credentials (username/password) to access resources in youraccount based on their permissions, avoiding sharing your account and passwordwith other users and reducing security risks.

ExampleThe following is an example of how to use IAM.

An account includes three groups of users with different responsibilities. Eachresponsibility corresponds to a user group: security administrator group (admin),development personnel group, and test personnel group. Each group can containmultiple users, and a user can belong to multiple groups.

Identity and Access ManagementUser Guide 2 Getting Started

2019-04-19 8

Figure 2-1 User management model

1. Use your account to create a security administrator Bob and add Bob to thedefault user group admin.

2. Use Bob to create another security administrator named Alice, and add Aliceto the default admin user group.

3. Use a security administrator (Bob or Alice) to create the Developmentpersonnel and Test personnel user groups and grant the required minimumpermissions to each group.

4. Use a security administrator (Bob or Alice) to create development personnelusers named Job and Joy and add them to the Development personnel usergroup, and then to create test personnel users named Ray and Job and addthem to the Test personnel user group.

5. Users (Job, Joy, and Ray) log in to the system.

Security administrators and users are all IAM users and have different permissionsbased on the user groups to which they belong. They all have their own securitycredentials (username/password) to log in to the system.

2.2 Creating a Security AdministratorThis section explains how to create a security administrator to manage the usersin your account.


2019-04-19 9

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, choose Users.

Step 3 On the Users page, click Create User.

Step 4 On the Create User page, enter Username.

Step 5 Select Password for Credential Type.

● A password can be used to log in to the management console and enable developmenttools (such as APIs, the CLI, and SDK) that can access cloud services through passwordauthentication. This is the recommended option because the security administratormanages users.

● Access keys are used to enable development tools (such as APIs, the CLI, and SDK) thatcan access cloud services through key authentication.

Step 6 In the User Groups area, select admin from the drop-down list.

Step 7 Click Next.

Step 8 Select Set manually for Password Type.

A security administrator can log in to the management console and use IAM to manageusers. You are advised to select Set manually for Password Type when you create asecurity administrator for your account. If you create a security administrator for anotheruser, you are advised to select Set at first login for Password Type instead so that the usercan set their own password.

Step 9 Enter the email address, mobile number, password, and confirm password.

● You are advised to enter an email address or mobile number for the securityadministrator. These will be used as the security administrator's credentials.

● The password must meet the following requirements:

It must be 6 to 32 characters long.

It must contain at least two of the following character types: uppercase letters,lowercase letters, digits, and special characters (!"#$%&'()*+,-./:;<=>?@[]^`{_|}~ andspaces).

It cannot be the username or the username spelled backwards. For example, if theusername is A12345, the password cannot be A12345, a12345, 54321A or 54321a.

Step 10 Select Require Password Reset to ensure that the security administrator is forcedto change the password the first time the administrator logs in. The RequirePassword Reset option is selected by default. It is recommended that you retainthe default setting to ensure that the security administrator account password isset by the security administrator, preventing password leakage.

Step 11 Click OK.

----End


2019-04-19 10

2.3 Creating and Authorizing a User GroupYou can plan user groups based on users' responsibilities. Access IAM with asecurity administrator to create user groups and grant specific permissions tothem.

Procedure


Step 2 In the navigation pane, choose User Groups.

Step 3 On the User Groups page, click Create User Group.

Step 4 Enter a user group name.

Step 5 (Optional) Set Description.

It is recommended that you set Description for a user group. For example, if you grant theSecurity Administrator permission to a user group, you can add a description to enableusers to directly view their permissions and permission details. You can add a customdescription or the following description to the Description text box: SecurityAdministrator: has the rights to create, delete, and modify users as well as grantpermissions to users. For details about the permissions, see Permission Description.

Step 6 Click OK.

The user group list is displayed, including the newly created user group.

Step 7 Click Modify in the Operation column of the row that contains the newly createduser group.

Step 8 In the User Group Permissions area, click Modify in the Operation column of therow that contains the target project.

The permissions granted to the user group only take effect for the current project. If youneed to grant the permissions for multiple projects to the user group, you must grantpermissions for each project individually by clicking Modify in the row that contains thecorresponding project.

Step 9 Configure policies for the user group.

You can enter a keyword to quickly find the target policy.

Step 10 Click OK.

----End

2.4 Creating a User and Adding It to a User GroupUse a security administrator to create a user, and add the user to a user group.The user inherits all of the permissions of the user group.


2019-04-19 11

https://docs.otc.t-systems.com/permissions/index.html

Procedure





Step 5 Specify Credential Type.

CredentialType

Application Scenario

Password ● Used to log in to the management console● Used to enable development tools (such as APIs, the CLI, and

SDK) that can access cloud services through passwordauthentication

Access key Used to enable development tools (such as APIs, the CLI, andSDK) that can access cloud services through key authentication

Step 6 Select a user group which you want to add the user from the drop-down list boxin the User Groups area.

● You can also enter a keyword to quickly find the target user group.● A user can be added to multiple user groups.

Perform one of the following based on the credential type you selected in Step 5.

CredentialType

Follow-up Operation

Password Go to Step 8.

Access key Click OK. Download the generated key. User creation is complete.NOTE

Access keys are credentials for identity authentication in IAM. You can onlyobtain an access key by downloading it. If the user needs to use an accesskey for authentication in IAM but it has not been downloaded, you mustgenerate a new access key.

Step 7 Click Next.

Step 8 Specify Password Type.


2019-04-19 12

Password Type Description Follow-up Operation

Set at first login The system will sendyou a one-time loginlink through email.You need to use thislink to set a passwordbefore you can log into the managementconsole.

1. Set Email for receiving the loginlink.

2. (Optional) Set Mobile Number.

Automaticallygenerated

The system randomlygenerates a 10-character password.This option enablesdevelopment tools(such as APIs, the CLI,and SDK) that canaccess cloud servicesthrough passwordauthentication.

1. (Optional) Set Email.2. (Optional) Set Mobile Number.

Set manually Users set their ownpasswords.

1. (Optional) Set Email.2. (Optional) Set Mobile Number.3. Set New Password and Confirm

Password.NOTE

The password must meet thefollowing requirements:– It must be 6 to 32 characters

long.– It must contain at least two of

the following character types:uppercase letters, lowercaseletters, digits, and specialcharacters (!"#$%&'()*+,-./:;<=>?@[]^`{_|}~ and spaces).

– It cannot be the username orthe username spelledbackwards. For example, if theusername is A12345, thepassword cannot be A12345,a12345, 54321A or 54321a.

– It cannot contain the user'smobile number or emailaddress.

Step 9 Select Require Password Reset to ensure that users are forced to change theirpassword the first time they log in. The Require Password Reset option isselected by default. It is recommended that you retain the default setting toensure that your password is set by yourself, preventing password leakage.

Step 10 Click OK.


2019-04-19 13

The user is created successfully.

----End

2.5 Logging In with an IAM UserUse an IAM user to log in to the system and access cloud services according togranted permissions.

Context● After a successful login, you need to click OK on the Login Verification page

to access the management console if any of the following conditions hasbeen met:– The function of displaying last login information upon a successful login

has been enabled on the Login Authentication Policies page.– Custom verification information has been configured on the Login

Authentication Policies page for successful login.– Login authentication has been enabled on the My Credentials page.

Procedure

Step 1 On the Multitenant Login page, enter Domain Name, Username/Emailaddress/Mobile number, and Password, and click Log In.

● Domain Name is the same as the username created in MyWorkplace and is in thefollowing format: ICU userid Contract instance number.

● If this is your first login, you must change your initial password on the First-time loginpage. To ensure account security, you are advised to change your password periodically.

● You must enter a verification code on the Login Verification page if the loginverification function is enabled.

Step 2 On the Login Verification page, click OK.

The management console page is displayed.

----End


2019-04-19 14

3 User Guide

3.1 Audit

3.1.1 IAM Operations That Can Be Recorded by CTSTable 3-1 lists IAM operations that can be recorded by CTS.

Table 3-1 IAM operations that can be recorded by CTS

Operation Resource Type Event Name

Obtain token token createTokenByPwd

Obtain token token createTokenByHwAccessKey

Obtain token token createTokenByToken

Obtain token token createTokenByAssumeRole

Obtain token token createTokenByHwRenewToken

Log in user login

Log out user logout

Change user password user changePassword

Create user user createUser

Modify user information user updateUser

Delete user user deleteUser

Change user password user updateUserPwd

Create AK/SK user addCredential

Delete AK/SK user deleteCredential

Change email address user modifyUserEmail

Identity and Access ManagementUser Guide 3 User Guide

2019-04-19 15


Change mobile number user modifyUserMobile

Change password user modifyUserPassword

Enable two-factorauthentication

user modifySMVerify

Upload avatar user modifyUserPicture

Administrator sets userpassword

user setPasswordByAdmin

Create user group userGroup createGroup

Update user group userGroup updateGroup

Delete user group userGroup deleteGroup

Add user to user group userGroup addUserToGroup

Delete user from usergroup

userGroup removeUserFromGroup

Create project project createProject

Modify project project updateProject

Delete project project deleteProject

Update project status project updateProjectStatus

Cancel project deletion project cancelProjectDeletion

Create agency agency createAgency

Modify agency agency updateAgency

Delete agency agency deleteAgency

Switch role user switchRole

Register IdP identityProvider createIdentityProvider

Update IdP identityProvider updateIdentityProvider

Delete IdP identityProvider deleteIdentityProvider

Update IdP metadata identityProvider updateMetaConfigure

Update preset IdPmetadata

identityProvider updateSystemMetaConfigure

Register mapping mapping createMapping

Update mapping mapping updateMapping

Delete mapping mapping deleteMapping

Register protocol protocol createProtocol


2019-04-19 16


Update protocol protocol updateProtocol

Delete protocol protocol deleteProtocol

Grant permissions to anagency based on accountinformation

roleAgencyDomain

assignRoleToAgencyOnDomain

Delete permissions of anagency based on accountinformation

roleAgencyDomain

unassignRoleToAgencyOnDo-main

Grant permissions to anagency based on projectinformation

roleAgencyProject

assignRoleToAgencyOnProject

Delete permissions of anagency based on projectinformation

roleAgencyProject

unassignRoleToAgencyOnPro-ject

Grant permissions to auser group under anaccount

roleGroupDomain

assignRoleToGroupOnDomain

Delete permissions of auser group under anaccount

roleGroupDomain

unassignRoleToGroupOnDo-main

Grant permissions to auser group correspondingto a project

roleGroupProject assignRoleToGroupOnProject

Delete permissions of auser group correspondingto a project

roleGroupProject unassignRoleToGroupOnProject

Update account loginpolicy

domain updateSecurityPolicies

Update password policy domain updatePasswordPolicies

Update ACL domain updateACLPolicies

3.1.2 Viewing Audit LogsAfter you enable CTS, the system starts recording operations on IAM. Operationrecords for the last 7 days are stored on the CTS console.

Viewing IAM Audit Logs

Step 1 Log in to the management console.


2019-04-19 17

Step 2 Click Service List in the upper part of the page and select Cloud Trace Serviceunder Management & Deployment.

Step 3 Choose Trace List in the navigation pane on the left.

Step 4 Click Filter in the upper right corner of the event list to set the operation eventconditions.

The following four filters are available:● Trace Source, Resource Type, and Search By

– Select the filter from the drop-down list. Select IAM for Trace Sourcefrom the drop-down list box.

– When you select Trace name for Search By, you also need to select aspecific trace name.

– When you select Resource ID for Search By, you also need to select orenter a specific resource ID.

– When you select Resource name for Search By, you also need to selector enter a specific resource name.

● Operator: Select a specific operator (a user rather than tenant).● Trace Status: Available options include All trace statuses, normal, warning,

and incident. You can only select one of them.● You can specify start time and end time query traces during a time period.

Step 5 Click Query to view the corresponding operation event.

Step 6 Expand the details, as shown in Figure 3-1.

Figure 3-1 Expanding trace details

Step 7 Click View Trace in the Operation column. On the displayed View Trace dialogbox shown in Figure 3-2, the trace structure details are displayed.


2019-04-19 18

Figure 3-2 Viewing events

----End

3.2 User and User Group Management

3.2.1 Managing Users and Their PermissionsYou can grant permissions to a user group and add users to it. Any user you addto the user group has all the permissions of the user group in the cloud system.

Step 1 The security administrator creates projects in a region and the projects are isolatedfrom each other.

Figure 3-3 Project isolation model

Step 2 The security administrator plans user groups according to users' responsibilitiesand grants the corresponding permissions to different user groups.


2019-04-19 19

Figure 3-4 User group authorization model

Step 3 The security administrator creates users and adds users to user groups varying bytheir responsibilities.

Figure 3-5 User authorization model

Step 4 Users can access resources in the cloud system based on their permissions.

----End


2019-04-19 20

3.2.2 Managing a ProjectProjects are used to group and isolate OpenStack resources, including computing,storage, and network resources. Resources in your account must be mountedunder projects. A project can be a department or a project team. Access IAM witha security administrator to create projects in a region and perform isolatedmanagement of resources.

Procedure

Step 1 In the navigation pane, choose Projects.

Step 2 On the Projects page, click Create Project.

Step 3 On the Create Project page, select a region from the Region drop-down list.

Step 4 Set Project Name.

● The project name format is Region Name_Project Name. Region Name cannot bemodified.

● Only letters, digits, underscores (_), and hyphens (-) are allowed in the project name.The maximum length of Region Name_Project Name is 64 characters.


Step 6 Click OK.

Return to the project list. Check that Status of the newly created project isdisplayed as Normal.

----End

Follow-up Procedure

Authorizing projects

In the User Group Permissions area on the Modify User Group page, locate therow that contains the target project, and click Modify. In the displayed dialog box,select the required permission sets for the project. For details, see section Creatinga User Group.

Related Operations● Viewing project details

a. View the projects in the corresponding region in the project list.b. Click View in the Operation column of the row that contains the target

project.View project details and the users bound to the project.

After the permissions on a project are granted to a user group and a user isadded to the user group, the user has the permissions of the user group and isbound to the project. The user can switch projects to access different resources.


2019-04-19 21

c. Click View in the Operation column in the user permission list.View the permissions of the users bound to the project.

● Modifying project data

a. In the project list, expand the region where the target project resides.b. Click Modify in the Operation column of the row that contains the

target project. In the displayed Modify Project dialog box, modify ProjectName and Description.

The project name format is Region Name_Project Name. Region Name cannot bemodified.

● Deleting a project

NO TICE

After a project is deleted successfully, the resources in the project are alsodeleted.

a. Click Delete on the right of the project to be deleted.

Only the projects created in a region can be deleted. The project named after theregion name cannot be deleted.

b. Enter Login Password and Verification Code.c. Click OK.

Return to the project list. Check that Status of the project to be deleted isdisplayed as Deleting.

After the resources in a project are deleted, the project is deleted completely.

● For details about how to switch between projects, see section SwitchingProjects or Regions.

3.2.3 Creating a User GroupYou can plan user groups based on users' responsibilities and grant them thecorresponding permissions. Users in a user group have all of its permissions. Usergroups help improve the efficiency of permission management.

Procedure


Step 2 On the User Groups page, click Create User Group.

Step 3 Enter a user group name.



2019-04-19 22

It is recommended that you set Description for a user group. For example, if you grant theSecurity Administrator permission to a user group, you can add a description to enableusers to directly view their permissions and permission details. You can add a customdescription or the following description to the Description text box: SecurityAdministrator: has the rights to create, delete, and modify users as well as grantpermissions to users. For details about the permissions, see Permission Description.

Step 5 Click OK.

The user group list is displayed, including the newly created user group.

Step 6 Click Modify in the Operation column of the row that contains the newly createduser group.

Step 7 In the User Group Permissions area, click Modify in the Operation column of therow that contains the target project.

The permissions granted to the user group only take effect for the current project. If youneed to grant the permissions for multiple projects to the user group, you must grantpermissions for each project individually by clicking Modify in the row that contains thecorresponding project.

Step 8 Configure policies for the user group.

You can enter a keyword to quickly find the target policy.

Step 9 Click OK.

----End

3.2.4 Creating a UserYou can create users by using the console or by calling an API, and set securitycredentials and permissions that allow the users to access resources under youraccount. The users can access the cloud system through the management consoleor by calling APIs.

Procedure




Step 4 Specify Credential Type.


2019-04-19 23


CredentialType

Application Scenario

Password ● Used to log in to the management console● Used to enable development tools (such as APIs, the CLI, and

SDK) that can access cloud services through passwordauthentication

Access Key Used to enable development tools (such as APIs, the CLI, andSDK) that can access cloud services through key authentication

Step 5 Select a user group which you want to add the user from the drop-down list boxin the User Groups area.

● You can also enter a keyword to quickly find the target user group.● A user can be added to multiple user groups.

Perform one of the following based on the credential type you selected in Step 4.

CredentialType

Follow-up Operation

Password Go to Step 6.

Access Key Click OK. Download the generated key. User creation is complete.NOTE

Access keys are credentials for identity authentication in IAM. You can onlyobtain an access key by downloading it. If the user needs to use an accesskey for authentication in IAM but it has not been downloaded, you mustgenerate a new access key.

Step 6 Click Next.

Step 7 Specify Password Type.


Set at first login The system will sendyou a one-time loginlink through email.You need to use thislink to set a passwordbefore you can log into the managementconsole.

1. Set Email for receiving the loginlink.

2. (Optional) Set Mobile Number.3. Click OK.


2019-04-19 24



The system randomlygenerates a 10-character password.This option enablesdevelopment tools(such as APIs, the CLI,and SDK) that canaccess cloud servicesthrough passwordauthentication.

1. (Optional) Set Email.2. (Optional) Set Mobile Number.3. Click OK.4. Download the password file.

Set manually Users set their ownpasswords.

1. (Optional) Set Email.2. (Optional) Set Mobile Number.3. Set New Password and Confirm

Password.NOTE

The password must meet thefollowing requirements:– It must be 6 to 32 characters

long.– It must contain at least two of

the following character types:uppercase letters, lowercaseletters, digits, and specialcharacters (!"#$%&'()*+,-./:;<=>?@[]^`{_|}~ and spaces).

– It cannot be the username orthe username spelledbackwards. For example, if theusername is A12345, thepassword cannot be A12345,a12345, 54321A or 54321a.

– It cannot contain the user'smobile number or emailaddress.

4. Click OK.

● The SMS-based login verification function can be enabled only when a user is boundwith an email address and a mobile number.

● You can log in to the system with your username, mobile number, or email address.

● If you forget your password, you can reset it using the email address or mobile numberthat was bound to your account.

Step 8 If you select Automatically generated or Set manually, choose whether torequire password reset at the next login. This function is enabled by default toensure account security.

Step 9 Click OK.


2019-04-19 25

The user is created successfully.

----End

Related Operations● View and modify information about the user, including the user status, bound

email address, bound mobile number, user group, and logs.● Delete a user. In the user list, click Delete in the row that contains the target

user.

3.2.5 Switching Projects or RegionsResources in different projects or regions are isolated. You can only access theresources in authorized projects or regions. If you do not have permissions for thecurrent project or region, you must first switch to an authorized project or region.

Procedure

Step 1 At the upper left of the main menu bar, click Console.

Step 2 In the upper left corner, select the project or region to be accessed from the drop-down list.

After you have switched to the target project or region successfully, you can accessits resources.

----End

3.2.6 Viewing and Modifying User InformationAdministrators can view and modify the basic information of a user, belonged usergroups, and logs generated for the user. They can change the group of a user afterthe user's responsibilities change, or modify the login credentials of a user if theuser's password or access key was forgotten or lost.

Viewing User InformationIn the user list, expand a user to view the detailed user information, includingBasic Information, User Groups, and User Logs.

Modifying User InformationClick Modify in the Operation column of the row that contains the target user.

● Status: A user is enabled by default after being created. You can change thestatus of a user to Disabled if you do not use it again.

● Login authentication method– Virtual MFA: Change the login authentication mode of a user to virtual

MFA only if the user has been bound to an MFA device. After the change,the user must enter virtual MFA verification codes when logging in.

– SMS: Change the login authentication mode of a user to SMS only if theuser has been bound to a mobile number. After the change, the usermust enter a mobile verification code when logging in.


2019-04-19 26

– Email: Change the login authentication mode of a user to SMS only if theuser has been bound to an email address. After the change, the usermust enter an email verification code when logging in.

● Email, Mobile Number, and Description● Virtual MFA Device: Bind an MFA device to or unbind an MFA device from a

user.● User Groups: Add a user to or remove it from target user groups.

Enter a keyword to quickly find the target user group.

Setting User CredentialsIn the user list, click Set Credentials in the Operation column of the row thatcontains the target user to change its password or manage its access keys.

CredentialType

GenerationMethod

Description Application Scenario

Password Using email The system will sendyou a one-time loginlink through email.You can click this linkto log in to themanagement consoleand set the password.

Used to reset the APIpasswords of userswho have emailaddresses bound totheir accounts. Theuser needs to use thepassword to log in tothe managementconsole.


The system randomlygenerates a 10-character APIpassword.NOTE

Click OK to downloadthe automaticallygenerated password file.

Used to reset thepassword of a userwho is using adevelopment tool(such as APIs, the CLI,and SDK) that canaccess the cloudsystem throughpasswordauthentication.

Set manually Users set their own APIpasswords.

Used to reset anyuser's password.

Access key Created by auser or asecurityadministrator

Users can add ordelete access keys inthe Access Keys area.NOTE

Each user can create amaximum of two accesskeys, which are validwithin 360 days. Toensure account security,keep them securely.

Users can access thecloud system by usingaccess keys.


2019-04-19 27

● Require Password Reset: If you select Automatically generated or Setmanually, you can choose whether to require password reset at the nextlogin. This function is enabled by default to ensure account security.

3.2.7 Viewing and Modifying User Group InformationSecurity administrators can view and modify a user group's basic information,permissions, and users. You can change users' permissions by changing theirgroup.

Procedure


Step 2 In the user group list, view or modify user group information.

● Viewing user group information

In the user group list, view user group details. The detailed informationincludes Basic Information, User Group Permissions, and Group Members.

● Modifying user group information

Click Modify in the Operation column of the row that contains the targetuser group to go to the Modify User Group page.

– You can modify users in the default user groups but you cannot modify the basicinformation or permissions of those user groups.

– A user group is a credential associated with federated authentication and its namecannot be changed.

Informationto BeModified

Method

User grouppermissions

1. Click Modify in the Operation column of the row thatcontains the project to be authorized for the usergroup.

2. On the displayed Modify Policy page, select requiredpolicies.

3. Click OK.

Users in theuser group

– Adding a userIn the Group Members area, select a user to be addedfrom the drop-down list.NOTE

You can enter a keyword to quickly find the target user.

– Deleting a userIn the Group Members area, delete a user from theuser group.

----End


2019-04-19 28

3.2.8 Changing User PermissionsYou can use the following methods to change user permissions:

● Change the user group of a user on the Modify User page. This method isused when the permissions of a single user have changed. For details, seeViewing and Modifying User Information.

● Change the permissions of a user group or change the users included in theuser group. This method is used when adding or deleting multiple users froma user group. For details, see Viewing and Modifying User GroupInformation.

3.3 Fine-grained Policy Management

3.3.1 Fine-grained PolicyA fine-grained policy is a set of permissions defining which operations on whichcloud services can be performed. Each policy can define multiple permission sets.After a policy is granted to a user group, users in the user group obtain thepermissions of the policy. IAM implements fine-grained permission managementbased on the permissions defined by policies.

IAM supports two types of policies:

● Default policies: define the common permissions preset in the system, whichare typically read-only or management permission for different cloud servicessuch as ECS. Default policies can be used only for authorization and cannot beedited or modified.

● Custom policies: define the permissions created and managed by users andare the extension and supplement of default policies.

3.3.2 Policy Language

Policy Content

A fine-grained authorization policy consists of the policy version (the Versionfield) and authorization statement (the Statement field).

● Version: Used to identify role-based access control (RBAC) policies and fine-grained policies.– 1.0: RBAC policies, which are preset in the system and used to grant

permissions of each service as a whole. After such a policy is granted to auser, the user has all permissions of the corresponding service.

– 1.1: Fine-grained policies, which enable more refined authorization basedon service APIs. After such a policy is granted to a user, the user can onlyperform specific operations on the corresponding service. Fine-grainedpolicies are classified into default and custom policies.

▪ Default policies: Preset common permission sets to control read andadministrator permissions of different services.


2019-04-19 29

▪ Custom policies: Permission sets created and managed by users as anextension and supplement of default policies. For example: A custompolicy can be created to allow users only to modify ECSspecifications.

● Statement: Detailed information about a policy, containing the Effect andAction elements.– Effect

Valid values for Effect include Allow and Deny. In a custom policy thatcontains both Allow and Deny statements, the Deny statements take theprecedence.

– ActionThe value can be one or more resource authorization items.The value format is Service name:Resource type:Action, for example,vpc:ports:create.

● Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercaseletters are allowed.

● Resource type and Action: The values are case-insensitive, and the wildcard (*) areallowed. A wildcard (*) can represent all or part of information about resourcetypes and actions for the specific service.

Example Policies● A policy can define a single permission, such as the permission to query ECS

details.{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:servers:list", "ecs:servers:get", "ecs:serverVolumes:use", "ecs:diskConfigs:use", "ecs:securityGroups:use", "ecs:serverKeypairs:get", "vpc:securityGroups:list", "vpc:securityGroups:get", "vpc:securityGroupRules:get", "vpc:networks:get", "vpc:subnets:get", "vpc:ports:get", "vpc:routers:get" ] } ]}

● A policy can define multiple permissions, such as the permissions to lock ECSsand create EVS disks.{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:servers:lock",


2019-04-19 30

"evs:volumes:create" ] } ]}

● The following example shows how to use the wildcard (*) to define allpermissions on Image Management Service (IMS) resources.{ "Version": "1.1", "Statement": [ { "Action": [ "ims:*:*", "ecs:*:list", "ecs:*:get", "evs:*:get" ], "Effect": "Allow" } ]}

●

Authentication LogicIAM authenticates users according to the permissions that have been granted tothem. The authentication logic is as follows:

Figure 3-6 Authentication logic


2019-04-19 31

The actions in each policy bear the OR relationship.

1. A user accesses the system and initiates an operation request.2. IAM evaluates all the access policies that have been granted to the user.3. In these policies, IAM looks for explicit deny instructions. If IAM finds an

explicit deny that applies, it returns a decision of Deny, and the authenticationends.

4. If no explicit deny is found, IAM looks for Allow instructions that would applyto the request. If IAM finds an explicit permit that applies, it returns a decisionof Allow, and the authentication ends.

5. If no explicit permit is found, IAM returns a decision of Deny, and theauthentication ends.

3.3.3 Creating Custom PoliciesIf the default policies cannot meet the requirements on fine-grained accesscontrol, you can create custom policies and assign the policies to the user group.

Procedure

Step 1 In the navigation pane, choose Policies.

Step 2 On the Policies page, click Create Custom Policy.

Step 3 Enter Policy Name.

Step 4 Set Scope.

Specify the scope in which the custom policy will take effect. Cloud services areclassified into global-level and project-level services based on the locations theyare deployed.● Global-level service: Deployed globally without differentiating physical areas.

When creating custom policies for globally deployed services, specify thescope as Global-level service. Custom policies of this scope must be grantedto user groups in the Global project.

● Project-level service: Deployed in one or more regions. When creatingcustom policies for regionally deployed services, specify the scope as Project-level service. Custom policies of this scope must be granted to user groups inthe project (eu-de) or subproject corresponding to the deployment region.

For example, when creating a fine-grained policy ("evs:volumes:create") for ElasticVolume Service (EVS), which is a project-level service, set Scope to Project-levelservice. If the policy will take effect for multiple projects, authorization is requiredfor each of the projects.

Step 5 (Optional) Enter Description.

Step 6 In the Policy Information area, click Select Template. For example, select VPCAdmin as the template.

Step 7 Click OK.

Step 8 Modify Effect and Action values in the Statement field in the template. Fordetails, see section Policy Language.


2019-04-19 32

● Effect: The value can be Allow and Deny. If both Allow and Deny are foundin statements, the policy evaluation starts with Deny.

● Action: Fill the Action field with the permissions in the API permissions table(see the following figure) of the specific service, for example,evs:volumes:create. IAM then implements fine-grained authorization bycalling the corresponding APIs in the table.

Figure 3-7 API permission

– The Version value of a custom policy must be 1.1.– A custom policy can contain statements of multiple services that are all global or

project-based.– Policies support only API-level authorization. You need to fill the Action field with

the permissions in the API permissions table of the specific service. IAM thenimplements fine-grained authorization by calling the corresponding APIs in thetable. If the scope of all permissions in a custom policy includes Project andEnterprise Project, the custom policy can be granted on IAM. For details, see: .Section API Permissions in the Elastic Cloud Server API ReferenceSection API Permissions in the Virtual Private Cloud API ReferenceSection API Permissions in the Elastic Volume Service API Reference

Step 9 Click OK.

If a message is displayed indicating that the syntax is incorrect, modify policy informationaccording to the policy syntax.

The custom policy is created successfully. You can select a custom policy from theuser group to implement fine-grained authorization.

----End

Follow-up Operation● Modifying custom policies

You can modify custom policies if user permissions have changed.On the Policies page, click Modify in the Operation column of the targetpolicy, and modify the name, description, and policy information.

● Deleting custom policiesYou can delete custom policies if they are no longer needed.On the Policies page, click Delete in the Operation column of the targetpolicy to delete it.

● Attaching a custom policy to a user group (The users in the group have all thepermissions defined by the policy.)


2019-04-19 33

https://docs.otc.t-systems.com/en-us/api/ecs/en-us_topic_0103071509.html

https://docs.otc.t-systems.com/en-us/api/vpc/vpc_permission_0000.html

https://docs.otc.t-systems.com/en-us/api/evs/evs_04_0045.html

a. Click Modify in the Operation column of the row that contains thetarget user group.

b. In the User Group Permissions area, click Modify in the Operationcolumn of the row that contains the target project.

c. In the Available Policies area on the Modify Policy page, select a newlycreated custom policy.

3.4 Setting Account Security PoliciesUsers with the Security Administrator permission can set a login authenticationpolicy, password policy, ACL, and operation security protection to improve userinformation and system security.

ProcedureStep 1 Set login verification policies.

1. In the navigation pane, choose Account Settings > Login AuthenticationPolicies.

2. In the Account Disabling Policy area, select If an account is not usedwithin the validity period, it will be disabled. Then set Account Expiration.If the user does not access the cloud system through the managementconsole or API within the set Account Expiration, the account will bedisabled.Account Disabling Policy is set to protect the account. After the account isdisabled, resources in the account are not affected. You can contact theadministrator to enable the account again.

3. In the Session Timeout Policy area, set Session Timeout Duration. Thedefault value is 15 minutes. You can set the session timeout duration from 15minutes to 24 hours. If the user does not perform any operation within thespecified duration, the user needs to log in again.

4. In the Recent Login Information area, select Display last login informationupon a successful login.Users can view login information, such as the time of their last login, on theLogin Verification page.

5. In the Login Verification Information area, customize the verificationinformation, which is displayed upon a successful login.Users can view this customized information on the Login Verification page.

6. Click OK.

Step 2 Set an ACL.

1. In the navigation pane, choose Account Settings > ACLs.

ACL validation conditions:– Accessing cloud services by using the management console: An ACL takes effect for

the users in the account but not for the account itself.– Accessing cloud services by calling APIs: An ACL takes effect for the account itself

and the users in the account. When an ACL is modified, it takes effect two hourslater.


2019-04-19 34

2. On the ACLs page, enter the allowed IP addresses or network segments.– Allowed IP Address Range: only allows users to access the system using

specified IP addresses.– Allowed IP Addresses or Network Segments: only allows users to

access the system using specified IP addresses or network segments.For example: 10.10.10.10/32.

– You can click Restore Defaults to restore the allowed IP address range to thedefault value, 0.0.0.0-255.255.255.255, and to clear Allowed IP Addresses orNetwork Segments.

– If both Allowed IP Address Range and Allowed IP Addresses or NetworkSegments are set, users are allowed to access the system if their IP address meetsthe conditions specified by either of the two parameters.

3. Click Apply.

Step 3 Set operation security protection. If this function is enabled, authentication isrequired for high-risk operations. For example, a user needs to enter theverification code when deleting an access key.

1. In the navigation pane, choose Account Settings > Operation Security.2. Enable operation security protection.

– Operation security protection is disabled by default.– High-risk operations are defined by each service.– When a user performs a high-risk operation, the Operation Security page is

displayed. Select a verification mode, email verification or phone verification.

▪ If users have bound only mobile numbers to their accounts, only phoneverification can be selected.

▪ If users have bound only email addresses to their accounts, only emailverification can be selected.

▪ If users have bound both mobile numbers and email addresses to theiraccounts, phone verification is selected by default. Users can manually changethe verification mode to email verification.

▪ If users have not bound mobile numbers or email addresses to their accounts,operation security verification does not take effect. The operation is allowedby default.

----End

3.5 Agency Management

3.5.1 Delegating Other Accounts to Manage ResourcesYou can grant your operation permissions to more professional, efficient accountsor cloud services to manage your resources.

This section uses account A and account B as an example to describe how todelegate another account to manage resources under an account.


2019-04-19 35

Step 1 Account A creates an agency.

Figure 3-8 Agency creation model

Step 2 Account B grants user B permissions for managing account A's resources.

1. Create a user group (for example, Agency), and grant resource managementpermissions to the user group.

2. Add user Job to user group Agency.

Figure 3-9 Permission granting model

Step 3 User Job of account B manages the resources in account A.

1. Job logs in to the cloud system and switches the role to account A.2. Job switches to project A.3. Job manages the resources in account A based on permissions.


2019-04-19 36

Figure 3-10 Agency management model

----End

3.5.2 Creating an Agency (by a Delegating Party)By creating an agency, you can share your resources with other accounts, ordelegate more professional personnel or teams to manage your resources. Thedelegated account can log in to the cloud system and switch to your account tomanage your resources. You do not need to share security credentials (such aspasswords and access keys) with other accounts, ensuring the security of youraccount.

Procedure

Step 1 In the navigation pane, choose Agencies.

Step 2 On the Agencies page, click Create Agency.

Step 3 Specify Agency Name and Agency Type.

Table 3-2 Agency types

Agency Type Description

Commonaccount

Common accounts in the cloud system. This agency type isused to share resources with other accounts or delegate otheraccounts to manage the resources in your account.

Cloud service Services in the cloud system. This agency type is used toauthorize cloud services to access or maintain user data. Forexample, after an agency with ECS is created, ECS can obtainusers' access keys to call APIs, facilitating O&M andmonitoring.

● If you set Agency Type to Common account, enter the domain name of acommon account for which the trust relationship is to be established inDelegated Account.

● If you set Agency Type to Cloud service, click Select and set the cloudservice.

Step 4 Set Validity Period and enter Description.


2019-04-19 37

Step 5 In the Permissions area, locate the row that contains the target region and projectand click Modify in the Operation column, and select policies for the delegatingenterprise.

For details about the permissions, see Permission Description.

Step 6 Click OK.

The newly created agency is displayed in the agency list. The delegated accountcan manage resources in the delegating account by switching the role.

----End

Follow-up OperationIn the agency list, you can click Modify in the row that contains the newly createdagency to modify the basic information about the agency, such as the permissionsand validity period of the agency.

Cloud service agencies cannot be modified.

3.5.3 Assigning Permissions (by a Delegated Party)When an account establishes a trust relationship between itself and your account,you become a delegated party. You can authorize a user to manage resources ofthe delegating party. After an account establishes multiple trust relationshipsbetween itself and your account, you can authorize different users to manageresources of the delegating party. However, each user can switch to only thedelegated agencies. You can create custom policies to grant specified permissionsto users.

Prerequisites● An account has created the trust relationship with you.● You have obtained the name of the delegating account and the name and ID

of the created agency.

Procedure

Step 1 Create a custom policy.

● To delegate a specific agency to a user, perform the following steps.● To delegate all agencies to a user, go to Step 2.

1. In the navigation pane, choose Policies.2. On the Policies page, click Create Custom Policy.3. Enter a policy name.4. Select Global-level service for Scope.5. In the Policy Information area, enter the following content:


2019-04-19 38


{ "Version": "1.1", "Statement": [ { "Action": [ "iam:agencies:assume" ], "Resource": { "uri": [ "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..." ] }, "Effect": "Allow" } ]}

– Copy and paste all the content, and replace b36b1258b5dc41a4aa8255508xxx...with the ID of the agency to be granted.

– This procedure provides only required operations for fine-grained authorization. Formore information about fine-grained policies, see Fine-grained PolicyManagement.

6. Click OK.

Step 2 Create a user group and grant permissions to it.

1. In the navigation pane, choose User Groups.2. On the User Groups page, click Create User Group.3. Enter a user group name.4. Click OK.

The user group list is displayed, including the newly created user group.5. Click Modify in the Operation column of the row that contains the newly

created user group.6. Click Configure Permission in the Operation column of the row that

contains the newly created user group.7. In the User Group Permissions area, click Modify in the Operation column

of the row that contains the Global project.8. On the User Group Permissions tab page, click Configure Policy in the

Operation column of the row that contains the Global project.9. Select the policy created in Step 1 or the Agent Operator permission.

– Custom policy: Allows a user to access only a specified agency.

– Agent Operator permission: Allows a user to access all agencies.

10. Click OK.

Step 3 Create a user and add it to the user group.

1. In the navigation pane, choose Users.2. On the Users page, click Create User.3. On the Create User page, enter Username.4. Select Password for Credential Type.


2019-04-19 39

5. Select the user group created in Step 2 from the drop-down list box in theUser Groups area.

6. Click Next.7. Select Set at first login for Password Type.8. Enter an email address.9. Click OK.

Step 4 Switch your roles.

1. Log in to the system as the user created in Step 3.2. Click the logged-in account in the upper right corner of the page and choose

Switch Role.3. On the Switch Role page, enter the name of the delegating account.

The system automatically matches the account to an agency. If the matched agencyhas not been delegated, you have no permissions to access the account. However, youcan remove the agency and select an authorized one from the drop-down list box.

4. Click OK to switch to the delegating account.

----End

Follow-up Operation

Click the delegating account in the upper right corner of the page and chooseSwitch Role to switch back to your account.

3.5.4 Switching Roles (by a Delegated Party)When an account establishes a trust relationship between itself and your account,you become a delegated party. You and all the users you have authorized canswitch to the delegating account and manage resources under the delegatedpermissions.

Prerequisites● A trust relationship has been established between another account and your

account.● You have obtained the names of the delegating account and created agency.

Procedure

Step 1 Log in to the system as the user created in Step 3.

The user created in Step 3 can switch roles to manage resources for the delegating party.

Step 2 Click the logged-in account in the upper right corner of the page and chooseSwitch Role.

Step 3 On the Switch Role page, enter the name of the delegating account.


2019-04-19 40

The system automatically matches the account to an agency. If the matched agency hasnot been delegated, you have no permissions to access the account. However, you canremove the agency and select an authorized one from the drop-down list box.

Step 4 Click OK to switch to the delegating account.

----End

3.6 Federated Identity Authentication

3.6.1 Advantages of Federated Identity AuthenticationIf you have an identity authentication system, you do not need to recreate users inthe SP system and can configure federated identity authentication to allow usersin your system to access cloud resources directly through SSO.

Federated identity authentication is required for browser-based WebSSO or non-browser-based API calling access to the cloud system.

● WebSSO: A browser is used as a communication media and can be used bycommon users to access the cloud system.

● API calling: A development tool or an application is used as a communicationmedia, for example, OpenStackClient, which is applicable to enterprises orusers who use development tools to call APIs to access the cloud system.API calling has the SP-initiated and IdP-initiated federated identityauthentication modes. Users can select a mode supported by the enterpriseIdP system.

Without Federated Identity Authentication● Enterprise IdP users cannot log in to the cloud system through SSO.

The enterprise IdP is the IdP system of an enterprise management system.Users authenticated by their enterprise IdP cannot access the cloud systemdirectly.

Figure 3-11 User authentication model (1)

● User management is complex.The enterprise administrator has to create accounts separately in theenterprise management system and the cloud system.


2019-04-19 41

● User operations are complex.

Users have to use different accounts to log in to the enterprise managementsystem and cloud system.

Figure 3-12 User login model (1)

With Federated Identity Authentication● IdP users can log in to the cloud system through SSO.

Any user authenticated by the enterprise IdP can access the cloud systemdirectly. The enterprise administrator does not need to create separate usersin the cloud system.

Figure 3-13 User authentication model (2)

● User management is more convenient.

The enterprise administrator does not need to create separate users in thecloud system, reducing the cost of personnel management.

● User operations are simplified.

Users can access both the enterprise management system and the cloudsystem simply by logging in to the enterprise management system.


2019-04-19 42

Figure 3-14 User login model (2)

3.6.2 Configuring Federated Identity AuthenticationFederated identity authentication allows enterprise users to access the cloudsystem after being authenticated by the enterprise IdP.

NO TICE

The enterprise IdP server and the cloud system must use the same Universal TimeCoordinated (UTC) time. Any time inconsistency will cause federated identityauthentication failure.

Step 1 Establish a trust relationship between the cloud system and the enterprise IdP. Fordetails, see section Establishing a Trust Relationship.

Figure 3-15 Metadata file exchange model

Step 2 On the IAM console, create an IdP. For details, see section Creating an IdP.

Step 3 On the IAM console, specify permissions for the enterprise IdP users to access thecloud system. For details, see section Using Rules to Control Federated UserAccess to the Cloud System.


2019-04-19 43

Figure 3-16 User conversion model

Step 4 Configure a login link for the cloud system in the enterprise management systemto achieve SSO. For details, see section Configuring SSO.

Figure 3-17 SSO configuration model

After logging in to the enterprise management system, enterprise IdP users canclick the login link to access the resources in the cloud system.

Step 5 Configure the client or development tool to call APIs to access the cloud system.

----End

3.6.3 Establishing a Trust RelationshipEstablish a trust relationship between the two systems by exchanging metadatafiles.

Step 1 Download the metadata file of the cloud system. If a user needs to use both WebSingle Sign-On (WebSSO) and API calling functions, the user has to download themetadata files of both the WebSSO and the API.


2019-04-19 44

● WebSSO: Visit https://auth.otc.t-systems.com/authui/saml/metadata.xml.Right-click, choose Save As, and set a file name, for example, websso-metadata.xml.

● API calling: Visit https://Endpoint address of a region/v3-ext/auth/OS-FEDERATION/SSO/metadata, right-click on the page and choose Save As, andset a file name, for example, api-metadata-region.xml.The cloud system provides API gateways depending on the region for users tocall APIs. To access multiple regions, a user needs to download metadata filesof the corresponding regions.

Step 2 Obtain the metadata file of the enterprise IdP. For details about how to obtain thisfile, contact the administrator of the enterprise management system.

Step 3 Upload the metadata file of the cloud system to the enterprise IdP server. Fordetails about how to upload the file, contact the administrator of the enterprisemanagement system.

Step 4 Upload the metadata file of the enterprise IdP to the IAM server. For details, seesection Creating an IdP.

----End

3.6.4 Creating an IdPAfter an IdP is created on IAM and the metadata file of the IdP is configured,users authenticated by the enterprise IdP can access the cloud system directly.

ContextIn IAM, federated identity authentication only supports the SAML 2.0 protocol, sothe enterprise IdP must support SAML 2.0 to use federated identity authentication.

Security Assertion Markup Language (SAML) is an XML-based open standard forexchanging authentication and authorization data between security domains.

PrerequisitesA trust relationship has been established between the two systems. For details, seesection Establishing a Trust Relationship.

Procedure

Step 1 In the navigation pane, choose Identity Providers.

Step 2 On the Identity Providers page, click Create Identity Provider.

Step 3 Set Name, Status, and Description for the IdP.

Currently, only the SAML protocol is supported.

Step 4 Click OK.

If the information shown in Figure 3-18 is displayed, the IdP has been createdsuccessfully.


2019-04-19 45

https://auth.otc.t-systems.com/authui/saml/metadata.xml

Figure 3-18 IdP created successfully

Step 5 Configure IdP information by clicking the Modify Identity Provider link before theIdP list page is displayed. Alternatively, click Modify in the Operation column ofthe row that contains the target IdP after the IdP list page is displayed.

Step 6 In the Metadata Configuration area on the Modify Identity Provider page,configure the metadata using either of the following method:● Use preconfigured metadata

Only the members of the eduGAIN and ELIXIR organizations can use thepreconfigured metadata. If metadata is updated subsequently, thepreconfigured metadata can be automatically updated. You do not need tomodify metadata.

a. Click Select, and select the target IdP.b. Click OK.

● Upload metadataThe system supports uploading and manual configuration of metadata. If themetadata file size exceeds 500 KB, you can click the manually configure linkto configure it. If metadata is updated subsequently, you need to upload oredit metadata. Otherwise, federated users cannot log in to the cloud system.– Upload metadata.

i. Upload the metadata file of the enterprise IdP.ii. Click Upload.

A dialog box is displayed, showing the metadata extracted by thesystem.

iii. Click OK.○ If "The uploaded file contains multiple IdPs. Select an IdP as

needed." is displayed, select the desired IdP from the Entity IDdrop-down list box.

○ If a message is displayed indicating that Entity ID in themetadata file is empty or that the signature certificate hasexpired, check whether the metadata file is correct. Then, uploadthe file again or configure the metadata manually.

iv. Click OK.– Manually configure metadata.

i. Click manually configure.ii. On the displayed Manually Configure Metadata page, enter Entity

ID, Signature Certificates, SingleSignOnService, and otherparameters.


2019-04-19 46

Parameter Description

Entity ID An entity ID uniquely identifies an enterpriseIdP. A metadata file can contain multiple IdPs.You need to select your desired IdP.

SupportedProtocols

The SAML protocol is used for federationidentity authentication between theenterprise IdP and the SP. IAM only supportsSAML 2.0.

SupportedNameIdFormat

Supported NameIdFormat defines the nameidentifier formats supported by the IdP. Nameidentifiers can be used for communicationbetween the IdP and the federated users.

SignatureCertificates

A signature certificate is used to verify thesignatures and contains a public key. Forsecurity purposes, a 2048-bit public key isrecommended. During federated identityauthentication, the system checks thecredibility and integrity of an assertion basedon the signature certificate in the metadatafile.

SingleSignOnSer-vice

This is how SAML requests are sent duringthe SSO process. SingleSignOnService mustsupport HTTP Redirect or HTTP POST.

SingleLogoutSer-vice

The SP provides the session logout function.After a federated user logs out of a sessionfrom IAM, the user is redirected to theaddress that was bound to its account.SingleLogoutService must support HTTPRedirect or HTTP POST.

iii. Click OK.

Step 7 Click OK to save the settings.

----End

Verification

Step 1 Click View in the row that contains the target IdP.

Step 2 Click Copy to the right of Login link to copy the address in Login link, and thenopen it using a browser.

Step 3 Check whether the login page provided by the enterprise IdP server is displayed.

If the redirection fails, check whether the obtained enterprise metadata file and theenterprise IdP server are configured correctly.


2019-04-19 47

Step 4 Enter a username and and check whether you can log in to the cloud system.

----End

Follow-up Procedure● In the Identity Conversion Rule area, create an identity conversion rule. For

details about identity conversion rules, see Using Rules to Control FederatedUser Access to the Cloud System.

● Configure SSO in the enterprise management system. For details, seeConfiguring SSO.

Related Operations● Viewing IdP information

In the IdP list, click View to query basic information, metadata details, andidentity conversion rules for the corresponding IdP.

You can click Modify Identity Provider on the View Identity Provider Informationpage to enter the Modify Identity Provider page.

● Modifying IdP information

In the IdP list, click Modify to enter the Modify Identity Provider page. Youcan set Status (Enabled or Disabled), Description, Metadata File, andIdentity Conversion Rule.

● Deleting an IdP

In the IdP list, click Delete in the row that contains the target IdP to delete it.

3.6.5 Configuring SSOConfiguring an IdP login link on the enterprise management system allowsenterprise users to access the cloud system after being authenticated by theenterprise IdP.

Prerequisites

An IdP has been created, and its login link is available.

Procedure


Step 2 Click View in the row that contains the target IdP.

Step 3 Click Copy to the right of Login link.

Step 4 On the web page of the enterprise management system, press F12 and configurethe following information:<a href="<Login link>"> Cloud system entry </a>


2019-04-19 48

Figure 3-19 Entry model

After logging in to the enterprise management system, enterprise users can clickthe system entry link on the enterprise management system to access the cloudsystem.

----End

3.6.6 Using Rules to Control Federated User Access to theCloud System

The enterprise administrator uses the enterprise IdP to manage the identities andpermissions of federated users. An identity conversion rule is used to map theidentities and permissions of federated users to those in the cloud system. Thecloud system uses the rule to control which operations federated users canperform and which resources they can access.

Modifications to identity conversion rules will take effect only after federated users log in tothe cloud system again.

Prerequisites● An IdP has been created, and its login link is available.● You have a preliminary understanding of the SAML 2.0 protocol and are

familiar with metadata files.● You have learned the assertion structure displayed after successful SAML 2.0

authentication.

Procedure


Step 2 In the identity provider list, click Modify in the row that contains the IdP you havecreated.

The Modify Identity Provider page is displayed.

Step 3 In the Identity Conversion Rule area, click Create Rule to add an identityconversion rule.


2019-04-19 49

After an IdP is created successfully, the cloud system will preconfigure a default rule. Thisrule converts the usernames of federated users to FederationUser, which is displayed in thecloud system. This rule only allows the federated users in the current IdP to access certainresources. If this default rule does not meet your requirements, you can click Edit Rule tomodify it.

● Username: indicates the username displayed in the cloud system after afederated user logs in. You are advised to enter a username that starts withFederationUser_ to differentiate between users in the cloud system andfederated users. You can also enter a simple expression, such asFederationUser_{email}. After this rule is created successfully, the systemautomatically replaces {email} with the email address of the federated user.The username displayed in the cloud system is FederationUser_XXX@XXX,where XXX@XXX indicates the email address of the federated user. This ruleonly takes effect if the assertion contains an email address.

NO TICE

The federated user name must be unique in the same domain. Identicalusernames under one or multiple identity providers will be identified as thesame user.

● User Group: indicates the user group to which the federated user belongsafter logging in to the cloud system. The user's permissions are determined bytheir user group.

● Conditions for Validating This Rule: indicates the conditions under whichthe federated user has the permissions of the selected user groups. Whenthese conditions are met, the federated user has the permissions of their usergroup. If these conditions are not met, the rule does not take effect, and userswho do not meet these conditions are not allowed to access the cloud system.For example, set a rule for an enterprise system administrator:


2019-04-19 50

– Username: FederationUser_admin_{email}– User Group: admin– Conditions for Validating This Rule (Attribute: _NAMEID_; Condition:

any_one_of; Value: ID1;ID2;ID3): The rule takes effect only for the usersof the specified IDs. Only the users whose user IDs are ID1, ID2, or ID3have the permissions of the admin user group in the cloud system. Theother users of this IdP do not have these permissions.

▪ Multiple effective conditions can be set for a rule. The rule will take effect aslong as any of these conditions is met.

▪ Multiple rules can be created for an IdP. These rules take effect at the sametime. If none of the created rules take effect for a federated user, the user isnot allowed to access the cloud system.

Step 4 In the Create Rule area, click OK.

Step 5 On the Modify Identity Providers page, click OK for the settings to take effect.

----End

Related Operations● Viewing rules: In the Identity Conversion Rule area, click View Rule. The

newly created identity conversion rule is displayed in a JSON file. For detailsabout its content, see section Identity Conversion Rule for Federated Users.

● Editing rules: In the Identity Conversion Rule area, click Edit Rule. Thisfunction provides flexible syntax for editing rules to meet the federatedidentity authentication requirements. For examples of rules, see sectionIdentity Conversion Rule for Federated Users.

After the rules are edited, you can click Verify Rule in the lower left corner of thepage to verify that they are correct.

3.6.7 Identity Conversion Rule for Federated UsersThe identity conversion rule for federated users is displayed in a JSON file. You canmodify it by modifying the JSON file. The JSON format is as follows:[ { "remote": [ { "<condition>" } ], "local": [ { "<user> or <group> or <groups>" } ] } ]

● remote: indicates the information about a federated user in the IdP. Thisexpression is a combination of assertion attributes and operators. The value ofremote is determined based on the assertion.


2019-04-19 51

● condition: indicates the identity conversion rule that maps federated users tothe cloud system. The following three conditions are supported:– empty: unlimited. The condition is always valid and the returned value is

the input attribute value. This value is used to replace the placeholder inthe local block.

– any_one_of: The condition is valid only if the input attributes include anyspecified value, and a Boolean value is returned. The returned valuecannot be used to replace the placeholder in the local block.

– not_any_of: The condition is valid only if the input attributes do notinclude any specified value, and a Boolean value is returned. The returnedvalue cannot be used to replace the placeholder in the local block.

● local: indicates the information about a federated user in the cloud system.This value can be a placeholder {0..n}. {0} indicates the first attribute of theuser information in remote. {1} indicates the second attribute of the userinformation in remote.

Examples of Identity Conversion Rule ConditionsThe following examples illustrate how to use the conditions (empty, any_one_of,and not_any_of) in an identity conversion rule.

● The empty condition indicates that a character string value can be returned.This value is used to replace the placeholder {0..n} in the local block. Theexample is as follows:[ { "local": [ { "user": { "name": "{0} {1}" } }, { "group": { "name": "{2}" } } ], "remote": [ { "type": "FirstName" }, { "type": "LastName" }, { "type": "Group" } ] } ]

The username of the federated user in the cloud system is "first attributevalue of remote+space+second attribute value of remote", or FirstNameLastName. The belonged user group is the third attribute value of remote,that is Group. The Group attribute can have only one value.Assume that the cloud system receives the following assertion (this exampleuses a simplified assertion structure). The username of the federated user inthe cloud system is John Smith. John Smith in the cloud system is attached tothe admin user group.


2019-04-19 52

{FirstName: John} {LastName: Smith} {Groups: admin}

If a federated user needs to belong to multiple user groups in the cloudsystem, the identity conversion rules are as follows:[ { "local": [ { "user": { "name": "{0} {1}" } }, { "groups": "{2}" } ], "remote": [ { "type": "FirstName" }, { "type": "LastName" }, { "type": "Groups" } ] } ]

The username of the federated user in the cloud system is "first attributevalue of remote+space+second attribute value of remote", or FirstNameLastName. The user group of the federated user is the third attribute value ofremote, that is Groups.Assume that the cloud system receives the following assertion, the usernameof the federated user in the cloud system is John Smith. John Smith belongs tothe admin and manager user groups.{FirstName: John} {LastName: Smith} {Groups: [admin, manager]}

● Unlike the empty condition, the returned values of the any one of and notany of conditions are Boolean values. These values cannot be used to replacethe placeholder in the local block. In the following example, only theplaceholder {0} exists and is replaced by the returned value of empty in theremote block. The value of group must be admin.[ { "local": [ { "user": { "name": "{0}" } }, { "group": { "name": "admin" } } ], "remote": [ { "type": "UserName" },


2019-04-19 53

{ "type": "Groups", "any_one_of": [ "idp_admin" ] } ] } ]

The username of the federated user in the cloud system is the first attributevalue of remote, that is UserName. The user group of the federated user isadmin. This rule takes effect only for the users in the idp_admin user groupin the IdP.If a federated user needs to belong to multiple user groups in the cloudsystem, the identity conversion rules are as follows:[ { "local": [ { "user": { "name": "{0}" } }, { "groups": "[\"admin\",\"manager\"]" } ], "remote": [ { "type": "UserName" }, { "type": "Groups", "any_one_of": [ "idp_admin" ] } ] } ]

The username of the federated user in the cloud system is the first attributevalue of remote, that is UserName. The user groups of the federated user areadmin and manager. This rule takes effect only for the users in theidp_admin user group in the IdP.– Assume that the cloud system receives the following assertion. John

Smith belongs to the idp_admin user group and can therefore access thecloud system.{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}

– Assume that the cloud system receives the following assertion. JohnSmith does not belong to the idp_admin user group, so this rule does nottake effect for John Smith, and John Smith cannot access the cloudsystem.{UserName: John Smith} {Groups: [idp_user, idp_agency]}

● Condition including a regular expression: You can specify "regex": true inconditions to indicate that the system is calculating the result using a regularexpression.[ { "local": [


2019-04-19 54

{ "user": { "name": "{0}" } }, { "group": { "name": "admin" } } ], "remote": [ { "type": "UserName" }, { "type": "Groups", "any_one_of": [ ".*@mail.com$" ], "regex": true } ] } ]

This rule takes effect for any user whose username starts with any value andends with @mail.com. The username in the cloud system is UserName, andthe user group is admin.

● Condition combination: Multiple conditions are combined using the logicalAND.[ { "local": [ { "user": { "name": "{0}" } }, { "group": { "name": "admin" } } ], "remote": [ { "type": "UserName" }, { "type": "Groups", "not_any_of": [ "idp_user" ] }, { "type": "Groups", "not_any_of": [ "idp_agent" ] } ] } ]

This rule takes effect only for the federated users who do not belong to theidp_user or idp_agent user group in the IdP. The username of those users in


2019-04-19 55

the cloud system is UserName, and their user group is admin. The precedingrule is equivalent to the following:[ { "local": [ { "user": { "name": "{0}" } }, { "group": { "name": "admin" } } ], "remote": [ { "type": "UserName" }, { "type": "Groups", "not_any_of": [ "idp_user", "idp_agent" ] } ] } ]

● Multiple rulesIf multiple rules are combined, the methods for generating usernames anduser groups are different.The username in the first valid rule is used as UserName. At least one username rule among all of the rules must take effect, or the user will not beallowed to log in. The collection of the user group names in all valid rules isused as Groups.Separating the configuration of usernames and user groups using multi-ruleconfiguration makes it easier to read.[ { "local": [ { "user": { "name": "{0}" } } ], "remote": [ { "type": "UserName" } ] }, { "local": [ { "group": { "name": "admin" } } ], "remote": [ {


2019-04-19 56

"type": "Groups", "any_one_of": [ "idp_admin" ] } ] }]

This rule combination takes effect for the users in the idp_admin user group.The username in the cloud system is UserName, and the user group isadmin.Assume that the cloud system receives the following assertion. John Smithbelongs to the idp_admin user group, so this rule takes effect for John Smith.The username of the federated user in the cloud system is John Smith, andits user group is admin.{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}

3.6.8 SSO ProcessAfter federated identity authentication is configured, federated users can accessthe cloud system directly and manage resources in the system by logging in to theenterprise IdP. This section describes how IAM authenticates a federated user afterthe user is authenticated by the IdP.

Figure 3-20 Login process model


2019-04-19 57

Description

To view the interactive requests and assertion information more easily, you are advised touse the Google Chrome web browser and install the SAML Message Decoder plug-in.

1. Open the login link generated after an IdP is created in a web browser. Theweb browser initiates SSO.

2. IAM finds the metadata file of the enterprise IdP based on the account andIdP carried in the link and constructs a SAML Request to respond to the webbrowser.

3. The web browser responds and forwards the SAML Request to the enterpriseIdP.

4. Users enter a username and password on the IdP server for identityauthentication.

5. The IdP server constructs an assertion in a SAML Response to respond to theweb browser.

6. The web browser responds and forwards the SAML Response to IAM.7. IAM extracts the assertion from the SAML Response and parses the assertion.

Based on the configured rules, IAM generates a token to implement the login.

The assertion must carry a signature or the login will fail.


2019-04-19 58

4 FAQs

4.1 How Do I Enable the Login AuthenticationFunction?

To ensure your account security, you are advised to enable the loginauthentication function. After this function is enabled, you need to enter anauthentication code from a virtual MFA device, an SMS verification code, or anemail verification code on the Login Verification page when logging in to thecloud system.

PrerequisitesA user can enable the SMS-based or email-based login authentication functiononly when a mobile number or email address is bound to the user account. A usercan enable the virtual MFA-based login authentication function only when avirtual MFA device is bound to the user account.

Procedure● Enabling login authentication on the Modify User page on the IAM console


Step 2 Click Modify in the Operation column of the row that contains the target user.

Step 3 On the Modify User page, select a login authentication method, and enter thecorresponding code.

Step 4 Click OK.

----End

● Enabling login authentication on the My Credential page

Step 1 Click the username in the upper right corner and select My Credential from thedrop-down list.

Step 2 On the My Credential page, click Change following the Login AuthenticationMethod field.

Identity and Access ManagementUser Guide 4 FAQs

2019-04-19 59

Step 3 On the Modify Login Protection page, select a login authentication method, andenter the corresponding code.

Step 4 Click OK.

----End

4.2 How Do I Bind a Virtual MFA Device?Multi-Factor Authentication (MFA) is a simple best practice that adds an extralayer of protection on top of your username and password. With MFA enabled,when a user logs in to the cloud system, they will be prompted for their usernameand password (the first factor), as well as for an authentication code from theirMFA device (the second factor). Taken together, these multiple factors provideincreased security for your account settings and resources.

There are hardware and virtual MFA devices. Currently, the cloud system supportsonly virtual MFA devices.

A virtual MFA device is an application that can generate 6-digit authenticationcodes. The codes comply with the Time-based One-time Password Algorithm(TOTP). Such applications can run on mobile devices (including smartphones) andare easy to use.

Prerequisites

You have installed a virtual MFA application (for example, Google Authenticator)on your smartphone.

Procedure

Step 1 On the console page, click the username in the upper right corner and select MyCredential from the drop-down list.

Step 2 On the My Credential page, click Bind following the Virtual MFA Device field.

Step 3 Go to the Login Authentication Policies page.

Figure 4-1 Login authentication policies


2019-04-19 60

A secret key is the credential for obtaining the MFA authentication code. The key willbecome invalid after being used once. To ensure your account security, do not share this keywith anyone.

Step 4 Add a user to your MFA application.

● Scanning a QR code

Open the MFA application smartphone, tap + in the lower right corner, andselect Scan a barcode to scan the QR code on the Login AuthenticationPolicies page. After the scan is successful, the system automatically adds auser to the application. Your account and secret key are displayed on theapplication.

● Manually entering a secret key

Open the MFA application on your smartphone, tap + in the lower rightcorner, and select Enter a provided key to enter the secret key on the LoginAuthentication Policies page.

If you add a user by manually entering a secret key, the mobile device and the cloudsystem must both use Greenwich Mean Time (GMT) and the time on the mobiledevice and that in the cloud system must be the same. It is recommended that youconfigure the mobile device to enable it to automatically set the time, therebyensuring time consistency.

Step 5 After the user is added, return to the homepage of the MFA application, and viewthe authentication codes generated by the application.

The authentication codes are automatically updated every 30 seconds.

Step 6 On the Login Authentication Policies page, enter two consecutive authenticationcodes and click OK to bind the virtual MFA device.

----End

4.3 How Do I Obtain MFA Authentication Codes?When MFA is enabled, you need to enter an authentication code generated byyour MFA application in addition to the username and password when logging into the console.

Figure 4-2 MFA authentication code

You need to open you MFA application and view the authentication code for theaccount bound to the application on the homepage of the application.


2019-04-19 61

4.4 How Do I Unbind a Virtual MFA Device?You can unbind a virtual MFA device on your smartphone as long as the virtualMFA application is installed on your phone.

1. At the upper left of the main menu bar, click Console.2. Click the username in the upper right corner and select My Credential from

the drop-down list.3. Click Unbind to the right of Virtual MFA Device.

Figure 4-3 Unbinding virtual MFA device

4. Enter the authentication code obtained from the virtual MFA device.5. Click OK.

After the code is verified, the virtual MFA device is unbound successfully.


2019-04-19 62

A Change History

Table A-1 Change history

Released On What's New

2019-04-19 This release incorporates the following change:Added descriptions about the scope of custom policiesin Creating Custom Policies.

2019-04-18 This release incorporates the following change:Accepted in OTC-4.0/Agile-05.2019

2019-04-11 This release incorporates the following change:Added descriptions about the differences betweenRBAC and fine-grained policies in section PolicyLanguage.

2019-04-02 This release incorporates the following change:Added descriptions about operation security protectionin section Setting Account Security Policies.

2019-03-12 This release incorporates the following changes:● Modified descriptions in sections Fine-grained

Policy and Creating Custom Policies.● Added a screenshot and modified descriptions in

section Policy Language.

2019-02-26 This release incorporates the following change:Added section Assigning Permissions (by a DelegatedParty).

Identity and Access ManagementUser Guide A Change History

2019-04-19 63


2018-11-22 This release incorporates the following changes:● Added section How Do I Bind a Virtual MFA

Device?● Added section How Do I Obtain MFA

Authentication Codes?● Added section How Do I Unbind a Virtual MFA

Device?

2018-10-05 This release incorporates the following change:Added the description that the name of a user groupcannot be changed in section Viewing and ModifyingUser Group Information.

2018-09-18 This release incorporates the following change:Accepted in Open Telekom Cloud 3.2.

2018-08-30 This release incorporates the following changes:Added the description about Session Timeout Policy inSetting Account Security Policies.

2018-08-10 This release incorporates the following changes:● Added section Personal Data Protection

Mechanism.● Added section Audit.

2018-07-30 This release incorporates the following changes:Added section Fine-grained Policy Management.

2018-06-29 This release incorporates the following changes:Added description about the Require Password Resetoption in sections Creating a Security Administrator,Creating a User and Adding It to a User Group,Creating a User, and Viewing and Modifying UserInformation.

2018-05-10 This release incorporates the following changes:Accepted in Open Telekom Cloud 3.1.

2018-03-30 This release incorporates the following changes:Added the description for ACL validation conditions inSetting Account Security Policies.

2018-01-30 This release incorporates the following changes:● Added the immediate project deletion function in

Managing a Project.● Added a note for the "Refined permission

management" table in IAM Features.


2019-04-19 64


2018-01-18 This release incorporates the following changes:● Modified the "Refined permission management"

table in IAM Features.● Added a table that describes agency types in

Creating an Agency (by a Delegating Party).

2017-10-27 This release incorporates the following changes:Adjusted the document content structure. Addedchapters Product Introduction and Getting Started.

2017-10-15 This release incorporates the following changes:Deleted chapter "Permission Description." For details,see Permission Description.

2017-09-15 This release incorporates the following changes:● Added the following content in Managing a Project:

– Relationship between users and projects– Method of enabling Cloud Trace Service (CTS)– A notice that the resources in a project will also

be deleted if the project is deleted– Naming conventions of a project name

● Modified the description in Managing a Project forentering Login Password and Verification Codeduring project deletion.

2017-08-29 This release incorporates the following changes:Made the following changes in Managing a Project:● Changed the number of projects that can be created

in a region by default from 2 to 10.● Deleted the description for the method of creating a

project.

2017-08-22 This release incorporates the following changes:Added the following content in Managing a Project:● Method of applying for a higher quota● Authorizing projects● A note that a project cannot be deleted once it is

created

2017-07-27 This release incorporates the following changes:● Added the description for the CTS Administrator

permission.● Added the description for automatically extracting

metadata and manually configuring metadata inCreating an IdP.


2019-04-19 65

https://docs.otc.t-systems.com/en-us/permissions/index.html


2017-05-26 This release incorporates the following changes:● Added section Establishing a Trust Relationship.● Added section SSO Process.

2017-05-05 This release incorporates the following changes:Changed the position of Creating a User.

2017-04-27 This release incorporates the following changes:● Added section Creating an Agency (by a

Delegating Party).● Added section Assigning Permissions (by a

Delegated Party).

2017-03-30 This release incorporates the following changes:● Modified the descriptions in section Creating a User

according to the changes in the Create User page.● Added the description for the DCS Administrator

permission.

2017-02-22 This release incorporates the following changes:● Added the description for the Agent Operator

permission.● Added the description for the CCE Administrator

permission.● Added the description for the DMS Administrator

permission.

2017-01-25 This release incorporates the following changes:Modified the description for the Server Administratorpermission.

2017-01-20 This release incorporates the following changes:● Added the description for the MRS Administrator

permission.● Modified the description for the Server

Administrator permission.● Modified the description for the RDS Administrator

permission.

2016-12-30 This release incorporates the following changes:● Added the description for the Workspace

Administrator permission.● Added the description for the KMS Administrator

permission.


2019-04-19 66


2016-10-29 This release incorporates the following changes:● Modified the description for the RDS Administrator

permission.● Deleted the description for the te_user permission.

2016-09-30 This release incorporates the following changes:● Added the following sections:

– Permission Description– Creating a User– Creating an IdP– Using Rules to Control Federated User Access

to the Cloud System● Deleted the API key description.

2016-08-25 This release incorporates the following changes:Added section Setting Account Security Policies.

2016-03-14 This issue is the first official release.


2019-04-19 67

user guide - docs.otc.t-systems.com · and people, iam encrypts your personnel data before storing...

Documents