> For the complete documentation index, see [llms.txt](https://docs.vngcloud.vn/vng-cloud-document/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.vngcloud.vn/vng-cloud-document/identity-and-access-management-iam/ung-dung-pho-bien/phan-quyen-truy-cap-theo-chuc-nang-cong-viec.md). # Access control by job function When decentralizing access to resources, companies will often decentralize permissions based on the job functions of members. There are two main types of job functions in an IT company: **System Administrator** and **Developer** . This manual will guide you on how to assign permissions to two functional groups to access vServer and vStorage products. First, the access rights of the above two groups of job functions will be defined as follows: * **System Administrator** : responsible for managing all resources on the Cloud, should be granted full vServer rights, vStorage will correspond to the managed policies already created by GreenNode: vServerFullAccess, vStorageFullAccess * **Developer** : only needs to view resources on the Cloud, so just grant read-only permission to vServer, vStorage will correspond to the managed policies already created by GreenNode: vServerReadOnlyAccess, vStorageReadOnlyAccess. To make it easier to manage decentralization for many members in the company, we will organize **2 more User Groups with the names: SystemAdmin and Developer** , with members with the same job function being attached. Corresponding User Groups to enjoy the rights granted to User Groups. Managing with User Groups will help you flexibly change permissions when necessary, or when members change job functions.tr With the above organization, we will have a detailed statistical table as follows: | **Job function** | **User Group** | **Permission** | **Describe** | | -------------------- | -------------- | --------------------------------------------------------- | --------------------------------------------- | | System Administrator | SystemAdmin |

vServerFullAccess

vStorageFullAccess

| Full rights on vServer, vStorage | | Developer | Developer |

vServerReadOnlyAccess

vStorageReadOnlyAccess

| Only view information on vServer and vStorage | Correspondingly, we will have an organizational model as below:
To set up IAM according to the above model, we will have the following steps: **Step 1** : Create User Groups (SystemAdmin, Developer) and attach corresponding managed policies **Step 2** : Create User Account (System1, System2, Developer1, Developer2) and attach to the corresponding User Groups **Step 3** : Log in to User Accounts to check permissions Detailed step-by-step instructions **Step 1: Create User Groups (SystemAdmin, Developer) and attach corresponding managed policies** Access the Group tab on the IAM management page here [,](https://iam.console.vngcloud.vn/user-groups) click " **Create a Group** " and fill in the group name information as SystemAdmin, click **Next step** to go to the step of attaching Policy
Search and attach 2 managed policies, vServerFullAccess and vStorageFullAccess, to the group: SystemAdmin, then click **Create Group** to create
Follow the same steps above when creating a group: Developer, select managed policy as vServerReadOnlyAccess and vStorageReadOnlyAccess
So you have completed creating 2 User Groups: SystemAdmin and Developer with full rights as defined
**Step 2: Create User Account (System1, System2, Developer1, Developer2) and attach to the corresponding User Groups** Proceed to create User Accounts by accessing the User Account tab on the IAM management page here [,](https://iam.console.vngcloud.vn/user-accounts) clicking **Create a User Account,** filling in Username and Password information, then clicking **Create User Account** (note for brief instructions in Here we create 4 user accounts with the same password. We recommend that you create separate user accounts with different passwords, or change passwords when using):
After successfully creating User Accounts, they will be listed on the User Account page as below
To add Users: System1, System2, Developer1, Developer2 to Group: SystemAdmin, Developer, you can do it in each User Account or Group, here we will guide you to add User Account in Group, go to Group tab and click on **the name. of Group** to enter the details of the Group, as here is Group: SystemAdmin
Select **the User tab**
Click Add **Users** , a popup will appear, select User: System1, System2 and click **Add:**
To add User: Developer1, Developer2 to Group: Developer, follow the same steps as above:
So you have completed creating User Accounts and adding them to the corresponding Group, at this point the User Accounts will fully inherit the rights that the Group has. **Step 3: Log in to User Accounts to check permissions** Now you can log in to User Accounts to check permissions. Here we will try to log in to 2 Users: System1, Developer1 to perform some operations on vServer to check permissions. Access vServer here [,](https://hcm-3.console.vngcloud.vn/vserver/v-server/cloud-server) without logging into any account you will be redirected to the sign-in page, select " **Sign-in With IAM User Account** "
Fill in the root user email account information where the IAM user was previously created, IAM username and password information, click **Sign-in with IAM User Account**
At this point you will see that User: System1 has full rights on vServer. You can create a new Server or change Server information to check permissions. For example, below is User: System1 successfully starting a Server.
Do the same steps above to log in to User: Developer1, now you will see that User: Developer1 only has the right to view vServer information, cannot interactively change the Server, for example below is User: Developer1 wanting to start 1 Server but refused execution
So you have completed assigning access rights according to job functions. Now to grant permissions to new members, you just need to create a User Account and add it to the Group. To change permissions, you just need to change the Policy. at Groups makes it easier to manage access to resources on GreenNode. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.vngcloud.vn/vng-cloud-document/identity-and-access-management-iam/ung-dung-pho-bien/phan-quyen-truy-cap-theo-chuc-nang-cong-viec.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.