Access control by job function
When decentralizing access to resources, companies will often decentralize permissions based on the job functions of members. There are two main types of job functions in an IT company: System Administrator and Developer . This manual will guide you on how to assign permissions to two functional groups to access vServer and vStorage products.
First, the access rights of the above two groups of job functions will be defined as follows:
System Administrator : responsible for managing all resources on the Cloud, should be granted full vServer rights, vStorage will correspond to the managed policies already created by VNG Cloud: vServerFullAccess, vStorageFullAccess
Developer : only needs to view resources on the Cloud, so just grant read-only permission to vServer, vStorage will correspond to the managed policies already created by VNG Cloud: vServerReadOnlyAccess, vStorageReadOnlyAccess.
To make it easier to manage decentralization for many members in the company, we will organize 2 more User Groups with the names: SystemAdmin and Developer , with members with the same job function being attached. Corresponding User Groups to enjoy the rights granted to User Groups. Managing with User Groups will help you flexibly change permissions when necessary, or when members change job functions.tr
With the above organization, we will have a detailed statistical table as follows:
Job function | User Group | Permission | Describe |
System Administrator | SystemAdmin | vServerFullAccess vStorageFullAccess | Full rights on vServer, vStorage |
Developer | Developer | vServerReadOnlyAccess vStorageReadOnlyAccess | Only view information on vServer and vStorage |
Correspondingly, we will have an organizational model as below:
To set up IAM according to the above model, we will have the following steps:
Step 1 : Create User Groups (SystemAdmin, Developer) and attach corresponding managed policies
Step 2 : Create User Account (System1, System2, Developer1, Developer2) and attach to the corresponding User Groups
Step 3 : Log in to User Accounts to check permissions
Detailed step-by-step instructions
Step 1: Create User Groups (SystemAdmin, Developer) and attach corresponding managed policies
Access the Group tab on the IAM management page here , click " Create a Group " and fill in the group name information as SystemAdmin, click Next step to go to the step of attaching Policy
Search and attach 2 managed policies, vServerFullAccess and vStorageFullAccess, to the group: SystemAdmin, then click Create Group to create
Follow the same steps above when creating a group: Developer, select managed policy as vServerReadOnlyAccess and vStorageReadOnlyAccess
So you have completed creating 2 User Groups: SystemAdmin and Developer with full rights as defined
Step 2: Create User Account (System1, System2, Developer1, Developer2) and attach to the corresponding User Groups
Proceed to create User Accounts by accessing the User Account tab on the IAM management page here , clicking Create a User Account, filling in Username and Password information, then clicking Create User Account (note for brief instructions in Here we create 4 user accounts with the same password. We recommend that you create separate user accounts with different passwords, or change passwords when using):
After successfully creating User Accounts, they will be listed on the User Account page as below
To add Users: System1, System2, Developer1, Developer2 to Group: SystemAdmin, Developer, you can do it in each User Account or Group, here we will guide you to add User Account in Group, go to Group tab and click on the name. of Group to enter the details of the Group, as here is Group: SystemAdmin
Select the User tab
Click Add Users , a popup will appear, select User: System1, System2 and click Add:
To add User: Developer1, Developer2 to Group: Developer, follow the same steps as above:
So you have completed creating User Accounts and adding them to the corresponding Group, at this point the User Accounts will fully inherit the rights that the Group has.
Step 3: Log in to User Accounts to check permissions
Now you can log in to User Accounts to check permissions. Here we will try to log in to 2 Users: System1, Developer1 to perform some operations on vServer to check permissions.
Access vServer here , without logging into any account you will be redirected to the sign-in page, select " Sign-in With IAM User Account "
Fill in the root user email account information where the IAM user was previously created, IAM username and password information, click Sign-in with IAM User Account
At this point you will see that User: System1 has full rights on vServer. You can create a new Server or change Server information to check permissions. For example, below is User: System1 successfully starting a Server.
Do the same steps above to log in to User: Developer1, now you will see that User: Developer1 only has the right to view vServer information, cannot interactively change the Server, for example below is User: Developer1 wanting to start 1 Server but refused execution
So you have completed assigning access rights according to job functions. Now to grant permissions to new members, you just need to create a User Account and add it to the Group. To change permissions, you just need to change the Policy. at Groups makes it easier to manage access to resources on VNG Cloud.
Last updated
