Use Cases IAM

This article describes a simple business use case for IAM to help you understand how to implement the service to control user access to the VNG Cloud services you use. This example illustrates two ways that the company Example can apply IAM, including using VNG Cloud vServer.

Initial Setup

Sasha Nguyen and Alex Thompson are the co-founders of Example Company. When founding the company, they understood the importance of a robust identity access management system to protect their resources. They decided to implement Identity Access Management (IAM) for their organization to ensure that only authorized individuals could access the company’s resources and services.

First, Sasha and Alex created a VNG Cloud account (Root user account). They used this account to access the IAM service. Their account was attached to the AdministratorAccess policy, meaning they had full control over all company resources and services with the Root user account.

As the company expanded, Sasha and Alex began hiring employees for various positions. Sasha took on the responsibility of overseeing company operations, while Alex managed the engineering teams. However, they couldn't grant Root user account access to these employees, as it would exceed the authority of each job position. Therefore, they needed to provide employees with User accounts derived from the Root user account on the IAM homepage with specific permissions to access and use the resources.

First, they identified the different roles within the company. For example, they had roles for developers, network administrators, database administrators, and support staff. Each role would have different access permissions to the company's resources and services. Sasha and Alex then created User accounts and user groups (Groups) corresponding to each role. These user groups would contain employees with similar access and roles, making it easier to manage access permissions for each group.

To manage access permissions, Sasha and Alex used IAM policies. They defined what each role and user group could and could not do. They assigned policies and roles to different groups to provide users with the correct level of access to VNG Cloud resources. They used VNG Cloud-managed policies for job functions in the IAM Management Console to create the following permission groups:

• Administrator

• Billing

• Developers

• Network administrators

• Database administrators

• System administrators

• Support users

They then assigned these policies to User accounts or Groups with the corresponding roles and provided usernames and passwords for the User accounts to employees to access and use the resources.

To guide the implementation of the IAM Identity Center, Sasha and Alex referred to the comprehensive "" section in the VNG Cloud IAM User Guide. This step-by-step guide provided detailed instructions for initial configuration. Additionally, they consulted the "" section of the user guide to better understand how to grant user access within the IAM Identity Center.

As the innovative company continued to grow, Sasha and Alex remained diligent in reviewing and updating access permissions for each employee. They regularly adjusted access permissions and levels to ensure that employees had the appropriate access privileges for their roles and responsibilities within the organization or revoked them as needed.

IAM Use Case with vServer

vServer Permissions for User Groups

At Example, different user groups require different permissions:

Assigning System Administrator Permissions to a User Group

Taylor Smith was hired as a project manager, so he needs access to all company resources to manage access and deploy IT projects related to VNG Cloud infrastructure. Therefore, Alex granted Taylor a User account with vServerFullAccess permissions following these steps:

Step 1: Create a User Account in the IAM System

3. Open the User account tab.

4. Select "Create a user account."

5. In the Account user name field, Alex entered the name for the User account as Sysad01.

6. Enter the password for the User account in the Account password field.

7. Then click "Create User Account."

At this point, Alex created a separate User account for Taylor with the following information:

• User account: Username: Sysad01 ; Password: Asddehj

Step 2: Create a User Group

After creating the User account, Alex proceeded to create a user group:

2. Select "Create a group."

3. Alex entered the Group name as SysAd in the Name field and added a description in the Description field.

4. Proceed to the next step. In the User field, Alex selected the Sysad01 User account to add to the Group.

5. Then click "Create a Group."

A Group named SysAd will be created, including the User account: Sysad01.

Step 3: Assign Permissions to the User Group

Currently, IAM provides several default policies that help users quickly and efficiently set up access permissions. Therefore, for the SysAd user group, Alex added the vServerFullAccess policy following these steps:

2. Click to view the details of the vServerFullAccess policy on the list page.

3. Then, in the Policy usage menu, click Attach.

4. In the Group tab, Alex selected the SysAd group and clicked Add.

After completing these steps, the SysAd group will include the User account Sysad01 with the vServerFullAccess policy.

Step 4: Access Resources Using the IAM Account (User account) After creating the User account: Sysad01, Alex granted this account to Taylor, who then used it to access the company's resources:

2. On the login screen, select "SIGNIN WITH IAM USER ACCOUNT."

3. Enter the Root email information: Admin@vngcloud.vn, User name: Sysad01, Password: Asddehj.

4. The screen will navigate to the vServer management page, where you can interact with the resources granted in the Policy assigned to the User account.

Assigning Developer Permissions to a User Group

Johnson Miles and Scott Enzi joined the company as Developers, so they need permissions to work with Servers, such as viewing the list, starting, or stopping Servers. However, they cannot create or change Server configurations and view billing information. Therefore, Alex granted them User accounts in the Devs user group with the Developer policy. Johnson and Scott can then use the User account username and password to access and use the granted resources:

Step 1: Create a User Account in the IAM System

2. Open the User account tab.

3. Select "Create a user account."

4. In the Account user name field, Alex entered the name for the User account as Dev01.

5. Enter the password for the User account in the Account password field.

6. Then click "Create User Account."

At this point, Alex created two separate User accounts for Johnson Miles and Scott Enzi with the following information:

• User account 1: Username: Dev01 ; Password: Asddehj1

• User account 2: Username: Dev02 ; Password: Aseeeghe2

Step 2: Create a User Group

After creating the User accounts, Alex proceeded to create a user group:

2. Select "Create a group."

3. Alex entered the Group name as DevGroup in the Name field and added a description in the Description field.

4. Proceed to the next step. In the User field, Alex selected the Dev01 and Dev02 User accounts to add to the Group.

5. Then click "Create a Group."

A Group named DevGroup will be created, including the two User accounts: Dev01 and Dev02.

Step 3: Assign Permissions to the User Group

After creating the Group, Alex needed to create a policy to assign to the Group:

2. Create a new policy by clicking "Create a Policy."

3. In the Information screen, in the Name field, Alex entered the name of the Policy as Developers.

4. Proceed to the Permissions step. Alex selected Product: vServer.

5. In the Action field, Alex selected the permissions: ListServer, GetServer, StartServer, StopServer, RebootServer.

6. Currently, Alex grants the Developer group permissions to all Servers, so he selected All Resources in the Resource field.

7. Then click "Create Policy" to create the new policy.

8. After that, on the Policy list page, select the newly created Developers policy.

9. On the Policy detail page, select the Policy usage tab and click Attach.

10. In the Group tab, Alex selected the DevGroup and clicked Add.

After completing these steps, the SysAd group will include the two User accounts Dev01 and Dev02 with the Developers policy.

Bước 4: Truy cập vào tài nguyên sử dụng IAM account (User account)

Sau khi tạo 2 User account: Dev01, Dev02, Alex đã cấp quyền sử dụng account này cho Johnson và Scott, họ đã sử dụng để truy cập vào tài nguyên của Công ty và sử dụng chúng:

2. Tại màn hình Đăng nhập: chọn SIGNIN WITH IAM USER ACCOUNT

3. Nhập thông tin Root email: Admin@vngcloud.vn, Username: Dev01 ; Pasword: Asddehj1 / Username: Dev02 ; Pasword: Aseeeghe2

4. Màn hình sẽ điều hướng sang trang quản lý vServer, tại đây có thể thao tác vào các tài nguyên được cấp quyền trong Policy đã gán với User account.

Step 4: Access Resources Using the IAM Account (User account)

After creating the two User accounts: Dev01 and Dev02, Alex granted these accounts to Johnson and Scott, who then used them to access the company's resources:

2. On the login screen, select "SIGNIN WITH IAM USER ACCOUNT."

3. Enter the Root email information: Admin@vngcloud.vn, Username: Dev01 ; Password: Asddehj1 / Username: Dev02 ; Password: Aseeeghe2.

4. The screen will navigate to the vServer management page, where you can interact with the resources granted in the Policy assigned to the User account.

Assigning Support Permissions to a User Group

Step 1: Create a User Account in the IAM System

2. Open the User account tab.

3. Select "Create a user account."

4. In the Account user name field, Alex entered the name for the User account as Supo01.

5. Enter the password for the User account in the Account password field.

6. Then click "Create User Account."

At this point, Alex created a separate User account for Taylor with the following information:

• User account: Username: Supo01 ; Password: Asddehj3

Step 2: Create a User Group

After creating the User account, Alex proceeded to create a user group:

2. Select "Create a group."

3. Alex entered the Group name as SupportGroup in the Name field and added a description in the Description field.

4. Proceed to the next step. In the User field, Alex selected the Supo01 User account to add to the Group.

5. Then click "Create a Group."

A Group named SupportGroup will be created, including the User account: Supo01.

Step 3: Assign Permissions to the User Group Currently, IAM provides several default policies that help users quickly and efficiently set up access permissions. Therefore, for the SupportGroup user group, Alex added the vServerReadOnlyAccess policy following these steps:

2. Click to view the details of the vServerReadOnlyAccess policy on the list page.

3. Then, in the Policy usage menu, click Attach.

4. In the Group tab, Alex selected the SupportGroup and clicked Add.

After completing these steps, the SupportGroup will include the User account Supo01 with the vServerReadOnlyAccess policy.

Step 4: Access Resources Using the IAM Account (User account) After creating the User account: Supo01, Alex granted this account to Taylor, who then used it to access the company's resources:

2. On the login screen, select "SIGNIN WITH IAM USER ACCOUNT."

3. Enter the Root email information: Admin@vngcloud.vn, User name: Supo01, Password: Asddehj3.

The screen will navigate to the vServer management page, where you can interact with the resources granted in the Policy assigned to the User account.