Identity and Access Management

User Guide

Issue 09

Date 2017-08-16


Contents

1 What Is IAM?

2 How Do I Manage User Groups and Grant Permissions to Them?

3 Permission Description

4 How Do I Manage Users?

5 How Do I Create an Agency?

6 How Do I Switch Roles?

7 How Do I Configure Federated Identity Authentication?
  7.1 Introduction to Federated Identity Authentication
  7.2 Interconnection for Federated Identity Authentication
  7.3 SSO Process
  7.4 How Do I Create an Identity Provider and Perform an SSO?
  7.5 How Do I Configure the Name and Permission Information About a Federated User?

8 How Do I Set Account Policies?

9 User Management Mechanism Explained Using a Picture

A Change History


1 What Is IAM?

Identity and Access Management (IAM) is an enterprise-level self-service cloud resource management system and provides user identity management and access control functions.

With IAM, users can manage user accounts (for example, employees, systems, or applications) and control the operation rights of these accounts over their resources. If multiple users collaboratively operate resources in an enterprise, IAM prevents users from sharing their account keys with other users and allows security administrators to grant only necessary permissions to users. IAM also ensures account security and reduces security risks for enterprise information by allowing users to set login verification policies, password policies, and access control lists (ACLs).


2 How Do I Manage User Groups and Grant Permissions to Them?

Users with Security Administrator permissions in an enterprise can plan user groups based on user responsibilities, and grant permissions to the user groups so that users in each user group have the corresponding permissions. This method makes those permissions easier to manage for the users in the user groups.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, choose User Group.

Step 3 On the User Group page, click Create User Group.

Step 4 Set User Group.

Step 5 (Optional) Set Description.

Step 6 Click OK to return to the user group list.

The new user group is displayed in the user group list.

Step 7 Click Modify in the Operation column corresponding to the new user group.

The Modify User Group page is displayed.

Step 8 In the User Group Rights area, click Modify in the Operation column corresponding to the target project.

Step 9 In the Available Rights Sets area of the Modify User Group Permission dialog box, select a rights set corresponding to the service.

NOTE

For the default rights sets, see Default Permissions.

After you select a rights set name, you can view the JSON-formatted detailed information about this rights set in the Rights Set Information area. For details, see Permission Information.


Step 10 Click OK.

Step 11 Select a user from the Group Members drop-down combo box to add it to the user group.

NOTE

You can enter a keyword to quickly find the target user.

Step 12 Click OK.

----End

Operation Result

The created user group is displayed in the user group list.

Follow-up Procedure

In the user group list, click next to the target user group to view its details.


3 Permission Description

Permissions specify operations that users are allowed to perform on related objects. You can add operations on a certain object to the permissions of a user group and add a user to the user group so that the user inherits the permissions of the user group. User permission management based on user groups is more organized and avoids confusion.


Permission Relationship

Default Permissions

The system provides two types of default permissions: user management and resource management.


Users with the user management permissions can manage users, user groups, and user group permissions. For details, see Table 3-1.

Table 3-1 User management permissions

| Node name | Permission name | Description |
| --- | --- | --- |
| Base | Security Administrator | Users with this permission can create, delete, and modify users, and grant permissions to users. |
| IAM | Agent Operator | Users with this permission can switch to an entrusted user for processing services. |

Users with resource management permissions can control the operations performed on cloud service resources. For details, see Table 3-2.

NOTE

Object Storage Service (OBS) and other cloud resources are deployed separately. OBS only has Tenant Administrator and Tenant Guest permissions.

Table 3-2 Cloud resource management permissions

| Node name | Permission name | Managed cloud resource | Description |
| --- | --- | --- | --- |
| Base | Tenant Administrator | All services | Permissions to operate all cloud resources owned by an enterprise. |
| Base | Server Administrator | EVS, Elastic Cloud Server (ECS), and Virtual Private Cloud (VPC) | For the EVS service, users with this permission can create, modify, and delete EVS disks. For the ECS service, they can create, modify, and delete ECSs. For the VPC service, they can perform any operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth. The Server Administrator permission depends on the Tenant Guest permission. |
| Base | Tenant Guest | All services | Permissions to query the usage of all cloud resources owned by an enterprise. |
| Anti-DDoS | Anti-DDoS Administrator | Anti-DDoS | Permissions to enable, disable, and modify configurations. This permission depends on the Tenant Guest permission and must have permission to query EIPs in VPCs. |
| APM | APM Admin | ServiceStage | Users with this permission can manage domain monitoring data. |
| CCS | CCS Administrator | Cloud Catalog Service (CCS) | Users with this permission can customize products, product portfolios, and versions, add a product to a product portfolio, assign authorization, add constraints, perform O&M on product instances, and manage quotas. |
| CCS | CCS User | Cloud Catalog Service (CCS) | Users with this permission can view products and manage product instances. |
| CDE | CDE Admin | ServiceStage | Users with this permission can manage orchestration of domain applications. |
| CDE | CDE Developer | ServiceStage | Users with this permission can orchestrate applications. |
| CTS | CTS Administrator | Cloud Trace Service (CTS) | Permissions to enable CTS; create, modify, enable, and disable a tracker; and receive and view traces. This permission depends on the Tenant Guest and OBS Tenant Administrator permissions. If the OBS Tenant Administrator permission is unavailable, traces cannot be delivered to the OBS bucket for storage. |
| CRS | CRS Administrator | Cloud Report Service (CRS) | Permissions to connect, delete, modify, and query data sources; create, delete, modify, query, and preview data sets; create, delete, modify, query, and analyze data in worksheets; create, delete, modify, and query dashboards; and query quotas. |
| DWS | DWS Administrator | Data Warehouse Service (DWS) | Management permissions on all DWS resources. The permissions depend on the Tenant Guest and Server Administrator permissions. DWS cannot run properly if either of the permissions is unavailable. If DWS users are to create a VPC or a subnet, the VPC Administrator permission is required. |
| KMS | KMS Administrator | Key Management Service (KMS) | Permissions to create, enable, disable, schedule the deletion of, and cancel the scheduled deletion of CMKs; query the list of CMKs and information about CMKs; create random numbers; create DEKs, including plaintext-free DEKs; and encrypt and decrypt DEKs. |
| SVCSTG | SvcStg Admin | ServiceStage | Users with this permission can approve domain registration requests, service shelving requests, and service subscription requests. |
| SVCSTG | SvcStg Developer | ServiceStage | Users with this permission can apply for, use, and release resources. They can also configure the code library and perform operations on the software repositories. |
| SVCSTG | SvcStg Operator | ServiceStage | Users with this permission can monitor global resources, reclaim resources, and back up or restore platform data. |
| SWR | SWR Admin | ServiceStage | Users with this permission can manage software repositories of the domain. |
| MRS | MRS Administrator | MapReduce Service (MRS) | Permissions to view MRS overview information, operation logs, cluster information, job information, HDFS file operation information, the alarm list, and the MRS Manager portal. |
| RDS | RDS Administrator | Relational Database Service (RDS) and Document Database Service (DDS) | Users who have this right, plus the Tenant Guest and Server Administrator rights, can perform any operations on RDS and DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use RDS and DDS. NOTE: Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances. |
| DIS | DIS Administrator | Data Ingestion Service (DIS) | Permissions to create, delete, query, and list DIS streams; push data to DIS streams or pull data from them; and query stream monitoring metrics. |
| DPS | DPS Administrator | Data Pipeline Service (DPS) | Permissions to create and delete pipelines; modify, obtain, and check pipeline definitions; run and pause pipelines; set the schedule configurations for pipelines; stop the schedule of pipelines; and obtain pipeline lists, pipeline instance lists, activity instance lists, compute resources, and activity properties. |

Permission Information

Select a rights set name from the Available Rights Sets or Selected Rights Sets area of the Edit dialog box. The JSON-formatted detailed information about the selected rights set is displayed in the lower part. The JSON-formatted detailed information about each rights set contains one or multiple statements. Each statement describes a group of permissions.

The following is a permission information example. Table 3-3 describes the parameters.

    {
      "Version" : "1.0",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "VPC:vpc:*",
            "VPC:router:*",
            "VPC:network:*",
            "VPC:subnet:*",
            "VPC:privateip:*",
            "VPC:port:*",
            "VPC:vpn:*"
          ]
        }
      ],
      "Depends" : [
        {
          "catalog": "BASE",
          "display_name": "Tenant Guest"
        }
      ]
    }

Table 3-3 Parameter description

| Parameter | Description | Value |
| --- | --- | --- |
| Version | Indicates a version. | Example value: 1.0 |
| Statement (system-defined JSON statement): Effect | Whether an operation included in an action is allowed. | Possible values: Allow (the operation is allowed) or Deny (the operation is not allowed). |
| Statement: Action | An operation for a service included in a permission. | Service name:Operation name. Example value: VPC:subnet:* indicates all operations performed on a subnet. In this value, VPC is a service name, and the asterisk (*) is a wildcard character indicating all operations. |
| Depends (dependent rights set): catalog | Service that a dependent rights set belongs to. | Service name. Example value: BASE |
| Depends: display_name | Name of a dependent rights set. | Rights set name. Example value: Tenant Guest |
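The following evaluator shows how a rights set in the JSON format above can be applied to a concrete action name. It is an added example, not Huawei IAM code: the decision rules (an explicit Deny beats any Allow, a `*` segment matches one whole segment of a `Service:object:operation` name, and every Depends entry must already be held by the group before anything is granted) are assumptions made for illustration, and the Deny statement in the sample rights set is constructed, not taken from the page.

```python
"""Evaluate a rights set in the Version / Statement / Effect / Action / Depends
JSON format.  Added example, not Huawei IAM code; the matching and precedence
rules below are assumptions chosen for illustration."""
import json

# Constructed rights set: the page's VPC Allow statement, trimmed, plus a Deny
# statement added here to show how an explicit denial is handled.
RIGHTS_SET_JSON = """
{
  "Version": "1.0",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["VPC:vpc:*", "VPC:subnet:*", "VPC:port:*"] },
    { "Effect": "Deny",
      "Action": ["VPC:subnet:delete"] }
  ],
  "Depends": [ { "catalog": "BASE", "display_name": "Tenant Guest" } ]
}
"""
RIGHTS_SET = json.loads(RIGHTS_SET_JSON)


def action_matches(pattern: str, action: str) -> bool:
    """Segment-wise match of 'Service:object:operation'; '*' matches one segment."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(p == "*" or p == a for p, a in zip(p_parts, a_parts))


def evaluate(rights_set: dict, action: str) -> str:
    """'Deny' if any Deny statement matches, 'Allow' if an Allow statement matches,
    otherwise 'Deny' (nothing in the rights set grants the action)."""
    decision = "Deny"
    for stmt in rights_set.get("Statement", []):
        if not any(action_matches(p, action) for p in stmt.get("Action", [])):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"            # explicit deny wins, stop immediately
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def missing_dependencies(rights_set: dict, held: set) -> list:
    """Depends entries whose (catalog, display_name) pair the group does not hold."""
    return [d for d in rights_set.get("Depends", [])
            if (d["catalog"], d["display_name"]) not in held]


def is_permitted(rights_set: dict, action: str, held: set) -> bool:
    """Dependencies must be satisfied and the action must evaluate to Allow."""
    if missing_dependencies(rights_set, held):
        return False
    return evaluate(rights_set, action) == "Allow"


if __name__ == "__main__":
    held = {("BASE", "Tenant Guest")}
    for act in ("VPC:subnet:create", "VPC:subnet:delete", "VPC:router:create"):
        print(act, evaluate(RIGHTS_SET, act), is_permitted(RIGHTS_SET, act, held))
```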


4 How Do I Manage Users?

When an enterprise needs to create a user for a new employee or for development tools (such as API, CLI, and SDK) to access cloud services, users with Security Administrator permissions can create a user, set access credentials for this user, and add this user to a corresponding user group so that this user has the permissions of this user group.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, choose User.

Step 3 On the User page, click Create User.

Step 4 On the Create User page, enter User Name.

Step 5 Specify Credential Type.

- Password

NOTE

This option is used for logging in to the management console or enables development tools (such as API, CLI, and SDK) that support password authentication to access cloud services.

- Access key

NOTE

This option enables development tools (such as API, CLI, and SDK) that support key authentication to access cloud services.

Step 6 Select a user group to be added from the User Groups drop-down combo box.

NOTE

You can also enter a keyword to quickly find the target user group.

- If you set Credential Type to Password, go to Step 7.
- If you set Credential Type to Access key, click OK to download the generated key. The user creation is complete.


NOTE

The generated key is the access key. Download it as required.

Step 7 Click Next.

Step 8 Specify Password Type and enter Email and Mobile Number.

- Set at first login: The system will send you a one-time login URL using an email. You can click this URL to log in to the management console and set the password.

NOTE

If you set Password Type to Set at first login, Email must be set.

- Automatically generated: The system randomly generates a 10-byte password. This option enables development tools (such as API, CLI, and SDK) that support password authentication to access cloud services.

NOTE

You can click OK to download the automatically generated password file.

- Set manually: allows you to customize a login password.

NOTE

- SMS-based login verification can be used only when a user is bound with Email and Mobile Number. For the method of enabling this function, see "How Do I Modify My Credential Information?" in My Credential User Guide.
- You can log in to the system using the configured user name, email address, or mobile number.
- If you forget your password, you can reset your password using the bound email address or mobile number.
- Password requirements are as follows:
  - The password cannot be the user name or the user name spelled backwards. The password and user name are compared case-insensitively.
  - The password must contain 6 to 32 characters.
  - The password must contain at least two of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (!"#$%&'()*+,-./:;<=>?@[]^`{_|}~ and spaces).
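The three password requirements above can be checked before a manually set password is submitted. This is an added example, not Huawei code; the special-character set is the one the note lists, and the function name and return format are assumptions.

```python
"""Check a candidate password against the three requirements in the note above.
Added example, not Huawei code."""
import string

# Special characters exactly as the guide lists them, plus the space.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[]^`{_|}~ ")


def password_violations(password: str, user_name: str) -> list:
    """Return the requirements the password fails; an empty list means it passes."""
    problems = []

    # Requirement 1: not the user name or the user name spelled backwards,
    # compared case-insensitively.
    lowered_name = user_name.lower()
    if password.lower() in (lowered_name, lowered_name[::-1]):
        problems.append("password must not be the user name or the user name reversed")

    # Requirement 2: 6 to 32 characters.
    if not 6 <= len(password) <= 32:
        problems.append("password must contain 6 to 32 characters")

    # Requirement 3: at least two of the four character types.
    present = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIAL_CHARS for c in password),
    }
    if sum(present.values()) < 2:
        problems.append("password must contain at least two character types")

    return problems


if __name__ == "__main__":
    for candidate in ("Alice1234", "alice", "ECILA", "abcdef", "pass word"):
        print(repr(candidate), password_violations(candidate, "alice"))
```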

Step 9 Click OK.

The user creation is complete.

----End

Follow-up Procedure

- Viewing user details: In the user list, click corresponding to a user to view the details of the user.
- Modifying basic user information: In the user list, click Modify corresponding to a user to modify basic information about the user.
- Modifying a user group to which a user belongs: In the user list, click Modify corresponding to a user. In the User Groups area of the Modify User page, add or delete a user group to which the user belongs.
- Deleting a user: In the user list, click Delete corresponding to a user.


- Setting user credentials: In the user list, click Set Credentials corresponding to a user and modify user credentials or set a key.


5 How Do I Create an Agency?

If an enterprise wants to reduce the operating expense (OPEX) or selects a more professional person or team to manage cloud resources, the user with Security Administrator permissions in the enterprise can create an agency to establish a relationship of trust with another enterprise account. The entrusted enterprise then manages cloud resources. This function implements secure and efficient management of cloud resources.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, choose Agency.

Step 3 On the Agency page, click Create Agency.

Step 4 On the Create Agency page, specify Agency name and Agency Type.

- If you set Agency Type to Common domain, enter the agency domain name in Domain name.
- If you set Agency Type to Cloud service, click Select and set the service domain type.

Step 5 Set Validity Period and enter Description.

Step 6 In the Rights area, click Modify in the Operation column corresponding to the target region or project.

Step 7 In the Modify Permission dialog box, select a required rights set for the entrusted enterprise from the Available Rights Sets area.

NOTE

For details about rights sets, see Permission Description.

Step 8 Click OK.

The newly created agency is displayed in the agency list.

----End


Operation Result

After an agency is created, the account of the entrusted enterprise can call an API to manage cloud resources.

Follow-up Operation

You can click Modify in the agency list to modify the basic information about the new agency. The information includes the account and validity period of the entrusted domain name.


6 How Do I Switch Roles?

After an agency is created, a user can use the entrusted enterprise administrator account to log in to the cloud service system and switch roles to manage cloud resources for the enterprise that creates the agency. This function implements secure and efficient management of cloud resources.

Prerequisites

- You have the te_agency permission.
- An agency has been created.

Procedure

Step 1 Click the login account in the upper right of the page and choose Switch Role.

Step 2 On the Switch Role page, enter Domain Name and select the target agency from the Agency Name drop-down list.

Step 3 Click OK.

The operation page of the agency account is displayed.

----End

Follow-up Operation

Click the agency account in the upper right corner of the page and choose Switch to to switch back to the original account.


7 How Do I Configure Federated Identity Authentication?

7.1 Introduction to Federated Identity Authentication

7.2 Interconnection for Federated Identity Authentication

7.3 SSO Process

7.4 How Do I Create an Identity Provider and Perform an SSO?

7.5 How Do I Configure the Name and Permission Information About a Federated User?


7.1 Introduction to Federated Identity Authentication

Federated identity authentication is a mechanism for establishing a relationship of trust between an identity provider (IdP) and the service provider (SP). An IdP is an identity provider owned by an enterprise. SP refers to HUAWEI CLOUD. After a relationship of trust between an IdP and the SP is established, the IdP uses the existing credentials to access cloud resources.

With federated identity authentication, the enterprise administrator can implement employee identity authentication and authorization using the IdP owned by the enterprise to access HUAWEI CLOUD, without having to repeatedly create employee information in HUAWEI CLOUD.

7.2 Interconnection for Federated Identity Authentication

Before interconnection for federated identity authentication, the enterprise IdP and SP need to establish a relationship of trust between the IdP and SP.

Prerequisites

The time of the IdP server is consistent with that of the SP server. That is, both servers use Coordinated Universal Time (UTC). If the time is inconsistent, federated identity authentication will fail.


Trust Relationship

Procedure

Step 1 Exchange the metadata files between the enterprise IdP and SP.

- Upload the metadata file of the enterprise IdP to IAM. For details, see How Do I Create an Identity Provider and Perform an SSO?
- Enter https://auth.hwclouds.com/authui/saml/metadata.xml in the address box of a web browser to obtain the metadata file of IAM and configure this file to the IdP.

Step 2 Create an IdP.

For details, see How Do I Create an Identity Provider and Perform an SSO?

Step 3 Configure the name and permission information about the federated user.

For details, see How Do I Configure the Name and Permission Information About a Federated User?

Configure the login link generated in Step 2 to the enterprise portal to facilitate future access.

----End


7.3 SSO Process

Process

Description

1. Open the login link generated after an IdP is created in a web browser; the web browser initiates single sign-on (SSO).
2. IAM finds the metadata file of the enterprise IdP based on the domain and IdP carried in the link and constructs a SAML Request to respond to the web browser.
3. The web browser responds and forwards the SAML Request to the enterprise IdP.
4. Users enter a user name and password, and the IdP server completes identity authentication.
5. The IdP server constructs an assertion in a SAML Response to respond to the web browser.
6. The web browser responds and forwards the SAML Response to IAM.


7. IAM extracts the assertion from the SAML Response and parses the assertion. Based on the configured rules, IAM generates a token to implement the login.

NOTE

The assertion must carry a signature. Otherwise, the login will fail.

To view the interactive requests and assertion information more easily, you are advised to use the Chrome web browser and install the plug-in SAML Message Decoder.
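Step 7 and the prerequisite in 7.2 (both servers on UTC) both come down to checks the SP makes on the assertion before it issues a token. The block below is an added example, not Huawei IAM code: it parses a constructed SAML Response and enforces the structural checks the text calls out (the assertion carries a Signature element, the Issuer is the configured IdP, the Conditions window is evaluated in UTC with a small skew tolerance, the Audience is this SP). It does not verify the XML signature cryptographically; a real SP must do that against the certificate from the IdP metadata. The entity IDs, the skew value and the problem codes are assumptions.

```python
"""Structural acceptance checks on a SAML Response, as an SP would apply them
before trusting the assertion.  Added example, not Huawei IAM code; signature
bytes are NOT verified here, only their presence."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample.  Entity IDs are placeholders, not real endpoints.
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SIGNATURE_ELEMENT = ("<ds:Signature><ds:SignatureValue>PLACEHOLDER"
                     "</ds:SignatureValue></ds:Signature>")
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2017-08-16T08:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-16T08:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    {signature}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-08-16T07:59:00Z"
                     NotOnOrAfter="2017-08-16T08:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SIGNED_RESPONSE = RESPONSE_TEMPLATE.format(signature=SIGNATURE_ELEMENT)
UNSIGNED_RESPONSE = RESPONSE_TEMPLATE.format(signature="")


def utc(year, month, day, hour, minute):
    """Build an aware UTC datetime; the checks accept no other clock."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """SAML timestamps are UTC with a 'Z' suffix; fractional seconds are optional."""
    ts = ts.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, idp_entity_id, sp_entity_id, now, skew_seconds=180):
    """Return a list of problem codes; an empty list means the assertion passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return ["no-assertion"]
    # The guide: an assertion without a signature must fail the login.
    if assertion.find(f"{{{DS}}}Signature") is None:
        problems.append("unsigned-assertion")
    # The Issuer must be the IdP whose metadata was configured.
    if assertion.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        problems.append("issuer-mismatch")
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        problems.append("no-conditions")
        return problems
    # Validity window in UTC; skew_seconds is the only tolerance.  A server
    # clock that is off by more than this fails here, as the prerequisite says.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and (now - parse_utc(not_before)).total_seconds() < -skew_seconds:
        problems.append("not-yet-valid")
    if not_on_or_after and (now - parse_utc(not_on_or_after)).total_seconds() >= skew_seconds:
        problems.append("expired")
    audience = conditions.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if audience != sp_entity_id:
        problems.append("audience-mismatch")
    return problems


if __name__ == "__main__":
    now = utc(2017, 8, 16, 8, 2)
    print("signed:  ", check_saml_response(SIGNED_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, now))
    print("unsigned:", check_saml_response(UNSIGNED_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, now))
```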

7.4 How Do I Create an Identity Provider and Perform an SSO?

Most enterprises or organizations have their own identity providers (IdPs), which provide a secure and reliable identity authentication service. For example, the IAM service acts as the IdP for the HUAWEI CLOUD.

After single sign-on (SSO) is configured, redirection between an enterprise website and the HUAWEI CLOUD is implemented. SSO is a prerequisite for redirection between an enterprise website and the HUAWEI CLOUD without login.

Prerequisites

- You have Security Administrator permissions.
- The enterprise has the IdP service, and this IdP supports the SAML2.0 protocol.

NOTE

Security Assertion Markup Language (SAML): An XML-based open standard for exchanging authentication and authorization data between security domains. If you are unfamiliar with the SAML content, you are advised to learn the basic information about SAML2.0 at https://en.wikipedia.org/wiki/SAML_2.0.

- You have configured the metadata file provided by the HUAWEI CLOUD to the IdP server of the enterprise.
  a. The website is https://auth.hwclouds.com/authui/saml/metadata.xml.
  b. Right-click on the browser and choose Save as, and set a file name, for example, hec-metadata.xml.
  c. Configure the hec-metadata.xml file to the IdP server of the enterprise.

NOTE

The configuration operation depends on the IdP server brand and version of the enterprise.

- You have obtained the metadata file of the enterprise IdP. For the acquisition method, consult the corresponding enterprise department. Generally, you can obtain the metadata file of an enterprise IdP using a URL address. Save the obtained file.

Context

You have a basic knowledge of the following concepts for better understanding how to create and configure an identity provider:

- Currently, the IAM service of the HUAWEI CLOUD supports entrusted authentication and SSO using the standard SAML2.0 protocol. The enterprise administrator is able to create an IdP in the IAM service (https://console.hwclouds.com/iam/) of HUAWEI CLOUD to implement redirection between the enterprise portal and the HUAWEI CLOUD and implement the user and information mapping between IAM of the HUAWEI CLOUD and the enterprise's IdP.

- IdP: indicates the identity provider of an enterprise in this document.
- Service provider (SP): indicates the HUAWEI CLOUD in this document.
- Metadata: indicates a SAML2.0-compliant interface file. The file contains interface addresses and certificate information required by the SAML2.0 protocol. Two such files are available, one for the IdP and the other for the SP. The IdP and SP set up a trust relationship by exchanging their metadata files and configuring data in the file of each other. The HUAWEI CLOUD uses the address and certificate in the metadata file to communicate with the IdP server.

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, click Identity Provider.

Step 3 On the Identity Provider page, click Create Identity Provider.

Step 4 Set the Name, Status, and Description.

Step 5 Click OK.

If information shown in Figure 7-1 is displayed, the IdP has been successfully created.

Figure 7-1 IdP created successfully

Step 6 After this page is closed, click Modify in the Operation column of the target IdP.

Step 7 In the Metadata Configuration area on the Modify Identity Provider page, configure metadata.

• Automatically extracting metadata

a. Click the icon on the left of Upload, and select the metadata file of the enterprise IdP.
b. Click Upload.
A dialog box is displayed, showing the metadata extracted by the system.
c. Click OK.

▪ If "The uploaded file contains multiple IdPs. Select an IdP as needed." is displayed, select the desired IdP from the Entity ID drop-down list box.

▪ If a message is displayed indicating that Entity ID in the metadata file is empty or that the signature certificate has expired, check whether the metadata file is correct. Then, upload the file again or manually configure metadata.

• Manually configuring metadata

a. Click manually configure.


b. On the displayed Manually Configure Metadata page, enter Entity ID, Signature Certificates, SingleSignOnService, and other parameters.

▪ Entity ID: uniquely identifies an enterprise IdP. A metadata file can contain multiple IdPs. You need to select your desired IdP.

▪ Signature Certificates: indicates a certificate used for verifying the signature and contains a public key. For security purposes, you are advised to use a public key whose length is greater than or equal to 2048 bits. During federated identity authentication, the system checks the credibility and integrity of an assertion based on the signature certificate in the metadata file.

▪ SingleSignOnService: indicates the method of sending SAML requests during the SSO process. SingleSignOnService in the metadata file must support HTTP Redirect or HTTP POST.

NOTE

For details about SSO, see SSO Process.

c. Click OK.

Step 8 In the Identity Conversion Rule area, click Create Rule to create an identity conversion rule.

NOTE

For details about how to create an identity conversion rule, see How Do I Configure the Name and Permission Information About a Federated User?

Step 9 Click OK and save the settings.

Step 10 Attempt to perform an SSO.

1. Click View in the Operation column corresponding to the IdP on the Identity Provider page.

2. Click Copy on the right of Login link to copy the address in Login link, and open it in the browser.

3. Check whether the login page provided by the IdP server of the enterprise is displayed.
– If it is displayed, go to Step 10.4.
– If it is not displayed, check whether the obtained enterprise metadata file and the enterprise IdP server are correctly configured.


4. Enter a user name and password and check whether you can log in to the HUAWEI CLOUD.

– If the login is successful, configure this address as a link to your enterprise website.

– If the login fails, check your user name and password.

----End

Follow-up Procedure

• Viewing IdP information

On the Identity Provider page, click View in the Operation column corresponding to an IdP to query the basic information, metadata file status, and identity conversion rules of the IdP.

NOTE

You can click View Identity Provider Information on the Modify Identity Provider page to enter the Modify Identity Provider page.

• Modifying IdP information

On the Identity Provider page, click Modify in the Operation column corresponding to an IdP to enter the Modify Identity Provider page. You can set Status (Enabled or Disabled), Description, Metadata File, and Identity Conversion Rule.

• Deleting an IdP

On the Identity Provider page, click Delete in the Operation column corresponding to an IdP to delete the IdP.

7.5 How Do I Configure the Name and Permission Information About a Federated User?

User identity authentication and permission configuration in the HUAWEI CLOUD can be implemented by creating identity conversion rules. This section describes how to create an identity conversion rule. You can set rules that map the user and permission information returned by the enterprise IdP server to the corresponding information in the HUAWEI CLOUD, because the user names and permission names returned by the enterprise IdP server and those used by the HUAWEI CLOUD may differ. For example, set the email attribute value [email protected] as the user name in the HUAWEI CLOUD and allocate the user to the admin user group based on the value idp_admin in Groups.

Prerequisites

• The basic IdP information has been set and SSO is successful. For details, see How Do I Create an Identity Provider and Perform an SSO?

• You have Security Administrator permissions.

• The enterprise has the IdP service, and this IdP supports the SAML2.0 protocol.

• You have a preliminary understanding of the SAML2.0 protocol and are familiar with metadata files.

• You have learned the assertion structure displayed after successful SAML2.0 authentication.


Context
IdPs maintain user identity and permission information. After an SSO is complete, the IdP returns an assertion structure to the SP. The assertion contains the user identity and permission information that passed authentication and presents the information as an attribute list. The following example shows the attributes in an assertion.

...
<saml2:AttributeStatement>
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="GROUPS" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>dev-adm;sec-adm</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
...

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 In the navigation pane, click Identity Provider.

Step 3 On the Identity Provider page, click Modify in the Operation column corresponding to an IdP.

The Modify Identity Provider page is displayed.

Step 4 In the Identity Conversion Rule area, click Create Rule to add an identity conversion rule.

NOTE

After you create an IdP, the HUAWEI CLOUD will preconfigure a default rule. The default user name for this rule is FederationUser. This user is allowed to view only certain GUIs. In the Identity Conversion Rule area, click View Rules to view the current rules.

In the Identity Conversion Rule area, you can click Create Rule and create a rule to define user names, set user permissions, and specify the scenarios where the rule takes effect.

NOTE

Do not configure sensitive personal information in rules, for example, use a credit card number as a username.


The parameters are described as follows:

• User Name: indicates the user name displayed in the HUAWEI CLOUD after a federated user logs in. You can enter a simple expression in this input box, for example, Federation_user_{email}. {email} is a placeholder, which is replaced by the value of the email attribute in the actual assertion. As indicated by the sample assertion, the user name is [email protected].

NOTE

In Editing rules, placeholders such as {0} and {1}, rather than {email}, are used. After a rule is created, the system automatically converts the rule. Pay attention to the difference when editing rules.

• User Group: indicates the user group to which the federated user belongs in the HUAWEI CLOUD after the federated user logs in. The user group of a user determines the permissions of the user.

• Conditions for Validating This Rule: You can set conditions so that a rule takes effect only when the conditions are met. If the user group admin is specified in a rule and you need to grant the admin permission to only certain users who perform the federated login, you can specify conditions so that the rule takes effect only when these conditions are met. If no rule takes effect, the user is not allowed to log in to the system. The user can click the login link to display the corresponding error message.

----End

Follow-up Procedure

• Viewing rules

In the Identity Conversion Rule area, click View Rules. The newly created identity conversion rule is displayed in the JSON file.

• Editing rules

In the Identity Conversion Rule area, click Edit Rule. This function provides flexible syntax for editing rules to meet the federated identity authentication requirements. The following shows a typical editing example.

NOTE

After the rules are edited, you can click Verify Rule in the lower left corner of the page to verify the correctness of the rules.


– Rule file description
Each rule is saved in a JSON file. The example is as follows:

[
  {
    "local": [
      { "<user> or <group>" }
    ],
    "remote": [
      { "<condition>" }
    ]
  }
]

▪ local: indicates the user information after conversion. It can contain the placeholders {0..n}.

▪ remote: indicates the expression that is a combination of assertion attributes and operators.

▪ condition: The following three conditions are supported:

○ empty: unlimited. That is, the condition is always valid and the returned value is the input attribute value. This value is used to replace the placeholder in the local block.

○ any_one_of: The condition is valid only if the input attributes include any of the specified values, and a Boolean value is returned. The returned value cannot be used to replace the placeholder in the local block.

○ not_any_of: The condition is valid only if the input attributes do not include any of the specified values, and a Boolean value is returned. The returned value cannot be used to replace the placeholder in the local block.

– Example of Empty
The Empty condition indicates that a character string value is returned. This value is used to replace the placeholder {0..n} in the local block. The example is as follows:

[
  {
    "local": [
      { "user": { "name": "{0} {1}" } },
      { "group": { "name": "{2}" } }
    ],
    "remote": [
      { "type": "FirstName" },
      { "type": "LastName" },
      { "type": "Groups" }
    ]
  }
]

Assume that the HUAWEI CLOUD receives the following assertion. (For easy understanding, the following examples use a simplified assertion structure.)

{FirstName: John} {LastName: Smith} {Groups: [admin, manager]}

The following attributes are mapped into the HUAWEI CLOUD:
▪ UserName: John Smith
▪ Groups: admin; manager

– Example of Any one of and Not any of
Different from the Empty condition, the returned values of the Any one of and Not any of conditions are Boolean values. These values cannot be used to replace the placeholders in the local block. In the following example, only the placeholder {0} exists and is replaced by the returned value of the Empty condition in the remote block, and the value of group is fixed to admin.

[
  {
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "admin" } }
    ],
    "remote": [
      { "type": "UserName" },
      { "type": "Groups", "any_one_of": [ "idp_admin" ] }
    ]
  }
]

Assume that the HUAWEI CLOUD receives the following assertion.

{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}

The following attributes are mapped into the HUAWEI CLOUD:
▪ UserName: John Smith
▪ Groups: admin

Conversely, assume that the HUAWEI CLOUD receives the following assertion.

{UserName: John Smith} {Groups: [idp_user, idp_agency]}

None of the rules takes effect, and the current user is not allowed to log in to the system.

– Condition including a regular expression


You can specify "regex": true in a condition to indicate that the system evaluates the condition using a regular expression. This is an advanced function; the following example gives a basic idea of how it is used.

[
  {
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "admin" } }
    ],
    "remote": [
      { "type": "UserName" },
      { "type": "Groups", "any_one_of": [ ".*@mail.com$" ], "regex": true }
    ]
  }
]

– Condition combination

Multiple conditions are combined using the logical AND.

[
  {
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "admin" } }
    ],
    "remote": [
      { "type": "UserName" },
      { "type": "Groups", "not_any_of": [ "idp_user" ] },
      { "type": "Groups", "not_any_of": [ "idp_agent" ] }
    ]
  }
]


The preceding mapping is equivalent to the following example:

[
  {
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "admin" } }
    ],
    "remote": [
      { "type": "UserName" },
      { "type": "Groups", "not_any_of": [ "idp_user", "idp_agent" ] }
    ]
  }
]

– Multiple rules
If multiple rules are combined, the methods for generating user names and user groups differ. The user name in the first valid rule is used as UserName; at least one user name rule among all rules must take effect, otherwise the user is not allowed to log in. The collection of the user group names in all valid rules is used as Groups. Separating the configuration of user names and user groups using the multi-rule configuration method makes the configuration easy to read.

[
  {
    "local": [
      { "user": { "name": "{0}" } }
    ],
    "remote": [
      { "type": "UserName" }
    ]
  },
  {
    "local": [
      { "group": { "name": "admin" } }
    ],
    "remote": [
      { "type": "Groups", "any_one_of": [ "idp_admin" ] }
    ]
  },
  {
    "local": [
      { "group": { "name": "agency" } }
    ],
    "remote": [
      { "type": "orgPersonType", "any_one_of": [ "idp_agency" ] }
    ]
  }
]

Assume that the HUAWEI CLOUD receives the following assertion.

{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}

The following attributes are mapped into the HUAWEI CLOUD:
▪ UserName: John Smith
▪ Groups: admin; agency
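As an added example (not code from the guide or from HUAWEI CLOUD), the following Python evaluates identity conversion rules of the form described above against a simplified assertion: the conditions of a rule are ANDed, empty conditions fill the placeholders {0..n}, any_one_of and not_any_of (optionally with regex) only gate the rule, the first valid rule supplies UserName, and groups are collected from every valid rule. The rule JSON and assertion values are constructed; how an absent attribute and a multi-valued placeholder are handled are assumptions, not behaviour the guide states.

```python
import json
import re

# Constructed input: the three-rule configuration from the "Multiple rules" passage.
RULES_JSON = """
[
  {"local": [{"user": {"name": "{0}"}}],
   "remote": [{"type": "UserName"}]},
  {"local": [{"group": {"name": "admin"}}],
   "remote": [{"type": "Groups", "any_one_of": ["idp_admin"]}]},
  {"local": [{"group": {"name": "agency"}}],
   "remote": [{"type": "orgPersonType", "any_one_of": ["idp_agency"]}]}
]
"""


def _matches(values, patterns, use_regex):
    """True if any assertion value equals (or, with regex, matches) a listed value."""
    if use_regex:
        return any(re.search(p, v) for p in patterns for v in values)
    return any(v in patterns for v in values)


def _expand(template, placeholders):
    """Substitute {0..n}; a multi-valued attribute yields one string per value."""
    results = [template]
    for i, values in enumerate(placeholders):
        token = "{%d}" % i
        expanded = []
        for r in results:
            if token in r:
                expanded.extend(r.replace(token, v) for v in values)
            else:
                expanded.append(r)
        results = expanded
    return results


def evaluate_rule(rule, assertion):
    """Return (user_name, groups) for one rule, or None if it does not take effect.
    assertion maps attribute name -> list of values (the guide's simplified form).
    "remote" conditions are ANDed; an empty condition fills the next placeholder,
    any_one_of / not_any_of only yield a Boolean and fill nothing."""
    placeholders = []
    for cond in rule["remote"]:
        values = assertion.get(cond["type"], [])
        use_regex = cond.get("regex", False)
        if "any_one_of" in cond:
            if not _matches(values, cond["any_one_of"], use_regex):
                return None
        elif "not_any_of" in cond:
            if _matches(values, cond["not_any_of"], use_regex):
                return None
        elif not values:
            return None  # assumption: an absent attribute cannot fill a placeholder
        else:
            placeholders.append(values)
    user_name, groups = None, []
    for item in rule["local"]:
        if "user" in item:
            user_name = _expand(item["user"]["name"], placeholders)[0]
        if "group" in item:
            groups.extend(_expand(item["group"]["name"], placeholders))
    return user_name, groups


def map_identity(rules_json, assertion):
    """UserName comes from the first valid rule that sets one; Groups is the
    union over all valid rules. None means no user-name rule took effect,
    which the guide states denies the login."""
    user_name, groups = None, []
    for rule in json.loads(rules_json):
        result = evaluate_rule(rule, assertion)
        if result is None:
            continue
        name, rule_groups = result
        if user_name is None and name is not None:
            user_name = name
        for g in rule_groups:
            if g not in groups:
                groups.append(g)
    return {"UserName": user_name, "Groups": groups} if user_name else None
```

Running map_identity(RULES_JSON, ...) with a constructed assertion that carries UserName, Groups and an orgPersonType of idp_agency yields UserName John Smith with Groups admin and agency, matching the mapping table above.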


8 How Do I Set Account Policies?

Users with Security Administrator permissions in an enterprise can set login verification policies, password policies, and the ACL to improve user information and system security.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment > Identity and Access Management.

Step 2 Set login verification policies.

1. In the navigation pane, choose Account Settings > Login Authentication Policies.

2. In the Account Locking Policy area, enter Duration, Maximum Number of Attempts, and Locking Duration.
If the number of login attempts reaches the specified upper limit within the specified duration, the user account will be locked for a period of time.

3. In the Account Disabling Policy area, select If an account is not used within the validity period, it will be disabled and set Account Expiration.

NOTE

– This policy takes effect only for users created by the enterprise administrator.

– The value range of Account Expiration is 1 to 240. The default value is 120.

4. In the Recent Login Information area, select Display last login information upon a successful login.
Users can view login information, such as the last login time, on the Login Verification page.

5. In the Login Verification Information area, customize the verification information displayed upon a successful login.
Users can view the customized verification information on the Login Verification page.

6. Click Apply.

Step 3 Set password policies.

1. In the navigation pane, choose Account Settings > Password Policies.


NOTE

Password requirements are as follows:

– The password cannot be the user name or the reverse of the user name.

– The password must contain 6 to 32 characters.

– The password must contain at least two of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (!"#$%&'()*+,-./:;<=>?@[]^`{_|}~ and spaces).

2. In the Setting Policy area, set parameters as follows:
– Set Minimum Number of Characters.

NOTE

The default value contains 6 characters.

– Select Disallow same consecutive characters in a password and set Maximum Number of Same Consecutive Characters.

– Select Disallow password repetition and set Most Recent Passwords Disallowed.

3. In the Expiration Policy area, select Force password change upon password expiration (You are prompted to change your password 15 days before password expiration) and set Password Validity Period.
The user must change the password within the time specified in Password Validity Period. Otherwise, the user cannot log in to the system.

4. In the Minimum Password Validity Period Policy area, select A new password can be changed only after it has been used for the specified minimum password validity period and set Min. Password Validity Period.
After the password is changed, you can change it again only after the time specified by Min. Password Validity Period.

5. Click Apply.
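As an added example (not the guide's or HUAWEI CLOUD's own code), the following Python checks a candidate password against the requirements and Setting Policy parameters listed above, returning the list of rules it violates. The function and parameter names are assumed, as are the details that the user-name comparison is case-sensitive, that a run longer than Maximum Number of Same Consecutive Characters is a violation, and that the recent-password history is compared as plain strings.

```python
import string

# Special characters accepted by the guide's password requirements, including space.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[]^`{_|}~ ")
CLASSES = (set(string.ascii_uppercase), set(string.ascii_lowercase),
           set(string.digits), SPECIALS)


def _longest_run(s):
    """Length of the longest run of identical consecutive characters."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        longest = max(longest, run)
    return longest


def check_password(password, user_name, min_length=6,
                   max_same_consecutive=None, recent_passwords=()):
    """Return the list of violated rules; an empty list means the password is accepted.

    min_length, max_same_consecutive and recent_passwords stand for the
    Minimum Number of Characters, Maximum Number of Same Consecutive
    Characters and Most Recent Passwords Disallowed settings (assumed names).
    """
    problems = []
    # Fixed requirements from the guide.
    if password in (user_name, user_name[::-1]):
        problems.append("password equals the user name or its reverse")
    if not 6 <= len(password) <= 32:
        problems.append("password must contain 6 to 32 characters")
    elif len(password) < min_length:
        problems.append("password shorter than Minimum Number of Characters (%d)" % min_length)
    classes_used = sum(1 for cls in CLASSES if any(ch in cls for ch in password))
    if classes_used < 2:
        problems.append("password must contain at least two character types")
    # Optional Setting Policy parameters.
    if max_same_consecutive is not None and _longest_run(password) > max_same_consecutive:
        problems.append("more than %d identical consecutive characters" % max_same_consecutive)
    if password in recent_passwords:
        problems.append("password was used recently")
    return problems
```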

Step 4 Set the ACL.

1. In the navigation pane, choose Account Settings > ACL.

NOTE

The ACL does not take effect for root users of domains (except the domains starting with op_svc).

2. On the ACL page, enter the allowed IP addresses or network segments.
– Allowed IP Address Ranges: allows users to access the system using only the specified IP addresses.

NOTE

You can click Restore Defaults to restore the allowed IP address range to the default value, 0.0.0.0-255.255.255.255.

– Allowed IP Addresses or Network Segments: allows users to access the system using only the specified IP addresses or network segments.
For example: 10.10.10.10/32

NOTE

– If both Allowed IP Address Ranges and Allowed IP Addresses or Network Segments are set, a user is allowed to access IAM when the IP address of the user meets the condition specified by either of the two parameters.

– The ACL takes effect for the users who use cloud services on the management console but does not take effect for the users who use cloud services by calling APIs.


3. Click Apply.

----End


9 User Management Mechanism Explained Using a Picture


A Change History

Release Date What's New

2017-07-27
This issue is the ninth official release. Added the following contents:
• CTS Administrator permission
• Description for automatically extracting metadata and manually configuring metadata in chapter How Do I Create an Identity Provider and Perform an SSO?

2017-06-28
This issue is the eighth official release. Modified the following contents:
• Server Administrator permission
• VPC Administrator permission


2017-05-19
This issue is the seventh official release.
• Added the following contents:
– Introduction to Federated Identity Authentication
– Interconnection for Federated Identity Authentication
– SSO Process
– APM Admin permission
– CCS Administrator permission
– CCS User permission
– CDE Admin permission
– CDE Developer permission
– SvcStg Admin permission
– SvcStg Developer permission
– SvcStg Operator permission
– SWR Admin permission
• Modified the description for the RDS Administrator permission.
• Deleted the following contents:
– te_devcloud_project_admin permission
– te_devcloud_project_poweruser permission
– te_devcloud_project_readonly permission
– te_devcloud_codehub_admin permission
– te_devcloud_codehub_poweruser permission
– te_devcloud_codehub_readonly permission
– te_devcloud_codecheck_admin permission
– te_devcloud_codecheck_poweruser permission
– te_devcloud_codecheck_readonly permission
– te_devcloud_codeci_admin permission
– te_devcloud_codeci_poweruser permission
– te_devcloud_codeci_readonly permission
– te_devcloud_test_admin permission
– te_devcloud_test_poweruser permission
– te_devcloud_test_readonly permission
– te_devcloud_release_admin permission
– te_devcloud_release_poweruser permission
– te_devcloud_release_readonly permission


2017-04-27
This issue is the sixth official release. Added the following contents:
• How Do I Create an Agency?
• How Do I Switch Roles?
• DWS Administrator permission

2017-03-30
This issue is the fifth official release.
• Synchronized the update on the Create User page and updated How Do I Manage Users?
• Added the following contents:
– Agent Operator permission
– CRS Administrator permission

2016-11-30
This issue is the fourth official release. Synchronized the update on the Account Settings page and updated How Do I Set Account Policies?

2016-09-30
This issue is the third official release. Added the following chapters:
• Permission Description
• How Do I Create an Identity Provider and Perform an SSO?
• How Do I Configure the Name and Permission Information About a Federated User?

2016-08-25
This issue is the second official release. Added the setting of the parameter Min. Password Validity Period.

2016-03-14
This issue is the first official release.
