Sub-users

A sub-user is a type of IAM (Identity and Access Management) user, with the following characteristics:

• Belongs to a cloud service account (i.e., the primary account), created and managed by the primary account. It generally corresponds to enterprise employees or applications.
• Has no permissions by default; it can only log in/access resources after being authorized by the primary account.
• Each sub-user independently holds a long-term valid API secret key.
• Does not support independent billing; all consumption generated by the sub-user is settled through the primary account.
• Deleting a sub-user does not affect the resources created by it.

Creating a Sub-user

A sub-user logs in via email, and the username is the unique identifier of the sub-user under the cloud service account.

Adding Permissions to a Sub-user

A sub-user needs to obtain resource permissions before performing a series of management tasks. IAM allows the sub-user to be directly bound with resource permissions, or to exercise the group’s resource permissions by joining a user group.

Sub-user Joining a User Group

After a sub-user joins a user group, it automatically obtains the group’s resource permissions. A sub-user can join multiple user groups.

Freezing/Unfreezing/Canceling a Sub-user

A frozen sub-user will not be able to log in, but it can recover upon thawing. The cancellation of a sub-user is irreversible. Any changes to a sub-user do not affect the use of resources under the cloud service account.

Viewing Sub-user Details

Manage the sub-user’s specific permissions and group information through the details page. Note that a sub-user cannot manage the resource permissions of the group it belongs to.