Sub-users
A sub-user is a type of IAM user identity with the following characteristics:
- It belongs to the cloud service account (i.e., the main account) and is created and managed by the main account, typically corresponding to enterprise employees or applications;
- It has no permissions by default and can only log on/access resources after the main account authorizes it;
- Each sub-user has its own long-lived API key;
- It does not support independent billing, and the consumption generated by the sub-user is settled through the main account;
- Deleting a sub-user does not affect the resources it has created.
Creating Sub-users
Sub-users log on via email, and the username is the unique identifier of the sub-user under this cloud service account.
Adding Permissions for Sub-users
Sub-users need resource permissions before they can carry out management tasks. IAM lets you bind resource permissions directly to a sub-user, and a sub-user can also exercise a group's resource permissions by joining a user group.
Sub-users Joining User Groups
After a sub-user joins a user group, it automatically obtains the group’s resource permissions. A sub-user can join multiple user groups.
Freezing/Thawing/Cancelling Sub-users
A frozen sub-user cannot log in, but it can be restored by thawing. Cancelling a sub-user is irreversible. Changes to a sub-user do not affect the use of resources under the cloud service account.
Viewing Sub-user Details
Manage the specific permissions and group information of sub-users through the details page. Note that sub-users cannot manage the resource permissions of their groups.
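The two permission paths described above (direct binding and user-group membership) can overlap, which matters during an access review: revoking one source does not remove access that another source still grants. The following is an added example, not code from this IAM service; the data model, permission names, group names and usernames are all constructed for illustration.

```python
# Added example: hypothetical in-memory model, not a real IAM SDK or API.
from dataclasses import dataclass, field

@dataclass
class SubUser:
    username: str                                # unique under the main account
    direct: set = field(default_factory=set)     # permissions bound directly
    groups: list = field(default_factory=list)   # user groups joined (may be several)

def effective_permissions(user, group_perms):
    """Map each permission to every source granting it: 'direct' or 'group:<name>'."""
    sources = {}
    for perm in user.direct:
        sources.setdefault(perm, []).append("direct")
    for group in user.groups:
        for perm in group_perms.get(group, set()):
            sources.setdefault(perm, []).append(f"group:{group}")
    return {perm: sorted(src) for perm, src in sources.items()}

def review(users, group_perms):
    """Collect sub-users with no permissions and permissions granted by more than one source."""
    report = {"no_access": [], "redundant": []}
    for user in users:
        eff = effective_permissions(user, group_perms)
        if not eff:
            # Default state: a sub-user has no permissions until authorized.
            report["no_access"].append(user.username)
        for perm in sorted(eff):
            if len(eff[perm]) > 1:
                # Removing only one of these sources leaves the access in place.
                report["redundant"].append((user.username, perm, eff[perm]))
    return report

# Constructed sample data (assumed names, for illustration only).
GROUP_PERMS = {
    "ops": {"vm:read", "vm:restart"},
    "audit": {"log:read", "vm:read"},
}
USERS = [
    SubUser("alice@example.com", direct={"vm:read"}, groups=["ops", "audit"]),
    SubUser("bob@example.com"),
    SubUser("carol@example.com", groups=["audit"]),
]

if __name__ == "__main__":
    result = review(USERS, GROUP_PERMS)
    print("No permissions:", result["no_access"])
    for username, perm, src in result["redundant"]:
        print(f"{username}: {perm} granted via {', '.join(src)}")
```
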