Permissions
If you need to assign different permissions to employees in your enterprise to access your Cloud Connect resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your HUAWEI CLOUD resources.
With IAM, you can create IAM users for employees in your enterprise and assign permissions to control access to resources. For example, you can assign permissions to software developers so that they can use Cloud Connect but cannot delete Cloud Connect resources or perform any other high-risk operations.
Skip this part if your HUAWEI CLOUD account does not require individual IAM users for permissions management.
IAM is free. For more information about IAM, see the IAM Service Overview.
Cloud Connect Permissions
By default, new IAM users do not have permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups.
Cloud Connect is a global service deployed and accessed without specifying any physical region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.
You can grant permissions by using roles or policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign any other roles that the permissions depend on; otherwise, the permissions do not take effect. Roles are therefore not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant Cloud Connect users the permissions for only managing a certain type of resources.
| System Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| Cross Connect Administrator | Has all permissions for Cloud Connect resources. For permissions of this role to take effect, users must also have the Tenant Guest and VPC Administrator permissions. | System-defined role | Tenant Guest and VPC Administrator |
| CC FullAccess | All permissions on Direct Connect. | System-defined policy | - |
| CC ReadOnlyAccess | Read-only permissions for Cloud Connect resources. Users who have these permissions can only view Cloud Connect resources. | System-defined policy | - |
| CC Network Depend QueryAccess | Read-only permissions required to access dependency resources when using Cloud Connect. Users who have these permissions can view VPCs or virtual gateways. | System-defined policy | - |
Table 2 lists common operations supported by each system-defined role and policy.
| Operation | Cross Connect Administrator | CC FullAccess | CC ReadOnlyAccess |
|---|---|---|---|
| Creating a cloud connection | √ | √ | × |
| Viewing a cloud connection | √ | √ | √ |
| Modifying a cloud connection | √ | √ | × |
| Deleting a cloud connection | √ | √ | × |
| Binding a bandwidth package to a cloud connection | √ | √ | × |
| Unbinding a bandwidth package from a cloud connection | √ | √ | × |
| Loading a network instance | √ | √ | × |
| Viewing a network instance | √ | √ | √ |
| Modifying a network instance | √ | √ | × |
| Removing a network instance | √ | √ | × |
| Buying a bandwidth package | √ | √ | × |
| Viewing a bandwidth package | √ | √ | √ |
| Modifying the bandwidth | √ | √ | × |
| Unsubscribing from a yearly/monthly bandwidth package | √ | √ | × |
| Renewing a yearly/monthly bandwidth package | √ | √ | × |
| Assigning inter-region bandwidth | √ | √ | × |
| Viewing inter-region bandwidth | √ | √ | √ |
| Modifying inter-region bandwidth | √ | √ | × |
| Deleting an inter-region bandwidth | √ | √ | × |
| Viewing the monitoring data of an inter-region bandwidth | √ | √ | √ |
| Viewing route information | √ | √ | √ |
| Asking others to authorize their VPCs to you | × | × | × |
| Viewing the VPCs that you authorized to others | √ | √ | √ |
| Viewing the VPCs that others authorized to you | √ | √ | √ |
| Canceling authorization | × | × | × |
| Submitting a cross-border application | × | × | × |
| Editing the cross-border application | × | × | × |
| Canceling the cross-border application | × | × | × |
| Viewing the cross-border application | √ | √ | √ |
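The dependency rule for roles (a role such as Cross Connect Administrator only takes effect when Tenant Guest and VPC Administrator are also held) and the operation matrix above can be checked before a group assignment is made. The following Python is an added example, not code from the HUAWEI CLOUD documentation or IAM; the role names and the subset of operations are copied from the two tables above, and the helper functions are hypothetical names chosen for this example.

```python
# Dependencies from the first table: a role takes effect only when the user
# also holds every role it depends on. System-defined policies have none.
DEPENDENCIES = {
    "Cross Connect Administrator": {"Tenant Guest", "VPC Administrator"},
    "CC FullAccess": set(),
    "CC ReadOnlyAccess": set(),
}

# A subset of Table 2: which role/policy grants which operation.
# Operations marked × in every column (e.g. canceling authorization) get an
# empty set: no Cloud Connect system role or policy grants them.
MATRIX = {
    "Creating a cloud connection": {"Cross Connect Administrator", "CC FullAccess"},
    "Viewing a cloud connection": {"Cross Connect Administrator", "CC FullAccess", "CC ReadOnlyAccess"},
    "Deleting a cloud connection": {"Cross Connect Administrator", "CC FullAccess"},
    "Viewing route information": {"Cross Connect Administrator", "CC FullAccess", "CC ReadOnlyAccess"},
    "Canceling authorization": set(),
}


def effective_roles(assigned):
    """Return the assigned Cloud Connect roles/policies that actually take
    effect: those whose dependencies are all present in the assignment."""
    assigned = set(assigned)
    return {r for r in assigned if r in DEPENDENCIES and DEPENDENCIES[r] <= assigned}


def missing_dependencies(assigned):
    """Map each assigned role that does NOT take effect to the roles it lacks,
    so an administrator can see why a user is unexpectedly denied."""
    assigned = set(assigned)
    return {r: DEPENDENCIES[r] - assigned
            for r in assigned
            if r in DEPENDENCIES and not DEPENDENCIES[r] <= assigned}


def can_perform(assigned, operation):
    """True if at least one effective role/policy grants the operation."""
    if operation not in MATRIX:
        raise KeyError(f"operation not in the modelled subset: {operation}")
    return bool(MATRIX[operation] & effective_roles(assigned))


if __name__ == "__main__":
    # Constructed group assignment: the role is present but one dependency is not.
    group = {"Cross Connect Administrator", "Tenant Guest"}
    print(missing_dependencies(group))  # shows the missing VPC Administrator role
    print(can_perform(group, "Creating a cloud connection"))
```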