Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CSS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your HUAWEI CLOUD resources.

With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use CSS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using CSS resources.

If the permissions of your HUAWEI CLOUD account already meet your requirements, you do not need to create separate IAM users for permissions management and can skip this section. Skipping it does not affect any other CSS functions.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

Permissions Management

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

CSS is a project-level service deployed in specific physical regions. Therefore, CSS permissions are assigned to users in specific regions (such as CN North-Beijing1) and only take effect for these regions. If you want the permissions to take effect for all regions, you need to assign the permissions to users in each region. When accessing CSS, the users need to switch to a region where they have been authorized to use cloud services.

You can grant users permissions by using roles and policies.

  • Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies are a type of fine-grained authorization mechanism that defines the permissions for performing operations on specific cloud resources under certain conditions. This mechanism allows for flexible policy-based authorization and meets requirements for secure access control. For example, you can grant CSS users only the permissions for managing a certain type of CSS resource. For the API actions supported by CSS, see Permissions Policies and Supported Actions.

Table 1 lists all the system roles supported by CSS. Some CSS roles depend on roles of other services. When assigning CSS roles to users, you also need to assign the dependent roles for the CSS permissions to take effect.

Table 1 System-defined roles and policies supported by CSS

Role Name | Description | Dependency
Elasticsearch Administrator | CSS administrator | Dependent on the Tenant Guest and Server Administrator roles (see below).

  • Tenant Guest: a global role, which must be assigned in the global project.
  • Server Administrator: a project-level role, which must be assigned in the same project.

Table 2 Relationship between user permissions and roles

Permission 1
  Type: System-defined role
  Permissions:
    • Creating, deleting, and expanding CSS clusters
    • Manually and automatically backing up CSS cluster data
    • Restoring CSS cluster data
    • Creating an IAM agency
    • Creating an OBS bucket
    • Creating a VPC and security group
    • Kibana
    • Customizing a word dictionary
  Required roles:
    • Elasticsearch Administrator
    • Server Administrator
    • Tenant Guest
    • VPC Administrator
    • Security Administrator
    • Tenant Administrator

Permission 2
  Type: System-defined role
  Permissions:
    • Creating, deleting, and expanding CSS clusters
    • Manually backing up CSS cluster data
    • Restoring CSS cluster data
    • Kibana
    • Customizing a word dictionary
  Required roles:
    • Elasticsearch Administrator
    • Server Administrator
    • Tenant Guest

Permission 3
  Type: System-defined role
  Permissions:
    • Viewing the cluster list
    • Viewing the Overview page
    • Kibana
  Required role: Tenant Guest. This permission depends on the Tenant Guest role, which must be assigned in the same project as Permission 3.

Table 3 lists the common operations supported by each system-defined permission of CSS. Use this table to choose the appropriate system-defined policies.

Table 3 Common operations supported by each system-defined policy (√: supported; x: not supported)

Operation | CSS FullAccess | CSS ReadOnlyAccess | Elasticsearch Administrator | Remarks
Creating a cluster | √ | x | √ | -
Querying a cluster list | √ | √ | √ | -
Querying cluster details | √ | √ | √ | -
Deleting a cluster | √ | x | √ | -
Restarting a cluster | √ | x | √ | -
Expanding cluster capacity | √ | x | √ | -
Adding instances and expanding instance storage capacity | √ | x | √ | -
Querying tags of a specified cluster | √ | √ | √ | -
Querying all tags | √ | √ | √ | -
Creating a Poisson word dictionary | √ | x | √ | Depending on OBS and IAM permissions
Querying the Poisson word dictionary status | √ | √ | √ | -
Deleting a Poisson word dictionary | √ | x | √ | -
Loading a custom word dictionary | √ | x | √ | Depending on OBS and IAM permissions
Querying the status of a custom word dictionary | √ | √ | √ | -
Deleting a custom word dictionary | √ | x | √ | -
Automatically setting basic configurations of a cluster snapshot | √ | x | √ | Depending on OBS and IAM permissions
Modifying basic configurations of a cluster snapshot | √ | x | √ | Depending on OBS and IAM permissions
Setting the automatic snapshot creation policy | √ | x | √ | -
Querying the automatic snapshot creation policy | √ | √ | √ | -
Manually creating a snapshot | √ | x | √ | -
Querying the snapshot list | √ | √ | √ | -
Restoring a snapshot | √ | x | √ | -
Deleting a snapshot | √ | x | √ | -
Disabling the snapshot function | √ | x | √ | -
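As an added example (not code from the CSS documentation), the following Python audit helper applies the rules stated on this page to a set of IAM group assignments: users inherit roles from their groups, a permission takes effect only in the project (region) where it was granted, and a role such as Elasticsearch Administrator is effective only when its Table 1 dependencies are in place. The role dependencies and operation names are taken from Tables 1 and 3; the group names, the "global" project label and the sample assignments are constructed.

```python
GLOBAL_PROJECT = "global"  # label for the global project in which Tenant Guest is assigned (Table 1)

# Table 1: a role takes effect only when its dependencies are also held, either
# in the global project or in the same project as the role itself ("same").
ROLE_DEPENDENCIES = {
    "Elasticsearch Administrator": {"Tenant Guest": GLOBAL_PROJECT,
                                    "Server Administrator": "same"},
}
# Table 3 (subset): operations permitted by each system-defined policy or role.
READ_ONLY = {"Querying a cluster list", "Querying cluster details",
             "Querying all tags", "Querying the snapshot list"}
FULL = READ_ONLY | {"Creating a cluster", "Deleting a cluster",
                    "Restarting a cluster", "Manually creating a snapshot"}
PERMITTED_OPERATIONS = {"CSS ReadOnlyAccess": READ_ONLY, "CSS FullAccess": FULL,
                        "Elasticsearch Administrator": FULL}


def effective_roles(user_groups, group_assignments, project):
    """Roles a user holds in `project` through group membership.

    group_assignments maps a group name to a set of (role, project) pairs.
    Roles granted in other projects are ignored (permissions are region-scoped),
    and a role whose Table 1 dependencies are missing is not effective.
    """
    held = set().union(*(group_assignments.get(g, set()) for g in user_groups))
    effective = set()
    for role, proj in held:
        if proj != project:
            continue
        deps = ROLE_DEPENDENCIES.get(role, {})
        if all((dep, project if scope == "same" else scope) in held
               for dep, scope in deps.items()):
            effective.add(role)
    return effective


def can_perform(user_groups, group_assignments, project, operation):
    """Deny by default: allow only if an effective role permits the operation."""
    roles = effective_roles(user_groups, group_assignments, project)
    return any(operation in PERMITTED_OPERATIONS.get(r, set()) for r in roles)


# Constructed sample assignments (not real account data): a complete admin
# group, an admin group missing the global Tenant Guest role, and viewers.
GROUPS = {
    "css-admins": {("Elasticsearch Administrator", "CN North-Beijing1"),
                   ("Server Administrator", "CN North-Beijing1"),
                   ("Tenant Guest", GLOBAL_PROJECT)},
    "css-admins-incomplete": {("Elasticsearch Administrator", "CN North-Beijing1"),
                              ("Server Administrator", "CN North-Beijing1")},
    "css-viewers": {("CSS ReadOnlyAccess", "CN North-Beijing1")},
}
```

Running `can_perform` over every group and region you use is a quick way to confirm that an Elasticsearch Administrator assignment is actually effective and that read-only groups cannot reach the operations marked x in Table 3.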