Permissions Management
If you need to assign different permissions to employees in your enterprise to access your CTS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, software developers in your enterprise may need to use CTS resources but must not delete them or perform any high-risk operations. To ensure this, you can create IAM users for the software developers and grant them only the permissions required for using CTS resources.
If your HUAWEI CLOUD account does not require IAM users for permissions management, you may skip this section.
IAM can be used for free. You pay only for the resources in your account. For details, see IAM Service Overview.
CTS Permissions
By default, new IAM users do not have any permissions assigned. You must add them to user groups and assign permissions policies or roles to these groups. Users then inherit permissions from the groups. This process is called authorization. Users can perform specified operations on cloud services based on their assigned permissions.
CTS is a project-level service deployed and accessed in specific physical regions. To assign CTS permissions to a user group, set the authorization scope to region-specific projects and select the projects in which the permissions take effect. If All projects is selected, the permissions take effect for the user group in every region-specific project. When accessing CTS, users must switch to a region where they have been authorized to use the CTS service.
You can grant permissions by using roles or policies. Currently, only authorization by roles is supported in CTS.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other dependency roles for permissions to take effect.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets the requirements for secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECSs. Most fine-grained policies divide permissions by API.
Table 1 lists the system-defined permissions supported by CTS.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| CTS FullAccess | Full permissions for CTS. | Policy | None |
| CTS ReadOnlyAccess | Read-only permissions for CTS. | Policy | None |
| CTS Administrator | Full permissions for CTS. | Role | When you use this role, you need to also assign the Tenant Guest and OBS Administrator roles in the same project. |
Precautions
- To enable CTS, you must have the Security Administrator permissions and full permissions for CTS (CTS FullAccess is recommended). For details about how to enable CTS, see Enabling CTS. For details about how to assign permissions, see Assigning Permissions to an IAM User.
- To use CTS after CTS is enabled, you only need to have related CTS permissions. The Security Administrator permissions are not required.
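The following is an added Python model of the authorization rules this page describes: new users have no permissions, permissions are inherited through group membership, a grant is scoped to one region-specific project or to All projects, the CTS Administrator role only takes effect when its dependency roles (Tenant Guest and OBS Administrator) are assigned in the same project, and enabling CTS additionally requires the Security Administrator permissions. It is not Huawei Cloud or IAM code and does not call any IAM API; the action names (`cts:read`, `cts:write`, `cts:delete`, `iam:manage`) and the project names `region-a`/`region-b` are constructed placeholders, since the page does not list the CTS APIs that fine-grained policies are divided by.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ALL_PROJECTS = "*"  # stands for the "All projects" scope selection

# Dependency rule from Table 1: CTS Administrator only takes effect when
# Tenant Guest and OBS Administrator are assigned in the same project.
ROLE_DEPENDENCIES: dict[str, set[str]] = {
    "CTS Administrator": {"Tenant Guest", "OBS Administrator"},
}

# Constructed action names (placeholders, not real CTS API names).
FULL_CTS = {"cts:read", "cts:write", "cts:delete"}
PERMISSION_ACTIONS: dict[str, set[str]] = {
    "CTS FullAccess": set(FULL_CTS),
    "CTS ReadOnlyAccess": {"cts:read"},
    "CTS Administrator": set(FULL_CTS),
    "Security Administrator": {"iam:manage"},  # modelled only as the prerequisite for enabling CTS
    "Tenant Guest": set(),       # the page names these only as dependencies,
    "OBS Administrator": set(),  # so their own permissions are not modelled
}


@dataclass(frozen=True)
class Grant:
    permission: str  # role or policy name from Table 1
    project: str     # a region-specific project, or ALL_PROJECTS


@dataclass
class Group:
    name: str
    grants: set[Grant] = field(default_factory=set)


@dataclass
class User:
    name: str
    groups: list[Group] = field(default_factory=list)  # a new IAM user belongs to no group


def granted_names(user: User, project: str) -> set[str]:
    """Roles/policies the user inherits from groups whose scope covers `project`."""
    return {g.permission for group in user.groups for g in group.grants
            if g.project in (ALL_PROJECTS, project)}


def missing_dependencies(user: User, project: str) -> dict[str, set[str]]:
    """Roles granted in `project` whose dependency roles are not also granted there."""
    names = granted_names(user, project)
    return {role: ROLE_DEPENDENCIES[role] - names for role in names
            if role in ROLE_DEPENDENCIES and ROLE_DEPENDENCIES[role] - names}


def effective_actions(user: User, project: str) -> set[str]:
    """Actions allowed in `project`; a role with unmet dependencies contributes nothing."""
    blocked = set(missing_dependencies(user, project))
    actions: set[str] = set()
    for name in granted_names(user, project) - blocked:
        actions |= PERMISSION_ACTIONS.get(name, set())
    return actions


def is_allowed(user: User, project: str, action: str) -> bool:
    return action in effective_actions(user, project)


def can_enable_cts(user: User, project: str) -> bool:
    """Precaution: enabling CTS needs Security Administrator plus full CTS permissions."""
    return ("Security Administrator" in granted_names(user, project)
            and FULL_CTS <= effective_actions(user, project))


def build_sample_users() -> dict[str, User]:
    """Constructed sample: the developers from the page's example, an operators
    group whose dependency roles are assigned in only one project, and admins."""
    developers = Group("developers", {Grant("CTS ReadOnlyAccess", "region-a")})
    operators = Group("operators", {Grant("CTS Administrator", ALL_PROJECTS),
                                    Grant("Tenant Guest", "region-a"),
                                    Grant("OBS Administrator", "region-a")})
    admins = Group("admins", {Grant("CTS FullAccess", ALL_PROJECTS),
                              Grant("Security Administrator", ALL_PROJECTS)})
    return {"dev": User("dev", [developers]), "ops": User("ops", [operators]),
            "admin": User("admin", [admins]), "newcomer": User("newcomer")}


if __name__ == "__main__":
    for name, user in build_sample_users().items():
        for project in ("region-a", "region-b"):
            print(name, project, sorted(effective_actions(user, project)),
                  missing_dependencies(user, project), can_enable_cts(user, project))
```

Running the module prints, per user and project, the effective actions, any roles blocked by missing dependencies, and whether the user could enable CTS; the `ops` user shows why the dependency check matters, since CTS Administrator granted for All projects is effective only in `region-a`, where Tenant Guest and OBS Administrator were also assigned.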