DGC Permissions Management
If you need to assign different permissions to employees in your enterprise to access your DGC resources in HUAWEI CLOUD, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources. For example, if you want to allow some software developers in your enterprise to use DGC resources but disallow them to delete workspaces or perform any high-risk operations, you can create IAM users for the software developers and grant them only the permissions required for using DGC resources.
If you do not require individual IAM users for permissions management, skip this chapter.
IAM is free of charge. You pay only for the resources you use. For more information about IAM, see IAM Service Overview.
Elastic Cloud Server (ECS) permissions are required only when ECS-related operations, such as starting and stopping operators, need to be performed on DGC.
DGC Permissions
By default, new IAM users do not have any permissions. To grant permissions to a user, add the user to one or more groups and attach permissions, policies, or roles to these groups. The users then inherit permissions from the groups. This process is called authorization. After authorization, the users can perform specified operations.
DGC is a project-level service deployed in specific physical regions. To assign DGC permissions to a user group, specify the scope as region-specific projects and select projects (for example, cn-north-1 in CN North-Beijing1) for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing DGC, users need to switch to a region where they are authorized to use cloud services.
- IAM roles: IAM initially provides a coarse-grained authorization mechanism to define permissions based on users' job responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
DGC does not support permission control based on IAM roles.
- DGC workspace roles: DGC provides fine-grained authorization based on workspace roles for specific operations. This mechanism allows for more flexible authorization based on the workspace roles, meeting requirements for secure access control. For example, if you want to create a data connection, you must be assigned with the admin or developer role.
After a role is granted to you, you have all the permissions of the role. For details on how to authorize the DGC role, see Creating Users and Granting DGC Permissions.
DGC Permissions describes the common operations supported by DGC and the permissions granted to each role. You can select roles as required.
Table 1 lists all the system-defined roles and permissions supported by DGC.
|
Role |
Description |
Category |
Dependency |
|---|---|---|---|
|
DAYU Administrator |
Users with the DAYU Administrator policy have all permissions in DGC.
NOTE:
Users assigned the Tenant Administrator role have all permissions for all services except IAM. In other words, users with the Tenant Administrator role can perform all operations in DGC. |
System-defined role |
For details on the system permissions on which DGC depends, see Table 2. When configuring permissions for a DGC user, you must select the permissions of the services on which DGC depends, in the same project.
|
|
DAYU User |
Users with the DAYU User policy have the permissions of the role assigned to them in a workspace. Users with the DAYU User policy have the permissions of the role assigned to them in a workspace. Roles in a workspace can be admin, developer, operator, and viewer. For details on the operation permissions of each role, see DGC Permissions. |
System-defined role |
Table 2 lists the permissions on which DGC depends. When granting these permissions to a user, note the following points:
- If you have enabled policy-based access control, select the system policies of the services on which the policy-based access control depends, in the same project. If the services on which the policy-based access control depends do not have system policies, select the system roles of the services.
- If you have not enabled policy-based access control, select the system roles of the services on which DGC depends in the same project when configuring permissions for DGC users.
|
Service Name |
Mandatory |
Policy |
Role |
|---|---|---|---|
|
VPC |
Yes |
VPC FullAccess |
VPC Administrator |
|
KMS |
Yes |
KMS CMKFullAccess |
KMS Administrator |
|
APIG |
Yes |
- |
APIG Administrator |
|
SMN |
Yes |
- |
SMN Administrator |
|
EVS |
Yes |
EVS FullAccess |
Server Administrator |
|
BSS |
Yes |
EnterpriseProject BSS FullAccess |
BSS Administrator |
|
ECS |
Yes |
ECS FullAccess |
Server Administrator |
|
OBS |
Yes |
OBS OperateAccess |
OBS Buckets Viewer |
|
DWS |
No |
DWS ReadOnlyAccess |
DWS Administrator |
|
DLI |
No |
- |
DLI Service Admin |
|
DLC |
No |
DLCatalog MRS-Hive Policy |
DLCatalog MRS-Hive Group |
|
MRS |
No |
MRS ReadOnlyAccess |
MRS Administrator |
|
CloudTable |
No |
- |
cloudtable Administrator |
|
CS |
No |
CS FullAccess |
CS Tenant Admin |
|
GES |
No |
GES ReadOnlyAccess |
GES Administrator |
|
RDS |
No |
RDS ReadOnlyAccess |
RDS Administrator |
Last Article: Basic Concepts
Next Article: DGC Permissions
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.