Permissions
If you need to control access to your ELB resources on a per-user basis, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources of various types. For example, some software developers in your enterprise need to use ELB resources but should not delete them or perform any high-risk operations. To achieve this, you can create IAM users for these software developers and grant them the permissions required for using ELB resources.
Skip this section if your HUAWEI CLOUD account does not need individual IAM users for permissions management.
IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
ELB Permissions
By default, new IAM users do not have permissions assigned. To grant permissions to a user, add the user to one or more groups and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
ELB is a project-level service deployed and accessed in specific physical regions. To assign ELB permissions to a user group, specify the scope as region-specific projects and select projects for which you want the permissions to take effect. If you select All projects, the permissions will take effect for the user group in all region-specific projects. When accessing ELB, users need to switch to a region where they have been authorized to use ELB.
You can grant permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign any other roles that the permissions depend on for them to take effect. However, roles are not the ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant ELB users the permissions for managing only a certain type of resource. Most policies define permissions based on APIs. For the API actions supported by ELB, see Permissions Policies and Supported Actions.
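The developer scenario above (use ELB resources but never delete them) can be checked before a custom policy is attached. The following is an added example, not code from the ELB or IAM documentation. The action names, the `elb:*:*` wildcard, and the rule that an explicit Deny overrides any Allow are assumptions; take the real action names from Permissions Policies and Supported Actions.

```python
import json
from fnmatch import fnmatchcase

# Constructed policies. Action names are ASSUMED to follow the
# service:resource:operation form; confirm them in the supported-actions list.
ALLOW_ALL = {"Version": "1.1",
             "Statement": [{"Effect": "Allow", "Action": ["elb:*:*"]}]}
DEV_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["elb:*:*"]},
    {"Effect": "Deny",
     "Action": ["elb:loadbalancers:delete", "elb:listeners:delete"]}
  ]
}
""")

def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action."""
    decision = "ImplicitDeny"              # new users have no permissions
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatchcase(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # assumed: explicit Deny always wins
                decision = "Allow"
    return decision

def audit(policies, required, forbidden):
    """List gaps between what the policies grant and the intended access."""
    problems = [f"missing: {a}" for a in required
                if evaluate(policies, a) != "Allow"]
    problems += [f"over-privileged: {a}" for a in forbidden
                 if evaluate(policies, a) == "Allow"]
    return problems

# What the developers must and must not be able to do (constructed lists).
REQUIRED = ["elb:loadbalancers:list", "elb:listeners:create", "elb:members:update"]
FORBIDDEN = ["elb:loadbalancers:delete", "elb:listeners:delete"]

if __name__ == "__main__":
    print("allow-all :", audit([ALLOW_ALL], REQUIRED, FORBIDDEN))
    print("dev policy:", audit([DEV_POLICY], REQUIRED, FORBIDDEN))
```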
| Role/Policy Name | Description | Type |
|---|---|---|
| ELB FullAccess | Permissions: all permissions on ELB resources. Scope: project-level service | Fine-grained policy |
| ELB ReadOnlyAccess | Permissions: read-only permissions on ELB resources. Scope: project-level service | Fine-grained policy |
| ELB Administrator | Permissions: all permissions on ELB resources. Only users who have the Tenant Guest permission can be granted this role/policy. Scope: project-level service | RBAC policy |

Table 2 describes the system-defined roles supported by ELB.

| Operation | ELB FullAccess | ELB ReadOnlyAccess | ELB Administrator |
|---|---|---|---|
| Creating a load balancer | √ | × | √ |
| Querying a load balancer | √ | √ | √ |
| Querying a load balancer and associated resources | √ | √ | √ |
| Querying load balancers | √ | √ | √ |
| Modifying a load balancer | √ | × | √ |
| Deleting a load balancer | √ | × | √ |
| Adding a listener | √ | × | √ |
| Querying a listener | √ | √ | √ |
| Modifying a listener | √ | × | √ |
| Deleting a listener | √ | × | √ |
| Adding a backend server group | √ | × | √ |
| Querying a backend server group | √ | √ | √ |
| Modifying a backend server group | √ | × | √ |
| Deleting a backend server group | √ | × | √ |
| Adding a backend server | √ | × | √ |
| Querying a backend server | √ | √ | √ |
| Modifying a backend server | √ | × | √ |
| Deleting a backend server | √ | × | √ |
| Configuring a health check | √ | × | √ |
| Querying a health check | √ | √ | √ |
| Modifying a health check | √ | × | √ |
| Disabling a health check | √ | × | √ |
| Assigning an EIP | × | × | √ |
| Binding an EIP to a load balancer | × | × | √ |
| Querying an EIP | √ | √ | √ |
| Unbinding an EIP from a load balancer | × | × | √ |