Permissions Management
Scenarios
If you need to grant different users different permissions on your IEC resources, use IAM for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users and assign permissions to these users to control their access to specific resources.
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing IEC resources.
- Grant only the permissions required for users to perform specific tasks.
- Entrust a cloud service to perform professional and efficient O&M on IEC resources.
Skip this section if your HUAWEI CLOUD account does not need individual IAM users.
IAM is free. You pay only for resources purchased using your account. For more information about IAM, see IAM Service Overview.
IEC Permissions
The IEC console is deployed globally, so you do not need to switch regions when you access it. When you assign the Tenant Administrator or Tenant Guest role, however, you must also select specific HUAWEI CLOUD regions. For details, see Table 1. The regions referred to here are HUAWEI CLOUD regions, which are divided by physical location; they are different from IEC edge regions. For details, see What Are the Differences Between HUAWEI CLOUD Regions and IEC Regions?
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism that defines permissions according to users' responsibilities. Only a limited number of service-level roles are available. When you grant permissions with a role, you must also assign any other roles that the role depends on, or the permissions do not take effect. Roles are therefore not an ideal choice for fine-grained authorization or secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, and meets the requirements for secure access control. For example, for the IEC service, the administrator can allow IAM users only to query network ACLs, but not create network ACLs. Most policies define permissions based on APIs. For the API actions supported by IEC, see Permission Policies and Supported Actions.
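The following is an added example, not IEC or HUAWEI CLOUD code, that models the evaluation rules described above for the documented custom-policy shape (Version "1.1", a Statement list with Effect and Action): a new user has no permissions until added to a group, an action is denied unless some statement allows it, and an explicit Deny overrides any Allow. The action names such as "iec:networkAcls:list" are illustrative placeholders; the real IEC actions are listed on the Permission Policies and Supported Actions page. The `leaked_mutations` helper shows the check a practitioner wants before calling a policy "read-only": a wildcard such as "iec:networkAcls:*" silently grants create, update and delete as well.

```python
"""Toy evaluator for IAM custom policies in the shape HUAWEI CLOUD documents.

Added example for this page, not HUAWEI CLOUD or IEC code. It follows the
documented policy shape (Version "1.1", Statement list with Effect/Action)
and the documented evaluation rules: deny unless a statement allows, and an
explicit Deny overrides any Allow. The action names below (for example
"iec:networkAcls:list") are illustrative placeholders, not the real IEC
actions; take those from "Permission Policies and Supported Actions".
"""
from fnmatch import fnmatchcase

# Constructed sample policies. Only the two network ACL query actions are
# allowed: the "query but not create network ACLs" case from the text.
NETWORK_ACL_READONLY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iec:networkAcls:list", "iec:networkAcls:get"]},
    ],
}

# A sloppy "read-only" policy: the wildcard also covers create/update/delete.
NETWORK_ACL_SLOPPY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["iec:networkAcls:*"]}],
}

# Broad allow with an explicit deny carved out for one destructive action.
NETWORK_ADMIN = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["iec:*"]},
        {"Effect": "Deny", "Action": ["iec:vpcs:delete"]},
    ],
}

# Users hold no permissions directly; they inherit from their groups.
GROUP_POLICIES = {
    "iec-auditors": [NETWORK_ACL_READONLY],
    "iec-network-admins": [NETWORK_ADMIN],
}
USER_GROUPS = {
    "alice": ["iec-auditors"],
    "bob": ["iec-network-admins"],
    "carol": [],  # freshly created IAM user, not yet in any group
}


def evaluate(policies, action):
    """Return True if the combined policies allow `action`.

    Default deny. An action pattern may contain '*' (fnmatch semantics).
    Any matching Deny statement wins, regardless of Allow statements.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatchcase(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def user_can(user, action, user_groups=USER_GROUPS,
             group_policies=GROUP_POLICIES):
    """Resolve user -> groups -> policies, then evaluate the action."""
    policies = [p for g in user_groups.get(user, [])
                for p in group_policies[g]]
    return evaluate(policies, action)


def leaked_mutations(policies, mutating_actions):
    """Audit helper: which mutating actions does a supposedly read-only
    policy set still permit? An empty list means it really is read-only."""
    return sorted(a for a in mutating_actions if evaluate(policies, a))


if __name__ == "__main__":
    mutating = ["iec:networkAcls:create", "iec:networkAcls:update",
                "iec:networkAcls:delete"]
    print("alice may list ACLs:", user_can("alice", "iec:networkAcls:list"))
    print("alice may create ACLs:", user_can("alice", "iec:networkAcls:create"))
    print("bob may delete VPCs:", user_can("bob", "iec:vpcs:delete"))
    print("carol may list ACLs:", user_can("carol", "iec:networkAcls:list"))
    print("strict policy leaks:", leaked_mutations([NETWORK_ACL_READONLY], mutating))
    print("sloppy policy leaks:", leaked_mutations([NETWORK_ACL_SLOPPY], mutating))
```

Run it directly to see the six checks; the point to take away is the last two lines, where the strict policy leaks nothing and the wildcard policy leaks every mutating action.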
Table 1 System-defined permissions for IEC

| Policy Name | Description | Scope | Type | Dependencies |
|---|---|---|---|---|
| IEC FullAccess | Users with this permission can perform any operation on IEC resources. | Select Global service project only. | System-defined policy | None |
| IEC ReadOnlyAccess | Users with this permission can query the usage of IEC resources. Specifically, a user with this permission can only read IEC resources. | Select Global service project only. | System-defined policy | None |
| Tenant Administrator | Users with this permission can perform all the operations on all services except IAM. | Select Global service project and Region-specific projects. For Region-specific projects, select: | System-defined role | None |
| Tenant Guest | Users with this permission can perform read-only operations on all services except IAM. | Select Global service project and Region-specific projects. For Region-specific projects, select: | System-defined role | None |
Table 2 lists the common operations supported by each system-defined policy of IEC.
| Operation | IEC ReadOnlyAccess | IEC FullAccess |
|---|---|---|
| Querying bandwidths | √ | √ |
| Querying a specified bandwidth | √ | √ |
| Modifying a bandwidth | x | √ |
| Deleting a bandwidth | x | √ |
| Deleting a subnet | x | √ |
| Querying a specified subnet | √ | √ |
| Updating a subnet | x | √ |
| Querying subnets | √ | √ |
| Creating a subnet | x | √ |
| Deleting a VPC | x | √ |
| Querying VPCs | √ | √ |
| Updating a VPC | x | √ |
| Querying a specified VPC | √ | √ |
| Creating a VPC | x | √ |
| Querying the network quota | √ | √ |
| Creating a route table | x | √ |
| Querying route tables | √ | √ |
| Querying details of a route table | √ | √ |
| Updating a route table | x | √ |
| Deleting a route table | x | √ |
| Querying routes | √ | √ |
| Adding a route | x | √ |
| Updating a route | x | √ |
| Deleting a route | x | √ |
| Associating a subnet with a route table | x | √ |
| Disassociating a subnet from a route table | x | √ |
| Querying the route table with which the subnet is associated | √ | √ |
| Querying network ACLs | √ | √ |
| Creating a network ACL | x | √ |
| Updating a network ACL | x | √ |
| Updating a network ACL rule | x | √ |
| Deleting a network ACL | x | √ |
| Querying a specified network ACL | √ | √ |
| Deleting an EIP | x | √ |
| Querying a specified EIP | √ | √ |
| Updating an EIP | x | √ |
| Querying EIPs | √ | √ |
| Assigning an EIP | x | √ |
| Deleting a security group | x | √ |
| Querying a specified security group | √ | √ |
| Querying security groups | √ | √ |
| Creating a security group | x | √ |
| Deleting a security group rule | x | √ |
| Querying a specified security group rule | √ | √ |
| Querying security group rules | √ | √ |
| Creating a security group rule | x | √ |
| Deleting an edge service | x | √ |
| Querying a specified edge service | √ | √ |
| Querying edge services | √ | √ |
| Querying the edge service quota | √ | √ |
| Querying edge instances | √ | √ |
| Starting, stopping, or restarting an edge instance | x | √ |
| Batch deleting edge instances | x | √ |
| Modifying an edge instance | x | √ |
| Querying a specified edge instance | √ | √ |
| Creating an edge instance | x | √ |
| Changing the OS | x | √ |
| Updating the NIC configuration of an edge instance | x | √ |
| Deleting the NIC of an edge instance | x | √ |
| Adding a NIC to an edge instance | x | √ |
| Querying edge instance flavors | √ | √ |
| Querying a specified job | √ | √ |
| Querying edge sites | √ | √ |
| Querying a specified disk | √ | √ |
| Querying disk types | √ | √ |
| Querying disks | √ | √ |
| Querying edge images | √ | √ |
| Creating an edge image | x | √ |
| Querying a specified edge image | √ | √ |
| Deleting an edge image | x | √ |
| Querying regions where edge images are available | √ | √ |
| Querying the edge image quota | √ | √ |
| Querying edge images in a specified HUAWEI CLOUD region | √ | √ |
| Creating an edge image using an edge instance | x | √ |
| Querying statistics for edge instances | √ | √ |
| Querying statistics for bandwidths | √ | √ |
| Querying the resource usage | √ | √ |
For details about how to create an IAM user and grant permissions to the user, see Example Process.