Permissions Management
You can create users or administrators in OneAccess and grant them permissions for controlling access to specific applications or specific functions of the administrator portal. As the enterprise administrator, you can do this in the OneAccess instance you have created.
If you need to assign different permissions for OneAccess instances to employees in your organization, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources. You can use IAM to manage permissions for modifying OneAccess instances in HUAWEI CLOUD.
With IAM, you can create IAM users under your account, and assign permissions to these users to control their access to specific resources. For example, you can grant permissions to allow certain IT personnel in your enterprise to view OneAccess instances but disallow them to modify the certificates.
You can skip this section if you do not need fine-grained permissions management.
IAM is free of charge. For more information about IAM, see IAM Service Overview.
OneAccess Permissions
By default, new IAM users do not have permissions. To assign permissions to new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which you add them and can perform specific operations on cloud services.
OneAccess is a global service deployed and accessed without specifying any physical region. You can assign OneAccess permissions to users in the global service project. The users do not need to switch regions when they access OneAccess.
You can grant permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users. When you grant permissions using roles, you need to also assign dependency roles.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant Elastic Cloud Server (ECS) users only the permissions required for managing a certain type of ECS resources. Most policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by OneAccess, see OneAccess Actions.
Table 1 lists all the system-defined roles and policies supported by OneAccess.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
Tenant Administrator |
Users assigned this role can customize domain names, unbind domain names, and modify certificates, but they cannot purchase or use OneAccess instances. |
System-defined role |
|
Tenant Guest |
Users assigned this role can only view OneAccess instances. |
System-defined role |
|
OneAccess FullAccess |
Full permissions for OneAccess. |
System-defined policy |
|
OneAccess ReadOnlyAccess |
Read-only permissions for OneAccess. Users granted these permissions can only view this service and cannot configure resources in it. |
System-defined policy |
You can only use a HUAWEI CLOUD account to purchase OneAccess instances.
Table 2 lists the common operations supported by each system-defined policy or role of OneAccess. Choose appropriate policies or roles as required.
|
Operation |
Tenant Administrator |
Tenant Guest |
OneAccess FullAccess |
OneAccess ReadOnlyAccess |
|---|---|---|---|---|
|
Querying instances |
√ |
√ |
√ |
√ |
|
Querying domain certificate details |
√ |
√ |
√ |
√ |
|
Purchasing instances |
× |
× |
× |
× |
|
Customizing domain names |
√ |
× |
√ |
× |
|
Unbinding custom domain names |
√ |
× |
√ |
× |
|
Modifying domain certificates |
√ |
× |
√ |
× |
OneAccess Actions
OneAccess provides system-defined policies, which can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are basic concepts related to policies:
- Permissions: Statements in a policy that allow or deny certain operations.
- Actions: Specific operations that are allowed or denied.
- IAM or enterprise projects: Type of projects for which permissions can be granted. For example, policies that contain actions for both IAM projects and enterprise projects can be assigned in both IAM and Enterprise Management, but policies that contain only actions for IAM projects can be assigned only in IAM. For details, see What Are the Differences Between IAM Projects and Enterprise Projects?
|
Permission |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|
|
Querying instances |
oneaccess:instances:get |
√ |
× |
|
Customizing domain names |
oneaccess:domains:create |
√ |
× |
|
Unbinding custom domain names |
oneaccess:domains:delete |
√ |
× |
|
Querying domain certificate details |
oneaccess:certificates:get |
√ |
× |
|
Modifying domain certificates |
oneaccess:certificates:update |
√ |
× |
|
Modifying specifications |
oneaccess:instances:update |
√ |
× |
Last Article: Billing
Next Article: Change History
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.