Help Center> Relational Database Service> Service Overview> Permissions Management
View PDF

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your RDS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.

With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use RDS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using RDS resources.

If your HUAWEI CLOUD account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.

RDS Permission

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

RDS is a project-level service deployed and accessed in specific physical regions. To assign RDS permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing RDS, users need to switch to a region where they have been authorized to use RDS.

You can grant users permissions by using roles and policies.
  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant IAM users only the permissions for managing a certain type of database resources. Most policies define permissions based on APIs. For the API actions supported by RDS, see Permissions Policies and Supported Actions.

Table 1 lists all the system-defined roles and policies supported by RDS.

Table 1 System policy summary

Policy Name/System Role

Description

Category

Dependencies

RDS FullAccess

Full permissions for Relational Database Service

System-defined policy

N/A

RDS ReadOnlyAccess

Read-only permissions for Relational Database Service

System-defined policy

N/A

RDS ManageAccess

Database administrator permissions for all operations except deleting RDS resources

System-defined policy

N/A

RDS Administrator

Administrator permissions for RDS

System-defined role

The Tenant Guest and Server Administrator roles need to be assigned in the same project.

Table 2 lists the common operations supported by each system policy of RDS. Please choose proper system policies according to this table.

Table 2 Common operations supported by the RDS system policies

Operation

RDS FullAccess

RDS ReadOnlyAccess

RDS ManageAccess

RDS Administrator

Creating an RDS DB instance

x

Deleting an RDS DB instance

x

x

Querying an RDS DB instance list

Table 3 Common operations and supported actions

Operation

Actions

Remarks

Creating a DB instance

rds:instance:create

rds:param:list

To select a VPC, subnet, and security group, configure the following actions:

vpc:vpcs:list

vpc:vpcs:get

vpc:subnets:get

vpc:securityGroups:get

To create an encryption DB instance, you need to configure the KMS Administrator permission in the project.

Changing DB instance specifications

rds:instance:modifySpec

N/A

Scaling up storage space

rds:instance:extendSpace

N/A

Changing a DB instance type from single to primary/standby

rds:instance:singleToHa

If the original single DB instance is encrypted, you need to configure the KMS Administrator permission in the project.

Rebooting a DB instance

rds:instance:restart

N/A

Deleting a DB instance

rds:instance:delete

N/A

Querying a DB instance list

rds:instance:list

N/A

Querying DB instance details

rds:instance:list

If the VPC, subnet, and security group are displayed in the DB instance list, you need to configure vpc:*:get and vpc:*:list.

Changing a DB instance password

rds:password:update

N/A

Changing a database port

rds:instance:modifyPort

N/A

Changing a floating IP address

rds:instance:modifyIp

To query the list of unused IP addresses, configure the following actions:

vpc:subnets:get

vpc:ports:get

Changing a DB instance name

rds:instance:modify

N/A

Changing a maintenance window

rds:instance:modify

N/A

Performing a manual switchover

rds:instance:switchover

N/A

Changing the synchronize model

rds:instance:modifySynchronizeModel

N/A

Changing the failover priority

rds:instance:modifyStrategy

N/A

Changing a security group

rds:instance:modifySecurityGroup

N/A

Binding or unbinding an EIP

rds:instance:modifyPublicAccess

To query public IP addresses, configure the following actions:

vpc:publicIps:get

vpc:publicIps:list

Modifying the recycling policy

rds:instance:setRecycleBin

N/A

Querying the recycling policy

rds:instance:list

N/A

Enabling or disabling SSL

rds:instance:modifySSL

N/A

Enabling or disabling event scheduler

rds:instance:modifyEvent

N/A

Configuring read/write splitting

rds:instance:modifyProxy

N/A

Applying for a private domain name

rds:instance:createDns

N/A

Migrating a standby DB instance to another AZ

rds:instance:create

Standby DB instance migration involves operations on the IP address in the subnet. For encrypted DB instances, you need to configure the KMS Administrator permission in the project.

Restoring tables to a specified point in time

rds:instance:tableRestore

N/A

Configuring TDE permission

rds:instance:tde

Only used for Microsoft SQL Server and MySQL DB instances.

Changing host permission

rds:instance:modifyHost

N/A

Querying hosts of the corresponding database account

rds:instance:list

N/A

Obtaining a parameter template list

rds:param:list

N/A

Creating a parameter template

rds:param:create

N/A

Modifying parameters in a parameter template

rds:param:modify

N/A

Applying a parameter template

rds:param:apply

N/A

Modifying parameters of a specified DB instance

rds:param:modify

N/A

Obtaining the parameter template of a specified DB instance

rds:param:list

N/A

Obtaining parameters of a specified parameter template

rds:param:list

N/A

Deleting a parameter template

rds:param:delete

N/A

Resetting a parameter template

rds:param:reset

N/A

Comparing parameter templates

rds:param:list

N/A

Saving parameters in a parameter template

rds:param:save

N/A

Querying a parameter template type

rds:param:list

N/A

Setting an automated backup policy

rds:instance:modifyBackupPolicy

N/A

Querying an automated backup policy

rds:instance:list

N/A

Creating a manual backup

rds:backup:create

N/A

Obtaining a backup list

rds:backup:list

N/A

Obtaining the link for downloading a backup file

rds:backup:download

N/A

Deleting a manual backup

rds:backup:delete

N/A

Replicating a backup

rds:backup:create

N/A

Querying the restoration time range

rds:instance:list

N/A

Restoring data to a new DB instance

rds:instance:create

To select a VPC, subnet, and security group, configure the following actions:

vpc:vpcs:list

vpc:vpcs:get

vpc:subnets:get

vpc:securityGroups:get

Restoring data to an existing or original DB instance

rds:instance:restoreInPlace

N/A

Obtaining the binlog clearing policy

rds:binlog:get

N/A

Merging binlog files

rds:binlog:merge

N/A

Downloading a binlog file

rds:binlog:download

N/A

Deleting a binlog file

rds:binlog:delete

N/A

Configuring a binlog clearing policy

rds:binlog:setPolicy

N/A

Obtaining a database backup file list

rds:backup:list

N/A

Obtaining a backup database list at a specified time point

rds:backup:list

N/A

Querying a database error log

rds:log:list

N/A

Querying a database slow log

rds:log:list

N/A

Downloading a database error log

rds:log:download

N/A

Downloading a database slow log

rds:log:download

N/A

Enabling or disabling the audit log function

rds:auditlog:operate

N/A

Obtaining an audit log list

rds:auditlog:list

N/A

Querying the audit log policy

rds:auditlog:list

N/A

Obtaining the link for downloading an audit log

rds:auditlog:download

N/A

Obtaining a switchover log

rds:log:list

N/A

Creating a database

rds:database:create

N/A

Querying details about databases

rds:database:list

N/A

Querying authorized databases of a specified user

rds:database:list

N/A

Dropping a database

rds:database:drop

N/A

Creating a database account

rds:databaseUser:create

N/A

Querying details about database accounts

rds:databaseUser:list

N/A

Querying authorized accounts of a specified database

rds:databaseUser:list

N/A

Deleting a database account

rds:databaseUser:drop

N/A

Authorizing a database account

rds:databasePrivilege:grant

N/A

Revoking permissions of a database account

rds:databasePrivilege:revoke

N/A

Viewing a task center list

rds:task:list

N/A

Deleting a task from the task center

rds:task:delete

N/A

Submitting an order for a yearly/monthly DB instance

bss:order:update

N/A

Managing a tag

rds:instance:modify

N/A

Adding nodes

rds:instance:expandCluster

N/A

Helpful Links