Permissions Management
If you need to assign different permissions to employees in your enterprise, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can assign permissions that allow some software developers to use SCM resources but prevent them from deleting resources or performing any high-risk operations on them.
If your HUAWEI CLOUD account does not require individual IAM users for permissions management, skip this section.
IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
SCM Permissions
By default, new IAM users do not have any permissions assigned. To grant permissions, add a user to one or more groups. The user inherits the permissions of the groups to which they are added and can perform the specified operations on cloud services based on those permissions.
You can create IAM users in any region. SCM is a global service for all geographic regions. Therefore, SCM permissions are assigned to users in the Global project, and IAM users do not need to switch regions when accessing SCM.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. Only a limited number of service-level roles are available for authorization. When you assign a role, you also need to assign the other roles it depends on for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant SCM users only the permissions for managing a certain type of resource. Most policies define permissions based on APIs. For the API actions supported by SCM, see Permissions Policies and Supported Actions.
Table 1 lists all the system-defined roles and policies supported by SCM.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| SCM Administrator | SCM administrator permissions. Users with SCM administrator permissions have all the permissions for the SCM service. | System-defined role | The Server Administrator and Tenant Guest roles need to be assigned in the same project. |
| SCM FullAccess | All permissions for SCM | System-defined policy | None. |
| SCM ReadOnlyAccess | Read-only permission for SCM. Users with the read-only permission can only query certificate information but cannot add, delete, or modify certificates. | System-defined policy | None. |
Table 2 lists the common operations for each system-defined policy or role of SCM. Select the policies or roles as required.
| Operation | SCM Administrator | SCM FullAccess | SCM ReadOnlyAccess |
|---|---|---|---|
| Querying the certificate list | Yes | Yes | Yes |
| Querying certificate details | Yes | Yes | Yes |
| Querying the product type of a certificate | Yes | Yes | Yes |
| Querying the product details of a certificate | Yes | Yes | Yes |
| Canceling an application | Yes | Yes | No |
| Purchasing a certificate | Yes | Yes | No |
| Applying for a certificate | Yes | Yes | No |
| Saving the information entered when applying for a certificate | Yes | Yes | No |
| Reading the information entered when applying for a certificate | Yes | Yes | Yes |
| Modifying a certificate | Yes | Yes | No |
| Deleting a certificate | Yes | Yes | No |
| Downloading a certificate | Yes | Yes | No |
| Uploading authentication information | Yes | Yes | No |
| Revoking a certificate | Yes | Yes | No |
| Pushing a certificate | Yes | Yes | No |
| Querying push records | Yes | Yes | Yes |
| Uploading a certificate | Yes | No | No |
| Verifying Certificate Signing Request (CSR) | Yes | Yes | No |
| Adding an additional domain name | Yes | Yes | No |
| Canceling privacy authorization | Yes | Yes | No |