Updated on 2024-01-26 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to access your Global Accelerator resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

With IAM, you can use your HUAWEI ID to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use Global Accelerator resources but should not delete them or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the required permissions.

Skip this section if your HUAWEI ID does not require individual IAM users for permissions management.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the What Is IAM?

Global Accelerator Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups that they are added to, and can perform specified operations on cloud services.

Global Accelerator is a global service for access from any region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.

You can grant permissions by using roles or policies.

  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you may need to also assign other dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for secure access control. For example, you can grant users only the permissions for managing Global Accelerator resources.
Table 1 lists the system-defined roles or policies supported by Global Accelerator.
Table 1 System-defined roles and policies supported by Global Accelerator

Role/Policy Name

Description

Type

Dependency

GA FullAccess

Permissions: all permissions for Global Accelerator

Scope: Global-level service

System-defined policy

-

GA ReadOnlyAccess

Permissions: read-only permissions for Global Accelerator

Scope: Global-level service

System-defined policy

-

Table 2 lists the common operations supported by each system-defined permissions for Global Accelerator.

Table 2 Common operations supported by system-defined permissions

Operation

GA FullAccess

GA ReadOnlyAccess

Creating a global accelerator

×

Viewing a global accelerator

Modifying a global accelerator

×

Deleting a global accelerator

×

Adding a listener

×

Viewing a listener

Modifying a listener

×

Deleting a listener

×

Adding an endpoint group

×

Viewing an endpoint group

Modifying an endpoint group

×

Deleting an endpoint group

×

Adding an endpoint

×

Viewing an endpoint

Modifying an endpoint

×

Removing an endpoint

×

Configuring a health check

×

Viewing health check settings

Modifying health check settings

×

Disabling a health check

×

Deleting a health check

×

Creating an IP address group

×

Querying IP address groups

Querying the details of an IP address group

Modifying an IP address group

×

Deleting an IP address group

×

Adding CIDR blocks to an IP address group

×

Removing CIDR blocks from an IP address group

×

Associating an IP address group with a listener

×

Disassociating an IP address group from a listener

×

Adding tags to a resource

×

Querying tags of a specific resource

Deleting tags from a resource

×