Workspace Permissions
Related Concepts
IAM can be used free of charge on Huawei Cloud. You pay only for the resources in your account. For details about IAM, see IAM Service Overview.
Account
An account registered upon your first use of Huawei Cloud. You can use this account to pay bills, access all Huawei Cloud resources and services under the account, reset user passwords, and assign user permissions. The account also receives and pays all bills generated by your IAM users' use of resources.
You cannot modify or delete your account in IAM, but you can do so in My Account.
IAM user
You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own credentials (password and access keys) and can access resources based on the assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.
User group
You can use user groups to assign permissions to IAM users. By default, new IAM users have no permissions. To assign permissions to new users, add them to one or more groups and grant permissions to those groups. The users then inherit the permissions of the groups they belong to and can perform the corresponding operations on cloud services. If you add a user to multiple user groups, the user inherits the permissions assigned to all of those groups.
The default user group admin has all the permissions for using all of the cloud resources. Users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.
Example
For example, suppose you want to isolate the permissions of two employee groups, a and b: employees in group a use Workspace resources in region 1, and employees in group b use Workspace resources in region 2.
- You can create user groups A and B and grant permissions to them. That is, assign the administrator permissions of Workspace in region 1 to user group A, and assign the administrator permissions of Workspace in region 2 to user group B.
- Create two IAM users user1 and user2, and add user1 to user group A and user2 to user group B. IAM user user1 has the administrator permissions of Workspace in region 1, and IAM user user2 has the administrator permissions of Workspace in region 2.
- The administrator of group a logs in to Huawei Cloud as IAM user user1, goes to the Workspace console of the project in region 1, purchases desktops for the employees of group a, and manages the desktops of the project in region 1. The administrator of group b logs in as IAM user user2, goes to the Workspace console of the project in region 2, purchases desktops for the employees of group b, and manages the desktops of the project in region 2. Figure 1 shows the operation process. For details about how to create an IAM user, see Creating an IAM User and Assigning Permissions.
Workspace Administrator Permissions
You can grant users permissions by using roles and policies. Workspace grants administrator permissions to IAM users by using roles.
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and grant Workspace administrator permissions to these groups. Users inherit permissions from their groups. After authorization, IAM users can perform operations on Workspace resources in the corresponding projects.
Table 1 lists all system permissions of Workspace. The Dependency column indicates roles on which a Workspace permission depends to take effect. Workspace roles are dependent on the roles of other services because Huawei Cloud services interact with each other. Therefore, when assigning Workspace permissions to a user group, do not deselect other dependent permissions. Otherwise, Workspace permissions do not take effect.
System Permission | Description | Details |
---|---|---|
Workspace FullAccess | All permissions for Workspace | All permissions for Workspace |
Workspace DesktopsManager | Desktop administrator permissions for Workspace | Desktop-related operations, including creating and deleting a desktop (general-purpose desktop, dedicated host, rendering desktop, exclusive desktop, and desktop pool), Internet access, scheduled tasks, App Center, and image management |
Workspace UserManager | User administrator permissions for Workspace | User management operations, such as creating users, deleting users, and resetting passwords |
Workspace SecurityManager | Security administrator permissions for Workspace | All security-related operations, such as policy management and user connection recording |
Workspace TenantManager | Tenant administrator permissions for Workspace | All tenant configuration functions |
Workspace ReadOnlyAccess | Read-only permissions for Workspace | Read-only permissions for Workspace |
Table 2 lists the permissions to be added for the following operations.
For details about the permissions required for Workspace, see Assigning Permissions to an IAM User or Creating a Custom Policy.
Operation | Dependent System Role, Policy, or Custom Policy | Description |
---|---|---|
BSS-related permissions: Perform yearly/monthly operations, such as purchasing and changing desktops, and switching from pay-per-use to yearly/monthly billing. | System role: BSS Administrator. Or add the following actions to the custom policy: bss:discount:view, bss:order:update, bss:order:view | Select either a system role or a custom policy. |
IAM-related permissions: Perform scheduled tasks, perform operations on desktop pools, and create and query agencies. | Permissions required for creating and querying agencies: system role Security Administrator, or add the following actions to the custom policy: iam:roles:getRole, iam:roles:listRoles, iam:agencies:getAgency, iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, iam:permissions:grantRoleToAgencyOnProject. Permissions required for querying agencies only: system policy IAM ReadOnlyAccess, or add the following actions to the custom policy: iam:agencies:getAgency, iam:agencies:listAgencies, iam:permissions:listRolesForAgencyOnProject | When creating an agency, select either the system role Security Administrator or the custom policy. For agency query only, select either the system policy IAM ReadOnlyAccess or the custom policy. |
TMS-related permissions: Query predefined tags during desktop creation. | System policy: TMS FullAccess. Or add the following action to the custom policy: tms:predefineTags:list | Select either a system policy or a custom policy. |
VPCEP-related permissions: Enable or disable Direct Connect access (required for fine-grained authentication of enterprise projects). | System role: VPCEndpoint Administrator | VPCEP does not support fine-grained authentication of enterprise projects. |
VPC-related permissions: Perform desktop-related operations and enable economical Internet access (required for fine-grained authentication of enterprise projects). | IAM project-level permissions. System policy: VPC ReadOnlyAccess. System role: VPC Administrator | You must have the VPC permission of the enterprise project to which the VPC used for enabling Workspace belongs. |
IMS-related permissions: Create an image (required for fine-grained authentication of enterprise projects). | Add the following actions to the custom policy: ims:images:get, ims:images:share | IMS does not support fine-grained authentication of enterprise projects. |
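As an added example (not part of the Huawei Cloud documentation), the following Python script builds a least-privilege custom policy from the dependent actions listed in Table 2 and reports which of those actions an existing policy is missing for a given operation, which is useful when auditing a user group before assigning Workspace permissions. The operation labels and the fnmatch-based wildcard matching are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Dependent actions per operation, copied from Table 2 on this page.
# The operation keys are labels chosen for this example.
REQUIRED_ACTIONS = {
    "bss_yearly_monthly": ["bss:discount:view", "bss:order:update", "bss:order:view"],
    "iam_agency_create": [
        "iam:roles:getRole", "iam:roles:listRoles",
        "iam:agencies:getAgency", "iam:agencies:listAgencies",
        "iam:agencies:createAgency",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:grantRoleToAgencyOnProject",
    ],
    "iam_agency_query": [
        "iam:agencies:getAgency", "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgencyOnProject",
    ],
    "tms_predefined_tags": ["tms:predefineTags:list"],
    "ims_create_image": ["ims:images:get", "ims:images:share"],
}


def build_custom_policy(operations):
    """Build a custom policy document that allows exactly the dependent actions
    of the given operations (Huawei Cloud custom policies use "Version": "1.1"
    with Allow/Deny statements)."""
    actions = sorted({a for op in operations for a in REQUIRED_ACTIONS[op]})
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": actions}]}


def allowed_actions(policy):
    """Collect every action pattern granted by Allow statements."""
    return {a for s in policy["Statement"]
            if s.get("Effect") == "Allow" for a in s.get("Action", [])}


def missing_actions(policy, operation):
    """Return the dependent actions of `operation` that `policy` does not grant.
    Assumption: wildcard patterns such as "iam:agencies:*" are matched with
    fnmatchcase, a simplification of the real policy engine."""
    granted = allowed_actions(policy)
    return sorted(a for a in REQUIRED_ACTIONS[operation]
                  if not any(fnmatchcase(a, pat) for pat in granted))


if __name__ == "__main__":
    policy = build_custom_policy(["iam_agency_query", "tms_predefined_tags"])
    print(json.dumps(policy, indent=2))
    # A query-only policy is not sufficient to create an agency:
    print(missing_actions(policy, "iam_agency_create"))
```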