How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
Symptom
You want to grant an IAM user permissions to place orders but disallow the user to pay for the orders.
Solutions
However, the system permissions of the Billing Center registered with IAM cannot meet your requirements. You need to create a custom policy containing the required permissions and use the policy to grant permissions to the IAM user.
Prerequisites
You have already created IAM user A and user group B and you have added the user to the user group. For details, see Creating an IAM User.
Procedure
- Log in to the HUAWEI CLOUD management console.
- On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
- On the IAM console, choose Permissions > Policies/Roles from the navigation pane, and click Create Custom Policy in the upper right corner.
Figure 1 Creating a custom policy
- Set the policy name to BillingCenter_Orders.
- Set the scope to Project-level services.
Figure 2 Setting the scope
- Select Visual editor.
- In the Policy Content area, configure permissions that allow the user to place orders but disallow the user to pay for the orders.
- Configuring permissions to disallow order payment
- Select Deny.
- For the cloud service, select BSS (BSS).
- In the Select action step, expand the ReadWrite area, and select the action bss:order:pay.
Figure 3 Configuring permissions to disallow order payment
- Set the resource type to All.
- Configuring permissions to allow order placement
- Select Allow.
- For the cloud service, select BSS (BSS).
- In the Select action step, expand the ReadWrite area, select the action bss:order:update, and select all the actions in the ReadOnly area.
Figure 4 Configuring permissions to allow order placement
- Set the resource type to All.
- Configuring permissions to disallow order payment
- Set a description for the policy, for example, "Permissions to place orders but disallow order payment."
- Click OK.
- Attach the policy to user group B. Users in the group inherit the permissions defined in this policy.
You can attach custom policies to a user group in the same way you attach system-defined policies. For details, see Creating a User Group and Assigning Permissions.
- When the IAM user logs in and goes to the My Orders page of the Billing Center, the Pay button is not displayed in the Operation column.
Figure 5 My Orders page displayed if permissions are granted successfully
Figure 6 My Orders page displayed if permissions failed to be granted
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.