Permissions
If you need to grant your enterprise personnel permissions to access your IAM Identity Center resources, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources.
With IAM, you can create IAM users and assign permissions to control their access to specific resources.
You can skip this section if you do not need fine-grained permissions management.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see What Is IAM?.
IAM Identity Center Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
IAM Identity Center is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access IAM Identity Center in all regions.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Because Huawei Cloud services depend on each other, granting permissions using roles may also require you to attach the roles those roles depend on. Roles are not ideal for fine-grained authorization or least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage ECSs of a certain type. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions.
Table 1 lists all the system-defined permissions for IAM Identity Center.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| IdentityCenter FullAccess | Administrator permissions for IAM Identity Center. Users with these permissions can perform all operations on IAM Identity Center. | System-defined policy | None |
| IdentityCenter ReadOnlyAccess | Read-only permissions for viewing data on IAM Identity Center. | System-defined policy | None |
Table 2 lists the common operations supported by system-defined permissions for IAM Identity Center.
| Operation | IdentityCenter FullAccess | IdentityCenter ReadOnlyAccess |
|---|---|---|
| Creating a user | √ | x |
| Viewing details about a user | √ | √ |
| Modifying user details | √ | x |
| Creating a group | √ | x |
| Adding a user to or removing a user from a group | √ | x |
| Deleting a group | √ | x |
| Viewing details about a group | √ | √ |
| Creating a permission set | √ | x |
| Modifying a permission set | √ | x |
| Deleting a permission set | √ | x |
| Viewing details about a permission set | √ | √ |
Helpful Links
- IAM Service Overview
- Creating a User and Granting IAM Identity Center Permissions