Help Center/ Workspace/ User Guide (Application Streaming)/ Administrator Operation Guide/ Permissions Management/ Permission Management
Updated on 2024-07-31 GMT+08:00
View PDF

Permission Management

  • The Identity and Access Management (IAM) service is used to manage the permissions for accessing cloud services and resources.
  • Workspace Application Streaming is a regional project. You can create multiple IAM user groups and grant them the Workspace Application Streaming administrator permissions of different projects to manage users' access to Workspace Application Streaming resources.
  • If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

Related Concepts

IAM is a free service. You only pay for the resources in your account.

Account

An account is created after you successfully sign up for Huawei Cloud, and you can use it to purchase Huawei Cloud resources. The account has full access permissions for your cloud resources and can be used to make payments for them. You can use the account to reset user passwords, assign permissions, and receive and pay all bills generated by your IAM users for their usage of resources.

You cannot modify or delete your account in IAM, but you can do so in My Account.

IAM user

You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (passwords or access keys) and uses cloud resources based on assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.

User group

You can use user groups to assign permissions to IAM users. New IAM users do not have any permissions assigned by default. You need to add them to one or more groups. The users then inherit permissions from the groups and can perform specified operations on resources or cloud services based on the permissions they have been assigned. If you add a user to multiple user groups, the user inherits all the permissions that are assigned to these groups.

The default user group admin has all the permissions for using all of the cloud resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.

Enterprise project permissions

For details, see Enterprise Project Permissions.

Workspace Application Streaming Administrator Permissions

You can grant users permissions by using roles and policies. Workspace Application Streaming grants administrator permissions to IAM users by using roles. If Workspace Application Streaming and Workspace use the same project, they share one user list. When a user group of Workspace Application Streaming is granted permissions, a user group of Workspace also has these permissions.

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and grant Workspace Application Streaming administrator permissions to these groups. Users inherit permissions from their groups. After being granted permissions, IAM users can perform operations on Workspace Application Streaming resources in the corresponding projects.

See Table 1. In Table 2, the Dependent System-defined Role, Policy, or Custom Policy column indicates roles on which a Workspace Application Streaming permission depends to take effect. Workspace Application Streaming roles are dependent on the roles of other services because Huawei Cloud services interact with each other. Therefore, when assigning Workspace Application Streaming permissions to a user group, do not deselect other dependent permissions. Otherwise, Workspace Application Streaming permissions do not take effect.

Table 1 Workspace Application Streaming system-defined permissions

System-defined Permission

Description

Detail

Workspace FullAccess

All permissions for Workspace Application Streaming

All permissions for Workspace Application Streaming

Workspace AppManager

Application administrator permissions for Workspace Application Streaming

Cloud application-related operations, including creating and deleting an application, and operations such as accessing the Internet and performing scheduled tasks

Workspace UserManager

User administrator permissions for Workspace Application Streaming

User management operations, such as creating users, deleting users, and resetting passwords

Workspace SecurityManager

Security administrator permissions for Workspace Application Streaming

All security-related operations, such as policy management and user connection recording

Workspace TenantManager

Tenant administrator permissions for Workspace Application Streaming

All tenant configuration functions

Workspace ReadOnlyAccess

Read-only permissions for Workspace Application Streaming

Read-only permissions for Workspace Application Streaming

Table 2 lists the permissions to be added for the following operations.

For details about the dependent permissions of Workspace Application Streaming, see Assigning Permissions to an IAM User or Creating a Custom Policy.

Table 2 Additional permissions required for Workspace Application Streaming

Operation

Dependent System-defined Role, Policy, or Custom Policy

Description

BSS-related permissions: for yearly/monthly operations, such as purchasing and changing resources, and switching from pay-per-use to yearly/monthly. You need to view the renewal information management permission when querying the number of applications to be renewed on the Overview page.

System-defined role: BSS Administrator

Add the following actions to the custom policy:

bss:discount:view

bss:order:update

bss:order:view

bss:order:pay

bss:renewal:view

Select either the system-defined role or the custom policy.

IAM-related permissions: for creating and querying agencies in a scheduled task

Permissions required for creating and querying agencies:

System-defined role: Security Administrator

Add the following actions to the custom policy:

iam:roles:getRole

iam:roles:listRoles

iam:agencies:getAgency

iam:agencies:listAgencies

iam:agencies:createAgency

iam:permissions:listRolesForAgencyOnProject

iam:permissions:grantRoleToAgencyOnProject

Permissions required for querying agencies:

System-defined policy: IAM ReadOnlyAccess

Add the following actions to the custom policy:

iam:agencies:getAgency

iam:agencies:listAgencies

iam:permissions:listRolesForAgencyOnProject

When creating an agency, select either the system-defined role Security Administrator or the custom policy.

For agency query, select either the system-defined policy IAM ReadOnlyAccess or the custom policy.

TMS-related permissions: for querying predefined tags during application creation

System-defined policy: TMS FullAccess

Add the following actions to the custom policy:

tms:predefineTags:list

Select either the system-defined policy or the custom policy.

VPCEP-related permissions: for enabling or disabling Direct Connect

System-defined role: VPCEndpoint Administrator

VPCEP does not support fine-grained authentication of enterprise projects.

VPC-related permissions: for application-related operations such as creating applications and enabling economical Internet access (required for fine-grained authentication of enterprise projects)

IAM project-level permissions

System-defined policy: VPC ReadOnlyAccess

System-defined role: VPC Administrator

You must have the VPC permission of the enterprise project to which the VPC used for enabling Workspace Application Streaming belongs.

IMS-related permissions: for creating images (required for fine-grained authentication of enterprise projects)

Add the following actions to the custom policy:

ims:images:get

ims:images:share

IMS does not support fine-grained authentication of enterprise projects.
Parent topic: Permissions Management