Updated on 2023-12-25 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CCM resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access CCM but not to delete CCM or its resources, then you can create an IAM policy to assign the developers the permission to access CCM but prevent them from deleting CCM related data.

If your Huawei Cloud account does not need individual IAM users for permissions management, you may skip over this topic.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

CCM Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

CCM is a global service deployed for all physical regions. Therefore, CCM permissions are assigned to users in the Global project, and the users do not need to switch regions when accessing CCM.

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. This mechanism provides a limited number of service-level roles for authorization. If one role has a dependency role required for accessing CCM, assign both roles to the users. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CCM users the permissions to manage only a certain type of resources.

Table 1 lists the system-defined roles of CCM.

Table 1 System role supported by CCM

Role/Policy

Description

Type

Dependency

SCM Administrator

SCM administrator permissions. Users with SCM administrator permissions have all the permissions for the SCM service.

System-defined policy

None

SCM FullAccess

All permissions for SCM

System-defined policy

None.

SCM ReadOnlyAccess

Read-only permission for SCM. Users with the read-only permission can only query certificate information but cannot add, delete, or modify certificates.

System-defined policy

None.

PCA FullAccess

All permissions for PCA

System policy

None

Table 2 Common operations for each system-defined policy or role of SCM

Operation

SCM Administrator

SCM FullAccess

SCM ReadOnlyAccess

Querying the SSL certificate list

Querying the details of an SSL certificate

Querying the SSL certificate type

Querying details about SSL certificates of CAs

Withdrawing an SSL certificate application

x

Purchasing an SSL certificate

x

Applying for an SSL certificate

x

Restoring the information provided when applying for an SSL certificate

x

Obtaining the information provided when applying for an SSL certificates

Modifying an SSL certificate

x

Deleting an SSL certificate

x

Downloading an SSL certificate

x

Uploading authentication information

x

Revoking an SSL certificate

x

Pushing an SSL certificate to other services

x

Querying the record of SSL certificates pushed to other services

Uploading an SSL certificate

x

Verifying a CSR

x

Adding an additional domain name

x

Canceling privacy authorization

x

Reissuing an SSL certificate

x

Unsubscribing from an SSL certificate

x