Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CCM resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access CCM but not to delete CCM or its resources, then you can create an IAM policy to assign the developers the permission to access CCM but prevent them from deleting CCM related data.

If your Huawei Cloud account does not need individual IAM users for permissions management, you may skip over this topic.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

CCM Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

CCM is a global service deployed for all physical regions. Therefore, CCM permissions are assigned to users in the Global project, and the users do not need to switch regions when accessing CCM.

You can grant users permissions by using roles and policies.

Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. This mechanism provides a limited number of service-level roles for authorization. If one role has a dependency role required for accessing CCM, assign both roles to the users. Roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CCM users the permissions to manage only a certain type of resources.

Table 1 lists the system-defined roles of CCM.

**Table 1** System role supported by CCM
Role/Policy	Description	Type	Dependency
SCM Administrator	SCM administrator permissions. Users with SCM administrator permissions have all the permissions for the SCM service.	System-defined policy	None
SCM FullAccess	All permissions for SCM	System-defined policy	None.
SCM ReadOnlyAccess	Read-only permission for SCM. Users with the read-only permission can only query certificate information but cannot add, delete, or modify certificates.	System-defined policy	None.
PCA FullAccess	All permissions for PCA	System policy	None

**Table 2** Common operations for each system-defined policy or role of SCM
Operation	SCM Administrator	SCM FullAccess	SCM ReadOnlyAccess
Querying the SSL certificate list	√	√	√
Querying the details of an SSL certificate	√	√	√
Querying the SSL certificate type	√	√	√
Querying details about SSL certificates of CAs	√	√	√
Withdrawing an SSL certificate application	√	√	x
Purchasing an SSL certificate	√	√	x
Applying for an SSL certificate	√	√	x
Restoring the information provided when applying for an SSL certificate	√	√	x
Obtaining the information provided when applying for an SSL certificates	√	√	√
Modifying an SSL certificate	√	√	x
Deleting an SSL certificate	√	√	x
Downloading an SSL certificate	√	√	x
Uploading authentication information	√	√	x
Revoking an SSL certificate	√	√	x
Pushing an SSL certificate to other services	√	√	x
Querying the record of SSL certificates pushed to other services	√	√	√
Uploading an SSL certificate	√	√	x
Verifying a CSR	√	√	x
Adding an additional domain name	√	√	x
Canceling privacy authorization	√	√	x
Reissuing an SSL certificate	√	√	x
Unsubscribing from an SSL certificate	√	√	x