Permissions

If you need to assign different permissions to employees in your enterprise to access your cloud resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use resources but cannot delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the developers and grant them only the permissions for using resources.

You can skip this section if you do not need fine-grained permissions management.

IAM is a free service. You only pay for the resources in your account.

For more information about IAM, see IAM Service Overview.

GeminiDB Permissions

By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups.

GeminiDB is a project-level service deployed in specific physical regions. When assigning GeminiDB permissions to a user group, you need to specify region-specific projects where the permissions will take effect. If you select All projects, the permissions will be granted for all region-specific projects. To access GeminiDB, you need to switch to the region where you are authorized.

You can grant users permissions using roles and policies.

Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign other dependent roles. Roles are not ideal for fine-grained authorization and secure access control.
Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and more secure access control.

Table 1 lists all the system-defined roles and policies supported by GeminiDB.

**Table 1** GeminiDB policies or roles
Policy Name/System Role	Description	Type	Dependency
GeminiDB FullAccess	All permissions for GeminiDB	System-defined policy	To create a yearly/monthly instance, you need to configure the following CBC actions: bss:balance:view bss:balance:update bss:order:view bss:order:pay bss:order:update bss:renewal:view bss:renewal:update To unsubscribe from a yearly/monthly instance, you need to configure the following CBC action: bss:unsubscribe:update
GeminiDB ReadOnlyAccess	Read-only permissions for GeminiDB	System-defined policy	None

Table 2 lists the common operations supported by each system-defined policy or role of GeminiDB. Select the policies or roles as required.

**Table 2** Common operations supported by each system-defined policy or role
Operation	GeminiDB FullAccess	GeminiDB ReadOnlyAccess
Creating an instance	√	x
Querying instances	√	√
Querying details of an instance	√	√
Querying tasks	√	√
Deleting an instance	√	x
Restarting an instance	√	x
Resetting a password	√	x
Changing a security group	√	x
Changing a database port	√	x
Binding or unbinding an EIP	√	x
Scaling up storage space	√	x
Changing instance specifications	√	x
Adding nodes	√	x
Deleting nodes	√	x
Modifying a backup policy	√	x
Renaming an instance	√	x
Creating a manual backup	√	x
Querying backups	√	√
Restoring data to a new instance	√	x
Deleting a backup	√	x
Creating a parameter template	√	x
Querying parameter templates	√	√
Modifying a parameter template	√	x
Deleting a parameter template	√	x
Querying enterprise project quotas	√	√
Modifying enterprise project quotas	√	x
Enabling or disabling SSL	√	x

Table 3 lists common GeminiDB operations and corresponding actions. You can refer to this table to customize permission policies.

**Table 3** Common operations and supported actions
Operation	Actions	Authorization Scope	Remarks
Accessing the instance creation page	vpc:vpcs:list vpc:subnets:get vpc:securityGroups:get	Supported: IAM projects Enterprise projects	The VPC, subnet, and security group are displayed on the instance creation page.
Creating an instance	nosql:instance:create vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get	Supported: IAM projects Enterprise projects	If the default VPC, subnet, and security group are used, the *vpc::create permission must be configured. To create an encrypted instance, you need to configure the KMS Administrator** permission for the project.
Querying instances	nosql:instance:list	Supported: IAM projects Enterprise projects	-
Querying details of an instance	nosql:instance:list	Supported: IAM projects Enterprise projects	If the VPC, subnet, and security group need to be displayed on the instance details page, add the *vpc::get and vpc::list* actions.
Querying tasks	nosql:task:list	Supported: IAM projects Enterprise projects	-
Deleting an instance	nosql:instance:delete	Supported: IAM projects Enterprise projects	When deleting an instance, you need to delete the IP address on the data side.
Restarting an instance	nosql:instance:restart	Supported: IAM projects Enterprise projects	-
Resetting a password	nosql:instance:modifyPasswd	Supported: IAM projects Enterprise projects	-
Changing a security group	nosql:instance:modifySecurityGroup	Supported: IAM projects Enterprise projects	-
Binding an EIP	nosql:instance:bindPublicIp	Supported: IAM projects	When binding an EIP, you need to query the created EIP. Enterprise projects are not supported. Fine-grained authorization is not supported. For details, see Floating IP Address.
Unbinding an EIP	nosql:instance:unbindPublicIp	Supported: IAM projects	Enterprise projects are not supported. Fine-grained authorization is not supported. For details, see Floating IP Address.
Scaling up storage space	nosql:instance:modifyStorageSize	Supported: IAM projects Enterprise projects	-
Changing specifications	nosql:instance:modifySpecification	Supported: IAM projects Enterprise projects	-
Adding nodes	nosql:instance:extendNode vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get	Supported: IAM projects Enterprise projects	-
Deleting nodes	nosql:instance:reduceNode	Supported: IAM projects Enterprise projects	Deleting nodes from a cluster
Modifying a backup policy	nosql:instance:modifyBackupPolicy	Supported: IAM projects Enterprise projects	-
Renaming an instance	nosql:instance:rename	Supported: IAM projects Enterprise projects	-
Creating a manual backup	nosql:backup:create	Supported: IAM projects Enterprise projects	-
Querying backups	nosql:backup:list	Supported: IAM projects Enterprise projects	-
Downloading a backup file	nosql:backup:download	Supported: IAM projects Enterprise projects	-
Restoring data to a new instance	nosql:backup:restoreToNewInstance vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get	Supported: IAM projects Enterprise projects	The KMS Administrator permission needs to be configured for the encrypted instance in the project.
Restoring data to an existing instance	nosql:backup:restoreToExistInstance	Supported: IAM projects Enterprise projects	-
Deleting a backup	nosql:backup:delete	Supported: IAM projects Enterprise projects	-
Creating a parameter template	nosql:param:create	Supported: IAM projects Enterprise projects	-
Querying parameter templates	nosql:param:list	Supported: IAM projects Enterprise projects	-
Changing parameter values in a parameter template	nosql:param:modify	Supported: IAM projects Enterprise projects	-
Changing parameter settings of an instance node	nosql:instance:modifyParameter	Supported: IAM projects Enterprise projects	-
Deleting a parameter template	nosql:param:delete	Supported: IAM projects Enterprise projects	-
Performing an operation on tags	nosql:instance:tag tms:resourceTags:list	Supported: IAM projects Enterprise projects	-
Tag list	nosql:tag:list tms:resourceTags:list	Supported: IAM projects Enterprise projects	-
Querying enterprise project quotas	nosql:quota:list	Supported: IAM projects Enterprise projects	-
Modifying enterprise project quotas	nosql:quota:modify	Supported: IAM projects Enterprise projects	-
Enabling or disabling SSL	nosql:instance:switchSSL	Supported: IAM projects	-
Changing a private IP address	nosql:instance:modifyPrivateIp	Supported: IAM projects Enterprise projects	-
Switching between primary and standby instances	nosql:instance:switchover	Supported: IAM projects Enterprise projects	-
Querying a log group	lts:groups:get	Supported: IAM projects Enterprise projects	-
Querying a log stream	lts:topics:get	Supported: IAM projects Enterprise projects	-