Updated on 2023-09-28 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access Config, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can create IAM users and grant them permissions to implement access control for your Huawei Cloud resources. For example, if you want some of your employees to have the permission for configuring the resource recorder, you can create IAM users for them and grant them the required permission.

If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.

IAM is free. You pay only for the resources in your account. For more details, see IAM Service Overview.

Config Permissions

All users have the permissions to access the My Resources page. The resources displayed depend on the resource permissions of the users. For details about resource permissions of users, see Resource Permissions.

By default, new IAM users do not have permissions assigned. You need to add the users to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added.

After authorization, the users can perform specified operations based on the permissions.

Table 1 lists all roles and permissions supported by Config.

Table 1 System-defined permissions supported by Config

| Role | Description |
|---|---|
| RMS FullAccess | All permissions for Config: viewing resources, resource details, relationships between resources |

Table 2 lists the common operations supported by system-defined permissions for Config.

Table 2 Common operations supported by system-defined permissions

| Operation | RMS FullAccess |
|---|---|
| Querying all resources | Supported |
| Querying details about a resource | Supported |
| Viewing relationships of a resource | Supported |

Resource Permissions

The resources displayed on the My Resources page depend on the resource permissions of the users.

When cloud service permissions have been granted to users, the users can view cloud service resources on the My Resources page.

Otherwise, they cannot view any cloud service resources. In this case, you need to grant the users the permissions to access the cloud service resources.

User permission policies can be defined in IAM and Enterprise Management.

When you attempt to query the resource list, the system first checks whether you belong to the admin user group. If you do, you have administrator permissions for all resources. If you do not, and the policies you set for the admin user group in IAM and in Enterprise Management conflict, only the policies in IAM take effect. In a policy that contains both Allow and Deny statements, the Deny statements take precedence.

If cloud resources under an account have been grouped by enterprise project, you can grant IAM users only the permissions to view resources within the enterprise project scope to meet resource isolation requirements.
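
The check order and the enterprise project scoping described above, sketched as a simplified model (an added example, not Huawei Cloud code). The policy shape, the placeholder action name, the sample users and the reading of "conflict" as IAM and Enterprise Management returning different decisions for the same action are all assumptions.

```python
# Simplified model of the evaluation order described above. Policy shapes,
# action names and the meaning of "conflict" are assumptions for illustration.
ADMIN_GROUP = "admin"

def decide(statements, action):
    """Return 'Deny', 'Allow', or None (no matching statement). Deny wins."""
    effects = {s["Effect"] for s in statements if action in s["Action"]}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def can_view(user, action, project=None):
    """Return (allowed, reason) for `action`, optionally inside an enterprise project."""
    # Step 1: members of the admin group have administrator permissions on all resources.
    if ADMIN_GROUP in user["groups"]:
        return True, "admin group"
    # Step 2: policies defined in IAM.
    iam = decide(user.get("iam_policies", []), action)
    # Step 3: policies defined in Enterprise Management, scoped to one enterprise project.
    em = decide(user.get("em_policies", {}).get(project, []), action)
    # Step 4: when both sources decide and disagree, only the IAM result applies.
    if iam is not None:
        reason = "IAM (overrides Enterprise Management)" if em not in (None, iam) else "IAM"
        return iam == "Allow", reason
    if em is not None:
        return em == "Allow", "Enterprise Management"
    # No statement matched: new users have no permissions by default.
    return False, "no permissions assigned"

# Constructed sample users; the action name is a placeholder, not a real Config action.
LIST = "example:resources:list"
alice = {"groups": ["admin"]}
bob = {"groups": ["auditors"],
       "iam_policies": [{"Effect": "Allow", "Action": [LIST]},
                        {"Effect": "Deny", "Action": [LIST]}]}
carol = {"groups": ["dev"],
         "em_policies": {"project-a": [{"Effect": "Allow", "Action": [LIST]}]}}
dave = {"groups": ["dev"],
        "iam_policies": [{"Effect": "Deny", "Action": [LIST]}],
        "em_policies": {"project-a": [{"Effect": "Allow", "Action": [LIST]}]}}

if __name__ == "__main__":
    for name, user in [("alice", alice), ("bob", bob), ("carol", carol), ("dave", dave)]:
        for project in ("project-a", "project-b"):
            print(name, project, can_view(user, LIST, project))
```

In this model, carol can list resources only inside project-a, which is the isolation effect of granting permissions within an enterprise project scope.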