Updated on 2024-11-04 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to access your SFS Turbo resources on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use SFS Turbo resources but should not be allowed to delete the resources or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using SFS Turbo resources.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

SFS Turbo Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

You can grant permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you must also assign any other roles on which those permissions depend for them to take effect. Roles are therefore not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage a certain type of ECSs. Most policies define permissions based on APIs. For the API actions supported by SFS Turbo, see section "Permissions Policies and Supported Actions" in the Scalable File Service API Reference.
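As an added illustration of the user-to-group-to-policy model and the developer scenario above (example code written for this page, not Huawei Cloud's own tooling), the following Python evaluator reads custom policies in the Version 1.1 Effect/Action JSON shape and resolves a user's effective permissions through group membership. The action names and the simplified "explicit Deny wins, otherwise an Allow must match" evaluation rule are assumptions for this illustration; take real SFS Turbo action names from the API Reference cited above.

```python
import json

# Constructed policy documents in the custom-policy JSON shape
# (Version 1.1, Statement list with Effect/Action). The action names are
# assumed placeholders for this illustration, not verified SFS Turbo actions.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sfsturbo:shares:list", "sfsturbo:shares:get",
                "sfsturbo:shares:create", "sfsturbo:shares:expand"]},
    {"Effect": "Deny",
     "Action": ["sfsturbo:shares:delete"]}
  ]
}
""")

FULL_ACCESS_POLICY = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["sfsturbo:*"]}]}')


def _matches(pattern, action):
    """Match an action name against a statement entry; a trailing '*' is a prefix wildcard."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(policies, action):
    """Evaluate one action against every policy attached to a user's groups.
    Simplified model (assumption): any matching Deny wins; otherwise at least one
    matching Allow is needed; no matching statement means no access."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# Constructed membership: users belong to groups, groups carry policies.
GROUPS = {"sfs-developers": [DEVELOPER_POLICY], "sfs-admins": [FULL_ACCESS_POLICY]}
USERS = {"alice": ["sfs-developers"], "bob": ["sfs-admins"]}


def user_can(user, action):
    """A new user with no groups inherits nothing; otherwise union the group policies."""
    policies = [p for g in USERS.get(user, []) for p in GROUPS[g]]
    return is_allowed(policies, action)
```

Running `user_can("alice", "sfsturbo:shares:delete")` returns False while the create and query actions return True, which is the "can use but not delete" split described for the developers.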

Table 1 lists all the system-defined permissions for SFS Turbo.

Table 1 System-defined permissions for SFS Turbo

| Policy/Role Name | Description | Type | Dependencies |
| --- | --- | --- | --- |
| SFS Turbo FullAccess | Administrator permissions for SFS Turbo. Users with these permissions can perform any operation on all SFS Turbo resources under the account. | System-defined policy | None |
| SFS Turbo ReadOnlyAccess | Read-only permissions for SFS Turbo. Users with these permissions can only view SFS Turbo data. | System-defined policy | None |

Table 2 lists the common operations supported by system-defined policies for SFS Turbo.

Table 2 Common operations supported by each system-defined policy of SFS Turbo

| Operation | SFS Turbo FullAccess | SFS Turbo ReadOnlyAccess |
| --- | --- | --- |
| Grants permission to query SFS Turbo file systems. | √ | √ |
| Grants permission to query tags of an SFS Turbo file system. | √ | √ |
| Grants permission to query SFS Turbo quotas. | √ | √ |
| Grants permission to list SFS Turbo file systems. | √ | √ |
| Grants permission to query the SFS Turbo file system types. | √ | √ |
| Grants permission to query the AZ information of the current region. | √ | √ |
| Grants permission to check SFS Turbo file system names. | √ | × |
| Grants permission to delete tags from an SFS Turbo file system. | √ | × |
| Grants permission to expand capacities of SFS Turbo file systems. | √ | × |
| Grants permission to create SFS Turbo file systems. | √ | × |
| Grants permission to add a tag to an SFS Turbo file system. | √ | × |
| Grants permission to delete SFS Turbo file systems. | √ | × |
| Grants permission to batch add tags to an SFS Turbo file system. | √ | × |

Role/Policy Dependencies of the SFS Turbo Console

Table 3 Role/Policy dependencies of the SFS Turbo console

| Console Function | Dependent Services | Role/Policy Required |
| --- | --- | --- |
| Creating a file system | VPC, Billing Center, DSS, ECS | The SFS Turbo FullAccess policy already includes the permissions of VPC FullAccess, which are required for creating file systems, so an IAM user assigned SFS Turbo FullAccess does not need VPC FullAccess assigned explicitly. To create yearly/monthly file systems, the BSS Administrator policy is also required. To create file systems in dedicated projects, the DSS FullAccess and ECS FullAccess policies are also required. |
| Querying file system details | VPC | The SFS Turbo ReadOnlyAccess policy already includes the permissions of VPC ReadOnlyAccess, which are required for querying file system details, so an IAM user assigned SFS Turbo ReadOnlyAccess does not need VPC ReadOnlyAccess assigned explicitly. |