Permissions Management

You can use IAM for free to manage SMS permissions and grant your employees different permissions, to ensure secure access to your resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources of various types.

For example, you can create IAM users for software developers, and assign specific permissions to allow them to use SMS but disallow them to delete any resources or perform any high-risk operations.

If your Huawei Cloud account does not need individual IAM users for permissions management, you can skip this section.

For more information about IAM, see the IAM Service Overview.

SMS Permissions

By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to, and then they can perform specified operations on cloud services.

A Huawei Cloud account has all the permissions required for using SMS by default. If you use your Huawei Cloud account to perform a migration, no authorization is required.

SMS is a global service deployed for all physical regions. SMS permissions are assigned to users in the Global project, so the users do not need to switch regions when accessing SMS.

Table 1 lists all the system-defined policies and roles of SMS. Huawei Cloud services interwork with each other, and some SMS policies and roles are dependent on the policies and roles of other services. When assigning SMS permissions to users, you need to also assign dependent roles for the SMS permissions to take effect.

**Table 1** Common operations supported by each system-defined policy or role
Operation	SMS FullAccess (Global)	OBS OperateAccess (OBS)	EVS FullAccess	ECS FullAccess	VPC FullAccess
Creating migration tasks	√	x	√	√	√
Viewing migration progresses	√	x	x	x	x

IAM supports two types of policies: system-defined policies and custom policies.

If an IAM user needs all SMS permissions, attach the preceding system-defined policies to the user group to which the user has been added.
If an IAM user only needs some SMS permissions, you can create custom policies and attach these policies to the user group to which the user has been added.

For details, see Creating a User and Assigning Permissions.

Compared with system-defined policies, custom policies provide more fine-grained and secure permissions control.

Dependent Policy Configuration

To grant an IAM user the permissions to view or use resources of other cloud services on the SMS console, you must first grant the SMS FullAccess or SMS ReadOnlyAccess policy to the user group to which the user belongs and then grant the dependency policies and roles listed in Table 2.

**Table 2** Roles and policies of other services that the SMS Console depends on
Console Function	Dependent Services	Roles or Policies Required
Creating a migration task	ECS EIP VPC Image Management Service (IMS) EVS	An IAM user with the SMS FullAccess permissions assigned can use this function only after the ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess permissions are assigned.
Viewing the migration progress	/	No other roles or policies are required. An IAM user with the SMS ReadOnlyAccess permissions can use this function directly.
Creating a migration template	/	No other permissions are required. An IAM user with the SMS FullAccess permissions can use this function directly.
Creating a server template	VPC EVS ECS	An IAM user with the SMS FullAccess permissions assigned can use this function only after the ECSReadOnlyAccess, VPC ReadOnlyAccess, and EVS ReadOnlyAccess permissions are assigned.
Configuring the Agent	ECS EIP VPC IMS EVS	An IAM user with the SMS Full Access permissions assigned can use this function only after the ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess permissions are assigned.