Creating a User and Authorizing the User the Permission to Access DEW
This section describes how to use IAM to implement fine-grained permissions control for your DEW resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.
- Grant users only the permissions required to perform a task.
- Delegate a trusted Huawei Cloud account or cloud service to perform professional, efficient O&M on your DEW resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes the procedure for granting permissions (see Figure 1).
Prerequisites
Before authorizing permissions to a user group, you need to know which DEW permissions can be added to the user group. Table 1 lists the DEW system policies.
For the system policies of other services, see System Permissions.
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
KMS Administrator |
Administrator permissions for KMS |
System role |
None |
KMS CMKFullAccess |
Full permissions for KMS. Users with these permissions can perform all the operations allowed by policies. |
System policy |
None |
DEW KeypairFullAccess |
Full permissions for KPS. Users with these permissions can perform all the operations allowed by policies. |
System policy |
None |
DEW KeypairReadOnlyAccess |
Read-only permissions for KPS. Users with this permission can only view KPS data. |
System policy |
None |
Table 2 describes the common operations supported by each system-defined permission of DEW. Select the permissions as needed.
Operation |
KMS Administrator |
KMS CMKFullAccess |
DEW KeypairFullAccess |
DEW KeypairReadOnlyAccess |
|---|---|---|---|---|
Creating a key |
√ |
√ |
x |
x |
Enable a key |
√ |
√ |
x |
x |
Disable a key |
√ |
√ |
x |
x |
Schedule key deletion |
√ |
√ |
x |
x |
Cancel scheduled key deletion |
√ |
√ |
x |
x |
Modify a key alias |
√ |
√ |
x |
x |
Modify key description |
√ |
√ |
x |
x |
Generate a random number |
√ |
√ |
x |
x |
Create a DEK |
√ |
√ |
x |
x |
Create a plaintext-free DEK |
√ |
√ |
x |
x |
Encrypt a DEK |
√ |
√ |
x |
x |
Decrypt a DEK |
√ |
√ |
x |
x |
Obtain parameters for importing a key |
√ |
√ |
x |
x |
Import key materials |
√ |
√ |
x |
x |
Delete key materials |
√ |
√ |
x |
x |
Create a grant |
√ |
√ |
x |
x |
Revoke a grant |
√ |
√ |
x |
x |
Retire a grant |
√ |
√ |
x |
x |
Query the grant list |
√ |
√ |
x |
x |
Query retirable grants |
√ |
√ |
x |
x |
Encrypt data |
√ |
√ |
x |
x |
Decrypt data |
√ |
√ |
x |
x |
Send signature messages |
√ |
√ |
x |
x |
Authenticate signature |
√ |
√ |
x |
x |
Enabling key rotation |
√ |
√ |
x |
x |
Modify key rotation interval |
√ |
√ |
x |
x |
Disabling key rotation |
√ |
√ |
x |
x |
Query key rotation status |
√ |
√ |
x |
x |
Query CMK instances |
√ |
√ |
x |
x |
Query key tags |
√ |
√ |
x |
x |
Query project tags |
√ |
√ |
x |
x |
Batch add or delete key tags |
√ |
√ |
x |
x |
Add tags to a key |
√ |
√ |
x |
x |
Delete key tags |
√ |
√ |
x |
x |
Query the key list |
√ |
√ |
x |
x |
Query key details |
√ |
√ |
x |
x |
Query public key |
√ |
√ |
x |
x |
Query instance quantity |
√ |
√ |
x |
x |
Query quotas |
√ |
√ |
x |
x |
Query the key pair list |
x |
x |
√ |
√ |
Create or import a key pair |
x |
x |
√ |
x |
Query key pairs |
x |
x |
√ |
√ |
Delete a key pair |
x |
x |
√ |
x |
Update key pair description |
x |
x |
√ |
x |
Bind a key pair |
x |
x |
√ |
x |
Unbind a key pair |
x |
x |
√ |
x |
Query a binding task |
x |
x |
√ |
√ |
Query failed tasks |
x |
x |
√ |
√ |
Delete all failed tasks |
x |
x |
√ |
x |
Delete a failed task |
x |
x |
√ |
x |
Query running tasks |
x |
x |
√ |
√ |
Authorization Process
- Create a user group and assign permissions.
Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
- Create a user and add it to a user group.
Create a user on the IAM console and add the user to the user group created in 1.
- Log in and verify permissions.
Log in to the console as newly created user, and verify that the user only has read permissions for DEW.
- Choose Service List > Data Encryption Workshop. In the navigation pane, choose Key Pair Service. If a message appears indicating lack of permissions, the KMS CMKFullAccess policy has taken effect.
- Click Service List and select a service other than DEW. If a message is displayed indicating that you do not have permission to access the service, the KMS CMKFullAccess policy has taken effect.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
