WAF Permissions and Supported Actions
This topic describes fine-grained permissions management for your WAF instances. If your Huawei ID does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
- Roles: Provided by IAM to define service-based permissions depending on a user's job responsibilities.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.
Supported Actions
WAF provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.
- Permission: A statement in a policy that allows or denies certain operations.
- Action: Specific operations that are allowed or denied.
Permission | Action | IAM Project | Enterprise Project |
---|---|---|---|
Querying an information leakage prevention rule | waf:antiLeakageRule:get | √ | √ |
Querying a web tamper protection rule | waf:antiTamperRule:get | √ | √ |
Querying a CC attack protection rule | waf:ccRule:get | √ | √ |
Querying a precise protection rule | waf:preciseProtectionRule:get | √ | √ |
Querying a global protection whitelist rule | waf:falseAlarmMaskRule:get | √ | √ |
Querying a data masking rule | waf:privacyRule:get | √ | √ |
Querying a blacklist or whitelist rule | waf:whiteBlackIpRule:get | √ | √ |
Querying a geolocation access control rule | waf:geoIpRule:get | √ | √ |
Querying a certificate | waf:certificate:get | √ | √ |
Modifying WAF certificates | waf:certificate:put | √ | √ |
Applying a certificate to a domain name | waf:certificate:apply | √ | √ |
Querying a protection event | waf:event:get | √ | √ |
Querying a protected domain | waf:instance:get | √ | √ |
Querying a protection policy | waf:policy:get | √ | √ |
Querying quota package information | waf:bundle:get | √ | √ |
Querying the protection event download link | waf:dumpEventLink:get | √ | √ |
Querying configurations | waf:consoleConfig:get | √ | √ |
Querying the back-to-source IP address segment | waf:sourceIp:get | √ | √ |
Updating an information leakage prevention rule | waf:antiLeakageRule:put | √ | √ |
Updating a web tamper protection rule | waf:antiTamperRule:put | √ | √ |
Updating a CC attack protection rule | waf:ccRuleRule:put | √ | √ |
Updating a precise protection rule | waf:preciseProtectionRule:put | √ | √ |
Updating a global protection whitelist rule | waf:falseAlarmMaskRule:put | √ | √ |
Updating a data masking rule | waf:privacyRule:put | √ | √ |
Updating an IP address blacklist or whitelist rule | waf:whiteBlackIpRule:put | √ | √ |
Updating a geolocation access control rule | waf:geoIpRule:put | √ | √ |
Updating a protected domain | waf:instance:put | √ | √ |
Updating a protection policy | waf:policy:put | √ | √ |
Deleting an information leakage prevention rule | waf:antiLeakageRule:delete | √ | √ |
Deleting a web tamper protection rule | waf:antiTamperRule:delete | √ | √ |
Deleting a CC attack protection rule | waf:ccRule:delete | √ | √ |
Configuring a precise protection rule | waf:preciseProtectionRule:delete | √ | √ |
Deleting a global protection whitelist rule | waf:falseAlarmMaskRule:delete | √ | √ |
Deleting a data masking rule | waf:privacyRule:delete | √ | √ |
Deleting a blacklist or whitelist rule | waf:whiteBlackIpRule:delete | √ | √ |
Deleting a geolocation access control rule | waf:geoIpRule:delete | √ | √ |
Deleting a protected domain from WAF | waf:instance:delete | √ | √ |
Deleting a protection policy | waf:policy:delete | √ | √ |
Adding an information leakage prevention rule | waf:antiLeakageRule:create | √ | √ |
Adding a web tamper protection rule | waf:antiTamperRule:create | √ | √ |
Adding a CC attack protection rule | waf:ccRule:create | √ | √ |
Adding a precise protection rule | waf:preciseProtectionRule:create | √ | √ |
Creating a global protection whitelist rule | waf:falseAlarmMaskRule:create | √ | √ |
Adding a data masking rule | waf:privacyRule:create | √ | √ |
Adding a blacklist or whitelist rule | waf:whiteBlackIpRule:create | √ | √ |
Adding a geolocation access control rule | waf:geoIpRule:create | √ | √ |
Adding a certificate | waf:certificate:create | √ | √ |
Adding a domain | waf:instance:create | √ | √ |
Adding a policy | waf:policy:create | √ | x |
Querying information leakage prevention rules | waf:antiLeakageRule:list | √ | √ |
Querying web tamper protection rules | waf:antiTamperRule:list | √ | √ |
Querying CC attack protection rules | waf:ccRuleRule:list | √ | √ |
Querying precise protection rules | waf:preciseProtectionRule:list | √ | √ |
Querying the global protection whitelist rule list | waf:falseAlarmMaskRule:list | √ | √ |
Querying data masking rules | waf:privacyRule:list | √ | √ |
Querying blacklist and whitelist rules | waf:whiteBlackIpRule:list | √ | √ |
Querying geolocation access control rules | waf:geoIpRule:list | √ | √ |
Querying the protection domains | waf:instance:list | √ | √ |
Querying protection policies | waf:policy:list | √ | √ |
Querying cloud-mode billing items | waf:subscription:get | √ | √ |
Querying alarm notification configuration | waf:alert:get | √ | √ |
Updating alarm notification configuration | waf:alert:put | √ | √ |
Querying log quotas | waf:ltsConfig:get | √ | √ |
Updating log quotas | waf:ltsConfig:put | √ | √ |
Creating a yearly/monthly order for a cloud-mode instance | waf:prepaid:create | √ | √ |
Enabling the pay-per-use billing for a WAF cloud-mode instance | waf:postpaid:create | √ | √ |
Disabling the pay-per-use billing for a WAF cloud-mode instance | waf:postpaid:delete | √ | √ |
Viewing details of a WAF instance group | waf:pool:get | √ | √ |
Modifying WAF instance group configuration | waf:pool:put | √ | √ |
Creating a WAF instance group | waf:pool:create | √ | √ |
Deleting a WAF instance group | waf:pool:delete | √ | √ |
Viewing the WAF instance group list | waf:pool:list | √ | √ |
Querying binding details of a WAF instance group | waf:poolBinding:get | √ | √ |
Binding a WAF instance group | waf:poolBinding:create | √ | √ |
Unbinding a WAF instance group | waf:poolBinding:delete | √ | √ |
Querying binding details of a WAF instance group | waf:poolBinding:list | √ | √ |
Querying health check configurations of a WAF instance group | waf:poolHealthMonitor:get | √ | √ |
Modifying the health check configuration of a WAF instance group | waf:poolHealthMonitor:put | √ | √ |
Configuring health check for a WAF instance group | waf:poolHealthMonitor:create | √ | √ |
Deleting health check configuration for a WAF instance group | waf:poolHealthMonitor:delete | √ | √ |
Querying health check configurations for WAF instance groups | waf:poolHealthMonitor:list | √ | √ |
Modifying a shared IP address group | waf:ipGroupShare:put | √ | √ |
Batch updating known attack source rules | waf:punishmentRule:batch-delete | √ | √ |
Querying DNS domain names | waf:dnsDomain:get | √ | √ |
Querying IP address groups with the same names | waf:duplicateIpGroup:list | √ | √ |
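
The following is an added example, not part of the original documentation: a small auditor that expands a custom policy against action names taken from the table above and reports every non-read action the policy ends up granting. The policy layout (`Version`, `Statement`, `Effect`, `Action`), `*` wildcard matching, and Deny taking precedence over Allow are assumptions about IAM custom policies; the sample policy is constructed for illustration.

```python
import fnmatch

# Subset of action names copied from the table above (not the full list).
KNOWN_ACTIONS = [
    "waf:instance:get", "waf:instance:list", "waf:instance:put", "waf:instance:delete",
    "waf:policy:get", "waf:policy:list", "waf:policy:put", "waf:policy:delete",
    "waf:certificate:get", "waf:certificate:put", "waf:certificate:apply",
    "waf:whiteBlackIpRule:get", "waf:whiteBlackIpRule:create", "waf:whiteBlackIpRule:delete",
    "waf:event:get", "waf:punishmentRule:batch-delete",
]

# Verbs treated as read-only; anything else (put, create, delete, apply,
# batch-delete) changes WAF state.
READ_VERBS = {"get", "list"}


def is_read_only(action):
    """True when the last segment of the action name is a read verb."""
    return action.rsplit(":", 1)[-1] in READ_VERBS


def effective_actions(policy, known=KNOWN_ACTIONS):
    """Expand wildcard patterns against known actions; Deny wins (assumed)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue  # ignore malformed statements instead of guessing
        target = allowed if effect == "Allow" else denied
        for pattern in stmt.get("Action", []):
            target.update(a for a in known if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def mutating_grants(policy):
    """Sorted list of state-changing actions the policy effectively allows."""
    return sorted(a for a in effective_actions(policy) if not is_read_only(a))


# Constructed sample: intended as a read-only auditor policy, but the
# certificate wildcard also grants waf:certificate:apply.
AUDITOR_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["waf:*:get", "waf:*:list", "waf:certificate:*"]},
        {"Effect": "Deny", "Action": ["waf:certificate:put"]},
    ],
}

if __name__ == "__main__":
    print(mutating_grants(AUDITOR_POLICY))
```

Running the same check with the full action table as `KNOWN_ACTIONS` shows what a wildcard in a custom policy actually grants before the policy is attached to a user group.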