Updated on 2023-12-04 GMT+08:00

Workspace Permissions

Related Concepts

IAM can be used free of charge on Huawei Cloud. You pay only for the resources in your account. For details about IAM, see IAM Service Overview.

Account

An account is registered upon your first use of Huawei Cloud. You can use this account to pay bills, access all Huawei Cloud resources and services under the account, reset user passwords, and assign user permissions. The account also receives and pays all bills generated by your IAM users' use of resources.

You cannot modify or delete your account in IAM, but you can do so in My Account.

IAM user

You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own credentials (password and access keys) and can access resources based on the assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.

User group

You can use user groups to assign permissions to IAM users. By default, new IAM users have no permissions. To assign permissions to new users, add them to one or more groups and grant permissions to those groups. The users then inherit the permissions of the groups to which they belong and can perform specific operations on cloud services. If you add a user to multiple user groups, the user inherits the permissions assigned to all of those groups.

The default user group admin has all the permissions for using all of the cloud resources. Users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.

Example

For example, you want to isolate the permissions of employees in groups a and b: employees in group a use Workspace resources in region 1, and employees in group b use Workspace resources in region 2.

  1. You can create user groups A and B and grant permissions to them. That is, assign the administrator permissions of Workspace in region 1 to user group A, and assign the administrator permissions of Workspace in region 2 to user group B.
  2. Create two IAM users user1 and user2, and add user1 to user group A and user2 to user group B. IAM user user1 has the administrator permissions of Workspace in region 1, and IAM user user2 has the administrator permissions of Workspace in region 2.
  3. The administrator of group a can use the account of user1 to log in to Huawei Cloud and go to the Workspace console of the project in region 1 to purchase desktops for the employees of group a and manage the desktops of the project in region 1. The administrator of group b can use the account of user2 to log in to Huawei Cloud and go to the Workspace console of the project in region 2 to purchase desktops for the employees of group b and manage the desktops of the project in region 2. Figure 1 shows the operation process. For details about how to create an IAM user, see Creating an IAM User and Assigning Permissions.
Figure 1 Operation process

Workspace Administrator Permissions

You can grant users permissions by using roles and policies. Workspace grants administrator permissions to IAM users by using roles.

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and grant Workspace administrator permissions to these groups. Users inherit permissions from their groups. After authorization, IAM users can perform operations on Workspace resources in the corresponding projects.

Table 1 lists all system permissions of Workspace. The Dependency column indicates roles on which a Workspace permission depends to take effect. Workspace roles are dependent on the roles of other services because Huawei Cloud services interact with each other. Therefore, when assigning Workspace permissions to a user group, do not deselect other dependent permissions. Otherwise, Workspace permissions do not take effect.

Table 1 Workspace permissions

System Permission | Description | Details
--- | --- | ---
Workspace FullAccess | All permissions for Workspace | All permissions for Workspace
Workspace DesktopsManager | Desktop administrator permissions for Workspace | Desktop-related operations, including creating and deleting a desktop (general-purpose desktop, dedicated host, rendering desktop, exclusive desktop, and desktop pool), Internet access, scheduled tasks, App Center, and image management
Workspace UserManager | User administrator permissions for Workspace | User management operations, such as creating users, deleting users, and resetting passwords
Workspace SecurityManager | Security administrator permissions for Workspace | All security-related operations, such as policy management and user connection recording
Workspace TenantManager | Tenant administrator permissions for Workspace | All tenant configuration functions
Workspace ReadOnlyAccess | Read-only permissions for Workspace | Read-only permissions for Workspace

Table 2 lists the permissions to be added for the following operations.

For details about the permissions required for Workspace, see Assigning Permissions to an IAM User or Creating a Custom Policy.

Table 2 Additional permissions

Operation | Dependent System Role, Policy, or Custom Policy | Description
--- | --- | ---
BSS-related permissions: perform yearly/monthly operations, such as purchasing and changing desktops, and switching from pay-per-use to yearly/monthly billing. | System role: BSS Administrator; or a custom policy with the actions bss:discount:view, bss:order:update, and bss:order:view | Select either the system role or the custom policy.
IAM-related permissions: perform scheduled tasks, perform operations on desktop pools, and create and query agencies. | Creating and querying agencies: system role Security Administrator; or a custom policy with the actions iam:roles:getRole, iam:roles:listRoles, iam:agencies:getAgency, iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, and iam:permissions:grantRoleToAgencyOnProject. Querying agencies only: system policy IAM ReadOnlyAccess; or a custom policy with the actions iam:agencies:getAgency, iam:agencies:listAgencies, and iam:permissions:listRolesForAgencyOnProject | When creating an agency, select either the system role Security Administrator or the custom policy. For agency query only, select either the system policy IAM ReadOnlyAccess or the custom policy.
TMS-related permissions: query predefined tags during desktop creation. | System policy: TMS FullAccess; or a custom policy with the action tms:predefineTags:list | Select either the system policy or the custom policy.
VPCEP-related permissions: enable or disable Direct Connect access (required for fine-grained authentication of enterprise projects). | System role: VPCEndpoint Administrator | VPCEP does not support fine-grained authentication of enterprise projects.
VPC-related permissions: perform desktop-related operations and enable economical Internet access (required for fine-grained authentication of enterprise projects). | IAM project-level permissions: system policy VPC ReadOnlyAccess; system role VPC Administrator | You must have the VPC permission of the enterprise project to which the VPC used for enabling Workspace belongs.
IMS-related permissions: create an image (required for fine-grained authentication of enterprise projects). | Custom policy with the actions ims:images:get and ims:images:share | IMS does not support fine-grained authentication of enterprise projects.
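The action lists in Table 2 are what a custom policy must grant for each operation. As an added example (not code from this page or from Huawei Cloud), the following Python checks a constructed policy document against those action sets, so an administrator can confirm that a policy meant for agency query only really lacks the agency-creation actions. The policy JSON syntax (Version 1.1 with Effect/Action statements) and the rule that Deny takes precedence over Allow are assumed from the IAM custom-policy format; this page only lists the action names.

```python
import fnmatch
import json

# Action sets from Table 2 on this page, keyed by the operation they enable.
REQUIRED = {
    "bss_yearly_monthly": {"bss:discount:view", "bss:order:update", "bss:order:view"},
    "iam_agency_create": {
        "iam:roles:getRole", "iam:roles:listRoles", "iam:agencies:getAgency",
        "iam:agencies:listAgencies", "iam:agencies:createAgency",
        "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:grantRoleToAgencyOnProject"},
    "iam_agency_query": {
        "iam:agencies:getAgency", "iam:agencies:listAgencies",
        "iam:permissions:listRolesForAgencyOnProject"},
    "tms_predefined_tags": {"tms:predefineTags:list"},
    "ims_create_image": {"ims:images:get", "ims:images:share"},
}

# Constructed sample policy in Huawei Cloud IAM custom-policy JSON syntax
# (Version 1.1, Effect/Action statements). The syntax is assumed; this page
# only lists the action names. The policy is meant to allow agency query only.
QUERY_ONLY_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:agencies:getAgency", "iam:agencies:listAgencies",
                    "iam:permissions:listRolesForAgencyOnProject",
                    "tms:predefineTags:*"]},
        {"Effect": "Deny", "Action": ["iam:agencies:createAgency"]},
    ],
})

def allowed_and_denied(policy_json):
    """Collect the Allow and Deny action patterns from a policy document."""
    allow, deny = set(), set()
    for stmt in json.loads(policy_json).get("Statement", []):
        (allow if stmt.get("Effect") == "Allow" else deny).update(stmt.get("Action", []))
    return allow, deny

def _matches(action, patterns):
    # IAM action patterns may use "*" wildcards, e.g. "tms:predefineTags:*".
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def missing_actions(policy_json, operation):
    """Actions required for `operation` that the policy does not grant.
    An explicit Deny is treated as taking precedence over Allow."""
    allow, deny = allowed_and_denied(policy_json)
    return sorted(a for a in REQUIRED[operation]
                  if _matches(a, deny) or not _matches(a, allow))
```

Run `missing_actions(QUERY_ONLY_POLICY, "iam_agency_create")` to see the four creation-side actions the query-only policy withholds; an empty list for "iam_agency_query" confirms the policy is sufficient for that operation.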