Updated on 2024-05-09 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use OA resources but should not be allowed to perform any high-risk operations, such as deleting ECSs. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using OA resources.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

IAM can be used for free. You pay only for the resources in your account. For more information about IAM, see What Is IAM?

OA Service Permissions

By default, new IAM users do not have any permissions assigned. You need to add the users to certain user groups and grant the user groups policies, so that the users in the groups can inherit the permissions.

  • Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant ECS users only the permissions for managing a certain type of ECSs.

    Most fine-grained policies divide permissions by API.

Table 1 lists all system policies for OA.

Table 1 OA system policies

| Policy | Description | Dependencies | Policy Type |
|---|---|---|---|
| OA FullAccessPolicy | Has all permissions of OA. | None | System-defined policies |
| OA AdvancedOperationsPolicy | Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, the cross-account availability check function is available. | None | System-defined policies |
| OA CommonOperationsPolicy | Has the permissions to perform regular operations using OA, such as performing availability check. The cross-account availability check function is unavailable for users with this policy. | None | System-defined policies |
| OA ReadOnlyAccessPolicy | Has the read-only permissions for OA. Users that are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. | None | System-defined policies |
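
A least-privilege review of the group-based inheritance described above, as an added example that is not Huawei Cloud code: it uses the policy names from Table 1 and assumes they are ordered from read-only to full access, as their descriptions suggest. The groups, users and required levels are constructed sample data, and no IAM API is called.

```python
# Policy names and their ordering follow the Table 1 descriptions (assumed order).
# Groups, users and stated needs are constructed sample data.
OA_POLICIES = [
    "OA ReadOnlyAccessPolicy",      # view only; cannot create or execute tasks
    "OA CommonOperationsPolicy",    # regular operations, no cross-account check
    "OA AdvancedOperationsPolicy",  # adds the cross-account availability check
    "OA FullAccessPolicy",          # all OA permissions
]
RANK = {name: i for i, name in enumerate(OA_POLICIES)}
GROUP_POLICIES = {
    "oa-viewers": ["OA ReadOnlyAccessPolicy"],
    "oa-operators": ["OA CommonOperationsPolicy"],
    "oa-admins": ["OA FullAccessPolicy"],
}
USER_GROUPS = {
    "dev-alice": ["oa-viewers"],
    "dev-bob": ["oa-viewers", "oa-admins"],  # second group grants full access
    "ops-carol": ["oa-operators"],
    "new-dave": [],                          # no group, so no permissions
}
NEEDED = {
    "dev-alice": "OA ReadOnlyAccessPolicy", "dev-bob": "OA ReadOnlyAccessPolicy",
    "ops-carol": "OA CommonOperationsPolicy", "new-dave": "OA ReadOnlyAccessPolicy",
}


def effective_policy(user):
    """Return (policy, group) for the most privileged OA policy a user inherits."""
    best = (None, None)
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            if policy in RANK and (best[0] is None or RANK[policy] > RANK[best[0]]):
                best = (policy, group)
    return best


def review():
    """Compare each user's inherited OA policy with the stated need."""
    findings = []
    for user, needed in NEEDED.items():
        policy, group = effective_policy(user)
        have = RANK.get(policy, -1)  # -1: nothing inherited
        if have != RANK[needed]:
            status = "over-privileged" if have > RANK[needed] else "missing access"
            findings.append((user, status, policy, group))
    return findings

if __name__ == "__main__":
    for finding in review():
        print(finding)
```

Each finding names the group that supplies the excess policy, which is the membership to remove when tightening access.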

Table 2 lists the regular operations supported by each system policy of OA. Select the system policies as required.

Table 2 Authorization relationships

Function

Operation

OA FullAccessPolicy

OA AdvancedOperationsPolicy

OA CommonOperationsPolicy

OA ReadOnlyAccessPolicy

Risk check overview

View the risk check result overview.

Enable or disable automatic check.

×

View a notification topic.

Select accounts.

×

×

Execute check tasks.

×

Download the risk check result report.

Risk check dimensions

View risk check dimensions.

View the check result details of a single check item.

Perform a check that covers only one check item.

×

Download the result report of the check that covers only one check item.

Architecture design

View the architecture diagrams.

View architecture diagrams in the recycle bin.

View details about the architecture diagrams in the recycle bin.

Restore architecture diagrams from the recycle bin.

×

Delete architecture diagrams from the recycle bin.

×

Create architecture diagrams.

×

Rename architecture diagrams.

×

Export architecture diagrams.

Replicate architecture diagrams.

×

Delete architecture diagrams.

×

Enable capacity risk monitoring.

×

View details of an architecture diagram.

Edit an architecture diagram.

×

View the historical editing records of an architecture diagram.

View the historical editing details of an architecture diagram.

Restore a historical architecture diagram.

×

Delete the historical editing records of an architecture diagram.

×

View all links of a diagram element.

View the list of selected resources.

Export selected resources.

Capacity optimization

View the summary of capacity optimization analysis results.

View the details of capacity optimization analysis results.

Delete capacity optimization analysis results.

×

View monitoring details of a capacity optimization analysis result.

Perform re-identification.

×

Stop analysis.

×

Export the capacity optimization analysis report.

Query configurations for capacity optimization analysis.

Modify configurations for capacity optimization analysis.

×

Query the list of capacity optimization analysis reports.

Delete a capacity optimization analysis report.

×

Resource groups

View resource groups.

View resource group details.

Modify a resource group.

×

Delete a resource group.

×

Add a resource group.

×

View the resource list.

Monthly service reports

View the monthly report list.

View monthly report details.

Export a monthly report.

Risk check history

View risk check reports.

View risk check result details.

Export a risk check report.

Custom rules

View the check item list.

Enable check items.

×

Disable check items.

×

Restore initial configurations.

×

Customize configurations.

×

Authorization

View the user authorization list.

Disable or enable authorization.

×

×

×

Disable services.

×

×

×
