Permissions Management
If you need to assign different permissions to employees in your enterprise to access your purchased AOM resources on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use AOM resources but do not want them to delete resources, you can grant permission to use AOM but not permission to delete its resources.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between the two authorization models.
|
Name |
Core Relationship |
Permissions |
Authorization Method |
Description |
|---|---|---|---|---|
|
Role/Policy-based authorization |
User-permission-authorization scope |
|
Assign roles or policies to principals. |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy-based authorization |
User-policy |
|
|
You can grant permissions directly to a user. A variety of key conditions are available for more fine-grained permissions control. However, this model requires a certain level of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
AOM supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. These users then inherit permissions from the groups and perform specified operations on cloud services.
AOM is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing AOM, the users need to switch to a region where they have been authorized to use this service.
|
Policy Name |
Description |
Type |
Dependency Permissions |
|---|---|---|---|
|
AOM FullAccess |
Administrator permissions for AOM 2.0. Users granted these permissions can operate and use AOM. |
System-defined policy |
CCE FullAccess, DMS ReadOnlyAccess, CCE Namespace-level Permissions, LTS FullAccess For CCE namespaces, users or user groups must be granted the administrator (cluster-admin) or custom permissions. If custom permissions are granted, the get, list, and update permissions must be included and the resources of configmaps, prometheuses, servicemonitors, podmonitors, and namespaces must also be specified. For details, see Namespace Permissions (Kubernetes RBAC-based). |
|
AOM ReadOnlyAccess |
Read-only permissions for AOM 2.0. Users granted these permissions can only view AOM data. |
System-defined policy |
CCE ReadOnlyAccess, DMS ReadOnlyAccess, CCE Namespace-level Permissions, LTS ReadOnlyAccess For CCE namespaces, users or user groups must be granted the administrator (cluster-admin) or custom permissions. If custom permissions are granted, the get and list permissions must be included and the resources of configmaps, prometheuses, servicemonitors, podmonitors, and namespaces must also be specified. For details, see Namespace Permissions (Kubernetes RBAC-based). |
Table 3 lists the common operations supported by each system-defined policy of resource monitoring. Select policies as required.
|
Operation |
AOM FullAccess |
AOM ReadOnlyAccess |
|---|---|---|
|
Creating an alarm rule |
√ |
x |
|
Modifying an alarm rule |
√ |
x |
|
Deleting an alarm rule |
√ |
x |
|
Creating an alarm template |
√ |
x |
|
Modifying an alarm template |
√ |
x |
|
Deleting an alarm template |
√ |
x |
|
Creating an alarm notification rule |
√ |
x |
|
Modifying an alarm notification rule |
√ |
x |
|
Deleting an alarm notification rule |
√ |
x |
|
Creating a message template |
√ |
x |
|
Modifying a message template |
√ |
x |
|
Deleting a message template |
√ |
x |
|
Creating a grouping rule |
√ |
x |
|
Modifying a grouping rule |
√ |
x |
|
Deleting a grouping rule |
√ |
x |
|
Creating a suppression rule |
√ |
x |
|
Modifying a suppression rule |
√ |
x |
|
Deleting a suppression rule |
√ |
x |
|
Creating a silence rule |
√ |
x |
|
Modifying a silence rule |
√ |
x |
|
Deleting a silence rule |
√ |
x |
|
Creating a dashboard |
√ |
x |
|
Modifying a dashboard |
√ |
x |
|
Deleting a dashboard |
√ |
x |
|
Creating a Prometheus instance |
√ |
x |
|
Modifying a Prometheus instance |
√ |
x |
|
Deleting a Prometheus instance |
√ |
x |
|
Creating an application discovery rule |
√ |
x |
|
Modifying an application discovery rule |
√ |
x |
|
Deleting an application discovery rule |
√ |
x |
|
Subscribing to threshold alarms |
√ |
x |
|
Configuring a VM log collection path |
√ |
x |
Table 4 lists the common operations supported by each system-defined policy of collection settings. Select policies as required.
|
Operation |
AOM FullAccess |
AOM ReadOnlyAccess |
|---|---|---|
|
Querying a proxy area |
√ |
√ |
|
Editing a proxy area |
√ |
× |
|
Deleting a proxy area |
√ |
× |
|
Creating a proxy area |
√ |
× |
|
Querying all proxies in a proxy area |
√ |
√ |
|
Querying all proxy areas |
√ |
√ |
|
Querying the Agent installation result |
√ |
√ |
|
Obtaining the Agent installation command of a host |
√ |
√ |
|
Obtaining the host heartbeat and checking whether the host is connected with the server |
√ |
√ |
|
Uninstalling running Agents in batches |
√ |
× |
|
Querying the Agent home page |
√ |
√ |
|
Testing the connectivity between the installation host and the target host |
√ |
× |
|
Installing Agents in batches |
√ |
× |
|
Obtaining the latest operation log of the Agent |
√ |
√ |
|
Obtaining the list of versions that can be selected during Agent installation |
√ |
√ |
|
Obtaining the list of all Agent versions under the current project ID |
√ |
√ |
|
Deleting hosts with Agents installed |
√ |
× |
|
Querying Agent information based on the ECS ID |
√ |
√ |
|
Deleting a host with an Agent installed |
√ |
× |
|
Setting an installation host |
√ |
× |
|
Resetting installation host parameters |
√ |
× |
|
Querying the list of hosts that can be set to installation hosts |
√ |
√ |
|
Querying the list of Agent installation hosts |
√ |
√ |
|
Deleting an installation host |
√ |
× |
|
Upgrading Agents in batches |
√ |
× |
|
Querying historical task logs |
√ |
√ |
|
Querying historical task details |
√ |
√ |
|
Querying all historical tasks |
√ |
√ |
|
Querying all execution statuses and task types |
√ |
√ |
|
Querying the Agent execution statuses in historical task details |
√ |
√ |
|
Modifying a proxy |
√ |
× |
|
Deleting a proxy |
√ |
× |
|
Setting a proxy |
√ |
× |
|
Querying the list of hosts that can be set to proxies |
√ |
√ |
|
Updating plug-ins in batches |
√ |
× |
|
Uninstalling plug-ins in batches |
√ |
× |
|
Installing plug-ins in batches |
√ |
× |
|
Querying historical task logs of a plug-in |
√ |
√ |
|
Querying all plug-in execution records |
√ |
√ |
|
Querying plug-in execution records based on the task ID |
√ |
√ |
|
Querying the plug-in execution statuses in historical task details |
√ |
√ |
|
Obtaining the plug-in list |
√ |
√ |
|
Querying the plug-in version |
√ |
√ |
|
Querying the list of supported plug-ins |
√ |
√ |
|
Obtaining the CCE cluster list |
√ |
√ |
|
Obtaining the Agent list of a CCE cluster |
√ |
√ |
|
Installing ICAgent on a CCE cluster |
√ |
× |
|
Upgrading ICAgent for a CCE cluster |
√ |
× |
|
Uninstalling ICAgent from a CCE cluster |
√ |
× |
|
Obtaining the CCE cluster list |
√ |
√ |
|
Obtaining the list of hosts where the ICAgent has been installed |
√ |
√ |
|
Installing ICAgent on CCE cluster hosts |
√ |
× |
|
Upgrading ICAgent on CCE cluster hosts |
√ |
× |
|
Uninstalling ICAgent from CCE cluster hosts |
√ |
× |
Roles/Policies Required by AOM Dependency Services
If an IAM user needs to view data or use functions on the AOM console, grant the AOM FullAccess or AOM ReadOnlyAccess policy to the user group to which the user belongs and then add the roles or policies required by dependency services by referring to Table 5. When a user subscribes to AOM for the first time, AOM creates an agency for the user. In addition to AOM FullAccess, the user also needs to be granted the Security Administrator permission to create and delete agencies.
|
Console Function |
Dependency Service |
Policy/Role Required |
|---|---|---|
|
CCE |
To use workload and cluster monitoring and Prometheus for CCE, you need to set the CCE FullAccess and CCE Namespace permissions. |
|
Data subscription |
Distributed Message Service (DMS) for Kafka |
To use data subscription, you need to set the DMS ReadOnlyAccess permission. |
|
Log Tank Service (LTS) |
To use log management, log transfer, log jobs, log ingestion rules, host group management, and log alarm rules, you need to set the LTS FullAccess permission. For details about the fine-grained policy permissions, see Permissions. |
|
Enterprise project |
Enterprise Project Management Service (EPS) |
To use enterprise projects, you need to set the EPS ReadOnlyAccess permission. For details about the fine-grained policy permissions, see Permissions. |
Identity Policy-based Authorization
AOM supports authorization with identity policies. Table 6 lists all the system-defined identity policies for AOM. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Policy Name |
Description |
Policy Type |
Dependency Permissions |
Remarks |
|---|---|---|---|---|
|
AOMReadOnlyPolicy |
Read-only permissions for AOM. |
System-defined identity policy |
- |
After IAM5 functions are enabled, authorization for AOM will be effected. Some pages may fail to be authenticated. To solve the problem, configure AOMFullAccessPolicy or AOMReadOnlyPolicy. |
|
AOMFullAccessPolicy |
Full permissions for AOM. |
System-defined identity policy |
iam:agencies:createAgency and iam:agencies:deleteAgency |
|
|
AOMServiceLinkedAgencyPolicy |
Agency permissions required for performing AOM cross-account operations. |
System-defined identity policy |
- |
Table 7 lists the common operations supported by each system-defined identity policy of resource monitoring. Select policies as required.
|
Operation |
AOMFullAccessPolicy |
AOMReadOnlyPolicy |
AOMServiceLinkedAgencyPolicy |
|---|---|---|---|
|
Creating an alarm rule |
√ |
x |
√ |
|
Modifying an alarm rule |
√ |
x |
√ |
|
Deleting an alarm rule |
√ |
x |
√ |
|
Creating an alarm template |
√ |
x |
x |
|
Modifying an alarm template |
√ |
x |
x |
|
Deleting an alarm template |
√ |
x |
x |
|
Creating an alarm action rule |
√ |
x |
√ |
|
Modifying an alarm action rule |
√ |
x |
√ |
|
Deleting an alarm action rule |
√ |
x |
√ |
|
Creating a message template |
√ |
x |
x |
|
Modifying a message template |
√ |
x |
x |
|
Deleting a message template |
√ |
x |
x |
|
Creating a grouping rule |
√ |
x |
x |
|
Modifying a grouping rule |
√ |
x |
x |
|
Deleting a grouping rule |
√ |
x |
x |
|
Creating a suppression rule |
√ |
x |
x |
|
Modifying a suppression rule |
√ |
x |
x |
|
Deleting a suppression rule |
√ |
x |
x |
|
Creating a silence rule |
√ |
x |
√ |
|
Modifying a silence rule |
√ |
x |
√ |
|
Deleting a silence rule |
√ |
x |
√ |
|
Creating a dashboard |
√ |
x |
x |
|
Modifying a dashboard |
√ |
x |
x |
|
Deleting a dashboard |
√ |
x |
x |
|
Creating a Prometheus instance |
√ |
x |
√ |
|
Modifying a Prometheus instance |
√ |
x |
√ |
|
Deleting a Prometheus instance |
√ |
x |
√ |
|
Creating an application discovery rule |
√ |
x |
√ |
|
Modifying an application discovery rule |
√ |
x |
√ |
|
Deleting an application discovery rule |
√ |
x |
√ |
|
Subscribing to threshold alarms |
√ |
x |
x |
|
Configuring a VM log collection path |
√ |
x |
x |
Table 8 lists the common operations supported by each system-defined identity policy of collection management.
|
Operation |
AOMFullAccessPolicy |
AOMReadOnlyPolicy |
|---|---|---|
|
Querying a proxy area |
√ |
√ |
|
Editing a proxy area |
√ |
× |
|
Deleting a proxy area |
√ |
× |
|
Creating a proxy area |
√ |
× |
|
Querying all proxies in a proxy area |
√ |
√ |
|
Querying all proxy areas |
√ |
√ |
|
Querying the Agent installation result |
√ |
√ |
|
Obtaining the Agent installation command of a host |
√ |
√ |
|
Obtaining the host heartbeat and checking whether the host is connected with the server |
√ |
√ |
|
Uninstalling running Agents in batches |
√ |
× |
|
Querying the Agent home page |
√ |
√ |
|
Testing the connectivity between the installation host and the target host |
√ |
× |
|
Installing Agents in batches |
√ |
× |
|
Obtaining the latest operation log of the Agent |
√ |
√ |
|
Obtaining the list of versions that can be selected during Agent installation |
√ |
√ |
|
Obtaining the list of all Agent versions under the current project ID |
√ |
√ |
|
Deleting hosts with Agents installed |
√ |
× |
|
Querying Agent information based on the ECS ID |
√ |
√ |
|
Deleting a host with an Agent installed |
√ |
× |
|
Setting an installation host |
√ |
× |
|
Resetting installation host parameters |
√ |
× |
|
Querying the list of hosts that can be set to installation hosts |
√ |
√ |
|
Querying the list of Agent installation hosts |
√ |
√ |
|
Deleting an installation host |
√ |
× |
|
Upgrading Agents in batches |
√ |
× |
|
Querying historical task logs |
√ |
√ |
|
Querying historical task details |
√ |
√ |
|
Querying all historical tasks |
√ |
√ |
|
Querying all execution statuses and task types |
√ |
√ |
|
Querying the Agent execution statuses in historical task details |
√ |
√ |
|
Modifying a proxy |
√ |
× |
|
Deleting a proxy |
√ |
× |
|
Setting a proxy |
√ |
× |
|
Querying the list of hosts that can be set to proxies |
√ |
√ |
|
Updating plug-ins in batches |
√ |
× |
|
Uninstalling plug-ins in batches |
√ |
× |
|
Installing plug-ins in batches |
√ |
× |
|
Querying historical task logs of a plug-in |
√ |
√ |
|
Querying all plug-in execution records |
√ |
√ |
|
Querying plug-in execution records based on the task ID |
√ |
√ |
|
Querying the plug-in execution statuses in historical task details |
√ |
√ |
|
Obtaining the plug-in list |
√ |
√ |
|
Querying the plug-in version |
√ |
√ |
|
Querying the list of supported plug-ins |
√ |
√ |
|
Obtaining the CCE cluster list |
√ |
√ |
|
Obtaining the Agent list of a CCE cluster |
√ |
√ |
|
Installing ICAgent on a CCE cluster |
√ |
× |
|
Upgrading ICAgent for a CCE cluster |
√ |
× |
|
Uninstalling ICAgent from a CCE cluster |
√ |
× |
|
Obtaining the CCE cluster list |
√ |
√ |
|
Obtaining the list of hosts where the ICAgent has been installed |
√ |
√ |
|
Installing ICAgent on CCE cluster hosts |
√ |
× |
|
Upgrading ICAgent on CCE cluster hosts |
√ |
× |
|
Uninstalling ICAgent from CCE cluster hosts |
√ |
× |
Identity Policy Dependencies of the AOM Console
If an IAM user needs to view data or use functions on the AOM console, grant the AOMFullAccessPolicy or AOMReadOnlyAccessPolicy permission to the user group to which the user belongs and then add the identity policies required by dependency services by referring to Table 9.
When a user subscribes to AOM for the first time, AOM creates an agency for the user. In addition to AOMFullAccessPolicy or AOMReadOnlyAccessPolicy, the user also needs to be granted the iam:agencies:createAgency and iam:agencies:deleteAgency permissions to create and delete agencies.
|
Console Function |
Dependency Service |
Identity Policy Required |
|---|---|---|
|
CCE |
To use workload and cluster monitoring, you need to set the CCEReadOnlyAccessPolicy permission. |
|
Data subscription |
Distributed Message Service (DMS) for Kafka |
To use data subscription, you need to set the DMSReadOnlyAccess permission. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
