Updated on 2024-11-18 GMT+08:00

Permissions Management

If you need to grant your enterprise personnel permission to access your CAE resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud cloud resources.

With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use CAE resources but do not want them to be able to delete CAE resources or perform any other high-risk operations, you can create IAM users and grant permission to use CAE resources but not permission to delete them.

If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

For more information about IAM, see the IAM Service Overview.

CAE Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-east-3) in the specified regions (for example, CN East-Shanghai1), the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.

You can grant permissions by using roles and policies.

  • Roles: IAM's coarse-grained authorization that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.

Table 1 lists all the system-defined permissions for CAE.

Table 1 CAE system permissions

Role/Policy Name

Description

Type

Dependent System Permissions

Service Dependency and Scenario

CAE FullAccess

Full permissions for CAE.

System-defined policy

Must be used together with these permissions:

  • OBS Administrator
  • AOM FullAccess
  • SWR Admin
  • BSS Finance
  • VPC ReadOnlyAccess
  • ServiceStage ReadOnlyAccess
  • ELB FullAccess

Full permissions for CAE.

CAE ReadOnlyAccess

Read-only permissions for CAE.

System-defined policy

Must be used together with these permissions:

  • ServiceStage ReadOnlyAccess
  • LTS ReadOnlyAccess
  • obs:bucket:GetBucketLocation
  • obs:bucket:GetBucketStorage
  • obs:bucket:GetBucketStoragePolicy

Read-only permissions for CAE.

OBS Administrator

OBS administrator.

System-defined policy

None

Component deployment using OBS software package and cloud storage authorization unbinding

AOM FullAccess

Full permissions for AOM.

System-defined policy

None

CAE environment creation

SWR Admin

SWR administrator, who has full permissions for this service.

System-defined role

None

Component creation, deployment, upgrade, and rollback

DNS Administrator

DNS administrator, who has full permissions for this service.

System-defined role

  • VPC Administrator
  • Tenant Guest

Domain name query and configuration. This permission allows deletion of VPC Administrator and Tenant Guest roles. Deleting these two roles does not affect domain name configuration.

BSS Finance

Financial administrator of the Billing Center, who has full permissions for financial operations.

System-defined role

None

Package purchase and payment

KMS CMKFullAccess

All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

System-defined role

None

Permission to access the credential information in Cloud Secret Management Service (CSMS) for credential reference by CAE environment variables

CSMS ReadonlyAccess

Read-only permissions for Cloud Secret Management Service (CSMS) in DEW. Users with these permissions can perform all the operations allowed by policies.

System-defined role

None

Permission to access the credential information in Cloud Secret Management Service (CSMS) for CAE credential configuration

Policies are also customizable beyond permissions listed in Table 1 do not meet your requirements, as shown in Table 2.

Table 2 Common operations supported by each system policy

Description

CAE ReadOnlyAccess

CAE FullAccess

Buy a package

x

Create an environment

x

Query all environments

Query environment information

Delete an environment

x

Create an application

x

Query application information

Query all applications

Update application information

x

Delete an application

x

Create a component

x

Query component information

Query component configurations

Query component events

Query all components and instances

View usage data

Modify component configurations

x

Scale, upgrade, roll back, stop, start, restart, and edit components

x

Delete a component

x

Deploy a demo with a few clicks

x

Enable certificate configuration

x

View certificate configurations

Modify certificate configurations

x

Disable certificate configuration

x

Configure a domain name

x

View a domain name

Cancel domain name configuration

x

Authorize cloud storage

x

Unbind cloud storage

x

Log in remotely

x

To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CAE as required. Table 3 describes fine-grained permission dependencies of CAE.

On the IAM console, choose Permissions > Policies/Roles > Create Custom Policy > Select service > CAE > Policy Content. Only the permissions (cae:environment:* and cae:application:*) listed in the following table apply to Huawei Cloud regions.

Table 3 Fine-grained permission dependencies of CAE

Permission Name

Description

Permission Dependency

Scenarios (Actions)

cae:environment:create

Create an environment

  • vpc:vpcs:get
  • vpc:vpcs:list
  • vpc:vpcs:create
  • vpc:subnets:get
  • vpc:subnets:create
  • vpc:ports:get
  • vpc:ports:create
  • OBS Administrator
  • AOM FullAccess
  • BSS Finance
  • SWR Admin
  • Create an environment
  • Buy a package
  • Enable certificate configuration
  • Modify certificate configurations
  • Configure a domain name
  • Authorize cloud storage

cae:environment:list

Query all environments

  • obs:bucket:GetBucketLocation
  • obs:bucket:GetBucketStorage
  • obs:bucket:GetBucketStoragePolicy
  • Query an environment
  • View cloud storage authorization

cae:environment:get

Query environment information

None

  • View certificate configurations
  • View a domain name

cae:environment:delete

Delete an environment

  • vpc:ports:delete
  • OBS Administrator
  • Delete an environment
  • Disable certificate configuration
  • Cancel domain name configuration
  • Unbind cloud storage

cae:application:create

Create an application

  • rds:instance:list
  • rds:databaseUser:list
  • rds:database:list
  • cse:engine:get
  • cse:engine:list
  • lts:groups:create
  • lts:topics:create
  • lts:*:list
  • lts:*:get
  • OBS Administrator
  • SWR Admin
  • Create an application
  • Create the components
  • Modify component configurations
  • Deploy a demo with a few clicks

cae:application:get

Query application information

  • rds:instance:list
  • rds:databaseUser:list
  • rds:database:list
  • cse:engine:get
  • cse:engine:list
  • View application information
  • View component information
  • View component configuration

cae:application:list

Query all applications

None

  • View all applications
  • View usage data
  • View all components and instances
  • View component events

cae:application:modify

Update application information

  • OBS Administrator
  • SWR Admin

Component operations:

  • Scaling
  • Upgrade
  • Rollback
  • Stop
  • Start
  • Restart
  • Modify

cae:application:delete

Delete an application

  • lts:groups:delete
  • lts:topics:delete
  • OBS Administrator
  • Delete an application
  • Delete a component
  • Delete component configuration

cae:application:createConsole

Log in remotely

  • cae:application:delete
  • cae:application:modify
  • cae:application:get

Log in remotely