Permissions Management
If you need to assign different permissions to employees in your enterprise for access to your DEW resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control. If your Huawei account meets your needs and you do not need IAM users to manage permissions, you can skip this chapter.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control access to Huawei Cloud resources through authorization. For example, some developers in your enterprise may need to use DEW, but you do not want them to have permissions for high-risk operations such as deleting DEW resources. In that case, use IAM to grant them only the permissions to use DEW, without the permission to delete. With IAM, you can control their usage of DEW resources.
There are two types of IAM authorization: policy/role authorization and identity policy authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Authorization Using | Authorization Method | Scenario |
|---|---|---|---|
| Policies/Roles | Roles and policies | Granting roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
| Identity Policies | Identity policies | Attaching identity policies to users | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
For example, to grant an IAM user the permissions to create ECSs in CN North-Beijing4 and OBS resources in CN South-Guangzhou under policy/role authorization, an administrator must create two custom policies and assign both to the IAM user. With identity policy authorization, the administrator only needs to create one custom identity policy, configure the condition key g:RequestedRegion on it, and then attach the policy to the users or grant the users access to the specified regions. ABAC is more flexible than RBAC.
Policies and actions in the two authorization models are not interoperable. You are advised to use the ABAC (identity policy) authorization model. For details about system-defined permissions, see Policies/Roles Permission Management and Identity Policy Permission Management.
For more information about IAM, see What Is IAM?.
Policies/Roles Permission Management
DEW supports the role-based authorization model. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
DEW is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects (such as ap-southeast-2) for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing DEW.
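To make the contrast between the two models concrete, the following toy evaluator is added here as an illustration; it is not Huawei Cloud's IAM engine and not part of this documentation. It models the policy/role model (roles inherited through user groups, each grant scoped to region-specific projects or to "All projects") next to the identity policy model (a policy attached directly to the user whose statements carry a g:RequestedRegion condition, reproducing the two-region example above, with explicit Deny overriding Allow). Action strings such as "dew:key:delete", the role definitions, the region IDs cn-north-4 and cn-south-1, and the "Version": "5.0" document layout are assumptions or placeholders, not DEW's real action names or system roles.

```python
"""Toy evaluator contrasting the two IAM authorization models described above.

Added illustration, not Huawei Cloud's IAM engine. Action names such as
"dew:key:delete", the role definitions, the region IDs and the policy document
layout are constructed placeholders, not DEW's real action strings.
"""
from dataclasses import dataclass, field

# Constructed role definitions; the real system roles are listed in the tables below.
ROLE_ACTIONS = {
    "KeyReadOnly": {"dew:key:list", "dew:key:get"},
    "KeyFullAccess": {"dew:key:list", "dew:key:get", "dew:key:create", "dew:key:delete"},
}


@dataclass(frozen=True)
class RoleGrant:
    role: str
    projects: frozenset  # region-specific project IDs; "*" stands for "All projects"


@dataclass
class Rbac:
    """Model 1: users inherit grants from their groups; each grant is project-scoped."""
    group_grants: dict = field(default_factory=dict)  # group -> list[RoleGrant]
    user_groups: dict = field(default_factory=dict)   # user  -> set[str]

    def allowed(self, user, action, region):
        for group in self.user_groups.get(user, ()):
            for grant in self.group_grants.get(group, ()):
                in_scope = "*" in grant.projects or region in grant.projects
                if in_scope and action in ROLE_ACTIONS[grant.role]:
                    return True
        return False  # no group grants the action in this region: implicit deny


def build_rbac_example():
    """Constructed tenant: group "dev" has full key access only in ap-southeast-2
    and read-only access in all projects; user "alice" belongs to "dev"."""
    rbac = Rbac()
    rbac.group_grants["dev"] = [
        RoleGrant("KeyFullAccess", frozenset({"ap-southeast-2"})),
        RoleGrant("KeyReadOnly", frozenset({"*"})),
    ]
    rbac.user_groups["alice"] = {"dev"}
    return rbac


# Model 2: one identity policy reproduces the two-region example from the text.
# Region IDs are assumed (cn-north-4 for CN North-Beijing4, cn-south-1 for
# CN South-Guangzhou); action strings are placeholders.
REGION_SCOPED_POLICY = {
    "Version": "5.0",  # assumed version string of the identity policy format
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:servers:create"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}},
        {"Effect": "Allow", "Action": ["obs:buckets:create"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}}},
        # Using DEW keys is allowed everywhere, but deletion is explicitly denied.
        {"Effect": "Allow", "Action": ["dew:key:*"]},
        {"Effect": "Deny", "Action": ["dew:key:delete"]},
    ],
}


def _action_matches(pattern, action):
    """Exact match or trailing-wildcard match, e.g. "dew:key:*" covers "dew:key:get"."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _conditions_hold(condition, context):
    """Evaluate StringEquals / StringNotEquals blocks against request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)  # a missing key never satisfies StringEquals
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
    return True


def abac_allowed(policies, action, context):
    """Default deny; any matching Allow grants, but a matching Deny always wins."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(_action_matches(p, action) for p in statement["Action"]):
                continue
            if not _conditions_hold(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    rbac = build_rbac_example()
    print(rbac.allowed("alice", "dew:key:create", "ap-southeast-2"))  # True
    print(rbac.allowed("alice", "dew:key:create", "cn-north-4"))      # False
    ctx = {"g:RequestedRegion": "cn-north-4"}
    print(abac_allowed([REGION_SCOPED_POLICY], "ecs:servers:create", ctx))  # True
    print(abac_allowed([REGION_SCOPED_POLICY], "dew:key:delete", ctx))      # False
```

The point the toy makes visible: under the group model the region scope lives on the grant, so a second region means a second grant, while under the identity policy model one statement per region is driven by the request's g:RequestedRegion value, and a request that carries no region context is refused rather than matched. Whatever the model, deletion stays denied even though a broader allow exists, which is the least-privilege arrangement the introduction describes.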
Table 2 lists all the system policies of DEW. System-defined policies in RBAC and ABAC are not interoperable.
| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| KMS Administrator | Administrator permissions for KMS in DEW. | System-defined role | None |
| KMS CMKFullAccess | All permissions for KMS in DEW. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| KMS CMKReadOnlyAccess | Read-only permissions for KMS in DEW. Users with this permission can only view KMS data. | System-defined policy | None |
| CSMS FullAccess | All permissions for CSMS in DEW. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| CSMS ReadOnlyAccess | Read-only permissions for CSMS in DEW. Users with this permission can only view CSMS data. | System-defined policy | None |
| DEW KeypairFullAccess | All permissions for KPS in DEW. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| DEW KeypairReadOnlyAccess | Read-only permissions for KPS in DEW. Users with this permission can only view KPS data. | System-defined policy | None |
The following tables list the relationships between typical DEW operations and the system-defined permissions that allow them. Use them to select the narrowest system permission that covers the operations a user needs.
| Operation | KMS Administrator | KMS CMKFullAccess | KMS CMKReadOnlyAccess |
|---|---|---|---|
| Create a key | Supported | Supported | × |
| Query the key list | Supported | Supported | Supported |
| Enable a key | Supported | Supported | × |
| Disable a key | Supported | Supported | × |
| Query details about a key | Supported | Supported | Supported |
| Create a DEK | Supported | Supported | × |
| Create a plaintext-free DEK | Supported | Supported | × |
| Encrypt a DEK | Supported | Supported | × |
| Decrypt a DEK | Supported | Supported | × |
| Encrypt data | Supported | Supported | × |
| Decrypt data | Supported | Supported | × |
| Generate a random number | Supported | Supported | × |
| Schedule key deletion | Supported | Supported | × |
| Cancel scheduled key deletion | Supported | Supported | × |
| Query the number of key instances of a tenant | Supported | Supported | Supported |
| Query resource quotas | Supported | Supported | Supported |
| Modify key information - update a key alias | Supported | Supported | × |
| Modify key information - update key description | Supported | Supported | × |
| Create a grant | Supported | Supported | × |
| Query the grant list | Supported | Supported | Supported |
| Query retirable grants | Supported | Supported | Supported |
| Retire a grant | Supported | Supported | × |
| Revoke a grant | Supported | Supported | × |
| Query parameters for importing a key | Supported | Supported | Supported |
| Import key materials | Supported | Supported | × |
| Delete key materials | Supported | Supported | × |
| Enable key rotation | Supported | Supported | × |
| Modify key rotation interval | Supported | Supported | × |
| Disable key rotation | Supported | Supported | × |
| Query key rotation status | Supported | Supported | Supported |
| Add tags to a key | Supported | Supported | × |
| Batch add or delete key tags | Supported | Supported | × |
| Query key instances | Supported | Supported | Supported |
| Delete key tags | Supported | Supported | × |
| Query key tags | Supported | Supported | Supported |

| Operation | CSMS FullAccess | CSMS ReadOnlyAccess |
|---|---|---|
| Create a secret | Supported | × |
| Download a secret backup | Supported | Supported |
| Restore a secret | Supported | × |
| Delete a secret immediately | Supported | × |
| Update a secret | Supported | × |
| Query a secret | Supported | Supported |
| Query a secret list | Supported | Supported |
| Create a secret version | Supported | × |
| Query the secret version and value | Supported | Supported |
| Query the secret version list | Supported | Supported |
| Create a version status of a secret | Supported | × |
| Query the version status of a secret | Supported | Supported |
| Update the version status of a secret | Supported | × |
| Delete the version status of a secret | Supported | × |
| Query the secret quota | Supported | Supported |
| Create a scheduled secret deletion task | Supported | × |
| Cancel a scheduled secret deletion task | Supported | × |
| Rotate a secret | Supported | × |
| Query a secret instance | Supported | Supported |
| Add or delete secret tags in batches | Supported | × |
| Add a secret tag | Supported | × |
| Delete a secret tag | Supported | × |
| Query a secret tag | Supported | Supported |
| Query project tags | Supported | Supported |
| Update the validity period of a secret version | Supported | × |
| Create an event | Supported | × |
| Query the event list | Supported | Supported |
| Query event notifications | Supported | Supported |
| Update event notifications | Supported | × |
| Delete an event notification immediately | Supported | × |
| Query the record of triggered event notifications | Supported | Supported |
Operation |
DEW KeypairFullAccess |
DEW KeypairReadOnlyAccess |
|---|---|---|
|
Create and import an SSH key pair |
Supported |
× |
|
Delete an SSH key pair |
Supported |
× |
|
Query the detailed information about an SSH key pair |
Supported |
Supported |
|
Query the list of SSH key pairs |
Supported |
Supported |
|
Update the description of SSH key pairs |
Supported |
× |
|
Bind an SSH key pair |
Supported |
× |
|
Delete all failed tasks |
Supported |
× |
|
Delete a failed task |
Supported |
× |
|
Unbind an SSH key pair |
Supported |
× |
|
Query the information about failed tasks |
Supported |
Supported |
|
Query the task information |
Supported |
Supported |
|
Query the information about a task that is being processed |
Supported |
Supported |
|
Import a private key |
Supported |
× |
|
Export a private key |
Supported |
× |
|
Bind key pairs to VMs in batches |
Supported |
× |
|
Clear private keys |
Supported |
× |
Identity Policy Permission Management
DEW supports identity policy authorization. The following table lists all system-defined identity policies in DEW. Roles/policies and identity policies are different permission types and are not interoperable.
| Policy Name | Description | Policy Type |
|---|---|---|
| KMSFullAccessPolicy | All permissions of KMS | System-defined |
| KMSReadOnlyPolicy | Read-only permissions of KMS | System-defined |
| CSMSFullAccessPolicy | All permissions of CSMS | System-defined |
| CSMSReadOnlyPolicy | Read-only permissions of CSMS | System-defined |
| CSMSServiceLinkedAgencyPolicy | Agency policies linked with cross-account CSMS | System-defined |
| KPSFullAccessPolicy | All permissions of KPS | System-defined |
| KPSReadOnlyPolicy | Read-only permissions of KPS | System-defined |
The following tables list the common operations supported by each system-defined identity policy. Choose the policy that covers only the operations a user needs.
| Operation | KMSFullAccessPolicy | KMSReadOnlyPolicy |
|---|---|---|
| Query the key list | Supported | Supported |
| Enable a key | Supported | × |
| Disable a key | Supported | × |
| Query details about a key | Supported | Supported |
| Create a DEK | Supported | × |
| Create a plaintext-free DEK | Supported | × |
| Encrypt a DEK | Supported | × |
| Decrypt a DEK | Supported | × |
| Encrypt data | Supported | × |
| Decrypt data | Supported | × |
| Generate a random number | Supported | × |
| Sign data | Supported | × |
| Authenticate a signature | Supported | × |
| Query a public key | Supported | Supported |
| Query versions | Supported | Supported |
| Query key API version | Supported | Supported |
| Schedule key deletion | Supported | × |
| Cancel scheduled key deletion | Supported | × |
| Query the number of key instances of a tenant | Supported | Supported |
| Query resource quotas | Supported | Supported |
| Modify key information - update a key alias | Supported | × |
| Modify key information - update key description | Supported | × |
| Create a grant | Supported | × |
| Query the grant list | Supported | Supported |
| Query retirable grants | Supported | Supported |
| Retire a grant | Supported | × |
| Revoke a grant | Supported | × |
| Obtain parameters for importing a key | Supported | Supported |
| Import key materials | Supported | × |
| Delete key materials | Supported | × |
| Enable key rotation | Supported | × |
| Modify key rotation interval | Supported | × |
| Disable key rotation | Supported | × |
| Query key rotation status | Supported | Supported |
| Delete a dedicated keystore | Supported | × |
| Enable a dedicated keystore | Supported | × |
| Disable a dedicated keystore | Supported | × |
| Query the list of dedicated keystores | Supported | Supported |
| Obtain a dedicated keystore | Supported | Supported |
| Add tags to a key | Supported | × |
| Batch add or delete key tags | Supported | × |
| Query key instances | Supported | Supported |
| Delete key tags | Supported | × |
| Query key tags | Supported | Supported |
| Query project tags | Supported | Supported |

| Operation | CSMSFullAccessPolicy | CSMSReadOnlyPolicy |
|---|---|---|
| Create a secret | Supported | × |
| Download a secret backup | Supported | Supported |
| Restore a secret | Supported | × |
| Delete a secret immediately | Supported | × |
| Update a secret | Supported | × |
| Query a secret | Supported | Supported |
| Query a secret list | Supported | Supported |
| Create a secret version | Supported | × |
| Query the secret version and value | Supported | Supported |
| Query the secret version list | Supported | Supported |
| Create a version status of a secret | Supported | × |
| Query the version status of a secret | Supported | Supported |
| Update the version status of a secret | Supported | × |
| Delete the version status of a secret | Supported | × |
| Query the secret quotas | Supported | Supported |
| Create a scheduled secret deletion task | Supported | × |
| Cancel a scheduled secret deletion task | Supported | × |
| Rotate a secret | Supported | × |
| Query a secret instance | Supported | Supported |
| Add or delete secret tags in batches | Supported | × |
| Add a secret tag | Supported | × |
| Delete a secret tag | Supported | × |
| Query a secret tag | Supported | Supported |
| Query project tags | Supported | Supported |
| Update the validity period of a secret version | Supported | × |
| Create an event | Supported | × |
| Obtain the event list | Supported | Supported |
| Query event notifications | Supported | Supported |
| Update event notifications | Supported | × |
| Delete an event notification immediately | Supported | × |
| Query the record of triggered event notifications | Supported | Supported |
Operation |
KPSFullAccessPolicy |
KPSReadOnlyPolicy |
|---|---|---|
|
Create and import an SSH key pair |
Supported |
× |
|
Delete an SSH key pair |
Supported |
× |
|
Query the detailed information about an SSH key pair |
Supported |
Supported |
|
Query the list of SSH key pairs |
Supported |
Supported |
|
Update the description of SSH key pairs |
Supported |
× |
|
Bind an SSH key pair |
Supported |
× |
|
Delete all failed tasks |
Supported |
× |
|
Delete a failed task |
Supported |
× |
|
Unbind an SSH key pair |
Supported |
× |
|
Query the information about failed tasks |
Supported |
Supported |
|
Query the task information |
Supported |
Supported |
|
Query the information about a task that is being processed |
Supported |
Supported |
|
Import a private key |
Supported |
× |
|
Export a private key |
Supported |
× |
|
Bind key pairs to VMs in batches |
Supported |
× |
|
Clear private keys |
Supported |
× |