Permissions

If you need to assign different permissions to personnel in your enterprise to access your EVS resources on Huawei Cloud, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use EVS resources but do not want them to delete EVS resources or perform any other high-risk operations, you can grant permission to use EVS resources but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization. The following table lists their differences.

**Table 1** Differences between role/policy-based and identity policy-based authorization
Authorization Model	Authorization Using	Permissions	Authorization Method	Scenario
Role/Policy-based authorization	User-permissions-authorization scope	System-defined roles System-defined policies Custom policies	Assigning roles or policies to principals	To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.
Identity policy-based authorization	Policies	System-defined policies Custom policies	Assigning identity policies to principals Attaching identity policies to principals	You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy, configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. It is more flexible than role/policy-based authorization.

Policies and actions in the two authorization models are not interoperable. You are advised to use identity policy-based authorization. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

EVS supports authorization with roles. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

EVS is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for ECSs in the selected projects. If you set Scope to All resources, the users have permissions for ECSs in all region-specific projects. When accessing EVS resources, the users need to switch to the authorized region.

Table 2 lists all the system-defined permissions for EVS. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

**Table 2** System-defined permissions for EVS
Role/Policy Name	Description	Type	Dependencies
EVS FullAccess	Administrator permissions for EVS. Users with these permissions can perform all operations on EVS resources, including creating, expanding capacity, attaching, detaching, querying, and deleting.	System-defined policy	None
EVS ReadOnlyAccess	Read-only permissions for EVS. Users with these permissions can only view EVS resource data.	System-defined policy	None
Server Administrator	Administrator permissions for ECS. Users with these permissions can perform all operations on EVS resources, including creating, expanding capacity, attaching, detaching, querying, and deleting.	System-defined role	Tenant Guest and BSS Administrator roles, which must be attached in the same project as the Server Administrator role

Table 3 lists the common operations supported by system-defined permissions for EVS.

**Table 3** Common operations supported by system-defined permissions
Operation	EVS FullAccess	EVS ReadOnlyAccess	Server Administrator
Creating disks	Supported	Not supported	Supported
Viewing the disk list	Supported	Supported	Supported
Viewing disk details	Supported	Supported	Supported
Attaching disks	Supported	Not supported	Supported
Detaching disks	Supported	Not supported	Supported
Deleting disks	Supported	Not supported	Supported
Batch deleting disks	Supported	Not supported	Supported
Expanding capacities of disks	Supported	Not supported	Supported
Creating snapshots	Supported	Not supported	Supported
Viewing the snapshot list	Supported	Supported	Supported
Checking snapshot details	Supported	Supported	Supported
Deleting snapshots	Supported	Not supported	Supported
Rolling back data from snapshots	Supported	Not supported	Supported
Creating disks from snapshots	Supported	Not supported	Supported
Adding tags for disks	Supported	Not supported	Supported
Querying disk tags	Supported	Supported	Supported
Modifying disk tags	Supported	Not supported	Supported
Deleting disk tags	Supported	Not supported	Supported
Searching for disks by tag	Supported	Supported	Supported
Changing disk names	Supported	Not supported	Supported
Modifying disk descriptions	Supported	Not supported	Supported
Querying disk types	Supported	Supported	Supported

Identity Policy-based Permissions Management

EVS supports authorization with identity policies. Table 4 lists all system-defined identity policies for EVS. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

**Table 4** System-defined identity policies for EVS
Identity Policy Name	Description	Type
EVSFullAccessPolicy	Full permissions for EVS. Users with these permissions can perform all operations on EVS resources, including creating, expanding capacity, attaching, detaching, querying, and deleting.	System-defined identity policy
EVSReadOnlyPolicy	Read-only permissions for EVS. Users with these permissions can only view EVS resource data.	System-defined identity policy

Table 5 lists the common operations supported by system-defined policies for EVS.

**Table 5** Common operations supported by system-defined policies
Operation	EVSFullAccessPolicy	EVSReadOnlyPolicy
Creating disks	Supported	Not supported
Viewing the disk list	Supported	Supported
Viewing disk details	Supported	Supported
Attaching disks	Supported	Not supported
Detaching disks	Supported	Not supported
Deleting disks	Supported	Not supported
Batch deleting disks	Supported	Not supported
Expanding capacities of disks	Supported	Not supported
Creating snapshots	Supported	Not supported
Viewing the snapshot list	Supported	Supported
Checking snapshot details	Supported	Supported
Deleting snapshots	Supported	Not supported
Rolling back data from snapshots	Supported	Not supported
Creating disks from snapshots	Supported	Not supported
Adding tags for disks	Not supported	Not supported
Querying disk tags	Not supported	Supported
Modifying disk tags	Not supported	Not supported
Deleting disk tags	Not supported	Not supported
Searching for disks by tag	Not supported	Supported
Changing disk names	Supported	Not supported
Modifying disk descriptions	Supported	Not supported
Querying disk types	Supported	Supported
Querying detailed quotas of a tenant	Supported	Supported

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot

Permissions

Role/Policy-based Permissions Management

Identity Policy-based Permissions Management

Related Links

Feedback

Was this page helpful?