Permissions
If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you flexibly manage resource access.
You can create users in IAM and grant them permissions to implement access control. For example, if you want some of your employees to have the permissions for configuring the resource recorder, you can create IAM users for them and grant them the required permissions.
If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more details, see What is IAM?.
Config Permissions
By default, new IAM users do not have permissions. You need to add a user to one or more groups and attach policies or roles to the user groups. Users in a group inherit permissions from the group, so that they can perform operations on cloud services based on the permissions.
Config is a global service. You do not need to repeat Config authorization for different regions or switch regions for accessing Config.
A user with Config read-only permissions can view all resources on the Resource List page.
You can grant permissions by using roles or policies.
- Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you must also assign the other roles on which those permissions depend for them to take effect. Roles are therefore not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization method that defines the permissions required to perform operations on specific cloud resources under certain conditions. Authorization using policies is more flexible and helps you implement least privilege. Most policies define permissions based on APIs, and API actions are the minimum granularity of permissions. For the API actions supported by Config, see the Permissions Policies and Supported Actions section in the Config API Reference.
Table 1 Config system-defined permissions lists all the system-defined permissions supported by Config.
| Policy | Description | Dependencies |
|---|---|---|
| RMS ConsoleFullAccess | Grants full access to the Config console. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages. | RF FullAccess |
| RMS FullAccess | Grants full access to Config. This policy grants you the permissions to perform all actions on the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages. | RF FullAccess |
| RMS ReadOnlyAccess | Grants read-only access to Config. This policy grants you read access to the resource list, resource recorder, resource compliance, advanced queries, aggregators, and conformance packages. | None |
An IAM user or IAM Identity Center user may still be denied specific operations on resource recorders, rules, or conformance packages even if they have been granted the RMS ConsoleFullAccess permission. This is because those operations require IAM agencies, so you need the related IAM agencies to perform them. The details are as follows.
To create IAM agencies, you need the iam:agencies:createAgency and iam:permissions:grantRoleToAgency permissions. To grant the iam:permissions:grantRoleToAgency permission, specific actions need to be specified.
Table 2 lists the common operations and the system-defined permissions of Config. √ indicates that an operation is supported, and × indicates not supported.
| Operation | RMS ConsoleFullAccess | RMS FullAccess | RMS ReadOnlyAccess |
|---|---|---|---|
| Querying all resources | √ | √ | √ |
| Querying details about a resource | √ | √ | √ |
| Filtering resources | √ | √ | √ |
| Exporting resources | √ | √ | √ |
| Viewing resource compliance data | √ | √ | √ |
| Viewing relationships of a resource | √ | √ | √ |
| Viewing resource change history | √ | √ | √ |
| Querying the resource recorder | √ | √ | √ |
| Enabling, configuring, or modifying the resource recorder | √ | √ | × |
| Disabling the resource recorder | √ | √ | × |
| Querying a compliance policy | √ | √ | √ |
| Modifying rules | √ | √ | × |
| Adding rules | √ | √ | × |
| Querying rules | √ | √ | √ |
| Deleting rules | √ | √ | × |
| Creating organization rules | √ | √ | × |
| Modifying organization rules | √ | √ | × |
| Viewing organization rules | √ | √ | √ |
| Deleting organization rules | √ | √ | × |
| Viewing resource compliance evaluation results | √ | √ | √ |
| Triggering a resource compliance evaluation | √ | √ | × |
| Updating compliance evaluation results | √ | √ | × |
| Creating remediation configurations | √ | √ | × |
| Viewing remediation configurations | √ | √ | √ |
| Modifying remediation configurations | √ | √ | × |
| Deleting remediation configurations | √ | √ | × |
| Viewing remediation execution status | √ | √ | √ |
| Applying remediation actions | √ | √ | × |
| Adding remediation exceptions | √ | √ | × |
| Deleting remediation exceptions | √ | √ | × |
| Viewing remediation exceptions | √ | √ | √ |
| Running advanced queries | √ | √ | × |
| Creating advanced queries | √ | √ | × |
| Querying advanced queries | √ | √ | √ |
| Listing advanced queries | √ | √ | √ |
| Updating advanced queries | √ | √ | × |
| Deleting advanced queries | √ | √ | × |
| Creating a resource aggregator | √ | √ | × |
| Viewing a resource aggregator | √ | √ | √ |
| Modifying a resource aggregator | √ | √ | × |
| Deleting a resource aggregator | √ | √ | × |
| Viewing aggregated rules | √ | √ | √ |
| Viewing aggregated resources | √ | √ | √ |
| Authorizing a resource aggregator account | √ | √ | × |
| Deleting authorization for an aggregator account | √ | √ | × |
| Deleting resource aggregation requests | √ | √ | × |
| Viewing resource aggregation requests | √ | √ | √ |
| Running advanced queries on aggregators | √ | √ | × |
| Viewing an authorization list | √ | √ | √ |
| Creating conformance packages | √ (depends on RF FullAccess) | √ (depends on RF FullAccess) | × |
| Viewing conformance packages | √ | √ | √ |
| Listing conformance packages | √ | √ | √ |
| Deleting conformance packages | √ (depends on RF FullAccess) | √ (depends on RF FullAccess) | × |
| Updating conformance packages | √ (depends on RF FullAccess) | √ (depends on RF FullAccess) | × |
| Listing conformance package sample templates | √ | √ | √ |
| Creating organization conformance packages | √ | √ | × |
| Viewing organization conformance packages | √ | √ | √ |
| Listing organization conformance packages | √ | √ | √ |
| Deleting organization conformance packages | √ | √ | × |
| Updating organization conformance packages | √ | √ | × |