Updated on 2025-11-11 GMT+08:00

Permissions Management

If you need to grant your enterprise personnel permission to access your ServiceStage resources, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use ServiceStage resources but do not want them to delete ServiceStage resources or perform any other high-risk operations, you can grant permission to use ServiceStage resources but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization. The following table describes the differences between these two authorization models.

Table 1 Differences between role/policy-based and identity policy-based authorization

Authorization Model

Core Relationship

Permissions

Authorization Method

Scenario

Role/Policy

User-permissions-authorization scope

  • System-defined roles
  • System-defined policies
  • Custom policies

Assigning roles or policies to principals

To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.

Identity policy

User-policy

  • System-defined identity policies
  • Custom identity policies

  • Assigning identity policies to principals
  • Attaching identity policies to principals

Administrators can customize access control policies based on service requirements to implement fine-grained and flexible permission control. It gives you more granular, more flexible control of your resources. There is no need to modify existing rules to accommodate new users. All administrators need to do is assign relevant attributes to the new users. However, this model can be hard to set up. It requires a certain amount of expertise. ABAC is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users the permissions needed to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. ABAC is more flexible than RBAC.
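The region-scoped scenario above, worked through as an added example (editor's code, not taken from the ServiceStage or IAM documentation). It writes out the two role/policy custom policies and the single identity policy with a g:RequestedRegion condition, and adds a small evaluator so the effect of the condition, and of an explicit Deny for the "use but do not delete" case from the introduction, can be checked offline. The action names ecs:cloudServers:create and obs:bucket:CreateBucket, the region IDs cn-north-4 and cn-south-1, the servicestage:* wildcard, and the evaluator's simplified semantics (Allow/Deny statements with StringEquals only, deny by default, explicit Deny wins) are assumptions, not facts stated on this page:

```python
"""Added example, not code from the ServiceStage or IAM documentation.

Two role/policy custom policies (region chosen by the authorization scope,
not inside the document) versus one identity policy that carries the region
as a g:RequestedRegion condition, plus a minimal evaluator.

Assumed, not stated on the page: the action names ecs:cloudServers:create
and obs:bucket:CreateBucket, the region IDs cn-north-4 (CN North-Beijing4)
and cn-south-1 (CN South-Guangzhou), the servicestage:* wildcard, and the
evaluator semantics (Allow/Deny with StringEquals only, deny by default,
explicit Deny wins). The real IAM engine supports far more than this.
"""
import json

# Role/policy model: two custom policies ("Version": "1.1"). Each is assigned
# to the user group with Scope = Region-specific projects, so the region is
# not expressed in the policy document at all.
ROLE_POLICY_ECS = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:cloudServers:create"]}],
}
ROLE_POLICY_OBS = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:bucket:CreateBucket"]}],
}

# Identity policy model: one custom identity policy ("Version": "5.0") whose
# statements carry the region as a condition on g:RequestedRegion.
IDENTITY_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:create"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:CreateBucket"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}},
        },
    ],
}

# The introduction's scenario: developers may use ServiceStage but not delete
# resources. An explicit Deny overrides the broad Allow in every region.
NO_DELETE_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["servicestage:*"]},
        {"Effect": "Deny", "Action": ["servicestage:app:delete",
                                      "servicestage:environment:delete",
                                      "servicestage:pipeline:delete",
                                      "servicestage:assembling:delete"]},
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """Exact match, or a trailing-'*' prefix match such as 'servicestage:*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: dict, context: dict) -> bool:
    """StringEquals only: every listed key must be present in the request
    context with one of the listed values. A missing key fails closed."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, allowed in clauses.items():
            if context.get(key) not in allowed:
                return False
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Deny by default; an explicit Deny beats any number of Allows."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(IDENTITY_POLICY, indent=2))
    for action, region in [
        ("ecs:cloudServers:create", "cn-north-4"),   # allowed
        ("ecs:cloudServers:create", "cn-south-1"),   # denied: wrong region
        ("obs:bucket:CreateBucket", "cn-south-1"),   # allowed
        ("ecs:cloudServers:delete", "cn-north-4"),   # denied: never granted
    ]:
        verdict = is_allowed(IDENTITY_POLICY, action, {"g:RequestedRegion": region})
        print(f"{action:26} in {region}: {'allow' if verdict else 'deny'}")
```

A request whose context carries no g:RequestedRegion at all is denied by this evaluator: the StringEquals condition fails closed, which is the behaviour you want for a call that a region-scoped statement was never meant to cover. The role/policy pair achieves the same split only through the scope selected when each policy is assigned, which is why the page recommends the identity policy model when region or other request attributes matter.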

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

ServiceStage supports role/policy-based authorization. By default, new IAM users have no permissions. Add a user to one or more user groups and attach policies or roles to those groups; the user inherits the permissions of every group it belongs to and can then perform only the operations on cloud services that those permissions allow.

ServiceStage is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for ServiceStage resources in the selected projects. If you set Scope to All resources, the users have permissions for ServiceStage resources in all region-specific projects. When accessing ServiceStage, the users need to switch to a region where they have been authorized to use cloud services.

Table 2 lists all the system-defined permissions supported by ServiceStage. System-defined policies in role/policy-based authorization and identity policy-based authorization are not interoperable.

Table 2 System permissions

Role/Policy Name

Description

Type

Dependencies

ServiceStage FullAccess

Full permissions for ServiceStage.

System-defined policy

None

ServiceStage ReadOnlyAccess

Read-only permissions for ServiceStage.

System-defined policy

None

ServiceStage Development

Developer permissions for ServiceStage, including permissions for operating applications, components, and environments, but excluding permissions for approving and for creating infrastructure.

System-defined policy

None

CSE FullAccess

Administrator permissions for microservice engines.

System-defined policy

None

CSE ReadOnlyAccess

View permissions for microservice engines.

System-defined policy

None

ServiceStage Administrator

ServiceStage administrator, who has full permissions for this service.

System-defined role

Tenant Guest, Server Administrator, CCE Administrator, and APM Administrator

ServiceStage Operator

ServiceStage operator, who has the read-only permission for this service.

System-defined role

Tenant Guest

ServiceStage Developer

ServiceStage developer, who has full permissions for this service but does not have the permission for creating infrastructure.

System-defined role

Tenant Guest

Table 3 and Table 4 list the common operations supported by each system-defined policy of ServiceStage and CSE. Choose the system-defined policies you need according to these tables.

√: supported; x: not supported.

Table 3 Common ServiceStage operations supported by each system policy

Operation                       | ServiceStage ReadOnlyAccess | ServiceStage Development | ServiceStage FullAccess
Create an application           | x                           | √                        | √
Modify an application           | x                           | √                        | √
Query the application           | √                           | √                        | √
Delete an application           | x                           | √                        | √
Create a component              | x                           | √                        | √
Search for a component          | √                           | √                        | √
Deploy a component              | x                           | √                        | √
Maintain a component            | x                           | √                        | √
Delete a component              | x                           | √                        | √
Create a build job              | x                           | √                        | √
Modify a build job              | x                           | √                        | √
Query a build job               | √                           | √                        | √
Start a build job               | x                           | √                        | √
Delete a build job              | x                           | √                        | √
Create a pipeline               | x                           | √                        | √
Modify a pipeline               | x                           | √                        | √
Query a pipeline                | √                           | √                        | √
Start a pipeline                | x                           | √                        | √
Clone a pipeline                | x                           | √                        | √
Delete a pipeline               | x                           | √                        | √
Create repository authorization | x                           | √                        | √
Modify repository authorization | x                           | √                        | √
Query repository authorization  | √                           | √                        | √
Delete repository authorization | x                           | √                        | √

Table 4 Common CSE operations supported by each system policy

Operation                               | CSE ReadOnlyAccess | CSE FullAccess
Create a microservice engine            | x                  | √
Maintain a microservice engine          | x                  | √
Query a microservice engine             | √                  | √
Delete a microservice engine            | x                  | √
Create a microservice                   | x                  | √
Query a microservice                    | √                  | √
Maintain a microservice                 | x                  | √
Delete a microservice                   | x                  | √
Create microservice configurations      | x                  | √
Query microservice configurations       | √                  | √
Edit microservice configurations        | x                  | √
Delete microservice configurations      | x                  | √
Create a microservice governance policy | x                  | √
Query a microservice governance policy  | √                  | √
Edit a microservice governance policy   | x                  | √
Delete a microservice governance policy | x                  | √

If the permissions listed in the preceding table cannot meet your service requirements, perform the operation by referring to Using IAM Roles or Policies to Grant Access to ServiceStage. For details about fine-grained permissions supported by ServiceStage and CSE, see Fine-grained Permissions.

Fine-grained Permissions

  • SWR does not support fine-grained permissions. Related permissions need to be authorized separately.
  • When an exclusive microservice engine is created with Billing Mode set to Yearly/monthly:
    • If the user only creates the order and does not pay for it, the user must have the BSS Operator permission (can query cost analysis, budget details, and cost tags in the Cost Center).
    • If the user also pays for the order, the user must have the BSS Administrator permission (can perform all operations in the Cost Center).

To use a custom fine-grained policy, log in to the IAM console as an administrator and select the desired fine-grained permissions for ServiceStage and CSE.

  • Table 5 describes fine-grained permission dependencies of CSE.
  • Table 6 describes fine-grained permission dependencies of ServiceStage.
Table 5 Fine-grained permission dependencies of CSE

Permission Name

Description

Dependencies

Scenario

cse:engine:list

List all microservice engines

None

Query the exclusive microservice engine list

cse:engine:get

View engine information

cse:engine:list

Query details about an exclusive microservice engine

cse:engine:modify

Modify an engine

  • cse:engine:list
  • cse:engine:get

  • Enable or disable public network access for an exclusive microservice engine
  • Enable or manage security authentication for an exclusive microservice engine
NOTE:

This action applies only to role/policy-based authorization.

cse:engine:upgrade

Upgrade an engine

  • cse:engine:list
  • cse:engine:get

Upgrade an exclusive microservice engine

cse:engine:delete

Delete an engine

  • cse:engine:list
  • cse:engine:get
  • vpc:ports:get
  • vpc:ports:delete

Delete an exclusive microservice engine

cse:engine:create

Create an engine

  • cse:engine:get
  • cse:engine:list
  • ecs:cloudServerFlavors:get
  • vpc:vpcs:get
  • vpc:vpcs:list
  • vpc:subnets:get
  • vpc:ports:get
  • vpc:ports:create
  • elb:loadbalancers:list
  • elb:listeners:list
  • elb:loadbalancers:get
  • elb:listeners:get

  • Create an exclusive microservice engine
  • Create a backup or restoration task for an exclusive microservice engine

cse:config:modify

Modify ServiceComb engine configuration management

  • cse:engine:list
  • cse:engine:get
  • cse:config:get

Modify the global configuration and governance configurations of an exclusive microservice engine

cse:config:get

View ServiceComb engine configuration management

  • cse:engine:list
  • cse:engine:get

View the service configuration of an exclusive microservice engine

cse:governance:modify

Modify the governance center of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:config:get
  • cse:config:modify
  • cse:registry:get
  • cse:registry:modify
  • cse:governance:get

Create and modify service governance of an exclusive microservice engine

cse:governance:get

View the governance center of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:config:get
  • cse:registry:get

View the governance center of an exclusive microservice engine

cse:registry:modify

Modify service registry and management of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:registry:get

Modify the governance center of an exclusive microservice engine

cse:registry:get

View service registry and management of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get

View the service catalog of an exclusive microservice engine

cse:engine:backupRecover

Assign permissions to back up and restore ServiceComb engine data and change backup policies

cse:engine:get

Back up and restore an exclusive microservice engine

NOTE:

This action applies only to identity policy-based authorization.

cse:engine:associatePublicips

Assign permissions to bind or unbind a ServiceComb engine to or from a public network

cse:engine:get

Bind or unbind an EIP to or from an exclusive microservice engine

NOTE:

This action applies only to identity policy-based authorization.

cse:engine:update

Assign permissions to modify the ServiceComb engine configuration and system management

cse:engine:get

Modify the configuration, user, and role-based permissions of an exclusive microservice engine

NOTE:

This action applies only to identity policy-based authorization.

The dashboard has no dedicated action of its own, but it requires the registry permissions (cse:registry:get and its dependencies), because it uses the service catalog function to distinguish services.

Table 6 Fine-grained permission dependencies of ServiceStage

Permission Name

Description

Dependencies

Scenario

servicestage:app:get

View application information

servicestage:app:list

View application information

servicestage:app:create

Create an application

  • servicestage:app:get
  • servicestage:app:list
  • servicestage:assembling:get
  • servicestage:assembling:list
  • servicestage:assembling:create

Create an application

servicestage:app:modify

Update an application

  • servicestage:app:get
  • servicestage:app:list
  • servicestage:assembling:get
  • servicestage:assembling:list
  • servicestage:assembling:modify

Update an application

servicestage:app:delete

Delete an application

  • servicestage:app:get
  • servicestage:app:list
  • servicestage:assembling:delete

Delete an application

servicestage:app:list

View the environment and application list

None

View the environment and application list

servicestage:environment:create

Create an environment

  • servicestage:app:get
  • servicestage:app:list

Create an environment

servicestage:environment:modify

Update an environment

  • servicestage:app:get
  • servicestage:app:list

Update an environment

servicestage:environment:delete

Delete an environment

  • servicestage:app:get
  • servicestage:app:list

Delete an environment

servicestage:pipeline:get

View pipeline information

  • servicestage:pipeline:list
  • servicestage:assembling:get
  • servicestage:assembling:list

View pipeline information

servicestage:pipeline:create

Create a pipeline

  • servicestage:pipeline:list
  • servicestage:pipeline:get
  • servicestage:assembling:create
  • servicestage:assembling:get
  • servicestage:assembling:list

Create a pipeline

servicestage:pipeline:modify

Modify a pipeline

  • servicestage:pipeline:get
  • servicestage:pipeline:list
  • servicestage:assembling:modify
  • servicestage:assembling:get
  • servicestage:assembling:list

Modify a pipeline

servicestage:pipeline:delete

Delete a pipeline

  • servicestage:pipeline:get
  • servicestage:pipeline:list
  • servicestage:assembling:get
  • servicestage:assembling:list
  • servicestage:assembling:delete

Delete a pipeline

servicestage:pipeline:list

View the pipeline list

  • servicestage:assembling:get
  • servicestage:assembling:list

View the pipeline list

servicestage:pipeline:execute

Execute a pipeline

  • servicestage:pipeline:get
  • servicestage:pipeline:list
  • servicestage:assembling:modify
  • servicestage:assembling:get
  • servicestage:assembling:list
  • servicestage:app:get
  • servicestage:app:list
  • servicestage:app:modify

Execute a pipeline

servicestage:assembling:get

View the build information

servicestage:assembling:list

View the build information

servicestage:assembling:create

Create a build job

  • servicestage:assembling:get
  • servicestage:assembling:list

Create a build job

servicestage:assembling:modify

Modify a build job

  • servicestage:assembling:get
  • servicestage:assembling:list

Modify a build job

servicestage:assembling:delete

Delete a build job

  • servicestage:assembling:get
  • servicestage:assembling:list

Delete a build job

servicestage:assembling:list

View the build list

None

View the build list
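Tables 5 and 6 form a dependency graph: an action only works if every action it lists, and recursively what those list, is also granted, so a hand-written custom policy that copies one row is incomplete, while falling back to a system-defined FullAccess policy is over-privileged. The following added example (editor's code, not from the ServiceStage documentation) transcribes the ServiceStage rows of Table 6 and the configuration, registry, and governance rows of Table 5, computes the transitive closure for the actions you want to grant, emits the corresponding least-privilege custom policy, and reports what an existing policy still lacks. The cross-service dependencies in Table 5 (vpc:*, elb:*, ecs:*) are left out for brevity; the "Version": "1.1" policy layout and the helper names are assumptions:

```python
"""Added example, not code from the ServiceStage documentation.

Transcribes the action dependencies from Tables 5 and 6 (ServiceStage rows,
plus the CSE config/registry/governance chain; cross-service vpc/elb/ecs
dependencies omitted), walks them transitively, and emits a least-privilege
custom policy. The "Version": "1.1" layout and helper names are assumptions.
"""
import json


def _table(prefix, rows):
    """Expand short names such as 'app:get' into full action names."""
    return {f"{prefix}:{k}": [f"{prefix}:{d}" for d in v] for k, v in rows.items()}


# Table 6: ServiceStage fine-grained permission dependencies.
DEPENDENCIES = _table("servicestage", {
    "app:list": [],
    "app:get": ["app:list"],
    "app:create": ["app:get", "app:list", "assembling:get", "assembling:list",
                   "assembling:create"],
    "app:modify": ["app:get", "app:list", "assembling:get", "assembling:list",
                   "assembling:modify"],
    "app:delete": ["app:get", "app:list", "assembling:delete"],
    "environment:create": ["app:get", "app:list"],
    "environment:modify": ["app:get", "app:list"],
    "environment:delete": ["app:get", "app:list"],
    "pipeline:list": ["assembling:get", "assembling:list"],
    "pipeline:get": ["pipeline:list", "assembling:get", "assembling:list"],
    "pipeline:create": ["pipeline:list", "pipeline:get", "assembling:create",
                        "assembling:get", "assembling:list"],
    "pipeline:modify": ["pipeline:get", "pipeline:list", "assembling:modify",
                        "assembling:get", "assembling:list"],
    "pipeline:delete": ["pipeline:get", "pipeline:list", "assembling:get",
                        "assembling:list", "assembling:delete"],
    "pipeline:execute": ["pipeline:get", "pipeline:list", "assembling:modify",
                         "assembling:get", "assembling:list", "app:get",
                         "app:list", "app:modify"],
    "assembling:list": [],
    "assembling:get": ["assembling:list"],
    "assembling:create": ["assembling:get", "assembling:list"],
    "assembling:modify": ["assembling:get", "assembling:list"],
    "assembling:delete": ["assembling:get", "assembling:list"],
})
# Table 5: the CSE configuration / registry / governance chain.
DEPENDENCIES.update(_table("cse", {
    "engine:list": [],
    "engine:get": ["engine:list"],
    "config:get": ["engine:list", "engine:get"],
    "config:modify": ["engine:list", "engine:get", "config:get"],
    "registry:get": ["engine:list", "engine:get"],
    "registry:modify": ["engine:list", "engine:get", "registry:get"],
    "governance:get": ["engine:list", "engine:get", "config:get", "registry:get"],
    "governance:modify": ["engine:list", "engine:get", "config:get", "config:modify",
                          "registry:get", "registry:modify", "governance:get"],
}))


def required_actions(action, deps=DEPENDENCIES):
    """The action plus everything it transitively depends on."""
    needed, todo = set(), [action]
    while todo:
        a = todo.pop()
        if a in needed:
            continue
        if a not in deps:
            raise KeyError(f"unknown action {a!r}")  # catches typos before they ship
        needed.add(a)
        todo.extend(deps[a])
    return needed


def least_privilege_policy(actions, deps=DEPENDENCIES):
    """Custom role/policy document granting exactly the closure of `actions`."""
    closure = set()
    for a in actions:
        closure |= required_actions(a, deps)
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": sorted(closure)}]}


def missing_for(granted, action, deps=DEPENDENCIES):
    """Dependencies an existing policy still lacks before `action` can succeed."""
    return sorted(required_actions(action, deps) - set(granted))


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(["servicestage:pipeline:execute"]), indent=2))
    # A policy holding only the pipeline actions is silently incomplete.
    print(missing_for(["servicestage:pipeline:execute", "servicestage:pipeline:get",
                       "servicestage:pipeline:list"], "servicestage:pipeline:execute"))
```

Running it for servicestage:pipeline:execute yields nine actions, three of them on applications, which is exactly the kind of dependency that is easy to miss when a custom policy is written by hand and only surfaces as a failed pipeline run.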

Roles/Policies Dependencies of ServiceStage Console

To grant an IAM user the permissions to view or use resources of other cloud services on the ServiceStage console, first grant the ServiceStage Administrator, ServiceStage FullAccess, or ServiceStage ReadOnlyAccess policy to the user group to which the user belongs, and then grant the dependency policies listed in Table 7 to the same user group. These dependency policies allow the IAM user to access the resources of the other cloud services.

Table 7 Roles/Policies dependencies of ServiceStage console

Console Function

Dependent Services

Policy/Role Required

  • Dashboard
  • Alarms
  • O&M and monitoring

Application Operations Management (AOM)

  • An IAM user with the ServiceStage Administrator, ServiceStage FullAccess, or ServiceStage ReadOnlyAccess permission can use this function only after the AOM FullAccess permission is also assigned.
  • An IAM user with IAM ReadOnlyAccess together with ServiceStage FullAccess or ServiceStage ReadOnlyAccess can use this function directly.

Performance management

Application Performance Management (APM)

To use a Java probe, you must have the AOM FullAccess and APM FullAccess permissions assigned.

Component management

Auto Scaling (AS)

To use AS resources to deploy components in the VM environment, you must have the AutoScaling FullAccess permissions assigned.

Cloud Container Engine (CCE)

To use CCE resources to deploy components in the container environment, you must have the CCE FullAccess permissions assigned.

Elastic Cloud Server (ECS)

To use ECS resources to deploy components in the VM environment, you must have the ECS ReadOnlyAccess permissions assigned.

Object Storage Service (OBS)

If the component to be deployed comes from the software package stored in OBS, you must have the OBS ReadOnlyAccess permissions assigned.

Microservice engine

Cloud Service Engine (CSE)

To bind CSE to microservice components for service registration, service governance, and configuration management, you must have the CSE FullAccess permissions assigned.

Distributed cache

Distributed Cache Service (DCS)

To bind DCS to a component deployed in a container environment to read environment variables to obtain distributed cache information during application running, you must have the DCS ReadOnlyAccess permissions assigned.

Data storage

Elastic Volume Service (EVS)

If the components deployed in the container environment need to use EVS disks to store data, you must have the EVS ReadOnlyAccess permissions assigned.

Scalable File Service (SFS)

  • If components deployed in a container environment need to use SFS to store data, you must have the SFS ReadOnlyAccess permissions assigned.
  • If components deployed in a container environment need to use SFS Turbo to store data, you must have the SFS Turbo ReadOnlyAccess permissions assigned.

Object Storage Service (OBS)

If components deployed in a container environment need to store data in object storage mode, you must have the OBS ReadOnlyAccess permissions assigned.

Cloud database

Relational Database Service (RDS)

To bind RDS to components deployed in a container environment for persistent storage of application data, you must have the RDS ReadOnlyAccess permissions assigned.

  • Intra-VPC access of components
  • Domain name access of components

Elastic Load Balance (ELB)

To set intra-VPC access or domain name access for a component to use its services, you must have the ELB ReadOnlyAccess permissions assigned.

Public network access of components

NAT Gateway

To set NAT public network access for a component to use its services, you must have the NAT ReadOnlyAccess permissions assigned.

Elastic IP (EIP)

To set EIP public network access for a component to use its services, you must have the EIP ReadOnlyAccess permissions assigned.

Elastic Load Balance (ELB)

To set ELB public network access for a component to use its services, you must have the ELB ReadOnlyAccess permissions assigned.

Component logs

Log Tank Service (LTS)

To interconnect with LTS to view, search for, and export LTS logs for troubleshooting and resolving problems that occur during component running, you must have the LTS FullAccess permissions assigned.

Threshold rules

Simple Message Notification (SMN)

To enable SMN to send threshold alarm messages generated by components deployed in a container environment to users, you must have the SMN ReadOnlyAccess permissions assigned.

Image repositories

SoftWare Repository for Container (SWR)

If the components deployed in the container environment come from the image package stored in SWR, you must have the SWR FullAccess permissions assigned.

Tag management

Tag Management Service (TMS)

To use TMS to set tags for managed objects such as components for management and selection, you must have the TMS ReadOnlyAccess permissions assigned.

Environment management

Virtual Private Cloud (VPC)

A VPC is used to isolate basic resources, such as computing, network, and middleware resources, used for component deployment and running in the same virtual network environment during environment creation. The VPC ReadOnlyAccess permission needs to be set.

Identity Policy-based Permissions Management

ServiceStage supports identity policy-based authorization. Table 8 lists all the system-defined identity policies for ServiceStage. System-defined identity policies in identity policy-based authorization and role/policy-based authorization are not interoperable.

Table 8 System-defined identity policies for ServiceStage

Policy Name

Description

Policy Type

ServiceStageDeveloperPolicy

Developer permissions for ServiceStage, including permissions for performing operations on applications, components, and environments, but excluding approval permissions and permissions for creating infrastructure.

System-defined identity policy

ServiceStageReadOnlyPolicy

Read-only permissions for ServiceStage.

System-defined identity policy

ServiceStageFullAccessPolicy

Full permissions for ServiceStage.

System-defined identity policy

CSEReadOnlyPolicy

Permissions for viewing microservice engines.

System-defined identity policy

CSEFullAccessPolicy

All permissions for microservice engines.

System-defined identity policy

CSEServiceLinkedAgencyPolicy

Agency permissions required for creating and maintaining microservice engine instances.

System-defined identity policy

Table 9 and Table 10 list the common operations supported by each system-defined identity policy of ServiceStage and CSE. Choose the system-defined identity policies you need according to these tables. √: supported; x: not supported.

Table 9 Common operations supported by system-defined identity policies

Operation                       | ServiceStageDeveloperPolicy | ServiceStageReadOnlyPolicy | ServiceStageFullAccessPolicy
Create an application           | √                           | x                          | √
Modify an application           | √                           | x                          | √
Query the application           | √                           | √                          | √
Delete an application           | √                           | x                          | √
Create a component              | √                           | x                          | √
Search for a component          | √                           | √                          | √
Deploy a component              | √                           | x                          | √
Maintain a component            | √                           | x                          | √
Delete a component              | √                           | x                          | √
Create a build job              | √                           | x                          | √
Modify a build job              | √                           | x                          | √
Query a build job               | √                           | √                          | √
Start a build job               | √                           | x                          | √
Delete a build job              | √                           | x                          | √
Create a pipeline               | √                           | x                          | √
Modify a pipeline               | √                           | x                          | √
Query a pipeline                | √                           | √                          | √
Start a pipeline                | √                           | x                          | √
Clone a pipeline                | √                           | x                          | √
Delete a pipeline               | √                           | x                          | √
Create repository authorization | √                           | x                          | √
Modify repository authorization | √                           | x                          | √
Query repository authorization  | √                           | √                          | √
Delete repository authorization | √                           | x                          | √

Table 10 Common CSE operations supported by system-defined permissions

Operation

CSEReadOnlyPolicy

CSEFullAccessPolicy

CSEServiceLinkedAgencyPolicy

Create a microservice engine

x

Delete a microservice engine

x

Query a microservice engine

x

x

Expand a microservice engine

x

Query dashboard

x

x

Query an application

x

x

Query an instance

x

x

Query a microservice

x

x

Create a microservice

x

Delete a microservice

x

Clean versions without instances

x

Query a governance policy

x

x

Create a governance policy

x

Delete a governance policy

x

Query a service scenario

x

x

Create a service scenario

x

Delete a service scenario

x

Query a microservice governance policy

x

x

Add a microservice governance policy

x

Delete a microservice governance policy

x

Create a configuration item

x

Modify configurations

x

Export configurations

x

Enable security authentication

x

Policies Dependencies of ServiceStage Console

To grant an IAM user the permissions to view or use resources of other cloud services on the ServiceStage console, first grant the ServiceStageFullAccessPolicy or ServiceStageReadOnlyPolicy to the user group to which the user belongs, and then grant the dependency identity policies listed in Table 11 to the same user group. These dependency policies allow the IAM user to access the resources of the other cloud services.

Table 11 Policies dependencies of ServiceStage console

Console Function

Dependent Services

Identity Policies

  • Dashboard
  • Alarms
  • O&M and monitoring

Application Operations Management (AOM)

  • An IAM user with the ServiceStageFullAccessPolicy or ServiceStageReadOnlyPolicy assigned can use this function only after the AOMFullAccessPolicy is also assigned.
  • An IAM user with IAMReadOnlyPolicy together with ServiceStageFullAccessPolicy or ServiceStageReadOnlyPolicy can use this function directly.

Performance management

Application Performance Management (APM)

To use Java probes, you must have the AOMFullAccessPolicy and APMFullAccessPolicy assigned.

Component management

Auto Scaling (AS)

To use AS resources to deploy components in the VM environment, you must have the ASFullPolicy assigned.

Cloud Container Engine (CCE)

To use CCE resources to deploy components in the container environment, you must have the CCEFullPolicy assigned.

Elastic Cloud Server (ECS)

To use ECS resources to deploy components in the VM environment, you must have the ECSReadOnlyPolicy assigned.

Object Storage Service (OBS)

If the component to be deployed comes from the software package stored in OBS, you must have the OBSReadOnlyPolicy assigned.

Microservice engine

Cloud Service Engine (CSE)

To bind CSE to microservice components for service registration, service governance, and configuration management, you must have the CSEFullAccessPolicy assigned.

Distributed cache

Distributed Cache Service (DCS)

To bind DCS to a component deployed in a container environment to read environment variables to obtain distributed cache information during application running, you must have the DCSReadOnlyAccessPolicy assigned.

Data storage

Elastic Volume Service (EVS)

If the components deployed in the container environment need to use EVS disks to store data, you must have the EVSReadOnlyPolicy assigned.

Scalable File Service (SFS)

If components deployed in a container environment need to use SFS Turbo to store data, you must have the SFSTurboReadOnlyPolicy assigned.

Object Storage Service (OBS)

If components deployed in a container environment need to store data in object storage mode, you must have the OBSReadOnlyPolicy assigned.

Cloud database

Relational Database Service (RDS)

To bind RDS to components deployed in a container environment for persistent storage of application data, you must have the RDSReadOnlyPolicy assigned.

  • Intra-VPC access of components
  • Domain name access of components

Elastic Load Balance (ELB)

To set intra-VPC access or domain name access for a component to use its services, you must have the ELBReadOnlyAccessPolicy assigned.

Public network access of components

NAT Gateway

To set NAT public network access for a component to use its services, you must have the NATReadOnlyPolicy assigned.

Elastic IP (EIP)

To set EIP public network access for a component to use its services, you must have the EIPReadOnlyAccessPolicy assigned.

Elastic Load Balance (ELB)

To set ELB public network access for a component to use its services, you must have the ELBReadOnlyAccessPolicy assigned.

Component logs

Log Tank Service (LTS)

To interconnect with LTS to view, search for, and export LTS logs for troubleshooting and resolving problems that occur during component running, you must have the LTSFullAccessPolicy assigned.

Threshold rules

Simple Message Notification (SMN)

To enable SMN to send threshold alarm messages generated by components deployed in a container environment to users, you must have the SMNReadOnlyPolicy assigned.

Image repositories

SoftWare Repository for Container (SWR)

If the components deployed in the container environment come from the image package stored in SWR, you must have the SWRFullAccessPolicy assigned.

Tag management

Tag Management Service (TMS)

To use TMS to set tags for managed objects such as components for management and selection, you must have the TMSReadOnlyPolicy assigned.

Environment management

Virtual Private Cloud (VPC)

A VPC is used to isolate basic resources, such as computing, network, and middleware resources, used for component deployment and running in the same virtual network environment during environment creation. The VPCReadOnlyPolicy policy needs to be set.