Permissions
If you need to grant your enterprise personnel permission to access your SMS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources of various types.
For example, you can create IAM users for software developers, and assign specific permissions to allow them to use SMS but disallow them to delete any resources or perform any high-risk operations.
If your Huawei Cloud account does not need individual IAM users for permissions management, you can skip this section.
IAM is a free service. You pay only for the resources in your account. For more information about IAM, see What Is IAM?
SMS Permissions
By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to, and then they can perform specified operations on cloud services.
A Huawei Cloud account has all the permissions required for using SMS by default. If you use your Huawei Cloud account to perform a migration, no authorization is required.
SMS is a global service deployed for all physical regions. SMS permissions are assigned to users in the Global project, so the users do not need to switch regions when accessing SMS.
Table 1 lists all the system-defined policies and roles of SMS. Huawei Cloud services interwork with each other, and some SMS policies and roles are dependent on the policies and roles of other services. When assigning SMS permissions to users, you need to also assign dependent roles for the SMS permissions to take effect.
|
Operation |
SMS FullAccess (Global) |
OBS OperateAccess (OBS) |
EVS FullAccess |
ECS FullAccess |
VPC FullAccess |
|---|---|---|---|---|---|
|
Creating migration tasks |
Supported |
Not supported |
Supported |
Supported |
Supported |
|
Viewing migration progresses |
Supported |
Not supported |
Not supported |
Not supported |
Not supported |
IAM supports two types of policies: system-defined policies and custom policies.
- If an IAM user needs all SMS permissions, attach the preceding system-defined policies to the user group to which the IAM user has been added.
- If an IAM user only needs some SMS permissions, you can create custom policies and attach these policies to the user group to which the user has been added.
For details, see Creating a User and Assigning Permissions.
Compared with system-defined policies, custom policies provide more fine-grained and secure permissions control.
Permissions Required for SMS Console Operations
To grant an IAM user the permissions to view or use resources of other cloud services on the SMS console, you must first grant the SMS FullAccess or SMS ReadOnlyAccess policy to the user group to which the user belongs and then grant the dependency policies and roles listed in Table 2.
|
Console Operation |
Dependency |
Role/Policy Required |
|---|---|---|
|
Creating a migration task |
ECS EIP VPC Image Management Service (IMS) EVS |
To create a migration task, an IAM user must be granted SMS FullAccess, ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess. |
|
Encrypting disks |
EVS Data Encryption Workshop (DEW) |
To use the disk encryption function, an IAM user must be granted SMS FullAccess and EVS KMSAccess. |
|
Viewing the migration progress |
/ |
No other roles or policies are required. To view the migration progress, an IAM user must be granted SMS ReadOnlyAccess. |
|
Creating a migration template |
/ |
To create a migration template, an IAM user must be assigned SMS FullAccess. |
|
Creating a server template |
VPC EVS ECS |
To create a server template, an IAM user must be assigned SMS FullAccess, ECSReadOnlyAccess, VPC ReadOnlyAccess, and EVS ReadOnlyAccess. |
|
Configuring the Agent |
ECS EIP VPC IMS EVS |
To configure the Agent, an IAM user must be assigned SMS Full Access, ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
