Permission Management
- The Identity and Access Management (IAM) service is used to manage the permissions for accessing cloud services and resources.
- Workspace Application Streaming is a regional project. You can create multiple IAM user groups and grant them the Workspace Application Streaming administrator permissions of different projects to manage users' access to Workspace Application Streaming resources.
- If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.
Related Concepts
IAM is a free service. You only pay for the resources in your account.
Account
An account is created after you successfully sign up for Huawei Cloud, and you can use it to purchase Huawei Cloud resources. The account has full access permissions for your cloud resources and can be used to make payments for them. You can use the account to reset user passwords, assign permissions, and receive and pay all bills generated by your IAM users for their usage of resources.
You cannot modify or delete your account in IAM, but you can do so in My Account.
IAM user
You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (passwords or access keys) and uses cloud resources based on assigned permissions. IAM users cannot make payments themselves. You can use your account to pay their bills.
User group
You can use user groups to assign permissions to IAM users. New IAM users do not have any permissions assigned by default. You need to add them to one or more groups. The users then inherit permissions from the groups and can perform specified operations on resources or cloud services based on the permissions they have been assigned. If you add a user to multiple user groups, the user inherits all the permissions that are assigned to these groups.
The default user group admin has all the permissions for using all of the cloud resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.
Enterprise project permissions
For details, see Enterprise Project Permissions.
Workspace Application Streaming Administrator Permissions
You can grant users permissions by using roles and policies. Workspace Application Streaming grants administrator permissions to IAM users by using roles. If Workspace Application Streaming and Workspace use the same project, they share one user list. When a user group of Workspace Application Streaming is granted permissions, a user group of Workspace also has these permissions.
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and grant Workspace Application Streaming administrator permissions to these groups. Users inherit permissions from their groups. After being granted permissions, IAM users can perform operations on Workspace Application Streaming resources in the corresponding projects.
See Table 1. In Table 2, the Dependent System-defined Role, Policy, or Custom Policy column indicates roles on which a Workspace Application Streaming permission depends to take effect. Workspace Application Streaming roles are dependent on the roles of other services because Huawei Cloud services interact with each other. Therefore, when assigning Workspace Application Streaming permissions to a user group, do not deselect other dependent permissions. Otherwise, Workspace Application Streaming permissions do not take effect.
System-defined Permission |
Description |
Detail |
---|---|---|
Workspace FullAccess |
All permissions for Workspace Application Streaming |
All permissions for Workspace Application Streaming |
Workspace AppManager |
Application administrator permissions for Workspace Application Streaming |
Cloud application-related operations, including creating and deleting an application, and operations such as accessing the Internet and performing scheduled tasks |
Workspace UserManager |
User administrator permissions for Workspace Application Streaming |
User management operations, such as creating users, deleting users, and resetting passwords |
Workspace SecurityManager |
Security administrator permissions for Workspace Application Streaming |
All security-related operations, such as policy management and user connection recording |
Workspace TenantManager |
Tenant administrator permissions for Workspace Application Streaming |
All tenant configuration functions |
Workspace ReadOnlyAccess |
Read-only permissions for Workspace Application Streaming |
Read-only permissions for Workspace Application Streaming |
Table 2 lists the permissions to be added for the following operations.
For details about the dependent permissions of Workspace Application Streaming, see Assigning Permissions to an IAM User or Creating a Custom Policy.
Operation |
Dependent System-defined Role, Policy, or Custom Policy |
Description |
---|---|---|
BSS-related permissions: for yearly/monthly operations, such as purchasing and changing resources, and switching from pay-per-use to yearly/monthly. You need to view the renewal information management permission when querying the number of applications to be renewed on the Overview page. |
System-defined role: BSS Administrator Add the following actions to the custom policy: bss:discount:view bss:order:update bss:order:view bss:order:pay bss:renewal:view |
Select either the system-defined role or the custom policy. |
IAM-related permissions: for creating and querying agencies in a scheduled task |
Permissions required for creating and querying agencies: System-defined role: Security Administrator Add the following actions to the custom policy: iam:roles:getRole iam:roles:listRoles iam:agencies:getAgency iam:agencies:listAgencies iam:agencies:createAgency iam:permissions:listRolesForAgencyOnProject iam:permissions:grantRoleToAgencyOnProject Permissions required for querying agencies: System-defined policy: IAM ReadOnlyAccess Add the following actions to the custom policy: iam:agencies:getAgency iam:agencies:listAgencies iam:permissions:listRolesForAgencyOnProject |
When creating an agency, select either the system-defined role Security Administrator or the custom policy. For agency query, select either the system-defined policy IAM ReadOnlyAccess or the custom policy. |
TMS-related permissions: for querying predefined tags during application creation |
System-defined policy: TMS FullAccess Add the following actions to the custom policy: tms:predefineTags:list |
Select either the system-defined policy or the custom policy. |
VPCEP-related permissions: for enabling or disabling Direct Connect |
System-defined role: VPCEndpoint Administrator |
VPCEP does not support fine-grained authentication of enterprise projects. |
VPC-related permissions: for application-related operations such as creating applications and enabling economical Internet access (required for fine-grained authentication of enterprise projects) |
IAM project-level permissions System-defined policy: VPC ReadOnlyAccess System-defined role: VPC Administrator |
You must have the VPC permission of the enterprise project to which the VPC used for enabling Workspace Application Streaming belongs. |
IMS-related permissions: for creating images (required for fine-grained authentication of enterprise projects) |
Add the following actions to the custom policy: ims:images:get ims:images:share |
IMS does not support fine-grained authentication of enterprise projects. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot