Updated on 2024-12-19 GMT+08:00

Permission Policy Configuration Examples

You can configure permission policies for different IAM users based on service requirements.

Example 1: Allowing an IAM User Who Is Not in Any Enterprise Projects to Have All Cloud Connection Permissions

An IAM user who is not in any enterprise projects wants to have all Cloud Connect permissions, for example, performing operations on Cloud Connect resources such as network instances, bandwidth packages, inter-region bandwidths, and routes, and operations such as cross-border permit application and cross-account authorization.

To grant the permissions to this IAM user, perform the following operations:

  1. Log in to the management console.
  2. On the homepage, hover over the username in the upper right corner and choose Identity and Access Management from the drop-down list.
    Figure 1 Identity and Access Management
  3. In the navigation pane on the left, choose User Groups.
  4. In the upper right corner, click Create User Group.
    Figure 2 Creating a user group
  5. Configure the parameters and click OK.
    Figure 3 Configuring user group parameters
  6. Locate the created user group and click its name.
  7. Click By IAM Project on the right and then click Authorize.
    Figure 4 Authorizing a user group
  8. Enter Cross Connect Administrator in the text box and click the search icon.
  9. In the search result, select Cross Connect Administrator and click Next.
    Figure 5 Selecting a system-defined role
  10. Click Show More.
    Figure 6 Scope
  11. Select Global services and click OK.
    Figure 7 Global services
    If "Authorization successful" is displayed, the authorization is complete. The authorization will take effect about 15 to 30 minutes later.
    Figure 8 Authorization successful
  12. Go back to the user group list, locate the created user group, and click Manage User in the Operation column.
    Figure 9 Manage User
  13. Select the IAM user you want to add to the user group and click OK.

Example 2: Authorizing an IAM User to Use Cloud Connect in All Enterprise Projects

An IAM user needs to perform operations on Cloud Connect resources, such as network instances, bandwidth packages, inter-region bandwidths, and routes, in all enterprise projects. You can perform the operations below to grant the corresponding permissions to this IAM user.

To grant the permissions on cross-account authorization and cross-border permit application, perform the operations in Example 1: Allowing an IAM User Who Is Not in Any Enterprise Projects to Have All Cloud Connection Permissions.

  1. Log in to the management console.
  2. On the homepage, hover over the username in the upper right corner and choose Identity and Access Management from the drop-down list.
    Figure 10 Identity and Access Management
  3. In the navigation pane on the left, choose User Groups.
  4. In the upper right corner, click Create User Group.
    Figure 11 Creating a user group
  5. Configure the parameters and click OK.
    Figure 12 Configuring user group parameters
  6. Locate the created user group and click its name.
  7. Click By IAM Project on the right and then click Authorize.
    Figure 13 Authorizing a user group
  8. Enter CC FullAccess in the text box and click the search icon.
  9. In the search result, select CC FullAccess and click Next.
    Figure 14 Selecting a system-defined policy
  10. Click Show More.
    Figure 15 Scope
  11. Select Global services and click OK.
    Figure 16 Global services
  12. Go back to the user group list, locate the created user group, and click Manage User in the Operation column.
    Figure 17 Manage User
  13. Select the IAM user you want to add to the user group and click OK.

    If the IAM user does not have VPC-related permissions, you can grant the CC Network Depend QueryAccess permissions for the user group that the IAM user belongs to and select All resources for Scope.

    You can view the authorization in the Permissions tab.
    Figure 18 Permissions

Example 3: Authorizing an IAM User to Use Cloud Connect in a Specific Enterprise Project

An IAM user needs to perform operations on Cloud Connect resources such as network instances, bandwidth packages, inter-region bandwidths, and routes, in specific enterprise projects. You can perform the operations below to grant the corresponding permissions to this IAM user.

To grant the permissions on cross-account authorization and cross-border permit application, perform the operations in Example 1: Allowing an IAM User Who Is Not in Any Enterprise Projects to Have All Cloud Connection Permissions.

  1. Log in to the management console.
  2. On the homepage, hover over the username in the upper right corner and choose Identity and Access Management from the drop-down list.
    Figure 19 Identity and Access Management
  3. In the navigation pane on the left, choose User Groups.
  4. In the upper right corner, click Create User Group.
    Figure 20 Creating a user group
  5. Configure the parameters and click OK.
    Figure 21 Configuring user group parameters
  6. Locate the created user group and click its name.
  7. Click By IAM Project on the right and then click Authorize.
    Figure 22 Authorizing a user group
  8. Enter CC FullAccess in the text box and click the search icon.
  9. In the search result, select CC FullAccess and click Next.
    Figure 23 Selecting a system-defined policy
  10. Click Show More.
    Figure 24 Scope
  11. Select Enterprise projects.
  12. Select an enterprise project and click OK.
    Figure 25 Enterprise projects
  13. In the navigation pane on the left, choose Permissions > Policies/Roles.
    Figure 26 Policies/Roles
  14. Click Create Custom Policy.
    Figure 27 Creating a custom policy
  15. Configure the parameters based on Table 1.
    Table 1 Custom policy parameters

    Parameter

    Description

    Policy Name

    Specifies the name of the custom policy.

    Policy View

    • (Recommended) Visual editor
    • JSON

    Policy Content

    • Select Allow.
    • Cloud service: Cloud Connect
    • Actions:
      • ReadOnly: Select cc:networkInstances:get, cc:interRegionBandwidths:get, and cc:cloudConnectionRoutes:get.
      • ReadWrite: Select the following:

        cc:networkInstances:create

        cc:interRegionBandwidths:update

        cc:networkInstances:delete

        cc:interRegionBandwidths:create

        cc:interRegionBandwidths:delete

        cc:networkInstances:update

      • ListOnly: Select cc:cloudConnectionRoutes:list, cc:networkInstances:list, and cc:interRegionBandwidths:list.
  16. Configure other parameters and click OK.
  17. Repeat steps 3 to 7.
  18. Search for the created custom policy by name.
  19. Select the custom policy and click Next.
  20. Click Show More.
  21. Select Global services and click OK.

    If the IAM user does not have VPC-related permissions, you can grant the CC Network Depend QueryAccess permissions for the user group that the IAM user belongs to and select All resources for Scope.

    You can view the authorization in the Permissions tab.
    Figure 28 Authorization records in the IAM project view
    Figure 29 Authorization records in the enterprise project view