Updated on 2025-07-25 GMT+08:00

Introduction

You can use Identity and Access Management (IAM) for fine-grained permissions management of your CloudDC resources. If your Huawei Cloud account does not need individual IAM users, you can skip this section.

With IAM, you can control which principals (IAM users, user groups, agencies, or trust agencies) can access specific Huawei Cloud resources. IAM supports two authorization models: role/policy-based authorization and identity policy-based authorization.

Table 1 Differences between role/policy-based and identity policy-based authorization

| Authorization Model | Core Relationship | Permissions | Authorization Method | Description |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | System-defined roles; system-defined policies; custom policies | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small and medium enterprises. |
| Identity policy | User-policy | System-defined policies; custom identity policies | Assigning identity policies to principals; attaching identity policies to principals | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium and large enterprises. |

Assume that you want to grant IAM users permission to create CloudDC resources in CN North-Beijing4 and CN South-Guangzhou. With policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy, configure the condition key g:RequestTag in it, and then attach the policy to the users or grant the users access to the specified regions. Identity policy-based authorization is therefore more flexible than policy-based authorization.

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model.

If IAM users in your account call an API, they must be granted the required permissions, which are determined by the actions the API supports. Only users whose policies allow those actions can call the API successfully.

Assume that an IAM user wants to call an API to query iMetal servers. With policy-based authorization, the IAM user must be granted the permissions allowing for action clouddc:imetal:list. With identity policy-based authorization, the IAM user must be granted the permissions allowing for action clouddc:imetal:list.

Actions

CloudDC provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permissions: statements in a policy that allow or deny certain operations.
  • APIs: REST APIs that can be called in a custom policy.
  • Actions: added to a custom policy to control permissions for specific operations.
  • Dependencies: actions that a specific action depends on. When allowing an action for a user, you also need to allow any dependencies of that action for the same user.
  • IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?

CloudDC supports the following actions that can be defined in custom policies.

Table 2 Rack management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Updating an intelligent rack | PUT /api/v1/{project_id}/iracks/{irack_id} | clouddc:irack:update | Supported | Not supported |
| Querying the intelligent rack list | GET /api/v1/{project_id}/iracks | clouddc:irack:list | Supported | Not supported |

Table 3 Equipment room management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Modifying the IDC description | PUT /api/v1/{project_id}/idcs | clouddc:idc:update | Supported | Not supported |
| Querying the IDC list | GET /api/v1/{project_id}/idcs | clouddc:idc:list | Supported | Not supported |

Table 4 Physical server management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch querying physical servers | GET /v1/{project_id}/physicalservers | clouddc:imetal:listServer | Supported | Not supported |
| Querying information about physical servers | GET /v1/{project_id}/physicalservers/{id} | clouddc:imetal:getServer | Supported | Not supported |
| Obtaining the console address | GET /v1/{project_id}/physicalservers/{id}/remote-console-address | clouddc:imetal:createRemoteConsoleLink | Supported | Not supported |
| Querying the server hardware details | GET /v1/{project_id}/physicalservers/{id}/hardware-attributes | clouddc:imetal:getHardwareAttribute | Supported | Not supported |
| Querying the firmware details | GET /v1/{project_id}/physicalservers/{id}/firmware-attributes | clouddc:imetal:getFirmwareAttribute | Supported | Not supported |
| Batch modifying the power statuses of physical servers | PUT /v1/{project_id}/physicalservers/power-state | clouddc:imetal:updatePowerStatus | Supported | Not supported |
| Exporting server logs | POST /v1/{project_id}/physicalservers/{id}/logs/exports | clouddc:imetal:createDumpLog | Supported | Not supported |
| Querying the export status of logs | GET /v1/{project_id}/physicalservers/{id}/logs/exports/{export_id} | clouddc:imetal:getDumpLogProgress | Supported | Not supported |
| Downloading a log file | GET /v1/{project_id}/physicalservers/{id}/logs/exports/{export_id}/content | clouddc:imetal:createDownloadLog | Supported | Not supported |

Table 5 iMetal instance management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch creating instances | POST /v1/{project_id}/instances/batch-create | clouddc:instance:createBatch | Supported | Not supported |
| Creating an instance | POST /v1/{project_id}/instances | clouddc:instance:create | Supported | Not supported |
| Batch querying instances | GET /v1/{project_id}/instances | clouddc:instance:list | Supported | Not supported |
| Batch deleting instances | POST /v1/{project_id}/instances/batch-delete | clouddc:instance:deleteBatch | Supported | Not supported |
| Querying instance status | GET /v1/{project_id}/instances/{id}/status | clouddc:instance:get | Supported | Not supported |
| Batch reinstalling OSs | PUT /v1/{project_id}/instances/reinstall | clouddc:instance:reinstallOS | Supported | Not supported |
| Batch changing instance passwords | PUT /v1/{project_id}/instances/password | clouddc:instance:changePassword | Supported | Not supported |
| Deleting instances | DELETE /v1/{project_id}/instances/{id} | clouddc:instance:delete | Supported | Not supported |
| Changing the IP address of an instance | PUT /v1/{project_id}/instances/{id}/ip | clouddc:imetal:updateIP | Supported | Not supported |

Table 6 Physical server diagnosis

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Obtaining server overview | GET /v1/{project_id}/physicalservers/status | clouddc::listStatus | Supported | Not supported |
| Obtaining server alarm overview | GET /v1/{project_id}/physicalservers/alarms/summary | clouddc::listAlarmStat | Supported | Not supported |
| Obtaining server alarm trend | GET /v1/{project_id}/physicalservers/alarms/trend | clouddc::listAlarmTrend | Supported | Not supported |
| Obtaining server alarm list | GET /v1/{project_id}/physicalservers/alarms | clouddc::listAlarm | Supported | Not supported |
| Querying the server event list | GET /v1/{project_id}/physicalservers/events | clouddc::listEvent | Supported | Not supported |
| Querying event definitions | GET /v1/{project_id}/physicalservers/events/{event_id} | clouddc::listIEventDicts | Supported | Not supported |

Table 7 Tag management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Batch creating rack tags | POST https://www.example.com/v1/{project_id}/iracks/{id}/tags/create | clouddc:irack:tagResource | Supported | Not supported |
| Batch deleting rack tags | POST https://www.example.com/v1/{project_id}/iracks/{id}/tags/delete | clouddc:irack:unTagResource | Supported | Not supported |
| Batch creating resource tags | POST /v1/{project_id}/{resource_type}/{resource_id}/tags/create | clouddc::tagResource | Supported | Not supported |
| Batch deleting tags from a resource | POST /v1/{project_id}/{resource_type}/{resource_id}/tags/delete | clouddc::unTagResource | Supported | Not supported |
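An added example (not Huawei Cloud's own tooling) that lints a role/policy-model custom policy against the CloudDC action list in Tables 2 to 7 above: it flags actions the tables do not document, wildcard actions, and Allow statements that grant state-changing actions, so a policy meant to be read-only can be checked before it is assigned to a user group. The "Version": "1.1" statement layout and the sample policy are assumptions made for this example.

```python
import json

# CloudDC actions transcribed from Tables 2 to 7 above (all IAM-project only,
# so a policy built from them cannot be scoped by enterprise project).
CLOUDDC_ACTIONS = {
    "clouddc:irack:update", "clouddc:irack:list", "clouddc:idc:update", "clouddc:idc:list",
    "clouddc:imetal:listServer", "clouddc:imetal:getServer", "clouddc:imetal:createRemoteConsoleLink",
    "clouddc:imetal:getHardwareAttribute", "clouddc:imetal:getFirmwareAttribute", "clouddc:imetal:updatePowerStatus",
    "clouddc:imetal:createDumpLog", "clouddc:imetal:getDumpLogProgress", "clouddc:imetal:createDownloadLog",
    "clouddc:imetal:updateIP", "clouddc:instance:createBatch", "clouddc:instance:create", "clouddc:instance:list",
    "clouddc:instance:deleteBatch", "clouddc:instance:get", "clouddc:instance:reinstallOS",
    "clouddc:instance:changePassword", "clouddc:instance:delete", "clouddc::listStatus", "clouddc::listAlarmStat",
    "clouddc::listAlarmTrend", "clouddc::listAlarm", "clouddc::listEvent", "clouddc::listIEventDicts",
    "clouddc:irack:tagResource", "clouddc:irack:unTagResource", "clouddc::tagResource", "clouddc::unTagResource",
}

# Constructed read-only policy for a diagnosis role; the "Version": "1.1" / "Statement"
# layout is the role/policy custom-policy format assumed here.
SAMPLE_POLICY = json.dumps({"Version": "1.1", "Statement": [{
    "Effect": "Allow",
    "Action": ["clouddc:irack:list", "clouddc:idc:list", "clouddc:imetal:listServer", "clouddc::listAlarm"],
}]})

def action_verb(action):
    """Last colon-separated part ('updatePowerStatus'); also handles 'clouddc::listAlarm'."""
    return action.rsplit(":", 1)[-1]

def is_read_action(action):
    """list*/get* actions only read state; every other action in the tables changes resources."""
    return action_verb(action).startswith(("list", "get"))

def lint_policy(policy_json):
    """Return findings; [] means only documented actions, no wildcards and no
    Allow statement that grants a state-changing action."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"invalid Effect: {effect!r}")
        for action in stmt.get("Action", []):
            if "*" in action:
                findings.append(f"wildcard action {action!r} exceeds the documented action list")
            elif action not in CLOUDDC_ACTIONS:
                findings.append(f"unknown CloudDC action: {action}")
            elif effect == "Allow" and not is_read_action(action):
                findings.append(f"Allow grants state-changing action: {action}")
    return findings
```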