Updated on 2024-04-25 GMT+08:00

Configuring Read-Only Permissions

Context

If you need to assign different permissions to employees in your company to access your GaussDB(DWS) resources on Huawei Cloud, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your cloud resources. You can use your cloud account to create IAM users, and assign permissions to the users to control their access to specific resources.

  • Scenario 1: Allow software developers in your enterprise to use GaussDB(DWS) resources, but do not allow them to delete the resources or perform any high-risk operations. To this end, you can create IAM users for these developers and grant them only the permissions required for using GaussDB(DWS) resources.
  • Scenario 2: Allow employees to use only GaussDB(DWS) resources, but not the resources of other services. To this end, grant them only the permissions for GaussDB(DWS).

You can use IAM to control cloud resource access and prevent misoperations on cloud resources. This section describes how to configure the read-only permission for an IAM user.

Tutorial 1: Read-Only Operations on IAM Project View

  1. Create a user group and assign permissions to it.

    Use the Huawei Cloud account to log in to the IAM console, create a user group, and attach the DWS ReadOnlyAccess policy to the group.

  2. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  3. Log in and verify permissions.

    Log in to the console by using the user created and verify the user permissions.
    • Choose Service List > Data Warehouse Service to access the GaussDB(DWS) console, and click Create GaussDB(DWS) Cluster to create a GaussDB(DWS) cluster. If you cannot create one, DWS ReadOnlyAccess has taken effect.
    • Choose any other service in Service List. If only the DWS ReadOnlyAccess policy is added and a message is displayed indicating that you have insufficient permission to access the service, DWS ReadOnlyAccess has taken effect.

Tutorial 2: Read-Only Operations in an Enterprise Project

  1. Create a user group and assign permissions to it.

    Use the Huawei Cloud account to log in to the IAM console, create a user group, and attach the DWS ReadOnlyAccess policy to the group.

    • In the enterprise project view, if you perform read-only operations that are not tied to a specific resource (for example, viewing events or alarms), the system still displays a message indicating that you lack the corresponding fine-grained permissions.

  2. Configure read-only permissions for events and alarms in the IAM project view.

    1. Create the following custom policy readonly_event_alarm:
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dws:alarm*:list*",
                      "dws:cluster*:list*",
                      "dws:dms*:get*",
                      "dws:event*:list*"
                  ]
              }
          ]
      }
    2. Log in to the IAM console, create a user group, and attach the newly created policy to the group.

  3. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  4. Log in and verify permissions.

    Log in to the console by using the user created and verify the user permissions.
    • Choose Service List > Data Warehouse Service to access the GaussDB(DWS) console, and click Create GaussDB(DWS) Cluster to create a GaussDB(DWS) cluster. If you cannot create one, DWS ReadOnlyAccess has taken effect.
    • Choose any other service in Service List. If only the DWS ReadOnlyAccess policy is added and a message is displayed indicating that you have insufficient permission to access the service, DWS ReadOnlyAccess has taken effect.
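Before attaching a custom policy such as readonly_event_alarm from step 2, it is worth checking that every action it allows is actually read-only. The following script is an added example, not part of this page or of Huawei Cloud IAM; it parses a policy in the "Version": "1.1" format shown above and reports any Allow-ed action whose verb segment is not a list/get/describe prefix (the prefix list and the rejection of bare "*" verbs are assumptions of this checker).

```python
import json

# Verb prefixes treated as read-only by this checker (an assumption of this
# example, not an IAM-defined list). Any other verb, or a bare "*", counts
# as write-capable.
READ_ONLY_VERB_PREFIXES = ("list", "get", "describe")

# The readonly_event_alarm custom policy from this page, embedded so the
# check runs offline.
READONLY_EVENT_ALARM = """{
  "Version": "1.1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dws:alarm*:list*", "dws:cluster*:list*",
               "dws:dms*:get*", "dws:event*:list*"]
  }]
}"""


def action_is_read_only(action):
    # Actions are "service:resource:verb". The verb must start with a
    # read-only prefix before any "*", so "*", "dws:*" and
    # "dws:cluster*:*" all fail the check.
    parts = action.split(":")
    if len(parts) != 3:
        return False
    return parts[2].lower().startswith(READ_ONLY_VERB_PREFIXES)


def find_write_actions(policy_text):
    # Return every action granted by an Allow statement that is not
    # read-only. Deny statements are skipped: they only remove rights.
    policy = json.loads(policy_text)
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # tolerate a single action string
            actions = [actions]
        offenders.extend(a for a in actions if not action_is_read_only(a))
    return offenders


def is_read_only(policy_text):
    # True when the policy grants nothing beyond list/get/describe.
    return not find_write_actions(policy_text)
```

Run `find_write_actions` on a draft policy before creating it in the IAM console; a non-empty result names the actions that would let the user change or delete resources.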