Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Syntax of Fine-Grained Permissions Policies

Updated on 2024-06-11 GMT+08:00

In actual services, you may need to grant different operation permissions on resources to users of different roles. The IAM service provides fine-grained access control. An IAM administrator (a user in the admin group) can create a custom policy containing required permissions. After a policy is granted to a user group, users in the group can obtain all permissions defined by the policy. In this way, IAM implements fine-grained permission management.

To control the GaussDB(DWS) operations on resources more precisely, you can use the user management function of IAM to grant different operation permissions to users of different roles for fine-grained permission control.

Policy Structure

A fine-grained policy consists of a Version and a Statement. Each policy can have multiple statements.

Figure 1 Policy structure

Policy Syntax

In the navigation pane on the IAM console, click Policies and then click the name of a policy to view its details. The DWS ReadOnlyAccess policy is used as an example to describe the syntax of fine-grained policies.

Figure 2 Setting the policy
{
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "dws:*:get*",
                                "dws:*:list*",
                                "ecs:*:get*",
                                "ecs:*:list*",
                                "vpc:*:get*",
                                "vpc:*:list*",
                                "evs:*:get*",
                                "evs:*:list*",
                                
                                "bss:*:list*",
                                "bss:*:get*"
                        ]
                }
        ]
}
  • Version: Distinguishes between role-based access control (RBAC) and fine-grained policies.
    • 1.0: RBAC policies. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service.
    • 1.1: Fine-grained policies. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control than RBAC policies. Users granted permissions of such a policy can only perform specific operations on the corresponding service. Fine-grained policies include system and custom policies.
  • Statement: Permissions defined by a policy, including Effect and Action.
    • Effect

      The valid values for Effect are Allow and Deny. System policies contain only Allow statements. For custom policies containing both Allow and Deny statements, the Deny statements take precedence.

    • Action

      Permissions in the format of Service name:Resource type:Operation. A policy can contain one or more permissions. The wildcard (*) is allowed to indicate all of the services, resource types, or operations depending on its location in the action.

      Example: dws:cluster:create, permissions for create data warehouse clusters.

List of Supported Actions

When creating a custom policy on IAM, you can add the operations on GaussDB(DWS) resources or the permissions corresponding to RESTful APIs to the action list of the policy authorization statement so that the policy contains the operation permissions. The following table lists the GaussDB(DWS) permissions.

  • REST API

    For details about RESTful API actions supported by GaussDB(DWS), see "Permissions Policies and Supported Actions in " in Data Warehouse Service API Reference.

  • Management console operations

    Table 1 describes the GaussDB(DWS) operations on resources and corresponding permissions.

    NOTE:

    Some GaussDB(DWS) permissions depend on the actions of ECS, VPC, EVS, ELB, MRS, and OBS. Grant GaussDB(DWS) the required service admin permissions.

Table 1 GaussDB(DWS) permissions

Operation

Permission

Dependent Permission

Scope

Creating a cluster

"dws:cluster:create"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"vpc:securityGroupRules:delete",

"vpc:ports:update",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Scope:
    • Project

Obtaining the cluster list

"dws:cluster:list"

--

  • Scope:
    • Project

Obtaining the details of a cluster

"dws:cluster:getDetail"

"dws:*:get*",

"dws:*:list*",

"vpc:vpcs:list",

"vpc:securityGroups:get"

  • Scope:
    • Project

Setting automated snapshot policy

"dws:cluster:setAutomatedSnapshot"

"dws:backupPolicy:list"

  • Scope:
    • Project

Setting security parameters/parameter groups

"dws:cluster:setSecuritySettings"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Restarting a Cluster

"dws:cluster:restart"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Scaling out clusters

"dws:cluster:scaleOut"

"dws:*:get*",

"dws:*:list*",

"dws:cluster:scaleOutOrOpenAPIResize",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"vpc:*:update*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Scope:
    • Project

Scaling out or resizing a cluster via API

"dws:cluster:scaleOutOrOpenAPIResize"

"dws:*:get*",

"dws:*:list*",

"vpc:vpcs:list",

"vpc:ports:create",

"vpc:ports:get",

"vpc:ports:update",

"vpc:subnets:get",

"vpc:subnets:update",

"vpc:subnets:create",

"vpc:routers:get",

"vpc:routers:update",

"vpc:networks:create",

"vpc:networks:get",

"vpc:networks:update",

"ecs:serverInterfaces:use",

"ecs:serverInterfaces:get",

"ecs:cloudServerFlavors:get"

  • Scope:
    • Project
    • Enterprise project

Resetting Your Password

"dws:cluster:resetPassword"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Deleting a cluster

"dws:cluster:delete"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:delete*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:delete*",

"evs:*:get*",

"evs:*:list*",

"evs:*:delete*",

  • Scope:
    • Project

Configuring maintenance windows

"dws:cluster:setMaintainceWindow"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Binding EIPs

"dws:eip:operate"

"dws:*:get*",

"dws:*:list*",

"eip:*:get*",

"eip:*:list*"

  • Scope:
    • Project

Unbinding EIPs

"dws:eip:operate"

"dws:*:get*",

"dws:*:list*",

"eip:*:get*",

"eip:*:list*"

  • Scope:
    • Project

MRS data source list

"dws:MRSSource:list"

"mrs:cluster:list",

"mrs:tag:listResource",

"mrs:tag:list",

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Adding/Deleting tags

"dws:tag:addAndDelete"

"dws:*:get*",

"dws:*:list*",

"dws:openAPITag:update",

"dws:openAPITag:getResourceTag",

  • Scope:
    • Project

Editing tags

"dws:tag:edit"

"dws:*:get*",

"dws:*:list*",

"dws:openAPITag:update",

"dws:openAPITag:getResourceTag",

  • Scope:
    • Project

Creating a snapshot

"dws:snapshot:create"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Obtaining the snapshot list

"dws:snapshot:list"

--

  • Scope:
    • Project

Viewing the snapshot list of a cluster

"dws:clusterSnapshot:list"

"dws:cluster:list",

"dws:openAPICluster:getDetail"

  • Scope:
    • Project

Deleting snapshots

"dws:snapshot:delete"

"dws:snapshot:list"

  • Scope:
    • Project

Copying snapshots

"dws:snapshot:copy"

"dws:snapshot:list",

"dws:snapshot:create"

  • Scope:
    • Project

Restoring data to a new cluster

"dws:cluster:restore"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*"

  • Scope:
    • Project

Resizing a cluster

"dws:cluster:resize"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"ecs:*:delete*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"vpc:*:delete*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

"evs:*:delete*"

  • Scope:
    • Project

Switchback

"dws:cluster:switchover"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying the ELB list

"dws:elb:list"

"dws:*:get*",

"dws:*:list*",

"elb:*:get*",

"elb:*:list*",

  • Scope:
    • Project

Associating ELB

"dws:elb:bind"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"vpc:*:get*",

"vpc:*:list*",

"evs:*:get*",

"evs:*:list*",

"elb:*:get*",

"elb:*:list*",

"elb:*:delete*",

"elb:*:create*",

  • Scope:
    • Project

Disassociating ELB

"dws:elb:unbind"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"vpc:*:get*",

"vpc:*:list*",

"evs:*:get*",

"evs:*:list*",

"elb:*:get*",

"elb:*:list*",

"elb:*:delete*",

  • Scope:
    • Project

Querying snapshot configurations

"dws:snapshotConfig:list"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Updating a snapshot policy

"dws:backupPolicyDetail:update"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Deleting a snapshot policy

"dws:backupPolicy:delete"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Querying a snapshot policy

"dws:backupPolicy:list"

"dws:cluster:list"

  • Scope:
    • Project

Querying cluster encryption information

"dws:clusterEncryptInfo:list"

"dws:*:get*",

"dws:*:list*",

"KMS Administrator"

  • Scope:
    • Project

Creating an agent

"dws:createAgency:create"

"dws:*:get*",

"dws:*:list*",

"security administrator"

  • Scope:
    • Project

Querying OBS bucket information

"dws:queryBuckets:list"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Adding a node

"dws:expandWithExistedNodes:update"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"vpc:*:update*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Scope:
    • Project

Deleting a DR backup

"dws:disasterRecovery:delete"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:delete*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:delete*",

"evs:*:get*",

"evs:*:list*",

"evs:*:delete*"

  • Scope:
    • Project

Creating a DR backup

"dws:disasterRecovery:create"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*",

  • Scope:
    • Project

Other DR and backup operations

"dws:disasterRecovery:otherOperate"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*",

"vpc:*:get*",

"vpc:*:list*",

"vpc:*:create*",

"evs:*:get*",

"evs:*:list*",

"evs:*:create*"

  • Scope:
    • Project

Querying DR and backup operations

"dws:disasterRecovery:get"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"vpc:*:get*",

"vpc:*:list*",

"evs:*:get*",

"evs:*:list*"

  • Scope:
    • Project

Adding a CN

"dws:module:install"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Deleting a CN

"dws:module:uninstall"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Removing nodes

"dws:clusterNodes:operate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Updating the node alias

dws:instanceAliasName:update

dws:cluster:list

  • Scope:
    • Project

Redistributing data

"dws:redistribution:operate"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Querying redistribution

"dws:redistributionInfo:list"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Stopping redistribution

"dws:redistribution:suspend"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Resuming redistribution

"dws:redistribution:recover"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Querying product specifications

"dws:specProduct:list"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*"

  • Scope:
    • Project

Binding the management plane IP address

"dws:bindManageIp:operate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Obtaining user authorization

"dws:checkAuthorize:operate"

"dws:*:get*",

"dws:*:list*",

"dws:checkSupport:operate"

  • Scope:
    • Project

Authorizing a user

"dws:authorize:operate"

"dws:*:get*",

"dws:*:list*",

"dws:checkSupport:operate"

  • Scope:
    • Project

Querying user databases

"dws:userDatabase:list"

"dws:*:get*",

"dws:*:list*",

"dws:checkSupport:operate"

  • Scope:
    • Project

Querying user schemas

"dws:schemas:list"

"dws:*:get*",

"dws:*:list*",

"dws:checkSupport:operate"

  • Scope:
    • Project

Querying user tables

"dws:tables:list"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Restoring tables

"dws:tableRestore:operate"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Checking the name of the table to be restored

"dws:tableRestoreCheck:operate"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Checking whether a cluster supports fine-grained backup

"dws:checkSupport:operate"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Querying the list of flavors that can be changed

"dws:supportFlavors:list"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Changing the node flavor

"dws:specResize:operate"

"dws:*:get*",

"dws:*:list*",

"ecs:*:get*",

"ecs:*:list*",

"ecs:*:create*"

  • Scope:
    • Project

Stopping snapshot creation

"dws:snapshot:stop"

"dws:snapshot:list"

  • Scope:
    • Project

Terminating a session

"dws:dmsSession:terminate"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Workload report operations

"dws:dmsWorkloadDiagnosisReport:create"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Modifying an alarm rule

"dws:dmsAlarmRule:update"

"dws:dmsQuery:list"

  • Scope:
    • Project

Enabling an alarm rule

"dws:dmsAlarmRule:enable"

"dws:dmsQuery:list"

  • Scope:
    • Project

Enabling a cluster alarm

"dws:dmsClusterAlarm:enable"

"dws:dmsQuery:list"

  • Scope:
    • Project

Disabling a cluster alarm

"dws:dmsClusterAlarm:disable"

"dws:dmsQuery:list"

  • Scope:
    • Project

gRPC external service

"dws:dmsGrpcOuter:operation"

"dws:dmsQuery:list",

"dws:cluster:setSecuritySettings",

"obs:bucket:ListAllMyBuckets"

  • Scope:
    • Project

Adding a SQL probe

"dws:dmsProbe:add"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Modifying a SQL probe

"dws:dmsProbe:update"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Deleting a SQL probe

"dws:dmsProbe:delete"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Enabling or disabling a SQL probe

"dws:dmsProbe:enable"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Creating a User panel

"dws:dmsUserBoard:create"

"dws:dmsQuery:list"

  • Scope:
    • Project

Modifying a user panel

"dws:dmsUserBoard:update"

"dws:dmsQuery:list"

  • Scope:
    • Project

Deleting a user panel

"dws:dmsUserBoard:delete"

"dws:dmsQuery:list"

  • Scope:
    • Project

Terminating a query

"dws:dmsQuery:terminate"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Enabling or disabling DMS

"dws:dmsService:enableOrDisable"

"dws:dmsQuery:list"

  • Scope:
    • Project

Modifying DMS storage configurations

"dws:dmsStorageConfig:modify"

"dws:dmsQuery:list"

  • Scope:
    • Project

Obtaining, or creating a DDL review

"dws:dmsDdlExamine:getOrCreate"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Workload snapshot operations

"dws:dmsWorkloadDiagnosisSnapshot:create"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Creating an alarm rule

"dws:dmsAlarmRule:add"

"dws:dmsQuery:list"

  • Scope:
    • Project

Deleting an alarm rule

"dws:dmsAlarmRule:delete"

"dws:dmsQuery:list"

  • Scope:
    • Project

Executing a SQL probe

"dws:dmsProbe:execute"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Deleting a monitoring item

"dws:dmsPerformanceMonitor:delete"

"dws:dmsQuery:list"

  • Scope:
    • Project

Enabling or disabling DMS monitoring metrics

"dws:dmsCollectItem:enableOrDisable"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Modifying DMS monitoring configurations

"dws:dmsCollectConfig:modify"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

OpenAPI Conditional Query

"dws:dmsOpenapiQuery:list"

"dws:cluster:list"

  • Scope:
    • Project

Disabling an alarm rule

"dws:dmsAlarmRule:disable"

"dws:dmsQuery:list"

  • Scope:
    • Project

Deleting an alarm record

"dws:dmsAlarmRecord:delete"

"dws:dmsQuery:list"

  • Scope:
    • Project

Checking SQL probes

"dws:dmsProbe:check"

"dws:dmsGrpcOuter:operation"

  • Scope:
    • Project

Adding a monitoring item

"dws:dmsPerformanceMonitor:add"

"dws:dmsQuery:list"

  • Scope:
    • Project

Modifying monitoring metrics

"dws:dmsPerformanceMonitor:update"

"dws:dmsQuery:list"

  • Scope:
    • Project

Downloading historical monitoring trend

"dws:dmsTrendHistory:down"

"dws:dmsQuery:list"

  • Scope:
    • Project

Obtaining cluster ring information

"dws:ring:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Obtaining the cluster process topology

"dws:processTopo:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying intelligent O&M information

"dws:operationalTask:get"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Intelligent O&M Operations

"dws:operationalTask:operate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Creating an endpoint service

"dws:vpcEndpointService:create"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying the resource management list

"dws:workLoadManager:get"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Resource management operations

"dws:workLoadManager:operate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

LTS operations

"dws:ltsAccess:operate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying LTS Information

"dws:ltsAccess:get"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying events

"dws:event:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying event specifications

"dws:event:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying event subscriptions

"dws:eventSub:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Creating an event subscription

"dws:eventSub:create"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Updating an event subscription

"dws:eventSub:update"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Deleting an event subscription

"dws:eventSub:delete"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying alarm statistics

"dws:alarmStatistic:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying alarm details

"dws:alarmDetail:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying alarm configurations

"dws:alarmConfig:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying alarm subscriptions

"dws:alarmSub:list"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Creating an alarm subscription

"dws:alarmSub:create"

"dws:*:get*",

"dws:*:list*",

  • Scope:
    • Project

Updating an alarm subscription

"dws:alarmSub:update"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Deleting an alarm subscription

"dws:alarmSub:delete"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Delivering cluster upgrade operations (upgrade, rollback, submission, and retry)

"dws:cluster:doUpdate"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying the available upgrade paths of a cluster

"dws:cluster:getUpgradePaths"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Querying cluster upgrade records

"dws:cluster:getUpgradeRecords"

"dws:*:get*",

"dws:*:list*"

  • Scope:
    • Project

Authorization Using the Fine-Grained Permission Policy

  1. Log in to the IAM console and create a custom policy.

    For details, see "Fine-Grained Policy Management > Creating a Custom Policy" in the Identity and Access Management User Guide.

    Refer to the following to create the policy:

    • Use the IAM administrator account, that is, the user in the admin user group, because only the IAM administrator has the permissions to create users and user groups and modify user group permissions.
    • GaussDB(DWS) is a project-level service, so its Scope must be set to Project-level services. If this policy is required to take effect for multiple projects, authorization is required to each project.
    • Two GaussDB(DWS) policy templates are preconfigured on IAM. When creating a custom policy, you can select either of the following templates and modify the policy authorization statement based on the template:
      • DWS Admin: has all execution permissions on GaussDB(DWS).
      • DWS Viewer: has the read-only permission on GaussDB(DWS).
    • You can add permissions corresponding to GaussDB(DWS) operations or RESTful APIs listed in List of Supported Actions to the action list in the policy authorization statement, so that the policy can obtain the permissions.

      For example, if dws:cluster:create is added to the action list of a policy statement, the policy has the permission to create or restore clusters.

    • If you want to use other services, grant related operation permissions on these services. For details, see the help documents of related services.

      For example, when creating a data warehouse cluster, you need to configure the VPC to which the cluster belongs. To obtain the VPC list, add permission vpc:*:get* to the policy statement.

  2. Create a user group.

    For details, see "User and User Group Management > Viewing or Modifying User Group Information > Creating a User Group" in the Identity and Access Management User Guide.

  3. Add users to the user group and grant the new custom policy to the user group so that users in it can obtain the permissions defined by the policy.

    For details, see "User and User Group Management > Viewing or Modifying User Group Information" in the Identity and Access Management User Guide.

Authentication Logic

If a user is granted permissions of multiple policies or of only one policy containing both Allow and Deny statements, then authentication starts from the Deny statements. The following figure shows the authentication logic for resource access.

Figure 3 Authentication logic
NOTE:

The actions in each policy bear the OR relationship.

  1. A user accesses the system and makes an operation request.
  2. The system evaluates all the permissions policies assigned to the user.
  3. In these policies, the system looks for explicit deny permissions. If the system finds an explicit deny that applies, it returns a decision of Deny, and the authentication ends.
  4. If no explicit deny is found, the system looks for allow permissions that would apply to the request. If the system finds an explicit allow permission that applies, it returns a decision of Allow, and the authentication ends.
  5. If no explicit allow permission is found, IAM returns a decision of Deny, and the authentication ends.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback