Permissions
If you need to assign different permissions to employees in your enterprise to access your Optimization Advisor (OA) resources purchased on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. It helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, some software developers in your enterprise need to use OA resources but are not allowed to perform any high-risk operations, such as deleting OA resources. To this end, you can create IAM users for software developers and grant them only the permissions to use OA but not permission to delete it.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
|
Authorization Model |
Core Relationship |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
User-policy |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
OA supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
OA is a global service deployed for all regions. When the authorization scope is set to Global services, you have the permission to access OA resources in all regions.
Table 2 lists all system-defined permissions for OA. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
|
Role/Policy Name |
Description |
Type |
Dependencies |
|---|---|---|---|
|
OA FullAccessPolicy |
Has all permissions of OA. |
System-defined policies |
None |
|
OA AdvancedOperationsPolicy |
Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, the cross-account availability check function is available. |
System-defined policies |
None |
|
OA CommonOperationsPolicy |
Has the permissions to perform regular operations using OA, such as performing availability check. The cross-account availability check function is unavailable for users with this policy. |
System-defined policies |
None |
|
OA ReadOnlyAccessPolicy |
Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. |
System-defined policies |
None |
Table 3 lists the common operations supported by system-defined policies for OA.
|
Function |
Operation |
OA FullAccessPolicy |
OA AdvancedOperationsPolicy |
OA CommonOperationsPolicy |
OA ReadOnlyAccessPolicy |
|---|---|---|---|---|---|
|
Risk check overview |
View the risk check result overview. |
Supported |
Supported |
Supported |
Supported |
|
Enable or disable automatic check. |
Supported |
Supported |
Supported |
Not supported |
|
|
View a notification topic. |
Supported |
Supported |
Supported |
Supported |
|
|
Select accounts. |
Supported |
Supported |
Not supported |
Not supported |
|
|
Execute check tasks. |
Supported |
Supported |
Supported |
Not supported |
|
|
Download the risk check result report. |
Supported |
Supported |
Supported |
Supported |
|
|
Risk check dimensions |
View risk check dimensions. |
Supported |
Supported |
Supported |
Supported |
|
View the check result details of a single check Item. |
Supported |
Supported |
Supported |
Supported |
|
|
Perform a check for a single item. |
Supported |
Supported |
Supported |
Not supported |
|
|
Download the check report of a single check item. |
Supported |
Supported |
Supported |
Supported |
|
|
Architecture design |
View the architecture diagrams. |
Supported |
Supported |
Supported |
Supported |
|
View architecture diagrams in the recycle bin. |
Supported |
Supported |
Supported |
Supported |
|
|
View details about the architecture diagrams in the recycle bin. |
Supported |
Supported |
Supported |
Supported |
|
|
Restore architecture diagrams from the recycle bin. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete architecture diagrams from the recycle bin. |
Supported |
Supported |
Supported |
Not supported |
|
|
Create an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Rename an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Export an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Copy an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Enable capacity risk monitoring. |
Supported |
Supported |
Supported |
Not supported |
|
|
View details of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Edit an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
View the historical editing records of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
View the historical editing details of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Restore a historical architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete the historical editing records of an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
View all links of a diagram element. |
Supported |
Supported |
Supported |
Supported |
|
|
View the list of selected resources. |
Supported |
Supported |
Supported |
Supported |
|
|
Export selected resources. |
Supported |
Supported |
Supported |
Supported |
|
|
Associate resources to a diagram element. |
Supported |
Supported |
Supported |
Not supported |
|
|
Capacity optimization |
View the summary of capacity optimization analysis results. |
Supported |
Supported |
Supported |
Supported |
|
View the details of capacity optimization analysis results. |
Supported |
Supported |
Supported |
Supported |
|
|
Delete capacity optimization analysis results. |
Supported |
Supported |
Supported |
Not supported |
|
|
View monitoring details of a capacity optimization analysis result. |
Supported |
Supported |
Supported |
Supported |
|
|
Perform re-identification. |
Supported |
Supported |
Supported |
Not supported |
|
|
Stop analysis. |
Supported |
Supported |
Supported |
Not supported |
|
|
Export the capacity optimization analysis report. |
Supported |
Supported |
Supported |
Supported |
|
|
Query configurations for capacity optimization analysis. |
Supported |
Supported |
Supported |
Supported |
|
|
Modify configurations for capacity optimization analysis. |
Supported |
Supported |
Supported |
Not supported |
|
|
Query the list of capacity optimization analysis reports. |
Supported |
Supported |
Supported |
Supported |
|
|
Delete a capacity optimization analysis report. |
Supported |
Supported |
Supported |
Not supported |
|
|
Resource groups |
View resource groups. |
Supported |
Supported |
Supported |
Supported |
|
View resource group details. |
Supported |
Supported |
Supported |
Supported |
|
|
Modify a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
Add a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
View the resource list. |
Supported |
Supported |
Supported |
Supported |
|
|
Monthly service reports |
View the monthly report list. |
Supported |
Supported |
Supported |
Supported |
|
View monthly report details. |
Supported |
Supported |
Supported |
Supported |
|
|
Export a monthly report. |
Supported |
Supported |
Supported |
Supported |
|
|
Risk check history |
View risk check reports. |
Supported |
Supported |
Supported |
Supported |
|
View risk check result details. |
Supported |
Supported |
Supported |
Supported |
|
|
Export a risk check report. |
Supported |
Supported |
Supported |
Supported |
|
|
Custom rules |
View the check item list. |
Supported |
Supported |
Supported |
Supported |
|
Enable check items. |
Supported |
Supported |
Supported |
Not supported |
|
|
Disable check items. |
Supported |
Supported |
Supported |
Not supported |
|
|
Restore initial configurations. |
Supported |
Supported |
Supported |
Not supported |
|
|
Customize configurations. |
Supported |
Supported |
Supported |
Not supported |
|
|
Authorization |
View the user authorization list. |
Supported |
Supported |
Supported |
Supported |
|
Disable or enable authorization. |
Supported |
Not supported |
Not supported |
Not supported |
|
|
Disable services. |
Supported |
Not supported |
Not supported |
Not supported |
Identity Policy-based Authorization
OA supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for OA. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Identity Policy Name |
Description |
Type |
|---|---|---|
|
OA FullAccessPolicy |
Has all permissions of OA. |
System-defined identity policies |
|
OA AdvancedOperationsPolicy |
Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, the cross-account availability check function is available. |
System-defined identity policies |
|
OA CommonOperationsPolicy |
Has the permissions to perform regular operations using OA, such as performing availability check. The cross-account availability check function is unavailable for users with this policy. |
System-defined identity policies |
|
OA ReadOnlyAccessPolicy |
Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. |
System-defined identity policies |
Table 5 lists the common operations supported by system-defined identity policies for OA.
|
Function |
Operation |
OA FullAccessPolicy |
OA AdvancedOperationsPolicy |
OA CommonOperationsPolicy |
OA ReadOnlyAccessPolicy |
|---|---|---|---|---|---|
|
Risk check overview |
View the risk check result overview. |
Supported |
Supported |
Supported |
Supported |
|
Enable or disable automatic check. |
Supported |
Supported |
Supported |
Not supported |
|
|
View a notification topic. |
Supported |
Supported |
Supported |
Supported |
|
|
Select accounts. |
Supported |
Supported |
Not supported |
Not supported |
|
|
Execute check tasks. |
Supported |
Supported |
Supported |
Not supported |
|
|
Download the risk check result report. |
Supported |
Supported |
Supported |
Supported |
|
|
Risk check dimensions |
View risk check dimensions. |
Supported |
Supported |
Supported |
Supported |
|
View the check result details of a single check Item. |
Supported |
Supported |
Supported |
Supported |
|
|
Perform a check for a single item. |
Supported |
Supported |
Supported |
Not supported |
|
|
Download the check report of a single check item. |
Supported |
Supported |
Supported |
Supported |
|
|
Architecture design |
View the architecture diagrams. |
Supported |
Supported |
Supported |
Supported |
|
View architecture diagrams in the recycle bin. |
Supported |
Supported |
Supported |
Supported |
|
|
View details about the architecture diagrams in the recycle bin. |
Supported |
Supported |
Supported |
Supported |
|
|
Restore architecture diagrams from the recycle bin. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete architecture diagrams from the recycle bin. |
Supported |
Supported |
Supported |
Not supported |
|
|
Create an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Rename an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Export an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Copy an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Enable capacity risk monitoring. |
Supported |
Supported |
Supported |
Not supported |
|
|
View details of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Edit an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
View the historical editing records of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
View the historical editing details of an architecture diagram. |
Supported |
Supported |
Supported |
Supported |
|
|
Restore a historical architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete the historical editing records of an architecture diagram. |
Supported |
Supported |
Supported |
Not supported |
|
|
View all links of a diagram element. |
Supported |
Supported |
Supported |
Supported |
|
|
View the list of selected resources. |
Supported |
Supported |
Supported |
Supported |
|
|
Export selected resources. |
Supported |
Supported |
Supported |
Supported |
|
|
Associate resources to a diagram element. |
Supported |
Supported |
Supported |
Not supported |
|
|
Capacity optimization |
View the summary of capacity optimization analysis results. |
Supported |
Supported |
Supported |
Supported |
|
View the details of capacity optimization analysis results. |
Supported |
Supported |
Supported |
Supported |
|
|
Delete capacity optimization analysis results. |
Supported |
Supported |
Supported |
Not supported |
|
|
View monitoring details of a capacity optimization analysis result. |
Supported |
Supported |
Supported |
Supported |
|
|
Perform re-identification. |
Supported |
Supported |
Supported |
Not supported |
|
|
Stop analysis. |
Supported |
Supported |
Supported |
Not supported |
|
|
Export the capacity optimization analysis report. |
Supported |
Supported |
Supported |
Supported |
|
|
Query configurations for capacity optimization analysis. |
Supported |
Supported |
Supported |
Supported |
|
|
Modify configurations for capacity optimization analysis. |
Supported |
Supported |
Supported |
Not supported |
|
|
Query the list of capacity optimization analysis reports. |
Supported |
Supported |
Supported |
Supported |
|
|
Delete a capacity optimization analysis report. |
Supported |
Supported |
Supported |
Not supported |
|
|
Resource groups |
View resource groups. |
Supported |
Supported |
Supported |
Supported |
|
View resource group details. |
Supported |
Supported |
Supported |
Supported |
|
|
Modify a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
Delete a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
Add a resource group. |
Supported |
Supported |
Supported |
Not supported |
|
|
View the resource list. |
Supported |
Supported |
Supported |
Supported |
|
|
Monthly service reports |
View the monthly report list. |
Supported |
Supported |
Supported |
Supported |
|
View monthly report details. |
Supported |
Supported |
Supported |
Supported |
|
|
Export a monthly report. |
Supported |
Supported |
Supported |
Supported |
|
|
Risk check history |
View risk check reports. |
Supported |
Supported |
Supported |
Supported |
|
View risk check result details. |
Supported |
Supported |
Supported |
Supported |
|
|
Export a risk check report. |
Supported |
Supported |
Supported |
Supported |
|
|
Custom rules |
View the check item list. |
Supported |
Supported |
Supported |
Supported |
|
Enable check items. |
Supported |
Supported |
Supported |
Not supported |
|
|
Disable check items. |
Supported |
Supported |
Supported |
Not supported |
|
|
Restore initial configurations. |
Supported |
Supported |
Supported |
Not supported |
|
|
Customize configurations. |
Supported |
Supported |
Supported |
Not supported |
|
|
Authorization |
View the user authorization list. |
Supported |
Supported |
Supported |
Supported |
|
Disable or enable authorization. |
Supported |
Not supported |
Not supported |
Not supported |
|
|
Disable services. |
Supported |
Not supported |
Not supported |
Not supported |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
