Permissions Management
If you need to assign different permissions to employees in your enterprise to access your resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use OA resources but should not be allowed to perform any high-risk operations, such as deleting ECSs. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using OA resources.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.
IAM can be used for free. You pay only for the resources in your account. For more information about IAM, see What Is IAM?
OA Service Permissions
By default, new IAM users do not have any permissions assigned. You need to add the users to certain user groups and grant the user groups policies, so that the users in the groups can inherit the permissions.
- Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant ECS users only the permissions for managing a certain type of ECSs.
As shown in Table 1, all system policies for OA are included.
Policy |
Description |
Dependencies |
Policy Type |
|---|---|---|---|
OA FullAccessPolicy |
Has all permissions of OA. |
None |
System-defined policies |
OA AdvancedOperationsPolicy |
Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, the cross-account availability check function is available. |
None |
System-defined policies |
OA CommonOperationsPolicy |
Has the permissions to perform regular operations using OA, such as performing availability check. The cross-account availability check function is unavailable for users with this policy. |
None |
System-defined policies |
OA ReadOnlyAccessPolicy |
Has the read-only permissions for OA. Users that are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. |
None |
System-defined policies |
Table 2 lists the regular operations supported by each system policy of OA. Select the system policies as required.
Function |
Operation |
OA FullAccessPolicy |
OA AdvancedOperationsPolicy |
OA CommonOperationsPolicy |
OA ReadOnlyAccessPolicy |
|---|---|---|---|---|---|
| Risk check overview |
View the risk check result overview. |
√ |
√ |
√ |
√ |
Enable or disable automatic check. |
√ |
√ |
√ |
× |
|
View a notification topic. |
√ |
√ |
√ |
√ |
|
Select accounts. |
√ |
√ |
× |
× |
|
Execute check tasks. |
√ |
√ |
√ |
× |
|
Download the risk check result report. |
√ |
√ |
√ |
√ |
|
| Risk check dimensions |
View risk check dimensions. |
√ |
√ |
√ |
√ |
View the check result details of a single check Item. |
√ |
√ |
√ |
√ |
|
Perform a check that covers only one check item. |
√ |
√ |
√ |
× |
|
Download the result report of the check that covers only one check item. |
√ |
√ |
√ |
√ |
|
| Architecture design |
View the architecture diagrams. |
√ |
√ |
√ |
√ |
View architecture diagrams in the recycle bin. |
√ |
√ |
√ |
√ |
|
Viewing details about the architecture diagrams in the recycle bin. |
√ |
√ |
√ |
√ |
|
Restore architecture diagrams from the recycle bin. |
√ |
√ |
√ |
× |
|
Delete architecture diagrams from the recycle bin. |
√ |
√ |
√ |
× |
|
Create architecture diagrams. |
√ |
√ |
√ |
× |
|
Rename architecture diagrams. |
√ |
√ |
√ |
× |
|
Export architecture diagrams. |
√ |
√ |
√ |
√ |
|
Replicate architecture diagrams. |
√ |
√ |
√ |
× |
|
Delete architecture diagrams. |
√ |
√ |
√ |
× |
|
Enable capacity risk monitoring. |
√ |
√ |
√ |
× |
|
View details of an architecture diagram. |
√ |
√ |
√ |
√ |
|
Edit an architecture diagram. |
√ |
√ |
√ |
× |
|
View the historical editing records of an architecture diagram. |
√ |
√ |
√ |
√ |
|
View the historical editing details of an architecture diagram. |
√ |
√ |
√ |
√ |
|
Restore a historical architecture diagram. |
√ |
√ |
√ |
× |
|
Delete the historical editing records of an architecture diagram. |
√ |
√ |
√ |
× |
|
View all links of a diagram element. |
√ |
√ |
√ |
√ |
|
View the list of selected resources. |
√ |
√ |
√ |
√ |
|
Export selected resources. |
√ |
√ |
√ |
√ |
|
| Capacity optimization |
View the summary of capacity optimization analysis results. |
√ |
√ |
√ |
√ |
View the details of capacity optimization analysis results. |
√ |
√ |
√ |
√ |
|
Delete capacity optimization analysis results. |
√ |
√ |
√ |
× |
|
View monitoring details of a capacity optimization analysis result. |
√ |
√ |
√ |
√ |
|
Perform re-identification. |
√ |
√ |
√ |
× |
|
Stop analysis. |
√ |
√ |
√ |
× |
|
Export the capacity optimization analysis report. |
√ |
√ |
√ |
√ |
|
Query configurations for capacity optimization analysis. |
√ |
√ |
√ |
√ |
|
Modify configurations for capacity optimization analysis. |
√ |
√ |
√ |
× |
|
Query the list of capacity optimization analysis reports. |
√ |
√ |
√ |
√ |
|
Delete a capacity optimization analysis report. |
√ |
√ |
√ |
× |
|
| Resource groups |
View resource groups. |
√ |
√ |
√ |
√ |
View resource group details. |
√ |
√ |
√ |
√ |
|
Modify a resource group. |
√ |
√ |
√ |
× |
|
Delete a resource group. |
√ |
√ |
√ |
× |
|
Add a resource group. |
√ |
√ |
√ |
× |
|
View the resource list. |
√ |
√ |
√ |
√ |
|
| Monthly service reports |
View the monthly report list. |
√ |
√ |
√ |
√ |
View monthly report details. |
√ |
√ |
√ |
√ |
|
Export a monthly report. |
√ |
√ |
√ |
√ |
|
| Risk check history |
View risk check reports. |
√ |
√ |
√ |
√ |
View risk check result details. |
√ |
√ |
√ |
√ |
|
Export a risk check report. |
√ |
√ |
√ |
√ |
|
| Custom rules |
View the check item list. |
√ |
√ |
√ |
√ |
Enable check items. |
√ |
√ |
√ |
× |
|
Disable check items. |
√ |
√ |
√ |
× |
|
Restore initial configurations. |
√ |
√ |
√ |
× |
|
Customize configurations. |
√ |
√ |
√ |
× |
|
| Authorization |
View the user authorization list. |
√ |
√ |
√ |
√ |
Disable or enable authorization. |
√ |
× |
× |
× |
|
Disable services. |
√ |
× |
× |
× |
Related Links
- IAM Service Overview
- For details about how to create a user group or user and grant OA permissions, see Creating a User and Granting OA Permissions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
