Updated on 2023-11-02 GMT+08:00

CNAD Permissions

If you need to give employees in your enterprise different levels of access to your CNAD Pro resources, use Identity and Access Management (IAM) for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, so you can control who may access your CNAD Pro resources and which operations they may perform on them.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees and assign permissions to those users to control their access to specific resource types. For example, some software developers in your enterprise may need to use CNAD Pro but must not delete CNAD Pro resources or perform any other high-risk operations. To do so, create IAM users for the developers and grant them only the permissions required to use CNAD Pro resources, following the principle of least privilege.

If your Huawei Cloud account does not need individual IAM users for permissions management, skip this section.

CNAD Pro Permissions

By default, new IAM users have no permissions at all. To grant permissions, add a user to one or more user groups and attach permission policies or roles to those groups. Users inherit the permissions of their groups and can then perform only the operations those permissions allow.

CNAD is a global service and is not tied to a specific region. CNAD permissions are granted to IAM users in the global project, so an authorized IAM user can access CNAD from any region without switching regions.

You can grant users permissions by using roles or policies.
  • Roles: Role-based permission management is a coarse-grained authorization mechanism that defines permissions based on users' job responsibilities. It provides only a limited number of service-level roles. Some roles depend on other roles; if a role required for CNAD Pro has a dependency, assign both the role and its dependency to the user (see the Dependency column in Table 1). Roles are not an ideal choice for fine-grained authorization or strict access control.
  • Policies: Policy-based permission management is a fine-grained authorization mechanism that grants permissions to perform specific operations on specific cloud resources. It allows more flexible authorization and meets stricter access control requirements. For example, you can grant CNAD Pro users the permissions to manage only a certain type of resource, or only to read resources without modifying them.

Table 1 lists the system-defined permissions of CNAD Pro. Both are policies, not roles.

Table 1 System-defined permissions of CNAD Pro

Role/Policy Name    | Description                    | Type   | Dependency
--------------------|--------------------------------|--------|-----------------------------------------------------------
CNAD FullAccess     | Full permissions for CNAD      | Policy | To purchase a CNAD instance, a user needs either CNAD FullAccess together with the BSS Administrator role, or the Tenant Administrator role.
CNAD ReadOnlyAccess | Read-only permissions for CNAD | Policy | None.

CNAD FullAccess Policy Content

{
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "cnad:*:*"
                        ]
                }
        ]
}

CNAD ReadOnlyAccess Policy Content

{
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "cnad:*:get*",
                                "cnad:*:list*"
                        ]
                }
        ]
}
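The two system policies above differ only in their action patterns: cnad:*:* grants every CNAD action, while cnad:*:get* and cnad:*:list* grant only read operations. The following added example (not code from this documentation or from Huawei Cloud) evaluates such policy documents offline so the effect of each pattern can be checked before a policy is attached to a group. It matches actions against service:resource:action patterns segment by segment, applies default deny for users with no matching Allow, and lets an explicit Deny override any Allow, which is also how the developer scenario described at the top of this page (use CNAD Pro, but never delete) can be expressed as a custom policy. The CNAD action names used as sample input (for example cnad:instance:deleteInstance) and the cnad:*:delete* pattern are constructed for the demonstration and are not taken from the page; the model also ignores the Resource and Condition elements that real fine-grained policies may carry.

```python
"""Offline evaluator for Huawei Cloud IAM-style policy documents.

Added example, not code from the CNAD Pro documentation or from Huawei Cloud.
Modelled rules: default deny, explicit Deny overrides any Allow, and glob
matching of each colon-separated segment of "service:resource:action".
Resource and Condition elements are not modelled. All CNAD action names
below are constructed sample input, not identifiers taken from the page.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# The two system-defined policies exactly as shown on the page.
CNAD_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["cnad:*:*"]}],
}

CNAD_READ_ONLY_ACCESS = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["cnad:*:get*", "cnad:*:list*"]},
    ],
}

# Custom policy for the page's developer scenario: full use of CNAD Pro,
# but no deletions. The "delete*" pattern is an assumption about naming.
CNAD_NO_DELETE = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["cnad:*:*"]},
        {"Effect": "Deny", "Action": ["cnad:*:delete*"]},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match one action against one pattern, segment by segment.

    Each of the three segments (service:resource:action) is matched
    independently with case-sensitive glob semantics, so "cnad:*:get*"
    matches "cnad:instance:getInstance" but not "cnad:instance:listInstances",
    and "cnad:*:*" never matches an action of another service.
    """
    pattern_parts = pattern.split(":")
    action_parts = action.split(":")
    if len(pattern_parts) != 3 or len(action_parts) != 3:
        return False
    return all(fnmatchcase(a, p) for p, a in zip(pattern_parts, action_parts))


def is_allowed(policies: Iterable[dict], action: str) -> bool:
    """Return True only if some statement allows the action and none denies it.

    `policies` is every policy attached to any group the user belongs to.
    Default is deny: a user whose groups carry no matching Allow gets nothing,
    which is the "new IAM users have no permissions" rule on this page.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(action_matches(p, action) for p in stmt.get("Action", [])):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # explicit Deny wins over any Allow anywhere
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def evaluate(policies: Iterable[dict], actions: List[str]) -> Dict[str, bool]:
    """Evaluate a list of actions against a user's attached policies."""
    policies = list(policies)
    return {action: is_allowed(policies, action) for action in actions}


# Constructed sample actions; real CNAD action names may differ.
SAMPLE_ACTIONS = [
    "cnad:instance:listInstances",
    "cnad:instance:getInstance",
    "cnad:instance:createInstance",
    "cnad:instance:deleteInstance",
    "ecs:cloudServers:list",  # another service: never matched by cnad:* patterns
]

if __name__ == "__main__":
    for name, policy in [
        ("CNAD FullAccess", CNAD_FULL_ACCESS),
        ("CNAD ReadOnlyAccess", CNAD_READ_ONLY_ACCESS),
        ("custom no-delete", CNAD_NO_DELETE),
    ]:
        print(name)
        for action, ok in evaluate([policy], SAMPLE_ACTIONS).items():
            print(f"  {action:32} {'Allow' if ok else 'Deny'}")
```

Run the script to print an Allow/Deny matrix for each policy. Note that a user in several groups is evaluated against the union of their policies, so the last assertion pattern worth checking is that a Deny in one attached policy still blocks an action that another attached policy allows.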