Updated on 2023-11-02 GMT+08:00

AAD Permissions

If you need to assign different permissions to employees in your enterprise to access your AAD resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you efficiently manage access to your AAD resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use AAD resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using AAD resources.

If your Huawei Cloud account does not need individual IAM users for permissions management, skip this section.

AAD Permissions

By default, new IAM users do not have any permissions. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.

AAD is a global service and can be deployed in any region. AAD permissions are assigned to IAM users in the global project, so IAM users can access AAD in any region without switching regions.

You can grant users permissions by using roles and policies.
  • Roles: Role-based permission management is a coarse-grained authorization mechanism that defines permissions based on users' job responsibilities. It provides only a limited number of service-level roles. If a role depends on another role for accessing AAD, assign both roles to the user. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: Policy-based permission management is a fine-grained authorization mechanism that grants permissions to perform specific operations on specific cloud resources. It allows more flexible authorization and meets secure access control requirements. For example, you can grant AAD users permissions to manage only a certain type of resource.

Table 1 lists all the system roles and policies supported by AAD.

Table 1 AAD system roles and policies

CAD Administrator
  Description: Administrator permissions for AAD
  Type: System role
  Dependency: Either the CAD Administrator and BSS Administrator roles or the Tenant Administrator role is required for purchasing an AAD instance or upgrading the specifications of an AAD instance.
    • BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.
    • Tenant Administrator: has all permissions on all services except on IAM.
  NOTICE: The CAD Administrator system role is about to go offline. To ensure the normal use of AAD, grant the AAD FullAccess or AAD ReadOnlyAccess system policy to users as soon as possible.

AAD FullAccess
  Description: All permissions for AAD
  Type: Policy
  Dependency: Either the AAD FullAccess policy and BSS Administrator role or the Tenant Administrator role is required for purchasing an AAD instance or upgrading the specifications of an AAD instance.
    • BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.
    • Tenant Administrator: has all permissions on all services except on IAM.

AAD ReadOnlyAccess
  Description: Read-only permissions for AAD. Users granted these permissions can only view AAD information.
  Type: Policy
  Dependency: None.

AAD FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [{
        "Action": [
            "aad:*:*"
        ],
        "Effect": "Allow"
    }]
}

AAD ReadOnlyAccess Policy Content

{
    "Version": "1.1",
    "Statement": [{
        "Action": [
            "aad:*:get",
            "aad:*:list"
        ],
        "Effect": "Allow"
    }]
}
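The following Python is an added illustration, not Huawei Cloud code: it loads the two policy documents above and checks which actions each would permit, which is the review a practitioner does before attaching a policy. The wildcard-matching rule (segment by segment, default deny, explicit Deny wins) and the action names in SAMPLE_ACTIONS are assumptions for illustration; the page does not list AAD's real action names.

```python
import json
from fnmatch import fnmatchcase

# The two policy documents quoted on this page ("aad:*:*" is the FullAccess wildcard).
AAD_FULL_ACCESS = json.loads(
    '{"Version": "1.1", "Statement": [{"Action": ["aad:*:*"], "Effect": "Allow"}]}'
)
AAD_READ_ONLY_ACCESS = json.loads(
    '{"Version": "1.1", "Statement": [{"Action": ["aad:*:get", "aad:*:list"],'
    ' "Effect": "Allow"}]}'
)

def action_matches(pattern: str, action: str) -> bool:
    """Match a service:resource:action string against a policy pattern.
    Assumption (not stated on this page): matching is segment by segment and
    '*' may cover a whole segment or a prefix within one, as in "aad:*:get"."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))

def is_allowed(policies, action: str) -> bool:
    """Default deny: the action passes only if some attached statement allows it
    and none explicitly denies it (assumed evaluation rule)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(pat, action) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def permitted_actions(policies, candidate_actions):
    """Least-privilege review helper: the candidate actions a user holding these
    policies could perform, as a sorted list."""
    return sorted(a for a in candidate_actions if is_allowed(policies, a))

# Constructed action names for illustration; real AAD action names are not on this page.
SAMPLE_ACTIONS = [
    "aad:instance:get", "aad:instance:list", "aad:instance:delete",
    "aad:domain:create", "ecs:server:list",
]

if __name__ == "__main__":
    for name, policy in (("AAD FullAccess", AAD_FULL_ACCESS),
                         ("AAD ReadOnlyAccess", AAD_READ_ONLY_ACCESS)):
        print(name, "->", permitted_actions([policy], SAMPLE_ACTIONS))
```

Running it shows that AAD ReadOnlyAccess permits only the get and list actions, while neither policy grants anything outside the aad service.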