Updated on 2024-04-11 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your AOM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your AOM resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific types of resources. For example, some software developers in your enterprise need to use AOM resources but are not allowed to delete them or perform any high-risk operations such as deleting application discovery rules. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using AOM resources.

If your account does not need individual IAM users for permissions management, you can skip this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information, see IAM Service Overview.

AOM Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on AOM.

AOM is a project-level service deployed and accessed in specific physical regions. To assign AOM permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing AOM, the users need to switch to a region where they have been authorized to use this service.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on users' job responsibilities. This mechanism provides only a limited number of service-level roles for authorization. Huawei Cloud services depend on each other. When you grant permissions using roles, you may also need to attach dependent roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant Elastic Cloud Server (ECS) users only the permissions for managing a certain type of ECSs. Most policies define permissions based on APIs. For the API actions supported by AOM, see Permissions Policies and Supported Actions.
Table 1 lists all the system permissions supported by AOM.
Table 1 System permissions supported by AOM

| Subservice Name | Policy Name | Description | Type | Dependent System Permissions |
|---|---|---|---|---|
| CMDB/monitoring center/collection management | AOM FullAccess | Administrator permissions for AOM 2.0. Users granted these permissions can operate and use AOM. | System-defined policy | CCE ReadOnlyAccess and DMS ReadOnlyAccess |
| CMDB/monitoring center/collection management | AOM ReadOnlyAccess | Read-only permissions for AOM 2.0. Users granted these permissions can only view AOM data. | System-defined policy | CCE ReadOnlyAccess and DMS ReadOnlyAccess |
| Automation | CMS FullAccess | Administrator permissions for Automation. Users granted these permissions can operate and use Automation. | System-defined policy | - |
| Automation | CMS ReadOnlyAccess | Read-only permissions for Automation. Users granted these permissions can only view Automation data. | System-defined policy | - |

Common Operations and System-defined Policies of CMDB

Table 2 lists the common operations supported by each system-defined policy of CMDB. Select policies as required.

Table 2 Common operations supported by each system-defined policy of CMDB (√: supported; x: not supported)

| Operation | AOM FullAccess | AOM ReadOnlyAccess |
|---|---|---|
| Querying the details of an application | √ | √ |
| Querying the details of a sub-application | √ | √ |
| Querying the details of a component | √ | √ |
| Querying the details of an environment | √ | √ |
| Querying environment tags | √ | √ |
| Querying the details of a resource | √ | √ |
| Creating an application | √ | x |
| Updating an application | √ | x |
| Deleting an application | √ | x |
| Creating a sub-application | √ | x |
| Updating a sub-application | √ | x |
| Deleting a sub-application | √ | x |
| Transferring a sub-application | √ | x |
| Creating a component | √ | x |
| Updating a component | √ | x |
| Deleting a component | √ | x |
| Transferring a component | √ | x |
| Creating an environment | √ | x |
| Updating an environment | √ | x |
| Deleting an environment | √ | x |
| Creating an environment tag | √ | x |
| Updating an environment tag | √ | x |
| Deleting an environment tag | √ | x |
| Importing a resource | √ | x |
| Updating a resource | √ | x |
| Deleting a resource | √ | x |
| Transferring a resource | √ | x |
| Synchronizing a resource | √ | x |
| Binding a resource | √ | x |
| Unbinding a resource | √ | x |
| Enabling resource authorization | √ | x |
| Canceling resource authorization | √ | x |
| Obtaining the application list | √ | √ |
| Obtaining the sub-application list | √ | √ |
| Obtaining the component list | √ | √ |
| Obtaining the tag list of an application | √ | √ |
| Obtaining the resource list | √ | √ |
| Querying the node topology | √ | √ |
| Querying operation records | √ | √ |

Common Operations and System Permissions for Resource Monitoring

Table 3 lists the common operations supported by each system-defined policy of resource monitoring. Select policies as required.

Table 3 Common operations supported by each system-defined policy of resource monitoring (√: supported; x: not supported)

| Operation | AOM FullAccess | AOM ReadOnlyAccess |
|---|---|---|
| Creating an alarm rule | √ | x |
| Modifying an alarm rule | √ | x |
| Deleting an alarm rule | √ | x |
| Creating an alarm template | √ | x |
| Modifying an alarm template | √ | x |
| Deleting an alarm template | √ | x |
| Creating an alarm action rule | √ | x |
| Modifying an alarm action rule | √ | x |
| Deleting an alarm action rule | √ | x |
| Creating a message template | √ | x |
| Modifying a message template | √ | x |
| Deleting a message template | √ | x |
| Creating a grouping rule | √ | x |
| Modifying a grouping rule | √ | x |
| Deleting a grouping rule | √ | x |
| Creating a suppression rule | √ | x |
| Modifying a suppression rule | √ | x |
| Deleting a suppression rule | √ | x |
| Creating a silence rule | √ | x |
| Modifying a silence rule | √ | x |
| Deleting a silence rule | √ | x |
| Creating a dashboard | √ | x |
| Modifying a dashboard | √ | x |
| Deleting a dashboard | √ | x |
| Creating a Prometheus instance | √ | x |
| Modifying a Prometheus instance | √ | x |
| Deleting a Prometheus instance | √ | x |
| Creating an application discovery rule | √ | x |
| Modifying an application discovery rule | √ | x |
| Deleting an application discovery rule | √ | x |
| Subscribing to threshold alarms | √ | x |
| Configuring a VM log collection path | √ | x |

Common Operations and System Permissions of Automation

Table 4 lists the common operations supported by each system-defined policy of Automation. Select policies as required.

Table 4 Common operations supported by each system-defined policy of Automation (√: supported; x: not supported)

| Operation | CMS FullAccess | CMS ReadOnlyAccess |
|---|---|---|
| Creating a script | √ | x |
| Editing a script | √ | x |
| Copying and creating a script | √ | x |
| Editing a version | √ | x |
| Viewing a script version | √ | √ |
| Creating a package | √ | x |
| Viewing a package | √ | √ |
| Editing a package | √ | x |
| Viewing the package version list | √ | √ |
| Modifying a package version | √ | x |
| Deleting a package | √ | x |
| Creating a task | √ | x |
| Editing a task | √ | x |
| Deleting a task | √ | x |
| Viewing the task list | √ | √ |
| Viewing the task details | √ | √ |
| Executing a task | √ | x |

Common Operations Supported by Each System-defined Policy of Collection Management

Table 5 lists the common operations supported by each system-defined policy of collection management. Select policies as required.

Table 5 Common operations supported by each system-defined policy of collection management (√: supported; x: not supported)

| Operation | AOM FullAccess | AOM ReadOnlyAccess |
|---|---|---|
| Querying a proxy area | √ | √ |
| Editing a proxy area | √ | x |
| Deleting a proxy area | √ | x |
| Creating a proxy area | √ | x |
| Querying all proxies in a proxy area | √ | √ |
| Querying all proxy areas | √ | √ |
| Querying the Agent installation result | √ | √ |
| Obtaining the Agent installation command of a host | √ | √ |
| Obtaining the host heartbeat and checking whether the host is connected with the server | √ | √ |
| Uninstalling running Agents in batches | √ | x |
| Querying the Agent home page | √ | √ |
| Testing the connectivity between the installation host and the target host | √ | x |
| Installing Agents in batches | √ | x |
| Obtaining the latest operation log of the Agent | √ | √ |
| Obtaining the list of versions that can be selected during Agent installation | √ | √ |
| Obtaining the list of all Agent versions under the current project ID | √ | √ |
| Deleting hosts with Agents installed | √ | x |
| Querying Agent information based on the ECS ID | √ | √ |
| Deleting a host with an Agent installed | √ | x |
| Setting an installation host | √ | x |
| Resetting installation host parameters | √ | x |
| Querying the list of hosts that can be set to installation hosts | √ | √ |
| Querying the list of Agent installation hosts | √ | √ |
| Deleting an installation host | √ | x |
| Upgrading Agents in batches | √ | x |
| Querying historical task logs | √ | √ |
| Querying historical task details | √ | √ |
| Querying all historical tasks | √ | √ |
| Querying all execution statuses and task types | √ | √ |
| Querying the Agent execution statuses in historical task details | √ | √ |
| Modifying a proxy | √ | x |
| Deleting a proxy | √ | x |
| Setting a proxy | √ | x |
| Querying the list of hosts that can be set to proxies | √ | √ |
| Updating plug-ins in batches | √ | x |
| Uninstalling plug-ins in batches | √ | x |
| Installing plug-ins in batches | √ | x |
| Querying historical task logs of a plug-in | √ | √ |
| Querying all plug-in execution records | √ | √ |
| Querying plug-in execution records based on the task ID | √ | √ |
| Querying the plug-in execution statuses in historical task details | √ | √ |
| Obtaining the plug-in list | √ | √ |
| Querying the plug-in version | √ | √ |
| Querying the list of supported plug-ins | √ | √ |
| Obtaining the CCE cluster list | √ | √ |
| Obtaining the Agent list of a CCE cluster | √ | √ |
| Installing ICAgent on a CCE cluster | √ | x |
| Upgrading ICAgent for a CCE cluster | √ | x |
| Uninstalling ICAgent from a CCE cluster | √ | x |
| Obtaining the CCE cluster list | √ | √ |
| Obtaining the list of hosts where the ICAgent has been installed | √ | √ |
| Installing ICAgent on CCE cluster hosts | √ | x |
| Upgrading ICAgent on CCE cluster hosts | √ | x |
| Uninstalling ICAgent from CCE cluster hosts | √ | x |

Fine-grained Permissions

To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of AOM as required. For details about fine-grained permissions of AOM, see Table 6.

Table 6 Fine-grained permissions of AOM

| Permission | Description | Permission Dependency | Application Scenario |
|---|---|---|---|
| cms:workflow:create | Creating a task | ecs:cloudServers:list, ecs:cloudServers:listServerInterfaces, rds:instance:list | Creating a task |
| cms:workflow:update | Modifying a task | functiongraph:function:create, functiongraph:function:updateCode | Modifying a task |
| cms:workflow:list | Obtaining the task list | N/A | Obtaining the task list |
| cms:execution:get | Obtaining the execution details about a task | N/A | Obtaining the execution details about a task |
| cms:execution:create | Executing a task | functiongraph:function:create, functiongraph:function:invoke, functiongraph:function:list | Executing a task (such as script/job execution and package installation/uninstall) |
| cms:template:get | Querying the details of a template | N/A | Querying template details or execution plan details |
| cms:template:list | Obtaining the template list | N/A | Obtaining the list of execution plans or the list of templates that can be used to create tasks |
| cms:script:get | Querying the details of a script | N/A | Querying the details of a script |
| cms:script:list | Querying the script list | N/A | Querying the script list |
| cms:job:list | Querying the job list | N/A | Querying the job list |
| aom:cmdbApplication:get | Obtaining the details of an application | N/A | Obtaining the details of an application based on the application ID or name |
| aom:cmdbApplication:update | Modifying an application | N/A | Modifying an application |
| aom:cmdbApplication:delete | Deleting an application | N/A | Deleting an application |
| aom:cmdbApplication:get | Obtaining the details of an application | N/A | Obtaining the details of an application |
| aom:cmdbComponent:get | Querying the details of a component | N/A | Querying the details of a component based on the component ID or name |
| aom:cmdbComponent:create | Adding a component | N/A | Adding a component |
| aom:cmdbComponent:update | Updating a component | N/A | Updating a component |
| aom:cmdbComponent:delete | Deleting a component | N/A | Deleting a component |
| aom:cmdbComponent:move | Transferring a component | N/A | Transferring a component |
| aom:cmdbComponent:list | Querying the component list | N/A | Querying the component list |
| aom:cmdbEnvironment:create | Creating an environment | N/A | Creating an environment |
| aom:cmdbEnvironment:update | Modifying an environment | N/A | Modifying an environment |
| aom:cmdbEnvironment:get | Obtaining the details of an environment | N/A | Obtaining the details of an environment based on the environment name+region+component ID, or environment ID |
| aom:cmdbEnvironment:delete | Deleting an environment | N/A | Deleting an environment |
| aom:cmdbSubApplication:get | Querying the details of a sub-application | N/A | Querying the details of a sub-application |
| aom:cmdbSubApplication:update | Modifying a sub-application | N/A | Modifying a sub-application |
| aom:cmdbSubApplication:move | Transferring a sub-application | N/A | Transferring a sub-application |
| aom:cmdbSubApplication:delete | Deleting a sub-application | N/A | Deleting a sub-application |
| aom:cmdbSubApplication:create | Adding a sub-application | N/A | Adding a sub-application |
| aom:cmdbSubApplication:list | Querying the sub-application list | N/A | Querying the sub-application list |
| aom:cmdbResources:unbind | Unbinding a resource | N/A | Unbinding a resource |
| aom:cmdbResources:bind | Binding a resource | N/A | Binding a resource |
| aom:cmdbResources:move | Transferring a resource | N/A | Transferring a resource |
| aom:cmdbResources:get | Querying the details of a resource | N/A | Querying the details of a resource |
| aom:alarm:put | Reporting an alarm | N/A | Reporting a custom alarm |
| aom:event2AlarmRule:create | Adding an event alarm rule | N/A | Adding an event alarm rule |
| aom:event2AlarmRule:set | Modifying an event alarm rule | N/A | Modifying an event alarm rule |
| aom:event2AlarmRule:delete | Deleting an event alarm rule | N/A | Deleting an event alarm rule |
| aom:event2AlarmRule:list | Querying all event alarm rules | N/A | Querying all event alarm rules |
| aom:actionRule:create | Adding an alarm action rule | N/A | Adding an alarm action rule |
| aom:actionRule:delete | Deleting an alarm action rule | N/A | Deleting an alarm action rule |
| aom:actionRule:list | Querying the alarm action rule list | N/A | Querying the alarm action rule list |
| aom:actionRule:update | Modifying an alarm action rule | N/A | Modifying an alarm action rule |
| aom:actionRule:get | Querying an alarm action rule by name | N/A | Querying an alarm action rule by name |
| aom:alarm:list | Obtaining the sent alarm content | N/A | Obtaining the sent alarm content |
| aom:alarmRule:create | Creating a threshold rule | N/A | Creating a threshold rule |
| aom:alarmRule:set | Modifying a threshold rule | N/A | Modifying a threshold rule |
| aom:alarmRule:get | Querying threshold rules | N/A | Querying all threshold rules or a single threshold rule by rule ID |
| aom:alarmRule:delete | Deleting a threshold rule | N/A | Deleting threshold rules in batches or a single threshold rule by rule ID |
| aom:discoveryRule:list | Querying application discovery rules | N/A | Querying existing application discovery rules |
| aom:discoveryRule:delete | Deleting an application discovery rule | N/A | Deleting an application discovery rule |
| aom:discoveryRule:set | Adding an application discovery rule | N/A | Adding an application discovery rule |
| aom:metric:list | Querying time series objects | N/A | Querying time series objects |
| aom:metric:list | Querying time series data | N/A | Querying time series data |
| aom:metric:get | Querying metrics | N/A | Querying metrics |
| aom:metric:get | Querying monitoring data | N/A | Querying monitoring data |
| aom:muteRule:delete | Deleting a silence rule | N/A | Deleting a silence rule |
| aom:muteRule:create | Adding a silence rule | N/A | Adding a silence rule |
| aom:muteRule:update | Modifying a silence rule | N/A | Modifying a silence rule |
| aom:muteRule:list | Querying the silence rule list | N/A | Querying the silence rule list |
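A custom policy that grants an action but not its Permission Dependency fails at run time, so it is worth checking before the policy is attached. The following checker is an added example, not Huawei's tooling: it embeds the Table 6 dependencies and reports what a policy lacks. The policy layout ("Version": "1.1", Statement entries with Effect and Action) is assumed from the IAM custom-policy format, and the sample policy is constructed.

```python
"""Lint a Huawei Cloud IAM custom policy against the Table 6 dependencies
(added example, not Huawei's tooling; the "Version": "1.1" / Statement /
Effect / Action layout is assumed from the IAM custom-policy format)."""
import json

# Dependencies copied from Table 6; actions listed there as "N/A" have no entry.
TABLE6_DEPENDENCIES = {
    "cms:workflow:create": ["ecs:cloudServers:list",
                            "ecs:cloudServers:listServerInterfaces",
                            "rds:instance:list"],
    "cms:workflow:update": ["functiongraph:function:create",
                            "functiongraph:function:updateCode"],
    "cms:execution:create": ["functiongraph:function:create",
                             "functiongraph:function:invoke",
                             "functiongraph:function:list"],
}

def allowed_actions(policy):
    """Actions from Allow statements only. Deny statements are ignored and
    wildcards are not expanded, so "cms:*:*" does not satisfy a dependency."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions

def missing_dependencies(policy):
    """Map each granted action to the Table 6 dependencies the policy lacks;
    an empty dict means the policy is complete."""
    granted = allowed_actions(policy)
    missing = {}
    for action in sorted(granted):
        needed = [d for d in TABLE6_DEPENDENCIES.get(action, []) if d not in granted]
        if needed:
            missing[action] = needed
    return missing

# Constructed sample: an operator may run tasks but lacks two of the three
# FunctionGraph actions that cms:execution:create depends on.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Allow",
                 "Action": ["cms:workflow:list", "cms:execution:get",
                            "cms:execution:create",
                            "functiongraph:function:invoke"]}]
}""")
```

Calling missing_dependencies(SAMPLE_POLICY) reports that cms:execution:create still needs functiongraph:function:create and functiongraph:function:list.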

Roles/Policies Required by AOM Dependent Services

If an IAM user needs to view data or use functions on the AOM console, grant the AOM FullAccess or AOM ReadOnlyAccess policy to the user group to which the user belongs and then add the roles or policies required by AOM dependent services by referring to Table 7.

When a user subscribes to AOM for the first time, AOM will automatically create a service agency. In addition to the AOM FullAccess permission, the user must be granted the Security Administrator permission.

Table 7 Roles/Policies required by AOM dependent services

| Console Function | Dependent Service | Policy/Role Required |
|---|---|---|
| Workload monitoring; cluster monitoring | CCE | To use workload and cluster monitoring, you need to set the CCE ReadOnlyAccess permission. |
| Data subscription | Distributed Message Service (DMS) for Kafka | To use data subscription, you need to set the DMS ReadOnlyAccess permission. |