Permissions Policies and Supported Actions
If you need to assign different permissions to employees in your enterprise to access your APM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use APM resources but do not want them to delete APM resources or perform any other high-risk operations, you can grant permission to use APM resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Authorization Using | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy-based authorization | User-permission-authorization scope | Roles and policies | Assigning roles or policies to principals | To authorize a user, you first add it to a user group and then specify the scope of the authorization. This model provides only a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. It is suitable for small- and medium-sized enterprises. |
| Identity policy-based authorization | User-policy | Identity policies | Attaching identity policies to principals | You authorize a user by attaching an identity policy to it. User-specific authorization and a wide range of condition keys allow more fine-grained permissions control. This model is harder to set up and requires a certain amount of expertise; it is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies, one per region, and assign both to the IAM users. With identity policy-based authorization, the administrator needs only one custom identity policy that uses the condition key g:RequestedRegion to restrict each action to its region, and then attaches that policy to the users (or grants the users access to the specified regions). Identity policy-based authorization is therefore more flexible than role/policy-based authorization.
Policies and identity policies, and the actions they reference, are not interoperable between the two authorization models: a policy written for one model cannot be used in the other. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
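The region example above can be made concrete with a small policy evaluator. The following is an added example and not code from the Huawei Cloud documentation or from IAM itself: it models the two authorization models just enough to show why the role/policy-based model needs two region-scoped custom policies where the identity policy-based model needs one policy with a g:RequestedRegion condition. The statement layout (Version, Statement, Effect, Action, Condition) and the StringEquals operator follow the identity-policy style the page refers to, but the action names, region IDs (cn-north-4, cn-south-1), version strings and evaluation rules (deny by default, explicit Deny wins, a missing condition key never matches) are assumptions for illustration, not Huawei's actual policy engine.

```python
"""Added example, not part of the Huawei Cloud APM documentation.

A deliberately small model of the two IAM authorization models compared
above. Everything below is illustrative: the action names, region IDs,
version strings and evaluation rules are assumptions, not the behaviour
of Huawei's policy engine.
"""
from fnmatch import fnmatchcase

# Assumed region IDs for the two regions named in the text.
CN_NORTH_BEIJING4 = "cn-north-4"
CN_SOUTH_GUANGZHOU = "cn-south-1"

# Assumed action names in the service:resource:operation style.
ECS_CREATE = "ecs:cloudServers:create"
ECS_DELETE = "ecs:cloudServers:delete"
OBS_CREATE_BUCKET = "obs:bucket:createBucket"


def _action_matches(patterns, action):
    # Policies may use wildcards such as "ecs:*"; fnmatchcase is case-sensitive.
    return any(fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, request):
    """Evaluate a Condition block such as
    {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}.
    A condition key missing from the request makes the condition false,
    so a statement never matches by accident (fail closed)."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for key, allowed in keys.items():
            if request.get(key) not in allowed:
                return False
    return True


def decide_identity(policy, request):
    """Identity policy-based model: one policy document attached to the user.
    Deny by default; an explicit Deny overrides any Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], request["action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decide_group(authorizations, request):
    """Role/policy-based model: the user inherits (policy, region scope) pairs
    from its user group. The region is fixed when the policy is assigned, so
    it cannot be expressed inside the policy itself."""
    decision = "Deny"
    for policy, scope in authorizations:
        if scope != request.get("g:RequestedRegion"):
            continue
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], request["action"]):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Role/policy-based: two custom policies, each assigned with its own region scope.
ECS_CREATE_POLICY = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [ECS_CREATE]}]}
OBS_CREATE_POLICY = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [OBS_CREATE_BUCKET]}]}
GROUP_AUTHORIZATIONS = [
    (ECS_CREATE_POLICY, CN_NORTH_BEIJING4),
    (OBS_CREATE_POLICY, CN_SOUTH_GUANGZHOU),
]

# Identity policy-based: one custom identity policy; the region is chosen per
# statement through the g:RequestedRegion condition key.
IDENTITY_POLICY = {
    "Version": "5.0",  # assumed version string
    "Statement": [
        {"Effect": "Allow", "Action": [ECS_CREATE],
         "Condition": {"StringEquals": {"g:RequestedRegion": [CN_NORTH_BEIJING4]}}},
        {"Effect": "Allow", "Action": [OBS_CREATE_BUCKET],
         "Condition": {"StringEquals": {"g:RequestedRegion": [CN_SOUTH_GUANGZHOU]}}},
    ],
}


def decide_both(action, region=None):
    """Return (role/policy decision, identity policy decision) for one request."""
    request = {"action": action}
    if region is not None:
        request["g:RequestedRegion"] = region
    return decide_group(GROUP_AUTHORIZATIONS, request), decide_identity(IDENTITY_POLICY, request)


if __name__ == "__main__":
    samples = [
        (ECS_CREATE, CN_NORTH_BEIJING4),
        (ECS_CREATE, CN_SOUTH_GUANGZHOU),
        (OBS_CREATE_BUCKET, CN_SOUTH_GUANGZHOU),
        (ECS_DELETE, CN_NORTH_BEIJING4),
        (ECS_CREATE, None),  # request without a region: denied by both models
    ]
    for action, region in samples:
        group, identity = decide_both(action, region)
        print(f"{action:26} {str(region):12} role/policy={group:5} identity={identity}")
```

Both models produce the same effective permissions for the two create actions, deny everything else, and deny a request that carries no region, but only the identity policy carries the region constraint inside the document itself, which is what lets one policy replace two.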
Constraints
Traces and Agent statistics are not tied to any specific resource of yours. To keep these statistics complete, an authorized user can view the traces and Agent statistics of all enterprise projects in the tenant, regardless of the enterprise project used for authorization.
Role/Policy-based Authorization
APM supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the user group and can perform specified operations on cloud services.
APM is a global service: it is accessed without selecting a physical region, and by default the APM permissions granted to a user take effect in all regions supported by APM. APM resources are isolated by tenant, and all users under a tenant share them. To isolate resources between teams, use enterprise projects. During authorization, choose Enterprise > Project Management to set permissions.
Table 2 lists all the system permissions supported by APM.
| Role/Policy | Description | Category | Dependencies |
|---|---|---|---|
| APM FullAccess | Full permissions for APM | System-defined policy | None |
| APM ReadOnlyAccess | Read-only permissions for APM | System-defined policy | None |
Table 3 lists the common operations supported by each system-defined policy or role of APM. Choose policies or roles as required.
| Operation | APM FullAccess | APM ReadOnlyAccess |
|---|---|---|
| Querying the alarm list | √ | √ |
| Querying alarm details | √ | √ |
| Querying alarm notification details | √ | √ |
| Obtaining application configuration | √ | √ |
| Creating application configuration | √ | x |
| Deleting application configuration | √ | x |
| Modifying application configuration | √ | x |
| Querying a tag | √ | √ |
| Adding a tag | √ | x |
| Deleting a tag | √ | x |
| Modifying a tag | √ | x |
| Querying a resource tag | √ | √ |
| Adding a resource tag | √ | x |
| Deleting a resource tag | √ | x |
| Modifying a resource tag | √ | x |
| Querying an alarm template | √ | √ |
| Adding an alarm template | √ | x |
| Deleting an alarm template | √ | x |
| Modifying an alarm template | √ | x |
| Obtaining a notification | √ | √ |
| Deleting a notification | √ | x |
| Adding a notification | √ | x |
| Modifying a notification | √ | x |
| Obtaining URL tracing configuration | √ | √ |
| Deleting URL tracing configuration | √ | x |
| Adding a URL for tracing | √ | x |
| Modifying URL tracing configuration | √ | x |
| Querying a URL tracing view | √ | √ |
| Obtaining the URL tracing list | √ | √ |
| Obtaining the global topology | √ | √ |
| Querying a sub-application | √ | √ |
| Querying environment configuration | √ | √ |
| Adding environment configuration | √ | x |
| Deleting environment configuration | √ | x |
| Modifying environment configuration | √ | x |
| Obtaining an instance | √ | √ |
| Deleting an instance | √ | x |
| Modifying an instance | √ | x |
| Querying a monitoring item | √ | √ |
| Modifying a monitoring item | √ | x |
| Obtaining collection status | √ | √ |
| Obtaining a custom alarm policy | √ | √ |
| Deleting a custom alarm policy | √ | x |
| Modifying a custom alarm policy | √ | x |
| Creating a custom alarm policy | √ | x |
| Obtaining the environment topology | √ | √ |
| Obtaining a metric view | √ | √ |
| Obtaining the trace list | √ | √ |
| Obtaining trace details | √ | √ |
| Obtaining collector information | √ | √ |
| Obtaining an access key | √ | x |
| Modifying an access key | √ | x |
| Deleting an access key | √ | x |
| Adding an access key | √ | x |
| Obtaining general configuration | √ | √ |
| Modifying general configuration | √ | x |
| Checking Agent statistics | √ | √ |
| Associating traces with logs | √ | x |
Note that all four access key operations, including obtaining an access key, are granted only by APM FullAccess: APM ReadOnlyAccess cannot read access keys, so reading APM data does not expose the credentials used by Agents.
Roles/Policies Required by APM Dependency Services
| Console Function | Dependency Service | Policy/Role Required |
|---|---|---|
| Workload and cluster monitoring, and Prometheus for CCE | CCE | To use workload and cluster monitoring and Prometheus for CCE, you need to set the CCE FullAccess and CCE Namespace permissions. |
| Data subscription | DMS for Kafka | To use data subscription, you need to set the DMS ReadOnlyAccess permission. |
| Application monitoring, performance monitoring, open tracing, web monitoring, app monitoring, and alarm rules | APM | To use application monitoring, performance monitoring, open tracing, web monitoring, app monitoring, and alarm rule functions, you need to set the APM FullAccess permission. For details about fine-grained policies, see section "Permissions Management." |
| Enterprise projects | Enterprise Project Management Service (EPS) | To use enterprise projects, you need to set the EPS ReadOnlyAccess permission. For details about the fine-grained policy permissions, see Permissions. |
Identity Policy-based Authorization
APM supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for APM. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
| Identity Policy Name | Description | Type |
|---|---|---|
| APMAdministratorPolicy | Full permissions for APM | System-defined identity policy |
| APMFullPolicy | Full permissions for APM | System-defined identity policy |
| APMReadOnlyPolicy | Read-only permissions for APM | System-defined identity policy |
Table 6 lists the common operations supported by system-defined identity policies for APM.
| Operation | APMAdministratorPolicy | APMFullPolicy | APMReadOnlyPolicy |
|---|---|---|---|
| Querying the alarm list | x | √ | √ |
| Querying alarm details | x | √ | √ |
| Querying alarm notification details | x | √ | √ |
| Obtaining application configuration | x | √ | √ |
| Creating application configuration | √ | √ | x |
| Deleting application configuration | √ | √ | x |
| Modifying application configuration | √ | √ | x |
| Querying a tag | x | √ | √ |
| Adding a tag | √ | √ | x |
| Deleting a tag | √ | √ | x |
| Modifying a tag | √ | √ | x |
| Querying a resource tag | x | √ | √ |
| Adding a resource tag | √ | √ | x |
| Deleting a resource tag | √ | √ | x |
| Modifying a resource tag | √ | √ | x |
| Querying an alarm template | x | √ | √ |
| Adding an alarm template | √ | √ | x |
| Deleting an alarm template | √ | √ | x |
| Modifying an alarm template | √ | √ | x |
| Obtaining a notification | x | √ | √ |
| Deleting a notification | √ | √ | x |
| Adding a notification | √ | √ | x |
| Modifying a notification | √ | √ | x |
| Obtaining URL tracing configuration | x | √ | √ |
| Deleting URL tracing configuration | √ | √ | x |
| Adding a URL for tracing | √ | √ | x |
| Modifying URL tracing configuration | √ | √ | x |
| Querying a URL tracing view | x | √ | √ |
| Obtaining the URL tracing list | x | √ | √ |
| Obtaining the global topology | x | √ | √ |
| Querying a sub-application | x | √ | √ |
| Querying environment configuration | x | √ | √ |
| Adding environment configuration | √ | √ | x |
| Deleting environment configuration | √ | √ | x |
| Modifying environment configuration | √ | √ | x |
| Obtaining an instance | x | √ | √ |
| Deleting an instance | √ | √ | x |
| Modifying an instance | √ | √ | x |
| Querying a monitoring item | x | √ | √ |
| Modifying a monitoring item | √ | √ | x |
| Obtaining collection status | x | √ | √ |
| Obtaining a custom alarm policy | x | √ | √ |
| Deleting a custom alarm policy | √ | √ | x |
| Modifying a custom alarm policy | √ | √ | x |
| Creating a custom alarm policy | √ | √ | x |
| Obtaining the environment topology | x | √ | √ |
| Obtaining a metric view | x | √ | √ |
| Obtaining the trace list | x | √ | √ |
| Obtaining trace details | x | √ | √ |
| Obtaining collector information | x | √ | √ |
| Obtaining an access key | x | √ | x |
| Modifying an access key | √ | √ | x |
| Deleting an access key | √ | √ | x |
| Adding an access key | √ | √ | x |
| Obtaining general configuration | x | √ | √ |
| Modifying general configuration | √ | √ | x |
| Checking Agent statistics | √ | √ | √ |
| Associating traces with logs | √ | √ | x |
As listed here, APMAdministratorPolicy covers the create, modify and delete operations and the Agent statistics check, but none of the query operations, and it does not include obtaining an access key; a user who must both view and manage APM resources needs APMFullPolicy. APMReadOnlyPolicy, like APM ReadOnlyAccess, grants no access key operation at all. Verify the actual action list of each system-defined identity policy in IAM before relying on this table.