Updated on 2025-08-11 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your Huawei Cloud Astro Zero resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, if you want your software developers to use Huawei Cloud Astro Zero resources but not delete them or perform any high-risk operations, you can create IAM users for these software developers and assign them only the permissions required for using Huawei Cloud Astro Zero resources.

If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.

IAM is free of charge. You pay only for the resources you use. For more information about IAM, see What Is IAM.

Huawei Cloud Astro Zero Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to user groups and attach policies or roles to these groups. The users then inherit permissions from their user groups and can perform specified operations on cloud services based on those permissions.

Huawei Cloud Astro Zero is a project-level service deployed in specific physical regions. When assigning permissions, set the scope to regional-level projects and set permissions in the project corresponding to the specified region (for example, the cn-north-4 project for the CN North-Beijing4 region). The permissions take effect only for this project. If you set permissions for All projects, the permissions will take effect for all region-specific projects. When accessing Huawei Cloud Astro Zero, switch to the region where you are authorized.

You can assign permissions by using roles and policies.

  • Roles: A coarse-grained authorization that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

Table 1 lists all system permissions of Huawei Cloud Astro Zero.

Table 1 System permissions

| Role/Policy | Description | Type | Dependency |
|---|---|---|---|
| Astro Zero Instance ManageAccess | Subscribe, unsubscribe, view, and upgrade Huawei Cloud Astro Zero instances. | System policy | None |
| Astro Zero Instance ViewAccess | View Huawei Cloud Astro Zero instances only; cannot unsubscribe or upgrade them. If you cannot view the Huawei Cloud Astro Zero instances after logging in to the Huawei Cloud Astro Zero console as an IAM user, perform either of the following operations: • Add the Astro Zero Instance ViewAccess permission to the user group to which the IAM user belongs. • Do not add the IAM user to any user group. | System policy | None |
| Astro Zero IAM User QueryAccess | Only a Huawei Cloud account or an IAM user with the Astro Zero IAM User QueryAccess permission can create a Huawei Cloud Astro Zero developer account. | System policy | None |

Table 2 lists the common operations supported by each Huawei Cloud Astro Zero system policy. Select the policies as required.

Table 2 Common operations supported by each system policy

| Operation | Astro Zero Instance ManageAccess | Astro Zero Instance ViewAccess | Astro Zero IAM User QueryAccess |
|---|---|---|---|
| Checking Huawei Cloud Astro Zero instance list and details | √ | √ | x |
| Subscribing to Huawei Cloud Astro Zero instances | √ | x | x |
| Unsubscribing from Huawei Cloud Astro Zero instances | √ | x | x |
| Changing the specifications of Huawei Cloud Astro Zero instances | √ | x | x |
| Modifying Huawei Cloud Astro Zero instance details | √ | x | x |
| Creating a Huawei Cloud Astro Zero developer account | x | x | √ In addition to this permission, select user management and user permissions in the profile. |
| Querying Huawei Cloud Astro Zero IAM users | x | x | √ |

In addition to IAM's authentication and authorization, Huawei Cloud Astro Zero provides user management and permission configurations (profiles) to manage users, including portal users, and control their operational permissions.
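The group inheritance, project scope, and Table 2 rules described above can be checked together in a small least-privilege audit. This is an added example, not Huawei Cloud code or an IAM API: the inventory layout, group and user names, operation labels, and the `CHANGE_OPS` set are assumptions made for illustration.

```python
# Added example; the inventory layout and operation labels are constructed,
# not an IAM API response.
ALL = "All projects"

# Operations each system policy supports, as listed in Table 2.
POLICY_OPS = {
    "Astro Zero Instance ManageAccess": {"view", "subscribe", "unsubscribe",
                                         "change_specs", "modify_details"},
    "Astro Zero Instance ViewAccess": {"view"},
    "Astro Zero IAM User QueryAccess": {"create_developer_account",
                                        "query_iam_users"},
}
# Assumption: these are the operations only approved admins should hold.
CHANGE_OPS = POLICY_OPS["Astro Zero Instance ManageAccess"] - {"view"}

# Constructed sample data: group -> [(policy, scope)], user -> [groups].
GROUP_GRANTS = {
    "astro-admins": [("Astro Zero Instance ManageAccess", "cn-north-4")],
    "astro-devs": [("Astro Zero Instance ViewAccess", "cn-north-4")],
    "legacy-ops": [("Astro Zero Instance ManageAccess", ALL)],
}
USER_GROUPS = {"alice": ["astro-admins"], "bob": ["astro-devs"],
               "carol": ["astro-devs", "legacy-ops"]}

def effective_ops(user, project):
    """Union of operations the user inherits from its groups in `project`."""
    ops = set()
    for group in USER_GROUPS.get(user, []):
        for policy, scope in GROUP_GRANTS.get(group, []):
            # A grant applies in its own project, or in every regional
            # project when it was set for "All projects".
            if scope in (project, ALL):
                ops |= POLICY_OPS[policy]
    return ops

def audit(project, approved_admins):
    """Return {user: [findings]} for least-privilege issues in `project`."""
    findings = {}
    for user, groups in USER_GROUPS.items():
        notes = []
        if effective_ops(user, project) & CHANGE_OPS and user not in approved_admins:
            notes.append("instance-changing operations outside approved admins")
        for group in groups:
            if any(scope == ALL for _, scope in GROUP_GRANTS.get(group, [])):
                notes.append(f"group {group} is granted for All projects")
        if notes:
            findings[user] = notes
    return findings

if __name__ == "__main__":
    print(audit("cn-north-4", {"alice"}))
```
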