Permissions Management

If you need to grant your enterprise personnel permission to access your CAE resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud cloud resources.

With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use CAE resources but do not want them to be able to delete CAE resources or perform any other high-risk operations, you can create IAM users and grant permission to use CAE resources but not permission to delete them.

If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

For more information about IAM, see the IAM Service Overview.

CAE Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-east-3) in the specified regions (for example, CN East-Shanghai1), the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.

You can grant permissions by using roles and policies.

Roles: IAM's coarse-grained authorization that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.

Table 1 lists all the system-defined permissions for CAE.

**Table 1** CAE system permissions
Role/Policy Name	Description	Type	Dependent System Permissions	Service Dependency and Scenario
CAE FullAccess	Full permissions for CAE.	System-defined policy	Must be used together with these permissions: OBS Administrator AOM FullAccess SWR Admin BSS Finance VPC ReadOnlyAccess ServiceStage ReadOnlyAccess ELB ReadOnlyAccess	Full permissions for CAE.
CAE ReadOnlyAccess	Read-only permissions for CAE.	System-defined policy	Must be used together with these permissions: ServiceStage ReadOnlyAccess LTS ReadOnlyAccess obs:bucket:GetBucketLocation obs:bucket:GetBucketStorage obs:bucket:GetBucketStoragePolicy	Read-only permissions for CAE.
OBS Administrator	OBS administrator.	System-defined policy	None	Component deployment using OBS software package and cloud storage authorization unbinding
AOM FullAccess	Full permissions for AOM.	System-defined policy	None	CAE environment creation
SWR Admin	SWR administrator, who has full permissions for this service.	System-defined role	None	Component creation, deployment, upgrade, and rollback
DNS Administrator	DNS administrator, who has full permissions for this service.	System-defined role	VPC Administrator Tenant Guest	Domain name query and configuration. This permission allows deletion of VPC Administrator and Tenant Guest roles. Deleting these two roles does not affect domain name configuration.
BSS Finance	Financial administrator of the Billing Center, who has full permissions for financial operations.	System-defined role	None	Package purchase and payment
KMS CMKFullAccess	All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.	System-defined role	None	Permission to access the credential information in Cloud Secret Management Service (CSMS) for credential reference by CAE environment variables
CSMS ReadonlyAccess	Read-only permissions for Cloud Secret Management Service (CSMS) in DEW. Users with these permissions can perform all the operations allowed by policies.	System-defined role	None	Permission to access the credential information in Cloud Secret Management Service (CSMS) for CAE credential configuration

Policies are also customizable beyond permissions listed in Table 1 do not meet your requirements, as shown in Table 2.

**Table 2** Common operations supported by each system policy
Description	CAE ReadOnlyAccess	CAE FullAccess
Buy a package	x	√
Create an environment	x	√
Query all environments	√	√
Query environment information	√	√
Delete an environment	x	√
Create an application	x	√
Query application information	√	√
Query all applications	√	√
Update application information	x	√
Delete an application	x	√
Create a component	x	√
Query component information	√	√
Query component configurations	√	√
Query component events	√	√
Query all components and instances	√	√
View usage data	√	√
Modify component configurations	x	√
Scale, upgrade, roll back, stop, start, restart, and edit components	x	√
Delete a component	x	√
Deploy a demo with a few clicks	x	√
Enable certificate configuration	x	√
View certificate configurations	√	√
Modify certificate configurations	x	√
Disable certificate configuration	x	√
Configure a domain name	x	√
View a domain name	√	√
Cancel domain name configuration	x	√
Authorize cloud storage	x	√
Unbind cloud storage	x	√
Log in remotely	x	√

To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CAE as required. Table 3 describes fine-grained permission dependencies of CAE.

**Table 3** Fine-grained permission dependencies of CAE
Permission Name	Description	Permission Dependency	Scenarios (Actions)
cae:environment:create	Create an environment	vpc:vpcs:get vpc:vpcs:list vpc:vpcs:create vpc:subnets:get vpc:subnets:create vpc:ports:get vpc:ports:create OBS Administrator AOM FullAccess BSS Finance SWR Admin	Create an environment Buy a package Enable certificate configuration Modify certificate configurations Configure a domain name Authorize cloud storage
cae:environment:list	Query all environments	obs:bucket:GetBucketLocation obs:bucket:GetBucketStorage obs:bucket:GetBucketStoragePolicy	Query an environment View cloud storage authorization
cae:environment:get	Query environment information	None	View certificate configurations View a domain name
cae:environment:delete	Delete an environment	vpc:ports:delete OBS Administrator	Delete an environment Disable certificate configuration Cancel domain name configuration Unbind cloud storage
cae:application:create	Create an application	rds:instance:list rds:databaseUser:list rds:database:list cse:engine:get cse:engine:list lts:groups:create lts:topics:create lts::list lts::get OBS Administrator SWR Admin	Create an application Create the components Modify component configurations Deploy a demo with a few clicks
cae:application:get	Query application information	rds:instance:list rds:databaseUser:list rds:database:list cse:engine:get cse:engine:list	View application information View component information View component configuration
cae:application:list	Query all applications	None	View all applications View usage data View all components and instances View component events
cae:application:modify	Update application information	OBS Administrator SWR Admin	Component operations: Scaling Upgrade Rollback Stop Start Restart Modify
cae:application:delete	Delete an application	lts:groups:delete lts:topics:delete OBS Administrator	Delete an application Delete a component Delete component configuration
cae:application:createConsole	Log in remotely	cae:application:delete cae:application:modify cae:application:get	Log in remotely