Updated on 2025-08-27 GMT+08:00

Permissions Management

If you need to grant your enterprise personnel permission to access your CAE resources, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use CAE resources but do not want them to be able to delete CAE resources or perform any other high-risk operations, you can create IAM users and grant permission to use CAE resources but not permission to delete them.

If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

For more information about IAM, see IAM Service Overview.

CAE Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-east-3) in the specified regions (for example, CN East-Shanghai1), the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.

You can grant permissions by using roles and policies.

  • Roles: IAM's coarse-grained authorization that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.

Table 1 lists all the system-defined permissions for CAE.

Table 1 CAE system permissions

Role/Policy Name

Description

Type

Dependent System Permissions

Service Dependency and Scenario

CAE FullAccess

Full permissions for CAE.

System-defined policy

Must be used together with these permissions:

  • OBS Administrator
  • AOM FullAccess
  • SWR Admin
  • BSS FinanceAccess
  • VPC ReadOnlyAccess
  • ELB FullAccess
  • ServiceStage FullAccess

Full permissions for CAE.

CAE ReadOnlyAccess

Read-only permissions for CAE.

System-defined policy

Must be used together with these permissions:

  • ServiceStage ReadOnlyAccess
  • LTS ReadOnlyAccess
  • obs:bucket:GetBucketLocation
  • obs:bucket:GetBucketStorage
  • obs:bucket:GetBucketStoragePolicy

Read-only permissions for CAE.

Policies are also customizable beyond permissions listed in Table 1 do not meet your requirements, as shown in Table 2.

Table 2 Common operations supported by each system policy

Description

CAE ReadOnlyAccess

CAE FullAccess

Buy a package

x

Create an environment

x

Query all environments

Query environment information

Delete an environment

x

Create an application

x

Query application information

Query all applications

Update application information

x

Delete an application

x

Create a component

x

Query component information

Query component configurations

Query component events

Query all components and instances

View usage data

Modify component configurations

x

Scale, upgrade, roll back, stop, start, restart, and edit components

x

Delete a component

x

Enable certificate configuration

x

View certificate configurations

Modify certificate configurations

x

Disable certificate configuration

x

Configure a domain name

x

View a domain name

Cancel domain name configuration

x

Authorize cloud storage

x

Unbind cloud storage

x

Log in remotely

x

Role/Policy Dependencies of the CAE Console

Table 3 Role/Policy dependencies of the CAE console

Console Function

Dependency

Role/Policy Required

  • Deploy components using OBS software package
  • Authorize and unbind cloud storage

Object Storage Service (OBS)

To use these two functions, an IAM user must be granted: CAE FullAccess and OBS Administrator.

Create an environment

Application Operations Management (AOM)

To create an environment, an IAM user must be granted: CAE FullAccess and AOM FullAccess.

NOTE:

If IAM users are granted the V3 system permission CAE FullAccess for an enterprise project, they cannot use the component event and component log functions. Permissions of CAE that depend on AOM do not support enterprise projects, including aom:alarm:list (querying event alarm information), aom:metric:get (querying metrics), and aom:metric:list (querying time series data).

For details about AOM permissions policies and supported actions, see Actions Supported by Policy-based Authorization.

Component creation, deployment, upgrade, and rollback

Software Repository for Container (SWR)

To perform operations on components, an IAM user must be granted: CAE FullAccess and SWR Admin.

Query and configure public domain names

Domain Name Service (DNS)

To query and configure public domain names, an IAM user must be granted: CAE FullAccess and DNS Administrator.

NOTE:

To grant the DNS Administrator permission, the VPC Administrator and Tenant Guest permissions must be granted. After the DNS Administrator permission is granted, the VPC Administrator and Tenant Guest permissions can be deleted. The deletion does not affect domain name configuration.

Buy a package and make payment

Billing Center (BSS)

To buy a package and make payment, an IAM user must be granted: CAE FullAccess and BSS Finance.

  • Configure a secret
  • Configure environment variables by referring secrets

Data Encryption Workshop (DEW)

To configure secrets and use them to configure environment variables, an IAM user must be granted: CAE FullAccess, KMS CMKFullAccess (all permissions for KMS CMKs), and CSMS ReadonlyAccess (read-only permissions for CSMS).

Customizing Fine-grained Policies

To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CAE as required. Table 4 describes fine-grained permission dependencies of CAE.

On the IAM console, choose Permissions > Policies/Roles > Create Custom Policy > Select service > CAE > Policy Content. Only the permissions (cae:environment:* and cae:application:*) listed in the following table apply to Huawei Cloud regions.

Table 4 Fine-grained permission dependencies of CAE

Permission Name

Description

Permission Dependency

Scenarios (Actions)

cae:environment:create

Create an environment

  • vpc:vpcs:get
  • vpc:vpcs:list
  • vpc:vpcs:create
  • vpc:subnets:get
  • vpc:subnets:create
  • vpc:ports:get
  • vpc:ports:create
  • OBS Administrator
  • AOM FullAccess
  • BSS Finance
  • SWR Admin
  • Create an environment
  • Buy a package
  • Enable certificate configuration
  • Modify certificate configurations
  • Configure a domain name
  • Authorize cloud storage

cae:environment:list

Query all environments

  • obs:bucket:GetBucketLocation
  • obs:bucket:GetBucketStorage
  • obs:bucket:GetBucketStoragePolicy
  • Query an environment
  • View cloud storage authorization

cae:environment:get

Query environment information

None

  • View certificate configurations
  • View a domain name

-

cae:environment:delete

Delete an environment

  • vpc:ports:delete
  • OBS Administrator
  • Delete an environment
  • Disable certificate configuration
  • Cancel domain name configuration
  • Unbind cloud storage

cae:application:create

Create an application

  • rds:instance:list
  • rds:databaseUser:list
  • rds:database:list
  • cse:engine:get
  • cse:engine:list
  • lts:groups:create
  • lts:topics:create
  • lts:*:list
  • lts:*:get
  • OBS Administrator
  • SWR Admin
  • Create an application
  • Create the components
  • Modify component configurations

cae:application:get

Query application information

  • rds:instance:list
  • rds:databaseUser:list
  • rds:database:list
  • cse:engine:get
  • cse:engine:list
  • View application information
  • View component information
  • View component configuration

cae:application:list

Query all applications

None

  • View all applications
  • View usage data
  • View all components and instances
  • View component events

cae:application:modify

Update application information

  • OBS Administrator
  • SWR Admin

Component operations:

  • Scaling
  • Upgrade
  • Rollback
  • Stop
  • Start
  • Restart
  • Modify

cae:application:delete

Delete an application

  • lts:groups:delete
  • lts:topics:delete
  • OBS Administrator
  • Delete an application
  • Delete a component
  • Delete component configuration

cae:application:createConsole

Log in remotely

  • cae:application:delete
  • cae:application:modify
  • cae:application:get

Log in remotely