Updated on 2024-05-16 GMT+08:00

Permissions Management of CBH Instances

If you need to assign different permissions to employees in your enterprise to access your CBH instances, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your cloud resources.

With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can create IAM users for the software developers and assign specific permissions to allow them to only use CBH instances but not to create, change specifications of, or upgrade CBH instances.

If your account does not need individual IAM users for permissions management, then you may skip over this section.

IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

CBH Instance Permissions

By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.

CBH is a project-level service deployed and accessed in specific physical regions. To assign CBH permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing a CBH instance, users need to switch to a region where they have been authorized to use the CBH instance.

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Only a limited number of service-level roles for authorization are available. You also need to assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CBH users only the permissions for managing a certain type of resources. For details about the actions supported by CBH, see Permissions and Supported Actions.

Table 1 lists all the system-defined roles and policies supported by CBH instances.

Table 1 System permissions for CBH instances

| Role/Policy Name | Description | Type | Dependency |
| --- | --- | --- | --- |
| CBH FullAccess | All permissions (except the payment permission) on CBH instances | System-defined policy | None |
| CBH ReadOnlyAccess | Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but not configure services. | System-defined policy | None |

To use all CBH functions on the CBH console, you need to have the CBH FullAccess role assigned at the enterprise project level and the CBH ReadOnlyAccess role assigned at the IAM project level.

Table 2 lists the common operations for each system-defined policy or role of CBH instances. Select the policies or roles as required.

Table 2 Common operations for each system-defined policy or role of CBH

| Operation | CBH FullAccess | CBH ReadOnlyAccess |
| --- | --- | --- |
| Creating a CBH instance | √ | x |
| Changing CBH instance specifications (changing specifications) | √ | x |
| Querying the CBH instance list | √ | √ |
| Upgrading the CBH system version | √ | x |
| Querying total ECS quota | √ | x |
| Binding or unbinding an EIP | √ | x |
| Restarting a CBH instance | √ | x |
| Starting a CBH instance | √ | x |
| Stopping a CBH instance | √ | x |
| Querying the AZ of a CBH instance | √ | x |
| Checking whether an IPv6 CBH instance can be created | √ | x |
| Checking network connection between the CBH instance and the license center | √ | x |
| Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center | √ | x |

CBH FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cbh:*:*",
                "vpc:subnets:get",
                "vpc:publicIps:list",
                "vpc:vpcs:list",
                "vpc:securityGroups:get",
                "vpc:firewallGroups:get",
                "vpc:firewallPolicies:get",
                "vpc:firewallRules:get",
                "vpc:ports:get",
                "vpc:publicips:update",
                "vpc:securityGroups:create",
                "vpc:firewallRules:create",
                "vpc:firewallPolicies:addRule",
                "ecs:cloudServerFlavors:get",
                "evs:types:get"
            ]
        }
    ]
}

CBH ReadOnlyAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cbh:*:list*",
                "vpc:publicIps:list",
                "vpc:vpcs:list",
                "vpc:securityGroups:get",
                "vpc:subnets:get"
            ]
        }
    ]
}
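
The following is an added example, not part of the original documentation or of any Huawei Cloud tooling: a small least-privilege review of the two policy bodies above that lists wildcard grants and non-read actions granted outside the cbh service. It assumes that "*" in an action behaves as a case-sensitive glob and that operations starting with "get" or "list" are read-only; the function names are this example's own.

```python
import json
from fnmatch import fnmatchcase

# Policy bodies as listed on this page, compacted to fit.
FULL_ACCESS = json.loads('''{"Version": "1.1", "Statement": [{"Effect": "Allow",
  "Action": ["cbh:*:*", "vpc:subnets:get", "vpc:publicIps:list", "vpc:vpcs:list",
  "vpc:securityGroups:get", "vpc:firewallGroups:get", "vpc:firewallPolicies:get",
  "vpc:firewallRules:get", "vpc:ports:get", "vpc:publicips:update",
  "vpc:securityGroups:create", "vpc:firewallRules:create",
  "vpc:firewallPolicies:addRule", "ecs:cloudServerFlavors:get", "evs:types:get"]}]}''')
READ_ONLY = json.loads('''{"Version": "1.1", "Statement": [{"Effect": "Allow",
  "Action": ["cbh:*:list*", "vpc:publicIps:list", "vpc:vpcs:list",
  "vpc:securityGroups:get", "vpc:subnets:get"]}]}''')

READ_VERBS = ("get", "list")  # assumption: these operation prefixes are read-only


def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow" for a in s["Action"]]


def is_allowed(policy, action):
    """True if any Allow pattern matches; '*' is treated as a glob (assumption)."""
    return any(fnmatchcase(action, p) for p in allowed_patterns(policy))


def audit(policy):
    """Return (wildcard grants, non-read grants on services other than cbh)."""
    wildcards, foreign_writes = [], []
    for pattern in allowed_patterns(policy):
        service, _resource, operation = pattern.split(":")
        if "*" in pattern:
            wildcards.append(pattern)
        if service != "cbh" and not operation.startswith(READ_VERBS):
            foreign_writes.append(pattern)
    return wildcards, foreign_writes


def not_covered(policy, baseline):
    """Concrete (non-wildcard) actions in policy that baseline does not allow."""
    return [a for a in allowed_patterns(policy) if "*" not in a and not is_allowed(baseline, a)]


if __name__ == "__main__":
    for name, policy in (("CBH FullAccess", FULL_ACCESS), ("CBH ReadOnlyAccess", READ_ONLY)):
        print(name, "->", audit(policy))
    print("FullAccess only:", not_covered(FULL_ACCESS, READ_ONLY))
```

The output shows that CBH FullAccess, in addition to every cbh action, allows four VPC actions that change network configuration (updating public IPs, creating security groups and firewall rules, adding firewall policy rules), while CBH ReadOnlyAccess grants no non-read action outside cbh.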