Updated on 2022-06-10 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CBS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.

You can create IAM users under your Huawei Cloud account, and assign permissions to these users to control their access to specific resource types. For example, some software developers in your enterprise need to use CBS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using CBS resources.

If you do not need to create IAM users for permissions management, skip this chapter.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

CBS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

CBS is a project-level service deployed in specific physical regions. Therefore, CBS permissions are assigned to projects (for example, ap-southeast-1) in specific regions (for example, CN-Hong Kong) and only take effect in these regions. If you want the permissions to take effect in all regions, assign the permissions to projects in each region. When accessing CBS, users need to switch to a region where they have been authorized to use cloud services.

Table 1 lists all system-defined roles supported by CBS. HUAWEI CLOUD services interwork with each other, and roles of some services depend on roles of other services to take effect. When assigning CBS permissions to users, you also need to assign dependent roles for the VPC permissions to take effect.

Table 1 System-defined roles supported by CBS

| Role Name | Description |
|---|---|
| CBS Administrator | CBS administrator with full permissions. |
| CBS Guest | CBS guests, who can call all query and Q&A APIs, access the console, and view statistics. Guests cannot add, delete, or modify Q&A pairs or chatbots. |