Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CCM resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access CCM but not to delete CCM or its resources, then you can create an IAM policy to assign the developers the permission to access CCM but prevent them from deleting CCM related data.

If your Huawei Cloud account does not need individual IAM users for permissions management, you may skip over this topic.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see What Is IAM.

CCM Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

CCM is a global service deployed for all physical regions. Therefore, CCM permissions are assigned to users in the Global project, and the users do not need to switch regions when accessing CCM.

You can grant users permissions by using roles and policies.

Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. This mechanism provides a limited number of service-level roles for authorization. If one role has a dependency role required for accessing CCM, assign both roles to the users. Roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CCM users the permissions to manage only a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by CCM, see Permissions Policies and Supported Actions.

Table 1 lists the system-defined roles of CCM.

**Table 1** System role supported by CCM
Role/Policy	Description	Type	Dependency
SCM Administrator	SCM administrator permissions. Users with SCM administrator permissions have all the permissions for the SCM service.	System-defined policy	The Server Administrator and Tenant Guest roles need to be assigned in the same project. BSS Administrator role is required for purchasing a certificate. BSS Administrator: a system role, which is the administrator of the billing center (BSS) and has all permissions for the service. WAF FullAccess: system policy, which is the Web Application Firewall (WAF) administrator. ELB FullAccess: a system policy that has all permissions for Elastic Load Balance (ELB). CDN FullAccess: a system policy that has the permission to operate all fine-grained authentication interfaces of the Content Delivery Network (CDN). EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator. DNS FullAccess: a system policy that has all permissions for Domain Name Service (DNS), including creating, deleting, querying, and modifying DNS resources.
SCM FullAccess	All permissions for SCM	System-defined policy	BSS Administrator role is required for purchasing a certificate. BSS Administrator: a system role, which is the administrator of the billing center (BSS) and has all permissions for the service. WAF FullAccess: system policy, which is the WAF administrator. ELB FullAccess: a system policy that has all permissions for Elastic Load Balance (ELB). CDN FullAccess: a system policy that has the permission to operate all fine-grained authentication interfaces of the Content Delivery Network (CDN). EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator. DNS FullAccess: a system policy that has all permissions for Domain Name Service (DNS), including creating, deleting, querying, and modifying DNS resources.
SCM ReadOnlyAccess	Read-only permission for SCM. Users with the read-only permission can only query certificate information but cannot add, delete, or modify certificates.	System-defined policy	None.
PCA FullAccess	All permissions for PCA	System policy	BSS Administrator role is required for creating a private CA or private certificate. EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator.

Table 2 lists the common operations supported by each system-defined policy of SCM. Select the proper system-defined policies as required.

To purchase a certificate, your account must have the BSS Administrator permission in addition to the SCM Administrator or SCM FullAccess permission.

BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.

**Table 2** Common operations for each system-defined policy or role of SCM
Operation	SCM Administrator	SCM FullAccess	SCM ReadOnlyAccess
Querying the SSL certificate list	√	√	√
Querying the details of an SSL certificate	√	√	√
Querying the SSL certificate type	√	√	√
Querying details about SSL certificates of CAs	√	√	√
Withdrawing an SSL certificate application	√	√	x
Purchasing an SSL certificate	√	√	x
Applying for an SSL certificate	√	√	x
Restoring the information provided when applying for an SSL certificate	√	√	x
Obtaining the information provided when applying for an SSL certificates	√	√	√
Modifying an SSL certificate	√	√	x
Deleting an SSL certificate	√	√	x
Downloading an SSL certificate	√	√	x
Uploading authentication information	√	√	x
Revoking an SSL certificate	√	√	x
Pushing an SSL certificate to other services	√	√	x
Querying the record of SSL certificates pushed to other services	√	√	√
Uploading an SSL certificate	√	√	x
Verifying a CSR	√	√	x
Adding an additional domain name	√	√	x
Canceling privacy authorization	√	√	x
Reissuing an SSL certificate	√	√	x
Unsubscribing from an SSL certificate	√	√	x

Helpful Links

Previous topic: PCA-related Concepts

Next topic: Related Services

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot