Permissions Management

If you need to assign different permissions to personnel in your enterprise to access your CFW resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your Huawei Cloud resources. If your Huawei Cloud account works well for you and you do not need an IAM account to manage user permissions, then you may skip over this chapter.

IAM is free of charge. You pay only for the resources in your account.

With IAM, you can control the access to Huawei Cloud resources through authorization. For example, if you want some software developers in your enterprise to use CFW resources but do not want them to delete CFW instances or perform any other high-risk operations, you can create IAM users and grant permission to use CFW instances but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

**Table 1** Differences between role/policy-based and identity policy-based authorization
Authorization Model	Core Relationship	Permission	Authorization Method	Description
Role/Policy-based authorization	User-permission-authorization scope	System-defined role System-defined policy Custom policy	Assigning roles or policies to principals	To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.
Identity policy-based authorization	User-policy	System-defined policy Custom identity policy	Assigning identity policies to principals Attaching identity policies to principals	You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users the permissions needed to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.

Policies/Identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. Role/Policy-based Permissions Management and Identity Policy-based Permissions Management describe the system permissions of the two models.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

CFW supports role/policy-based authorization. By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.

CFW is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing CFW, the users need to switch to a region where they have been authorized to use cloud services.

Table 1 lists all system permissions of CFW. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

**Table 2** System-defined permissions supported by CFW
Role/Policy Name	Description	Category	Dependency
CFW FullAccess	All permissions for CFW	System-defined policy	None
CFW ReadOnlyAccess	Read-only permissions for CFW	System-defined policy	None

Table 3 describes the common operations supported by each system-defined permission of CFW. Select the permissions as needed.

**Table 3** Common operations supported by each system policy
Operation	CFW FullAccess	CFW ReadOnlyAccess
Changing the firewall name	√	×
Viewing firewall information	√	√
Viewing EIPs	√	√
Synchronizing EIPs	√	√
Enabling or disabling EIP protection	√	×
Viewing a VPC border firewall	√	√
Enabling or disabling VPC border firewall	√	×
Adding a protected VPC	√	×
Deleting a protected VPC	√	×
Editing a protected VPC	√	×
Viewing the ACL rule list	√	√
Creating an ACL rule	√	×
Importing ACL rules	√	×
Exporting ACL rules	√	×
Modifying an ACL rule	√	×
Enabling or disabling an ACL rule	√	×
Viewing the blacklist and whitelist	√	√
Creating a blacklist or whitelist	√	×
Modifying a blacklist or whitelist	√	×
Querying IP address groups	√	√
Viewing the details of an IP address group	√	√
Creating an IP address group	√	×
Modifying an address group	√	×
Deleting an IP address group	√	×
Querying the service group list	√	√
Viewing the details about a service group	√	√
Creating a service group	√	×
Modifying a service group	√	×
Deleting a service group	√	×
Viewing the list of domain name groups	√	√
Viewing the details about a domain name group	√	√
Creating a domain name group	√	×
Modifying a domain name group	√	×
Deleting a domain name group	√	×
Changing the protection mode	√	√
Viewing basic IPS defense rules	√	√
Viewing custom IPS signatures	√	×
Enabling/Disabling the virtual patch	√	×
Switching the current IPS action	√	×
Editing a custom IPS signature	√	×
Copying custom IPS signature	√	×
Deleting a custom IPS signature	√	×
Viewing the advanced IPS rules	√	√
Modifying an advanced IPS rule	√	×
Viewing Internet access analysis	√	√
Viewing proactive external access analysis	√	√
Viewing inter-VPC access analysis	√	√
Querying attack logs	√	√
Querying access control logs	√	√
Querying traffic logs	√	√
Modifying LTS log synchronization settings	√	×
Modifying the alarm notification status	√	×
Marking an alarm notification group	√	×
Viewing the packet capture task list	√	√
Viewing the result of a packet capture task	√	√
Creating a packet capture task	√	×
Deleting a packet capture task	√	×
Stopping a packet capture task	√	×
Copying a packet capture task	√	×
Viewing the account list	√	√
Adding an account	√	×
Deleting an account	√	×
Checking the DNS configuration	√	√
Modifying the DNS configuration	√	×
Querying the antivirus status	√	√
Changing the antivirus status	√	×
Querying the status of an antivirus rule	√	√
Modifying the status of an antivirus rule	√	×

Roles or policies required for operations on the CFW console

Certain CFW functions depend on cloud services such as Elastic Cloud Server (ECS) and Virtual Private Cloud (VPC). Some functions of these cloud services do not support enterprise projects, so some permissions may become invalid after the CFW FullAccess and CFW ReadOnlyAccess system policies are granted to enterprise projects.

To avoid this problem, log in to your Huawei Cloud account to create two system policies. For details, see Creating Custom Policies.

For the cloud services that CFW depends on, if they do not support enterprise projects, add the following content to grant permissions to them. For Log Tank Service (LTS), grant all permissions to it on the CFW page.

      
       
         
         
           {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:quotas:list",
                "vpc:publicipTags:get"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:availabilityZones:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lts:groups:list",
                "lts:groups:get",
            ]
        }
    ]
}

          

        

      
     

CFW depends on the following global service permissions:

      
       
         
         
           {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eps:resources:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tms:predefineTags:list"
            ]
        }
    ]
}

          

        

      
     

Identity Policy-based Permissions Management

CFW supports identity policy-based authorization. Table 1 lists all the system-defined identity policies for CFW. System-defined identity policies in identity policy-based authorization and role/policy-based authorization are not interoperable.

**Table 4** System-defined identity policies for CFW
Policy Name	Description	Role Type
CFWFullAccessPolicy	All permissions for CFW	System-defined identity policy
CFWReadOnlyPolicy	Read-only permissions for CFW	System-defined identity policy
CFWServiceLinkedAgencyPolicy	Permissions of service-linked agencies for CFW across accounts.	System-defined identity policy

Table 5 describes the common operations supported by system-defined identity policies of CFW.

**Table 5** Common operations supported by system-defined identity policies
Operation	CFWFullAccessPolicy	CFWReadOnlyPolicy	CFWServiceLinkedAgencyPolicy
Changing the firewall name	√	×	×
Viewing firewall information	√	√	×
Viewing EIPs	√	√	×
Synchronizing EIPs	√	√	×
Enabling or disabling EIP protection	√	×	×
Viewing a VPC border firewall	√	√	×
Enabling or disabling VPC border firewall	√	×	×
Adding a protected VPC	√	×	×
Deleting a protected VPC	√	×	×
Editing a protected VPC	√	×	×
Viewing the ACL rule list	√	√	×
Creating an ACL rule	√	×	×
Importing ACL rules	√	×	×
Exporting ACL rules	√	×	×
Modifying an ACL rule	√	×	×
Enabling or disabling an ACL rule	√	×	×
Viewing the blacklist and whitelist	√	√	×
Creating a blacklist or whitelist	√	×	×
Modifying a blacklist or whitelist	√	×	×
Querying IP address groups	√	√	×
Viewing the details of an IP address group	√	√	×
Creating an IP address group	√	×	×
Modifying an address group	√	×	×
Deleting an IP address group	√	×	×
Querying the service group list	√	√	×
Viewing the details about a service group	√	√	×
Creating a service group	√	×	×
Modifying a service group	√	×	×
Deleting a service group	√	×	×
Viewing the list of domain name groups	√	√	×
Viewing the details about a domain name group	√	√	×
Creating a domain name group	√	×	×
Modifying a domain name group	√	×	×
Deleting a domain name group	√	×	×
Changing the protection mode	√	√	×
Viewing basic IPS defense rules	√	√	×
Viewing custom IPS signatures	√	×	×
Enabling/Disabling the virtual patch	√	×	×
Switching the current IPS action	√	×	×
Editing a custom IPS signature	√	×	×
Copying custom IPS signature	√	×	×
Deleting a custom IPS signature	√	×	×
Viewing the advanced IPS rules	√	√	×
Modifying an advanced IPS rule	√	×	×
Viewing Internet access analysis	√	√	×
Viewing proactive external access analysis	√	√	×
Viewing inter-VPC access analysis	√	√	×
Querying attack logs	√	√	×
Querying access control logs	√	√	×
Querying traffic logs	√	√	×
Modifying LTS log synchronization settings	√	×	×
Modifying the alarm notification status	√	×	×
Marking an alarm notification group	√	×	×
Viewing the packet capture task list	√	√	×
Viewing the result of a packet capture task	√	√	×
Creating a packet capture task	√	×	×
Deleting a packet capture task	√	×	×
Stopping a packet capture task	√	×	×
Copying a packet capture task	√	×	×
Viewing the account list	√	√	×
Adding an account	√	×	×
Deleting an account	√	×	×
Checking the DNS configuration	√	√	×
Modifying the DNS configuration	√	×	×
Querying the antivirus status	√	√	×
Changing the antivirus status	√	×	×
Querying the status of an antivirus rule	√	√	×
Modifying the status of an antivirus rule	√	×	×

Identity Policies Required for Operations on the CFW Console

Therefore, you need to create two system identity policies using your Huawei Cloud account. For details, see Creating a Custom Identity Policy.

      
       
         
         
           {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:quotas:list",
                "vpc:publicipTags:get"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:availabilityZones:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lts:groups:list",
                "lts:groups:get",
            ]
        }
    ]
}

          

        

      
     

CFW depends on the following global service permissions:

      
       
         
         
           {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eps:resources:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tms:predefineTags:list"
            ]
        }
    ]
}

          

        

      
     