Permissions

If you need to grant your enterprise personnel permission to access your CloudPond resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloudcloud service resources. If your Huawei Cloudcloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloudcloud service resources. For example, if you want some software developers in your enterprise to be able to use CloudPond resources but do not want them to be able to delete CloudPond resources or perform any other high-risk operations, you can create IAM users and grant permission to use CloudPond resources but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

**Table 1** Differences between role/policy-based and identity policy-based authorization
Authorization Model	Core Relationship	Permissions	Authorization Method	Scenario
Role/Policy	User-permission-authorization scope	System-defined roles System-defined policies Custom policies	Assigning roles or policies to principals	To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.
Identity policy	User-policy	System-defined identity policies Custom identity policies	Assigning identity policies to principals Attaching identity policies to principals	You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attaches the policy to the users or grants the users access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Authorization

CloudPond supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CloudPond is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access CloudPond in all regions.

Table 2 lists all the system-defined permissions for CloudPond. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

**Table 2** System-defined permissions for CloudPond
Role/Policy Name	Description	Type	Dependencies
IES FullAccess	Administrator permissions for CloudPond. Users with these permissions can perform all operations on CloudPond.	System-defined policy	None
IES ReadOnlyAccess	Read-only permissions for CloudPond. Users with these permissions can only view CloudPond data.	System-defined policy	None

Table 3 lists the common operations supported by system-defined permissions for CloudPond.

**Table 3** Common operations supported by system-defined permissions for CloudPond
Operation	IES FullAccess	IES ReadOnlyAccess
Registering an edge site	√	x
Listing edge sites	√	√
Querying details about an edge site	√	√
Updating an edge site	√	x
Deleting an edge site	√	x
Buying edge site resources	√	x

Identity Policy-based Authorization

CloudPond supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for CloudPond. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

**Table 4** System-defined identity policies for CloudPond
Identity Policy Name	Description	Type
IESFullAccessPolicy	Full permissions for CloudPond	System-defined identity policy
IESReadOnlyPolicy	Read-only permissions for CloudPond	System-defined identity policy

Table 5 lists the common operations supported by system-defined identity policies for CloudPond.

**Table 5** Common operations supported by system-defined identity policies
Operation	IESFullAccessPolicy	IESReadOnlyPolicy
Registering an edge site	√	x
Listing edge sites	√	√
Querying details about an edge site Updating an edge site Deleting an edge site	√ √ √	√ x x
Buying edge site resources	√	x