Permissions Management
If you need to assign different permissions to employees in your enterprise to access your COC resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use COC resources but do not want them to delete COC resources or perform any other high-risk operations, you can grant the permission to use COC resources but not the permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between the two authorization models.
|
Authorization Model |
Core Relationship |
Permission |
Authorization Method |
Application Scenario |
|---|---|---|---|---|
|
Role/Policy-based authorization |
User-permissions-authorization scope |
|
Granting roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy-based authorization |
Policies |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou . With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies/Identity policies and actions in the two authorization scenarios are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions in the two authorization models, see Policies/Roles Permission Management and Identity Policy-based Authorization.
For details about IAM, see What Is IAM?
Policies/Roles Permission Management
COC supports authorization with roles and policies. By default, new IAM users do not have any permissions assigned. You need to add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
COC is a global service deployed and accessed without specifying any physical region. When the authorization scope is set to Global services, you have the permission to access COC resources in all regions.
Table 2 lists all the system-defined permissions for COC. System-defined policies and system-defined identity policies in the two authorization models are not interoperable.
|
System-defined Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
COC ReadOnlyAccess |
Read-only permissions of COC |
System-defined policies |
None |
|
COC FullAccess |
Administrator permissions of COC |
System-defined policies |
None |
Table 3 lists the common operations and permissions supported by each system-defined policy of COC.
|
Operation |
COC ReadOnlyAccess |
COC FullAccess |
|---|---|---|
|
Viewing to-do tasks |
√ |
√ |
|
Creating and handling to-do tasks |
x |
√ |
|
Viewing the resource list |
√ |
√ |
|
Managing resources |
x |
√ |
|
Viewing the script list |
√ |
√ |
|
Adding, deleting, modifying, and executing scripts |
x |
√ |
|
Viewing the job list |
√ |
√ |
|
Adding, deleting, modifying, and executing jobs |
x |
√ |
|
Performing operations on ECSs |
x |
√ |
|
Viewing scheduled O&M tasks |
√ |
√ |
|
Adding, deleting, modifying, and executing scheduled O&M tasks |
x |
√ |
|
Viewing the parameter center |
√ |
√ |
|
Adding, deleting, and modifying parameters |
x |
√ |
|
Viewing incident tickets |
√ |
√ |
|
Creating and handling incidents |
x |
√ |
|
Viewing alarm records |
√ |
√ |
|
Handling alarms |
x |
√ |
|
View chaos drill plans |
√ |
√ |
|
Executing drill tasks |
x |
√ |
|
Viewing shift schedules |
√ |
√ |
|
Creating a shift schedule |
x |
√ |
|
Viewing account baselines |
√ |
√ |
|
Creating account baselines |
x |
√ |
Identity Policy-based Authorization
COC supports authorization with identity policies. Table 4 lists all the system-defined identity policies for COC. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Identity Policy Name |
Description |
Type |
|---|---|---|
|
COCReadOnlyPolicy |
Read-only permissions of COC |
System-defined identity policies |
|
COCFullAccessPolicy |
Administrator permissions of COC |
System-defined identity policies |
Table 5 lists the common operations supported by system-defined identity policies of COC.
|
Operation |
COCReadOnlyAccess |
COCFullAccessPolicy |
|---|---|---|
|
Viewing to-do tasks |
√ |
√ |
|
Creating and handling to-do tasks |
x |
√ |
|
Viewing the resource list |
√ |
√ |
|
Managing resources |
x |
√ |
|
Viewing the script list |
√ |
√ |
|
Adding, deleting, modifying, and executing scripts |
x |
√ |
|
Viewing the job list |
√ |
√ |
|
Adding, deleting, modifying, and executing jobs |
x |
√ |
|
Performing operations on ECSs |
x |
√ |
|
Viewing scheduled O&M tasks |
√ |
√ |
|
Adding, deleting, modifying, and executing scheduled O&M tasks |
x |
√ |
|
Viewing the parameter center |
√ |
√ |
|
Adding, deleting, and modifying parameters |
x |
√ |
|
Viewing incident tickets |
√ |
√ |
|
Creating and handling incidents |
x |
√ |
|
Viewing alarm records |
√ |
√ |
|
Handling alarms |
x |
√ |
|
View chaos drill plans |
√ |
√ |
|
Executing drill tasks |
x |
√ |
|
Viewing shift schedules |
√ |
√ |
|
Creating a shift schedule |
x |
√ |
|
Viewing account baselines |
√ |
√ |
|
Creating account baselines |
x |
√ |
Identity Policies On Which the COC Console Depends
|
Console Function |
Dependent Cloud Service/Resource |
Identity Policy Required |
|---|---|---|
|
Executing the script |
ECS |
After an IAM user is assigned the COCFullAccessPolicy permission, the user needs to be assigned the ECSFullPolicy permission to execute scripts on ECSs. |
|
Executing a Job |
ECS |
After an IAM user is assigned the COCFullAccessPolicy permission, the user needs to be assigned the ECSFullPolicy permission to execute jobs on ECSs. |
|
Performing operations on ECSs |
ECS |
After an IAM user is assigned the COCFullAccessPolicy permission, the user needs to be assigned the ECSFullPolicy permission to execute operations on ECSs. |
|
Executing scheduled O&M tasks |
ECS |
After an IAM user is assigned the COCFullAccessPolicy permission, the user needs to be assigned the ECSFullPolicy permission to execute scheduled O&M tasks on ECSs. |
Related Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
