Permissions
If you need to grant your enterprise personnel permission to access your CodeArts PerfTest resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to be able to use CodeArts PerfTest resources but do not want them to be able to delete resources or perform any other high-risk operations, you can create IAM users and grant permission to use CodeArts PerfTest resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | | | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
CodeArts PerfTest supports system role-based authorization but does not support system policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
CodeArts PerfTest is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select projects (for example, ap-southeast-3) in the specified regions (for example, AP-Singapore), the users only have permissions for CodeArts resources in the selected projects. If you set Scope to All resources, the users have permissions for CodeArts resources in all region-specific projects. When accessing CodeArts PerfTest, the users need to switch to the authorized region.
Table 2 lists all the system permissions for CodeArts PerfTest.
| Role Name | Description | Dependencies |
|---|---|---|
| CodeArts PerfTest Administrator | Administrator permissions for CodeArts PerfTest. Users with these permissions can perform all operations on CodeArts PerfTest and test resources of the current tenant and all IAM users, such as adding, deleting, modifying, and querying resources. | This role depends on the Server Administrator, Tenant Guest, CCE Administrator, and VPCEndpoint Administrator roles. |
| CodeArts PerfTest Developer | Developer permissions for CodeArts PerfTest. Users with these permissions can perform all operations, such as adding, deleting, modifying, and querying resources, only on a user's own CodeArts PerfTest and test resources. | This role depends on the Tenant Guest role. |
| CodeArts PerfTest Operator | Operator permissions for CodeArts PerfTest. Users with these permissions can only read their own CodeArts PerfTest and test resources. | This role depends on the Tenant Guest role. |
| CodeArts PerfTest Resource Administrator | Resource administrator permissions for CodeArts PerfTest. Users with these permissions have all permissions related to test resources in CodeArts PerfTest. | This role depends on the Tenant Guest, CCE Administrator, and VPCEndpoint Administrator roles. |
| CodeArts PerfTest Resource Developer | Resource developer permissions for CodeArts PerfTest. Users with these permissions can only view and use CodeArts PerfTest resources, but cannot create, update, or delete infrastructure resources. | This role depends on the Tenant Guest role. |
The following table lists the common operations supported by system-defined permissions for CodeArts PerfTest.
| Operation | CodeArts PerfTest Administrator | CodeArts PerfTest Developer | CodeArts PerfTest Operator |
|---|---|---|---|
| Querying subscribed CodeArts PerfTest packages on the console | √ | √ | √ |
| Querying all PerfTest projects of a tenant on the console | √ | × | × |
| Querying all PerfTest projects of the current user on the console | √ | √ | √ |
| Editing all PerfTest projects, test cases, and tasks of a tenant on the console | √ | × | × |
| Editing a PerfTest project, test case, or task of the current user on the console | √ | √ | × |
| Querying all JMeter projects of a tenant on the console | √ | × | × |
| Querying JMeter projects of the current user on the console | √ | √ | √ |
| Editing all JMeter projects, test plans, and thread groups of a tenant on the console | √ | × | × |
| Editing a JMeter project, test plan, or thread group of the current user on the console | √ | √ | × |

| Operation | CodeArts PerfTest Administrator | CodeArts PerfTest Resource Administrator | CodeArts PerfTest Resource Developer |
|---|---|---|---|
| Adding, deleting, and modifying test resources on the console | √ | √ | × |
| Querying test resources on the console | √ | √ | √ |
| Querying test resources on the console when starting a PerfTest/JMeter task | √ | √ | √ |
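The role and operation tables above can drive a least-privilege check. The following Python sketch is an added example, not Huawei Cloud code: it picks the system roles that cover a set of required operations with the least excess, lists the dependency roles that come with them, and audits an existing group assignment. The operation keys (query_own, edit_resources, and so on) are names constructed for this example, and only the marks stated in the tables are modeled.

```python
from itertools import combinations

P = "CodeArts PerfTest "
# Dependency roles per system role, as listed in the role table above.
DEPENDS = {
    P + "Administrator": {"Server Administrator", "Tenant Guest",
                          "CCE Administrator", "VPCEndpoint Administrator"},
    P + "Developer": {"Tenant Guest"},
    P + "Operator": {"Tenant Guest"},
    P + "Resource Administrator": {"Tenant Guest", "CCE Administrator",
                                   "VPCEndpoint Administrator"},
    P + "Resource Developer": {"Tenant Guest"},
}
# Operations per role. Keys are constructed for this example; PerfTest and
# JMeter rows carry identical marks in the tables above and are merged.
ALLOWS = {
    P + "Administrator": {"query_packages", "query_own", "edit_own", "query_tenant",
                          "edit_tenant", "query_resources", "edit_resources"},
    P + "Developer": {"query_packages", "query_own", "edit_own"},
    P + "Operator": {"query_packages", "query_own"},
    P + "Resource Administrator": {"query_resources", "edit_resources"},
    P + "Resource Developer": {"query_resources"},
}

def union(table, roles):
    """Union of the table entries (operations or dependencies) for `roles`."""
    return set().union(*(table[r] for r in roles))

def least_privilege(needed):
    """Role set covering `needed` with the fewest excess operations, then the
    fewest dependency roles. Returns (roles, dependency_roles)."""
    best = None
    for n in range(1, len(ALLOWS) + 1):
        for combo in combinations(sorted(ALLOWS), n):
            ops = union(ALLOWS, combo)
            if not needed <= ops:
                continue
            deps = union(DEPENDS, combo)
            score = (len(ops - needed), len(deps), n)
            if best is None or score < best[0]:
                best = (score, set(combo), deps)
    if best is None:
        raise ValueError("no role combination covers %s" % sorted(needed))
    return best[1], best[2]

def audit(attached, needed):
    """Returns (dependency roles missing from `attached`, excess operations)."""
    perftest = attached & set(ALLOWS)
    return union(DEPENDS, perftest) - attached, union(ALLOWS, perftest) - needed
```

For a user who edits their own projects and manages test resources, the selector returns the Developer and Resource Administrator roles rather than Administrator, which avoids the Server Administrator dependency.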
Role/Policy Dependencies of the CodeArts PerfTest Console
| Console Function | Dependency | Role/Policy Required |
|---|---|---|
| Test resources | Cloud Container Engine (CCE) | An IAM user can access the CCE cluster information only after being granted the CCE Administrator permission. |
| Test resources | VPC Endpoint (VPCEP) | An IAM user can enable communication between debugging and execution nodes and CodeArts PerfTest only after being granted the VPCEndpoint Administrator permission. |
| Intelligent analysis | Application Performance Management (APM) | IAM users can query the APM application group list only after being granted the APM ReadOnlyAccess permission. |
| Intelligent analysis | Application Operations Management (AOM) | IAM users can query AOM nodes only after being granted the AOM ReadOnlyAccess permission. |
Identity Policy-based Authorization
CodeArts PerfTest supports identity policy-based authorization. Table 6 lists all the system-defined identity policies for CodeArts PerfTest.
| Identity Policy Name | Description | Type |
|---|---|---|
| CodeArtsPerfTestFullAccessPolicy | Full permissions for CodeArts PerfTest | System-defined identity policy |
| CodeArtsPerfTestReadOnlyPolicy | Read-only permissions for CodeArts PerfTest | System-defined identity policy |
| CodeArtsPerfTestResourceFullAccessPolicy | Administrator permissions for CodeArts PerfTest resources | System-defined identity policy |
| CodeArtsPerfTestResourceDeveloperPolicy | Developer permissions for CodeArts PerfTest resources | System-defined identity policy |
The following table lists the common operations supported by system-defined identity policies for CodeArts PerfTest.
| Operation | CodeArtsPerfTestFullAccessPolicy | CodeArtsPerfTestReadOnlyPolicy |
|---|---|---|
| Querying subscribed CodeArts PerfTest packages on the console | √ | √ |
| Subscribing to a CodeArts PerfTest package on the console | √ | × |
| Querying all PerfTest projects of a tenant on the console | √ | √ |
| Editing all PerfTest projects, test cases, and tasks of a tenant on the console | √ | × |
| Querying all JMeter projects of a tenant on the console | √ | √ |
| Editing all JMeter projects, test plans, and thread groups of a tenant on the console | √ | × |

| Operation | CodeArtsPerfTestFullAccessPolicy | CodeArtsPerfTestResourceFullAccessPolicy | CodeArtsPerfTestResourceDeveloperPolicy |
|---|---|---|---|
| Adding, deleting, and modifying test resources on the console | √ | √ | × |
| Querying test resources on the console | √ | √ | √ |
| Querying test resources on the console when starting a PerfTest/JMeter task | √ | √ | √ |
Identity Policy Dependencies of the CodeArts PerfTest Console
The CodeArtsPerfTestFullAccessPolicy identity policy already contains all the permissions required by the CodeArts PerfTest console. No additional identity policies are needed. If you use an identity policy other than CodeArtsPerfTestFullAccessPolicy, add the identity policy of the dependent service by referring to Table 9.
| Console Function | Dependency | Role/Policy Required |
|---|---|---|
| Test resources | Cloud Container Engine (CCE) | To create and edit a private resource group, you must be granted the CCEFullPolicy permission to access the CCE cluster information. |
| Test resources | Identity and Access Management (IAM) | To create and edit a private resource group, you must be granted the iam:agencies:createV5 and iam:agencies:attachPolicyV5 permissions to create the perftest_admin_trust tenant agency. |
| Test resources | VPC Endpoint (VPCEP) | To create and edit a private resource group, you must be granted the VPCEPFullAccessPolicy permission to enable your ECSs to communicate with CodeArts PerfTest. |
| Intelligent analysis | Application Performance Management (APM) | To use Java probes, you must have the APMFullAccessPolicy policy assigned. |