Permissions
If you need to assign different permissions to employees in your enterprise to access your CSE resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
With IAM, you can use your public cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you want the software developers in your enterprise to have the permission to use CSE, but do not want them to have the permission to perform high-risk operations such as deletion. Then, you can use IAM to create users for developers and grant them only the permissions required for using CSE resources.
If your public cloud account does not need individual IAM users for permissions management, you may skip over this chapter.
IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.
CSE Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more user groups, and assign permission policies to the user groups. The user then inherits permissions from the user groups. This process is known as authorization. After authorization, the user can perform specified operations on CSE based on the permissions.
CSE is a project-level service deployed and accessed in specific physical regions. To assign CSE permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing CSE, the users need to switch to a region where they have been authorized to use this service.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on users' job responsibilities. There are only a limited number of roles for granting permissions to users. When you grant permissions using roles, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control.
Table 1 lists all the system policies supported by CSE.
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
CSE FullAccess |
Administrator permissions for Cloud Service Engine. |
Policy |
None |
CSE ReadOnlyAccess |
View permissions for Cloud Service Engine. |
Policy |
None |
If the listed permissions in Table 1 do not meet actual requirements, you can Creating a Custom Policy for a Microservice Engine.
For details about the service permissions required by CSE functions, see Table 2.
Dependent Service |
Permission |
|---|---|
VPC |
VPC ReadOnlyAccess |
ELB |
ELB ReadOnlyAccess |
AOM |
AOM ReadOnlyAccess |
TMS |
TMS ReadOnlyAccess |
Table 3 lists the common operations for each system-defined policy or role of CSE. Select policies or roles as needed.
Operation |
CSE ReadOnlyAccess |
CSE FullAccess |
|---|---|---|
Create a microservice engine |
x |
√ |
Maintain a microservice engine |
x |
√ |
Query a microservice engine |
√ |
√ |
Delete a microservice engine |
x |
√ |
Create a microservice |
x |
√ |
Query a microservice |
√ |
√ |
Maintain a microservice |
x |
√ |
Delete a microservice |
x |
√ |
Create microservice configurations |
x |
√ |
Query microservice configurations |
√ |
√ |
Edit microservice configurations |
x |
√ |
Delete microservice configurations |
x |
√ |
Create a microservice governance policy |
x |
√ |
Query a microservice governance policy |
√ |
√ |
Edit a microservice governance policy |
x |
√ |
Delete a microservice governance policy |
x |
√ |
To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CSE as required. Table 4 describes fine-grained permission dependencies of CSE.
Permission |
Description |
Permission Dependency |
Application Scenario |
|---|---|---|---|
cse:engine:list |
List all microservice engines |
None |
|
cse:engine:get |
View engine information |
cse:engine:list |
|
cse:engine:modify |
Modify an engine |
|
|
cse:engine:upgrade |
Upgrade an engine |
|
Upgrades include version upgrade and specification change. |
cse:engine:delete |
Delete an engine |
|
|
cse:engine:create |
Create an engine |
|
|
cse:config:modify |
Modify ServiceComb engine configuration management |
|
Modify global and governance configurations of a ServiceComb engine |
cse:config:get |
View ServiceComb engine configuration management |
|
View service configurations for a ServiceComb engine |
cse:governance:modify |
Modify the governance center of a ServiceComb engine |
|
Create and modify service governance of a ServiceComb engine |
cse:governance:get |
View the governance center of a ServiceComb engine |
|
View service governance on a ServiceComb engine |
cse:registry:modify |
Modify service registry and management of a ServiceComb engine |
|
Modify a ServiceComb engine |
cse:registry:get |
View service registry and management of a ServiceComb engine |
|
View service catalog on a ServiceComb engine |
cse:namespace:read |
View namespace resources of a Nacos engine |
cse:engine:get |
View Nacos service list and configuration list |
cse:namespace:write |
Modify namespace resources of a Nacos engine |
|
Modify Nacos service list and configuration list resources |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
