Updated on 2025-11-19 GMT+08:00

Identity Authentication and Access Control

Identity Authentication

You can access DataArts Studio through the DataArts Studio console or open APIs. In either way, access requests are sent through the RESTful APIs provided by DataArts Studio.

DataArts Studio APIs can be accessed upon successful authentication. Requests sent through the console can be authenticated using tokens, and requests for calling APIs can be authenticated using tokens or AK/SK. For details, see Authentication.

Access Control Overview

You can use Identity and Access Management (IAM) to implement fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources. For more information about IAM, see the IAM Service Overview.

Figure 1 shows the permission system. The Role/Policy-based Permissions Management and Identity Policy-based Permissions Management authorization models are supported, but system-defined policies and custom policies in the former model are not supported. Policies, identity policies, and actions in the two authorization models are not interoperable. Figure 2 compares the two models. You are advised to use attribute-based access control (ABAC) for fine-grained authorization to ensure that minimum permissions are assigned. For details about how to assign permissions, see Creating an IAM User and Assigning DataArts Studio Permissions.
If you assign both a role/policy-based permission (DAYU Administrator, DAYU User, or DataArts Studio User) and an identity policy-based permission (DataArtsStudioFullAccessPolicy, DataArtsStudioOperatorPolicy, DataArtsStudioReadOnlyPolicy, or custom identity policies) to an IAM user, the IAM user will have the following permissions:
  • If both permissions contain the deny action, the deny policy prevails.
  • The allow actions in the two permissions both take effect.
Figure 1 Permission system
Figure 2 Two authorization models

Role/Policy-based Permissions

Role/Policy-based authorization is a role-based access control (RBAC) model supported by IAM. It assigns permissions to users based on their roles. It provides two authorization mechanisms: system-defined roles and system-defined policies. Users assigned roles can quickly obtain permissions. This model is inflexible and cannot meet fine-grained permission control requirements. DataArts Studio supports system-defined roles (DAYU Administrator and DAYU User) but does not support system-defined policies or custom policies. DAYU Administrator grants all operation permissions to users. DAYU User grants permissions of instances, workspaces, and dependent services to users. Workspace roles grant operation permissions in a workspace. In this way, fine-grained permission control is available through system-defined roles and workspace roles.

IAM provides the following two authorization mechanisms. Note that DataArts Studio supports only IAM role-based authorization and does not support IAM policy-based authorization.
  • IAM Roles: IAM initially provides a coarse-grained authorization mechanism to define permissions based on users' job responsibilities. This mechanism provides only a limited number of service-level roles for authorization. However, traditional IAM roles are not an ideal choice for fine-grained authorization and secure access control.
  • IAM Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

Identity Policy-based Permissions

Identity policy-based authorization is the latest ABAC authorization model supported by IAM. Administrators can customize access control policies for fine-grained and flexible permission control. DataArts Studio supports identity policy-based authorization. System-defined identity policies provide users with permissions of instances and workspaces. After the permissions of dependent services are configured, the service operation permissions in specific workspaces are provided by workspace roles. In this way, fine-grained permission control is available through system-defined identity policies, dependent service permissions, and workspace roles.

DataArts Studio provides the following system-defined identity policies: DataArtsStudioFullAccessPolicy, DataArtsStudioOperatorPolicy, and DataArtsStudioReadOnlyPolicy. Identity policies only include the permissions of instances and workspaces. Users must also be assigned the permissions of dependent services and workspace roles so that they can perform service operations. In addition, policies define permissions based on APIs. For the actions supported by DataArts Studio, see Permissions and Supported Actions.

Table 1 DataArts Studio system-defined identity policies

| Identity Policy Name | Description | Type |
|---|---|---|
| DataArtsStudioFullAccessPolicy | Permissions for managing DataArts Studio instances and workspaces, except service operation permissions in workspaces and permissions of dependent services. After users are assigned this policy, they must also be assigned any workspace role and dependent service permissions so that they can perform service operations. For details, see Table 5. | System-defined identity policy |
| DataArtsStudioOperatorPolicy | Permissions for performing common operations on DataArts Studio instances and workspaces, except service operation permissions in workspaces and permissions of dependent services. After users are assigned this policy, they must also be assigned any workspace role and dependent service permissions so that they can perform service operations. For details, see Table 5. | System-defined identity policy |
| DataArtsStudioReadOnlyPolicy | Permissions for viewing DataArts Studio instances and workspaces, except service operation permissions in workspaces and permissions of dependent services. After users are assigned this policy, they must also be assigned any workspace role and dependent service permissions so that they can perform service operations. For details, see Table 5. | System-defined identity policy |
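
The combination rules from Access Control Overview (a deny prevails, allow actions from both models take effect) and the layering described in this section (identity policy, workspace role, dependent service permissions) can be checked during an access review as follows. This is an added example, not Huawei Cloud code: the statement layout, the wildcard matching, the `example:...` action names and the sample user are assumptions made for illustration, and a deny in either grant is assumed to override an allow in either.

```python
from fnmatch import fnmatchcase

# Constructed sample grants. The "example:..." action names are hypothetical
# placeholders, not real DataArts Studio actions.
ROLE_POLICY_GRANT = [  # role/policy-based model
    {"Effect": "Allow", "Action": ["example:instance:get", "example:workspace:list"]},
]
IDENTITY_POLICY_GRANT = [  # identity policy-based model
    {"Effect": "Allow", "Action": ["example:workspace:*"]},
    {"Effect": "Deny", "Action": ["example:workspace:delete"]},
]
WORKSPACE_ACCESS = "example:workspace:get"  # hypothetical "open a workspace" action


def _matches(statements, effect, action):
    """True if any statement with this effect covers the action (wildcards allowed)."""
    return any(
        s["Effect"] == effect and any(fnmatchcase(action, p) for p in s["Action"])
        for s in statements
    )


def effective_decision(action, *grants):
    """Evaluate one action against every grant attached to an IAM user."""
    statements = [s for grant in grants for s in grant]
    if _matches(statements, "Deny", action):
        return "deny"  # a deny prevails over any allow
    if _matches(statements, "Allow", action):
        return "allow"  # allows from both models take effect
    return "implicit-deny"  # no statement grants the action


def service_operation_gaps(user, workspace):
    """List what still blocks service operations in the given workspace."""
    gaps = []
    if effective_decision(WORKSPACE_ACCESS, *user["grants"]) != "allow":
        gaps.append("instance/workspace permission")
    if workspace not in user["workspace_roles"]:
        gaps.append("workspace role")
    if not user["dependent_service_permissions"]:
        gaps.append("dependent service permissions")
    return gaps


# Constructed user: identity policy attached, nothing else configured yet.
NEW_USER = {"grants": [IDENTITY_POLICY_GRANT], "workspace_roles": set(),
            "dependent_service_permissions": False}
```

Running `service_operation_gaps` over each IAM user shows who holds an identity policy but still cannot perform service operations, and `effective_decision` shows which actions a user gains only because both authorization models are attached.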