Permissions
If you need to grant your enterprise personnel permission to access your DDS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you to securely access your Huawei Cloud resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to be able to use DDS resources but do not want them to be able to delete DDS resources or perform any other high-risk operations, you can create IAM users and grant permission to use DDS resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. This model provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. It is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | | | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy, configure the condition key g:RequestedRegion for it, and then attach the policy to the users or grant the users access permissions to the specified regions. Identity policy-based authorization is therefore more flexible than role/policy-based authorization.
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
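The ECS/OBS scenario above, worked through in code. This is an added example and not part of the Huawei Cloud documentation: the two role/policy-model custom policies are each tied to a region-specific project at assignment time, while the single identity policy carries the region in its g:RequestedRegion condition. The policy document versions ("1.1" for custom policies, "5.0" for identity policies), the region IDs cn-north-4 and cn-south-1, the action names ecs:cloudServers:create and obs:bucket:CreateBucket, and the `is_allowed()` evaluator are this example's assumptions; the evaluator is a deliberately simplified model (explicit Deny wins, any matching Allow grants, otherwise deny) that shows what the condition key does, not IAM's real decision engine.

```python
from fnmatch import fnmatchcase

# Role/policy model (assumed "1.1" document format): one custom policy per
# region. The region restriction does not live in the document; it comes from
# the region-specific project chosen when the policy is assigned to the group,
# so each policy is paired with its scope below.
ROLE_POLICY_BEIJING4 = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:cloudServers:create"]}],
}
ROLE_POLICY_GUANGZHOU = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:bucket:CreateBucket"]}],
}
# (policy document, region-specific project it is assigned for); region IDs are assumed
ROLE_POLICY_ASSIGNMENTS = [
    (ROLE_POLICY_BEIJING4, "cn-north-4"),   # CN North-Beijing4
    (ROLE_POLICY_GUANGZHOU, "cn-south-1"),  # CN South-Guangzhou
]

# Identity policy model (assumed "5.0" document format): one policy attached
# directly to the user; g:RequestedRegion in each Condition block replaces the
# two scoped assignments above.
IDENTITY_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:create"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:CreateBucket"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}},
        },
    ],
}


def _statement_matches(stmt: dict, action: str, region: str) -> bool:
    """True if the statement's Action list (with * wildcards) matches the action
    and its g:RequestedRegion condition, if any, matches the request's region."""
    if not any(fnmatchcase(action, pattern) for pattern in stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    allowed_regions = cond.get("g:RequestedRegion")
    return allowed_regions is None or region in allowed_regions


def is_allowed(assignments, action: str, region: str) -> bool:
    """Simplified evaluation over (policy, scope_region) pairs.

    A policy assigned for a specific region only applies to requests in that
    region (scope_region None means no scope restriction). Any matching Deny
    wins, otherwise any matching Allow grants, otherwise the request is denied.
    This is an educational model, not IAM's actual algorithm."""
    decision = False
    for policy, scope_region in assignments:
        if scope_region is not None and scope_region != region:
            continue
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, region):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def role_policy_decision(action: str, region: str) -> bool:
    """Decision under the two scoped custom-policy assignments."""
    return is_allowed(ROLE_POLICY_ASSIGNMENTS, action, region)


def identity_policy_decision(action: str, region: str) -> bool:
    """Decision under the single identity policy (no assignment scope; the
    region restriction comes only from the condition key)."""
    return is_allowed([(IDENTITY_POLICY, None)], action, region)


if __name__ == "__main__":
    requests = [
        ("ecs:cloudServers:create", "cn-north-4"),
        ("ecs:cloudServers:create", "cn-south-1"),
        ("obs:bucket:CreateBucket", "cn-south-1"),
        ("obs:bucket:DeleteBucket", "cn-south-1"),
    ]
    for action, region in requests:
        print(f"{action:26s} {region:11s} role/policy={role_policy_decision(action, region)!s:5s} "
              f"identity={identity_policy_decision(action, region)}")
```

Both models give the same answers for these requests; the difference the page describes is in how many objects the administrator maintains (two scoped assignments versus one document) and in where the region restriction is expressed, which is what makes the condition-key form easier to review in one place.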
Role/Policy-based Authorization
DDS supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
DDS is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing DDS, the users need to switch to the authorized region.
Table 2 lists all the system-defined permissions for DDS. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
Table 2 System-defined permissions for DDS

| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| DDS FullAccess | Full permissions for DDS resources. | System-defined policy | CBC actions required for creating yearly/monthly DB instances: <br>CBC actions required for unsubscribing from a yearly/monthly instance: |
| DDS ReadOnlyAccess | Read-only permissions for DDS resources. Users granted these permissions can only view DDS data. | System-defined policy | None |
Table 3 lists the common operations supported by system-defined permissions for DDS.
Table 3 Common operations supported by system-defined permissions

| Operation | DDS FullAccess | DDS ReadOnlyAccess |
|---|---|---|
| Creating an instance | Supported | Not supported |
| Querying instances | Supported | Supported |
| Deleting an instance | Supported | Not supported |
| Restarting an instance | Supported | Not supported |
| Performing a primary/secondary switchover | Supported | Not supported |
| Changing a database port | Supported | Not supported |
| Resetting a password | Supported | Not supported |
| Modifying an SSL policy | Supported | Not supported |
| Changing a security group | Supported | Not supported |
| Binding or unbinding an EIP | Supported | Not supported |
| Scaling up storage | Supported | Not supported |
| Changing the instance class | Supported | Not supported |
| Adding nodes | Supported | Not supported |
| Deleting the node that fails to be added | Supported | Not supported |
| Modifying a backup policy | Supported | Not supported |
| Renaming an instance | Supported | Not supported |
| Changing a private IP address | Supported | Not supported |
| Changing the parameter template associated with a node in an instance | Supported | Not supported |
| Enabling or disabling Show Original Log | Supported | Not supported |
| Enabling or disabling the audit log policy | Supported | Not supported |
| Downloading audit logs | Supported | Not supported |
| Deleting audit logs | Supported | Not supported |
| Downloading a backup | Supported | Not supported |
| Creating a manual backup | Supported | Not supported |
| Querying backups | Supported | Supported |
| Restoring to a new instance | Supported | Not supported |
| Restoring to an existing instance | Supported | Not supported |
| Deleting a backup | Supported | Not supported |
| Creating a parameter template | Supported | Not supported |
| Querying parameter templates | Supported | Supported |
| Modifying a parameter template | Supported | Not supported |
| Deleting a parameter template | Supported | Not supported |
| Querying the task center list | Supported | Not supported |
| Stopping a backup | Supported | Not supported |
Table 4 lists common DDS operations and corresponding actions. You can refer to this table to customize permission policies.
Table 4 Common operations and corresponding actions

| Operation | Actions | Authorization Scope | Remarks |
|---|---|---|---|
| Instance creation page | | Supported: | The VPC, subnet, and security group are displayed on the instance creation page. |
| Creating an instance | | Supported: | If the default VPC, subnet, and security group are used, the vpc:*:create permission must be configured. Creating an encrypted instance requires the KMS Administrator permission for the project. |
| Querying instances | dds:instance:list | Supported: | - |
| Querying details of an instance | dds:instance:list | Supported: | If the VPC, subnet, and security group need to be displayed on the instance details page, add the vpc:*:get and vpc:*:list actions. |
| Exporting the instance list | dds:instance:list | Supported: | If the VPC, subnet, and security group are required, add the vpc:*:get and vpc:*:list actions. |
| Deleting an instance | dds:instance:deleteInstance | Supported: | When deleting a DB instance, delete the IP address on the data side. |
| Restarting an instance | dds:instance:reboot | Supported: | - |
| Performing a primary/secondary switchover | dds:instance:switchover | Supported: | - |
| Changing a database port | dds:instance:modifyPort | Supported: | - |
| Resetting a password | dds:instance:resetPasswd | Supported: | - |
| Modifying an SSL policy | dds:instance:modifySSL | Supported: | - |
| Changing a security group | dds:instance:modifySecurityGroup | Supported: | - |
| Binding an EIP | dds:instance:bindPublicIp | Supported: | When binding an EIP, you need to query created EIPs. For details, see Floating IP Address. |
| Unbinding an EIP | dds:instance:unbindPublicIp | Supported: | For details, see Floating IP Address. |
| Scaling up storage | dds:instance:extendVolume | Supported: | - |
| Changing the instance class | dds:instance:modifySpec | Supported: | - |
| Adding nodes | | Supported: | - |
| Deleting the node that fails to be added | dds:instance:extendNode | Supported: | If the IP address has been created but the subsequent procedure fails, delete the IP address on the data side. |
| Modifying a backup policy | dds:instance:modifyBackupPolicy | Supported: | - |
| Renaming an instance | dds:instance:modify | Supported: | - |
| Changing a private IP address | | Supported: | Before changing the private IP address, query available IP addresses. |
| Changing the parameter template associated with a node in an instance | dds:instance:modifyParameter | Supported: | - |
| Enabling or disabling Show Original Log | dds:instance:modifySlowLogPlaintextSwitch | Supported: | - |
| Enabling or disabling the audit log policy | dds:instances:modifyAuditLogSwitch | Supported: | - |
| Downloading audit logs | dds:instances:downloadAuditLog | Supported: | - |
| Deleting audit logs | dds:instance:deleteAuditLog | Supported: | - |
| Downloading a backup | dds:backup:download | Supported: | - |
| Changing the billing mode from pay-per-use to yearly/monthly | dds:instances:renew | Supported: | - |
| Creating a manual backup | dds:instance:createManualBackup | Supported: | - |
| Querying backups | dds:backup:list | Supported: | - |
| Restoring to a new instance | | Supported: | The KMS Administrator permission needs to be configured for an encrypted instance in a project. |
| Restoring to an existing instance | dds:backup:refreshInstanceFromBackup | Supported: | - |
| Deleting a backup | dds:backup:delete | Supported: | - |
| Creating a parameter template | dds:param:create | Supported: | - |
| Querying parameter templates | dds:param:list | Supported: | - |
| Modifying a parameter template | dds:param:modify | Supported: | - |
| Deleting a parameter template | dds:param:delete | Supported: | - |
| Querying the task center list | dds:task:list | Supported: | - |
| Stopping a backup | dds:backup:stop | Supported: | - |
| Querying a log group | lts:groups:get | Supported: | - |
| Querying a log stream | lts:topics:get | Supported: | - |
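One way to turn the action table above into a least-privilege custom policy for the role/policy model. This is an added example, not the documentation's own code: the operation-to-action mapping is copied from the table (only rows whose action the table gives, with the vpc:*:get and vpc:*:list dependencies from the Remarks column), while the "operator" role definition, the HIGH_RISK classification and the "1.1" policy document format are this example's assumptions and should be checked against the IAM console before use. The builder refuses to emit a policy whose resolved actions include anything on the high-risk list, and adds an explicit Deny for those actions so they stay blocked even if the same user group later also receives a broader policy.

```python
import json

# Operation -> actions, copied from Table 4 above (rows with a listed action).
# Dependencies named in the Remarks column are included for the rows that need them.
DDS_ACTIONS = {
    "Querying instances": ["dds:instance:list"],
    "Querying details of an instance": ["dds:instance:list", "vpc:*:get", "vpc:*:list"],
    "Restarting an instance": ["dds:instance:reboot"],
    "Performing a primary/secondary switchover": ["dds:instance:switchover"],
    "Creating a manual backup": ["dds:instance:createManualBackup"],
    "Querying backups": ["dds:backup:list"],
    "Downloading a backup": ["dds:backup:download"],
    "Stopping a backup": ["dds:backup:stop"],
    "Querying the task center list": ["dds:task:list"],
    "Querying parameter templates": ["dds:param:list"],
    "Deleting a backup": ["dds:backup:delete"],
    "Deleting an instance": ["dds:instance:deleteInstance"],
    "Deleting audit logs": ["dds:instance:deleteAuditLog"],
    "Resetting a password": ["dds:instance:resetPasswd"],
}

# Assumption of this example: actions an operations role must never hold,
# because they destroy data or change who can log in to the database.
HIGH_RISK = {
    "dds:instance:deleteInstance",
    "dds:backup:delete",
    "dds:instance:deleteAuditLog",
    "dds:instance:resetPasswd",
}

# Assumed role definition: day-to-day operators may view, restart, fail over
# and back up instances, but not delete anything or reset passwords.
OPERATOR_ROLE = [
    "Querying instances",
    "Querying details of an instance",
    "Restarting an instance",
    "Performing a primary/secondary switchover",
    "Creating a manual backup",
    "Querying backups",
    "Stopping a backup",
    "Querying the task center list",
]


def actions_for(operations):
    """Resolve operation names from the table to a sorted, de-duplicated action list."""
    actions = set()
    for op in operations:
        if op not in DDS_ACTIONS:
            raise ValueError(f"operation not in the action table: {op!r}")
        actions.update(DDS_ACTIONS[op])
    return sorted(actions)


def build_policy(operations):
    """Return a custom policy document (assumed "1.1" format) granting exactly
    the resolved actions.

    If any resolved action is on the high-risk list the call fails, so the role
    cannot be widened by accident when someone appends an operation to it. The
    explicit Deny statement keeps the high-risk actions blocked even when the
    user group also holds a broader policy, since Deny takes precedence over
    Allow when policies are combined."""
    actions = actions_for(operations)
    risky = sorted(a for a in actions if a in HIGH_RISK)
    if risky:
        raise ValueError(f"high-risk actions are not allowed in this role: {risky}")
    return {
        "Version": "1.1",
        "Statement": [
            {"Effect": "Allow", "Action": actions},
            {"Effect": "Deny", "Action": sorted(HIGH_RISK)},
        ],
    }


def allowed_actions(policy):
    """Actions granted by the policy's Allow statements (for review or tests)."""
    return sorted(a for s in policy["Statement"] if s["Effect"] == "Allow" for a in s["Action"])


def denied_actions(policy):
    """Actions explicitly denied by the policy (for review or tests)."""
    return sorted(a for s in policy["Statement"] if s["Effect"] == "Deny" for a in s["Action"])


if __name__ == "__main__":
    policy = build_policy(OPERATOR_ROLE)
    print(json.dumps(policy, indent=2))
    try:
        build_policy(OPERATOR_ROLE + ["Deleting an instance"])
    except ValueError as err:
        print("rejected:", err)
```

Generating the document from a named list of operations rather than hand-editing action strings keeps the intent reviewable: a change request says "add Modifying a backup policy to the operator role", the diff shows exactly that, and the guard fails the build if the added row resolves to something destructive.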
Identity Policy-based Authorization
DDS supports identity policy-based authorization. Table 5 lists all the system-defined policies for DDS. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
Table 5 System-defined identity policies for DDS

| Identity Policy Name | Description | Type |
|---|---|---|
| DDSFullAccessPolicy | Full permissions for DDS | System-defined identity policy |
| DDSReadOnlyPolicy | Read-only permissions for DDS | System-defined identity policy |
Table 6 lists the common operations supported by system-defined identity policies for DDS.
Table 6 Common operations supported by system-defined identity policies

| Operation | DDSFullAccessPolicy | DDSReadOnlyPolicy |
|---|---|---|
| Creating an instance | Supported | Not supported |
| Querying instances | Supported | Supported |
| Deleting an instance | Supported | Not supported |
| Restarting an instance | Supported | Not supported |
| Performing a primary/secondary switchover | Supported | Not supported |
| Changing a database port | Supported | Not supported |
| Resetting a password | Supported | Not supported |
| Modifying an SSL policy | Supported | Not supported |
| Changing a security group | Supported | Not supported |
| Binding or unbinding an EIP | Supported | Not supported |
| Scaling up storage | Supported | Not supported |
| Changing the instance class | Supported | Not supported |
| Adding nodes | Supported | Not supported |
| Deleting the node that fails to be added | Supported | Not supported |
| Modifying a backup policy | Supported | Not supported |
| Renaming an instance | Supported | Not supported |
| Changing a private IP address | Supported | Not supported |
| Changing the parameter template associated with a node in an instance | Supported | Not supported |
| Enabling or disabling Show Original Log | Supported | Not supported |
| Enabling or disabling the audit log policy | Supported | Not supported |
| Downloading audit logs | Supported | Not supported |
| Deleting audit logs | Supported | Not supported |
| Downloading a backup | Supported | Not supported |
| Creating a manual backup | Supported | Not supported |
| Querying backups | Supported | Supported |
| Restoring to a new instance | Supported | Not supported |
| Restoring to an existing instance | Supported | Not supported |
| Deleting a backup | Supported | Not supported |
| Creating a parameter template | Supported | Not supported |
| Querying parameter templates | Supported | Supported |
| Modifying a parameter template | Supported | Not supported |
| Deleting a parameter template | Supported | Not supported |
| Querying the task center list | Supported | Not supported |
| Stopping a backup | Supported | Not supported |