Help Center/ EventGrid/ Service Overview/ Permissions Management
Updated on 2023-10-25 GMT+08:00

Permissions Management

You can use IAM to manage EG permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can create IAM users for software developers and assign permissions to allow them to use EG resources but prevent them from deleting resources or performing any high-risk operations.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

IAM can be used free of charge. You pay only for the resources in your account. For details, see IAM Service Overview.

EG Permissions

By default, new IAM users do not have any permissions. You need to add them to one or more groups, and then add permissions policies or roles to these groups. The users inherit permissions from their groups and can then perform specified operations on cloud services.

EG is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, set the scope to Region-specific projects and select projects for the permissions to take effect. If All resources is selected, the permissions will take effect for the user group in all region-specific projects. Switch to a region where you have been authorized to access EG.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism enables more flexible policy-based authorization and meets secure access control requirements. For example, you can grant IAM users only the permissions for performing specific operations on event sources. Most policies define permissions based on APIs.

Table 1 lists all the system-defined roles and policies supported by EG.

Table 1 EG permissions

Role/Policy Name

Description

Type

Dependency

EG FullAccess

Full permissions for EG

System-defined policy

N/A

EG Publisher

Permissions for publishing events

System-defined policy

N/A

EG ReadOnlyAccess

Read-only permissions for EG

System-defined policy

N/A

Table 2 lists the common operations supported by each system-defined policy of EG. Please choose proper policies according to this table.

Table 2 Common operations supported by each system-defined policy

Operation

EG FullAccess

EG Publisher

EG ReadOnlyAccess

Create event subscription

NOTE:

To create event targets with FunctionGraph, EG, or SMN, you must be granted the required permissions. For details, see Table 3.

×

×

Enable/Disable event subscription

×

×

Update event subscription

×

×

Delete event subscription

×

×

View event subscription

×

Create event source

×

×

Update event source

×

×

Delete event source

×

×

View event source

×

Create event channel

×

×

Update event channel

×

×

Delete event channel

×

×

View event channel

Create connection

×

×

Update connection

×

×

Delete connection

×

×

View connection

×

Create endpoint

×

×

Update endpoint

×

×

Delete endpoint

×

×

View endpoint

×

Publish event to event channel

×

Table 3 Additional permission parameters

Configuration

Permission

Configure event targets with EG, SMN, or FunctionGraph

iam:permissions:grantRoleToAgencyOnProject

iam:agencies:listAgencies

iam:roles:listRoles

iam:agencies:getAgency

iam:agencies:createAgency

iam:permissions:listRolesForAgency

iam:permissions:listRolesForAgencyOnProject

iam:permissions:listRolesForAgencyOnDomain