Permissions Management
If you need to assign different permissions to employees in your enterprise to access your DataArtsFabric resources, IAM is a good choice for fine-grained permissions management. This service provides identity authentication, permissions management, and access control, helping you securely access your Huawei Cloud resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can assign permissions to control users' access to specific resources. For example, if you want some software developers in your enterprise to be able to use DataArtsFabric resources but do not want them to be able to delete resources or perform any other high-risk operations, you can create IAM users and grant permission to use DataArtsFabric resources but not permission to delete them.
DataArtsFabric supports role/policy-based authorization.
| Policy | Core Relationship | Permission | Authorization Method | Application Scenario |
|---|---|---|---|---|
| Role/Policy-based authorization | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in region A (CN North-Beijing4) and OBS buckets in region B (CN South-Guangzhou). With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, you only need to create one custom identity policy, use the condition key g:RequestedRegion in the policy, and then attach the policy to the users or grant the users access permissions to the specified regions. Identity policy-based authorization is therefore more flexible than role/policy-based authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
DataArtsFabric supports role/policy-based authorization. By default, new IAM users have no permissions. To grant permissions, add a user to one or more user groups and attach policies or roles to those groups; this process is called authorization. The user inherits the permissions of the groups it belongs to and can then perform the permitted operations on cloud services.
DataArtsFabric is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-north-4) in the specified regions (for example, CN North-Beijing4), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing DataArtsFabric, the users need to switch to a region where they have been authorized to use this service.
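The following Python is an added illustration, not Huawei Cloud's code or IAM's actual evaluation logic. It models the two mechanisms described above: under role/policy-based authorization a user inherits each group's policy assignments, and an assignment only applies when the target project falls inside its Scope (a list of region-specific projects, or All resources); under identity policy-based authorization a single policy can carry a per-statement g:RequestedRegion condition, which is why the two-region example needs one policy rather than two. The policy-to-operation mapping is a constructed subset of the operations table on this page; the action names `ecs:create` and `obs:createBucket` and the region ID `cn-south-1` for CN South-Guangzhou are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple, Union

# Constructed sample: a few rows of the operations table on this page,
# mapped to the system-defined policies that allow them.
POLICY_ACTIONS = {
    "DataArtsFabricFullPolicy": {
        "Listing workspaces", "Creating a workspace", "Deleting a workspace", "Running a job",
    },
    "DataArtsFabricReadOnlyPolicy": {"Listing workspaces", "Listing jobs"},
}

ALL_RESOURCES = "All resources"  # the Scope setting covering every region-specific project


@dataclass(frozen=True)
class Assignment:
    """A role/policy attached to a user group with a Scope: either ALL_RESOURCES
    or a tuple of region-specific project IDs such as ("cn-north-4",)."""
    policy: str
    scope: Union[str, Tuple[str, ...]]


@dataclass
class Group:
    name: str
    assignments: List[Assignment] = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: List[Group] = field(default_factory=list)


def role_policy_allows(user: User, operation: str, project: str) -> bool:
    """Role/policy-based check: the user inherits every assignment of every group
    it belongs to; an assignment applies only if the operation is in the policy
    and the target project lies inside the assignment's Scope."""
    for group in user.groups:
        for a in group.assignments:
            if operation not in POLICY_ACTIONS.get(a.policy, set()):
                continue
            if a.scope == ALL_RESOURCES or project in a.scope:
                return True
    return False


@dataclass(frozen=True)
class Statement:
    """One Allow statement of an identity policy. `regions` models a
    g:RequestedRegion condition; None means the statement has no region condition."""
    actions: FrozenSet[str]
    regions: Optional[FrozenSet[str]] = None


def identity_policy_allows(statements: List[Statement], action: str, region: str) -> bool:
    """Identity-policy check: each statement may restrict the requested region,
    so one policy can cover different actions in different regions."""
    for s in statements:
        if action in s.actions and (s.regions is None or region in s.regions):
            return True
    return False


# --- Constructed scenario -------------------------------------------------
# Developers get read-only access scoped to the cn-north-4 project only.
developers = Group("developers", [Assignment("DataArtsFabricReadOnlyPolicy", ("cn-north-4",))])
# Administrators get full access with Scope = All resources.
admins = Group("admins", [Assignment("DataArtsFabricFullPolicy", ALL_RESOURCES)])
alice = User("alice", [developers])
bob = User("bob", [admins])

# The page's two-region example as one identity policy. The action names and
# the cn-south-1 ID for CN South-Guangzhou are assumptions for illustration.
region_policy = [
    Statement(frozenset({"ecs:create"}), frozenset({"cn-north-4"})),
    Statement(frozenset({"obs:createBucket"}), frozenset({"cn-south-1"})),
]

if __name__ == "__main__":
    print(role_policy_allows(alice, "Listing workspaces", "cn-north-4"))    # True
    print(role_policy_allows(alice, "Deleting a workspace", "cn-north-4"))  # False: read-only
    print(role_policy_allows(alice, "Listing workspaces", "cn-south-1"))    # False: outside Scope
    print(role_policy_allows(bob, "Deleting a workspace", "cn-south-1"))    # True: All resources
    print(identity_policy_allows(region_policy, "ecs:create", "cn-north-4"))  # True
    print(identity_policy_allows(region_policy, "ecs:create", "cn-south-1"))  # False
```

The read-only developer is denied both the high-risk operation and any operation outside the project she was scoped to, which is the least-privilege outcome the section describes; the identity policy shows how a region condition lets one policy express what would otherwise take two role/policy assignments.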
The following table lists all system-defined permissions of DataArtsFabric.
| Role/Policy Name | Description | Category | Dependency |
|---|---|---|---|
| DataArtsFabricFullPolicy | Full permissions for DataArtsFabric. | System-defined policy | |
| DataArtsFabricConsoleFullPolicy | All permissions for using DataArtsFabric on the console, including all permissions of DataArtsFabricFullPolicy and some permissions required on the console. | System-defined policy | |
| DataArtsFabricReadOnlyPolicy | Read-only permissions for DataArtsFabric. | System-defined policy | LakeFormation ReadOnlyAccess |
The following table lists the common operations supported by system-defined permissions for DataArtsFabric. You can refer to this table to select the permissions as required.
| Operation | DataArtsFabricConsoleFullPolicy | DataArtsFabricFullPolicy | DataArtsFabricReadOnlyPolicy |
|---|---|---|---|
| Listing workspaces | √ | √ | √ |
| Creating a workspace | √ | √ | × |
| Modifying a workspace | √ | √ | × |
| Modifying workspace monitoring configuration | √ | √ | × |
| Deleting a workspace | √ | √ | × |
| Querying compute resources | √ | √ | √ |
| Creating a compute resource | √ | √ | × |
| Modifying a compute resource | √ | √ | × |
| Deleting a compute resource | √ | √ | × |
| Listing the endpoints of a workspace | √ | √ | √ |
| Creating an endpoint for a workspace | √ | √ | × |
| Querying the endpoint details of a workspace | √ | √ | √ |
| Modifying an endpoint of a workspace | √ | √ | × |
| Deleting an endpoint of a workspace | √ | √ | × |
| Listing jobs | √ | √ | √ |
| Creating a job | √ | √ | × |
| Querying a job | √ | √ | √ |
| Modifying a job | √ | √ | × |
| Deleting a job | √ | √ | × |
| Listing services | √ | √ | √ |
| Creating a service | √ | √ | × |
| Modifying a service | √ | √ | × |
| Querying a service | √ | √ | √ |
| Deleting a service | √ | √ | × |
| Creating a model | √ | √ | × |
| Listing models | √ | √ | √ |
| Querying a model | √ | √ | √ |
| Deleting a model | √ | √ | × |
| Modifying a model | √ | √ | × |
| Creating a tag | √ | √ | × |
| Deleting a tag | √ | √ | × |
| Listing tags | √ | √ | √ |
| Querying tags of a specific resource | √ | √ | √ |
| Listing resources by tag | √ | √ | √ |
| Creating a notification policy | √ | √ | × |
| Listing notification policies | √ | √ | √ |
| Deleting a notification policy | √ | √ | × |
| Listing running jobs | √ | √ | √ |
| Running a job | √ | √ | × |
| Querying a running job | √ | √ | √ |
| Deleting a running job | √ | √ | × |
| Canceling a running job | √ | √ | × |
| Invoking an inference service instance | √ | √ | × |
| Listing routes | √ | √ | √ |
| Querying session information | √ | √ | √ |
| Subscribing to a public endpoint | √ | √ | × |
Role/Policy Dependencies of the DataArtsFabric Console
| Console Function | Dependency | Role/Policy Required |
|---|---|---|
| Granting service permissions | IAM | Granting permissions on the authorization page requires the IAM user to have the IAM Agency Management FullAccess policy. |
| Creating a workspace | LakeFormation | Users with the DataArtsFabricFullPolicy policy can create workspaces. Specifying a LakeFormation metastore during workspace creation requires the LakeFormation ReadOnlyAccess policy. |
| Creating a model | OBS | To create a model and specify its OBS file path on the model management page, an IAM user must have the DataArtsFabricFullPolicy and OBS OperateAccess policies. |
| Creating a notification policy | IAM, SMN | Creating a notification policy requires an IAM user to have the DataArtsFabricFullPolicy, IAM Agency Management ReadOnly, and SMN ReadOnlyAccess policies. |