Updated on 2025-08-13 GMT+08:00

Permission Management

If you need to assign different permissions to employees in your enterprise to access your FRS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you efficiently manage access to your FRS resources.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

With IAM, you can create IAM users for employees in your organization and assign permissions to control their access to Huawei Cloud resources. For example, some software developers in your enterprise need to use FRS but should not be allowed to delete other FRS resources or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using FRS resources.

IAM is free of charge. You pay only for the resources you use. For more information about IAM, see What Is IAM.

FRS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to and can perform specified operations on FRS based on the permissions.

FRS is a project-level service deployed and accessed in specific physical regions. To assign FRS permissions to a user group, set the scope to Region-specific projects and select projects (for example, AP-Bangkok) in the corresponding region (for example, ap-southeast-2) for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing FRS, you need to switch to a region where you have been authorized to use this service.

Table 1 lists all the system policies supported by FRS.

Table 1 System policies

| Policy Name | Description | Policy Type | Dependencies |
|---|---|---|---|
| FRS FullAccess | All permissions | System policy | None |
| FRS ReadOnlyAccess | Read-only access | System policy | None |

Table 2 lists the common operations supported by each system policy.

Table 2 Common operations supported by each system policy

| Action | Description | FRS FullAccess | FRS ReadOnlyAccess |
|---|---|---|---|
| frs:faceSearch:subscribe | Subscribe to Face Retrieval. | Yes | No |
| frs:faceSearch:unsubscribe | Unsubscribe from Face Retrieval. | Yes | No |
| frs:faceSearch:getSubscribeUserList | Query the list of users who have subscribed to Face Retrieval. | Yes | Yes |
| frs:faceSearch:subscribeAllUsers | Subscribe to Face Retrieval for all subusers. | Yes | No |
| frs:faceSearch:unsubscribeAllUsers | Unsubscribe from Face Retrieval for all subusers. | Yes | No |
| frs:faceCompare:subscribe | Subscribe to Face Verification. | Yes | No |
| frs:faceCompare:unsubscribe | Unsubscribe from Face Verification. | Yes | No |
| frs:faceCompare:getSubscribeUserList | Query the list of users who have subscribed to Face Verification. | Yes | Yes |
| frs:faceCompare:subscribeAllUsers | Subscribe to Face Verification for all subusers. | Yes | No |
| frs:faceCompare:unsubscribeAllUsers | Unsubscribe from Face Verification for all subusers. | Yes | No |
| frs:faceDetect:subscribe | Subscribe to Face Detection. | Yes | No |
| frs:faceDetect:unsubscribe | Unsubscribe from Face Detection. | Yes | No |
| frs:faceDetect:getSubscribeUserList | Query the list of users who have subscribed to Face Detection. | Yes | Yes |
| frs:faceDetect:subscribeAllUsers | Subscribe to Face Detection for all subusers. | Yes | No |
| frs:faceDetect:unsubscribeAllUsers | Unsubscribe from Face Detection for all subusers. | Yes | No |
| frs:liveDetect:subscribe | Subscribe to Face LiveDetect. | Yes | No |
| frs:liveDetect:unsubscribe | Unsubscribe from Face LiveDetect. | Yes | No |
| frs:liveDetect:getSubscribeUserList | Query the list of users who have subscribed to Face LiveDetect. | Yes | Yes |
| frs:liveDetect:subscribeAllUsers | Subscribe to Face LiveDetect for all subusers. | Yes | No |
| frs:liveDetect:unsubscribeAllUsers | Unsubscribe from Face LiveDetect for all subusers. | Yes | No |
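
The following least-privilege check is an added example, not Huawei Cloud code: it rebuilds Table 2 as action sets and flags grants that are broader than a group needs, including the case where FRS FullAccess is the only policy that fits but still carries all-subuser actions nobody asked for. The group names, the NEEDS and GRANTS data, and the function names are hypothetical and constructed for illustration.

```python
# Added example: constructed groups and grants, not Huawei Cloud output.
from itertools import product

FEATURES = ["faceSearch", "faceCompare", "faceDetect", "liveDetect"]
READ_OPS = ["getSubscribeUserList"]
WRITE_OPS = ["subscribe", "unsubscribe", "subscribeAllUsers", "unsubscribeAllUsers"]

# Table 2 rebuilt as the action set each system policy allows.
READ_ONLY = {f"frs:{f}:{op}" for f, op in product(FEATURES, READ_OPS)}
FULL = READ_ONLY | {f"frs:{f}:{op}" for f, op in product(FEATURES, WRITE_OPS)}
POLICIES = {"FRS ReadOnlyAccess": READ_ONLY, "FRS FullAccess": FULL}

# Hypothetical inputs: what each group must do, and what it was granted.
NEEDS = {
    "frs-developers": {"frs:faceDetect:subscribe"},
    "frs-auditors": {"frs:faceSearch:getSubscribeUserList"},
}
GRANTS = [  # (group, system policy, scope)
    ("frs-developers", "FRS FullAccess", "All projects"),
    ("frs-auditors", "FRS FullAccess", "ap-southeast-2"),
]

def smallest_policy(needed):
    """Name of the system policy with the fewest actions that covers `needed`."""
    fits = [(len(acts), name) for name, acts in POLICIES.items() if needed <= acts]
    if not fits:
        raise ValueError(f"no FRS system policy covers {sorted(needed)}")
    return min(fits)[1]

def audit(grants, needs):
    """Return (group, finding) pairs for grants broader than the stated need."""
    findings = []
    for group, policy, scope in grants:
        needed = needs[group]
        best = smallest_policy(needed)
        if POLICIES[best] < POLICIES[policy]:
            findings.append((group, f"{best} is sufficient, {policy} granted"))
        bulk = [a for a in POLICIES[policy] - needed if a.endswith("AllUsers")]
        if bulk:
            findings.append((group, f"{len(bulk)} unneeded all-subuser actions"))
        if policy == "FRS FullAccess" and scope == "All projects":
            findings.append((group, "FullAccess in every region-specific project"))
    return findings

if __name__ == "__main__":
    for group, finding in audit(GRANTS, NEEDS):
        print(f"{group}: {finding}")
```

Because any subscribe or unsubscribe action requires FRS FullAccess, limiting the scope to the specific region-specific project is the remaining control for groups that need write access.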