Permissions

If you need to assign different permissions to employees in your enterprise to access your Global Accelerator resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.

With IAM, you can use your HUAWEI ID to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use Global Accelerator resources but should not delete them or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the required permissions.

Skip this section if your HUAWEI ID does not require individual IAM users for permissions management.

IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the What Is IAM?

Global Accelerator Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups that they are added to, and can perform specified operations on cloud services.

Global Accelerator is a global service for access from any region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.

You can grant permissions by using roles or policies.

Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you may need to also assign other dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for secure access control. For example, you can grant users only the permissions for managing Global Accelerator resources.

Table 1 lists the system-defined roles or policies supported by Global Accelerator.

**Table 1** System-defined roles and policies supported by Global Accelerator
Role/Policy Name	Description	Type	Dependency
GA FullAccess	Permissions: all permissions for Global Accelerator Scope: Global-level service	System-defined policy	-
GA ReadOnlyAccess	Permissions: read-only permissions for Global Accelerator Scope: Global-level service	System-defined policy	-

Table 2 lists the common operations supported by each system-defined permission for Global Accelerator.

**Table 2** Common operations supported by system-defined permissions
Operation	GA FullAccess	GA ReadOnlyAccess
Creating a global accelerator	√	×
Viewing a global accelerator	√	√
Modifying a global accelerator	√	×
Deleting a global accelerator	√	×
Adding a listener	√	×
Viewing a listener	√	√
Modifying a listener	√	×
Deleting a listener	√	×
Adding an endpoint group	√	×
Viewing an endpoint group	√	√
Modifying an endpoint group	√	×
Deleting an endpoint group	√	×
Adding an endpoint	√	×
Viewing an endpoint	√	√
Modifying an endpoint	√	×
Removing an endpoint	√	×
Configuring a health check	√	×
Viewing health check settings	√	√
Modifying health check settings	√	×
Disabling a health check	√	×
Deleting a health check	√	×
Creating an IP address group	√	×
Querying IP address groups	√	√
Querying the details of an IP address group	√	√
Modifying an IP address group	√	×
Deleting an IP address group	√	×
Adding CIDR blocks to an IP address group	√	×
Removing CIDR blocks from an IP address group	√	×
Associating an IP address group with a listener	√	×
Disassociating an IP address group from a listener	√	×
Adding tags to a resource	√	×
Querying tags of a specific resource	√	√
Deleting tags from a resource	√	×