Permissions Management
If you need to assign different permissions to employees in your company to access your GaussDB resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your resources.
If your account does not need individual IAM users for permissions management, you can skip this section.
With IAM, you can use your account to create IAM users for your employees, and assign specific permissions to different users to control their access to specific resource types. For example, you can grant software developers in your company permissions to use GaussDB resources but not the permissions needed to delete them or perform any high-risk operations.
IAM can be used for free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
GaussDB Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.
GaussDB is a project-level service deployed for specific regions. To assign GaussDB permissions to a user group, specify the scope as region-specific projects and select the project for the permissions to take effect. If All projects is selected, the permissions will be granted to the user group in all region-specific projects. When accessing GaussDB, the users need to switch to the authorized region.
- Roles: A coarse-grained way of granting permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. When using roles to grant permissions, you may need to assign additional roles because of the different dependencies involved with role-based permissions. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A more fine-grained system. Policies let you define permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant IAM users only the permissions needed to manage a certain type of GaussDB resources. Most policies define permissions based on APIs.
Table 1 lists all the system-defined policies supported by GaussDB.
Policy Name |
Description |
Category |
|---|---|---|
GaussDB FullAccess |
Full permissions for GaussDB |
System-defined policy |
GaussDB ReadOnlyAccess |
Read-only permissions for GaussDB |
System-defined policy |
Table 2 lists the common operations supported by each system policy of GaussDB. Choose appropriate system policies based on this table.
Operation |
GaussDB FullAccess |
GaussDB ReadOnlyAccess |
|---|---|---|
Creating a GaussDB instance |
√ |
x |
Deleting a GaussDB instance |
√ |
x |
Querying GaussDB instances |
√ |
√ |
Operation |
Action |
Remarks |
|---|---|---|
Creating a DB instance |
gaussdb:instance:create gaussdb:param:list |
To select a VPC, subnet, and security group, configure the following actions: vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get To create a yearly/monthly instance, configure the following actions: bss:order:update bss:order:view bss:balance:view To create an encrypted instance, configure the following actions for the project: kms:cmk:get kms:cmk:list To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Changing CPU and memory specifications of an instance |
gaussdb:instance:modifySpec |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Adding nodes |
gaussdb:instance:modifySpec |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Scaling up storage space |
gaussdb:instance:modifySpec |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Rebooting a DB instance |
gaussdb:instance:restart |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Deleting a DB instance |
gaussdb:instance:delete |
To unsubscribe from a yearly/monthly instance, configure the following actions: "bss:unsubscribe:update" To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Querying instances |
gaussdb:instance:list |
None |
Querying instance details |
gaussdb:instance:list |
If the VPC, subnet, and security group are displayed in the instance list, configure vpc:*:get and vpc:*:list. If the used disk is displayed, configure ces:*:list. |
Changing a DB instance password |
gaussdb:instance:modify |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Changing a DB instance name |
gaussdb:instance:modify |
None |
Binding or unbinding an EIP |
gaussdb:instance:modify |
To display EIPs on the console, configure the following actions: vpc:publicIps:get vpc:publicIps:list To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Creating a parameter template |
gaussdb:param:create gaussdb:param:list |
None |
Modifying a parameter template |
gaussdb:param:modify |
None |
Obtaining parameter templates |
gaussdb:param:list |
None |
Applying a parameter template |
gaussdb:param:apply |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create |
Deleting a parameter template |
gaussdb:param:delete |
None |
Creating a manual backup |
gaussdb:backup:create |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Obtaining backups |
gaussdb:backup:list |
None |
Modifying the backup policy |
gaussdb:instance:modifyBackupPolicy |
None |
Deleting a manual backup |
gaussdb:backup:delete |
To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create" |
Restoring data to a new DB instance |
gaussdb:instance:create |
To select a VPC, subnet, and security group, configure the following actions: vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get To report event monitoring of a failed operation, configure the following actions: "ces:alarmsOnOff:put" "ces:alarms:create |
Querying project tags |
gaussdb:tag:list |
None |
Adding or deleting project tags in batches |
gaussdb:instance:dealTag |
None |
Modifying quotas |
gaussdb:quota:modify |
None |
Querying predefined tags |
gaussdb:instance:list |
To query predefined tags, configure the following action: tms:resourceTags:list |
Querying configured log groups |
- |
To query configured log groups, configure the following action: lts:groups:get |
Querying configured log streams |
- |
To query configured log streams, configure the following action: lts:topics:get |
Enabling autoscaling |
gaussdb:instance:autoEnlargePolicy |
To enable autoscaling, configure the following actions for the IAM users instead of your Huawei account:
|
Performing DBMind-related operations |
gaussdb:instance:sqlCollect gaussdb:instance:sqlDiagnosis gaussdb:instance:riskAnalysis gaussdb:instance:indexAdvise |
gaussdb:instance:sqlCollect (SQL data collection) gaussdb:instance:sqlDiagnosis (Slow query diagnosis) gaussdb:instance:riskAnalysis (Risk prediction) gaussdb:instance:indexAdvise (Index recommendations) |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
