Updated on 2025-11-11 GMT+08:00

Permission Management

If you need to assign different permissions for employees in your organization to access GaussDB resources, IAM is a good choice for fine-grained permission management. IAM provides user authentication, permission assignment, and access control, enabling secure management of access to your cloud resources. If your HUAWEI ID does not require IAM for permission management, you may skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control the scope of access to specific Huawei Cloud resources. For example, some developers in your enterprise need to use GaussDB, but you do not want them to have permissions for high-risk operations such as deleting GaussDB instances. To achieve this, use IAM to grant them only the permissions needed to use GaussDB, without the permission to delete GaussDB instances. In this way, IAM controls how they use GaussDB resources.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes their differences.

Table 1 Differences between role/policy-based and identity policy-based authorization

| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | System-defined roles; system-defined policies; custom policies | Assigning roles or policies to principals | To authorize a user, you first add it to a user group and then specify the scope of authorization. This model provides only a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. It is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | System-defined identity policies; custom identity policies | Assigning identity policies to principals; attaching identity policies to principals | You authorize a user by attaching an identity policy to it. User-specific authorization and a wide range of condition keys allow more fine-grained permissions control. However, this model is harder to set up and requires some expertise; it is suitable for medium- and large-sized enterprises. |

Assume that you want to grant IAM users permission to create GaussDB instances in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy that uses the condition key g:RequestedRegion, and then attach it to the users or grant the users access permissions to the specified regions. Identity policy-based authorization is therefore more flexible than role/policy-based authorization.

Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Authorization

GaussDB supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

GaussDB is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for GaussDB instances in the selected projects. If you set Scope to All resources, the users have permissions for GaussDB instances in all region-specific projects. When accessing GaussDB, the users need to switch to the authorized region.
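The two authorization models compared above and the project-scope rule of this section, as an added example that is not part of the GaussDB documentation: a small Python model in which the same requirement ("use GaussDB in CN North-Beijing4 and create OBS buckets in CN South-Guangzhou, but never delete instances") is expressed once as two role/policy-based custom policies assigned to a user group with a region-specific project as scope, and once as a single identity policy that uses the g:RequestedRegion condition key. The evaluator is a deliberately simplified deny-by-default model written for this page, not the IAM service's decision engine; the region IDs cn-north-4 and cn-south-1, the OBS action name obs:bucket:CreateBucket, and the user and group names are assumptions.

```python
"""Deny-by-default model of the two IAM authorization models compared above.

Constructed example: the policy documents follow the shape of Huawei Cloud
custom policies (Version 1.1) and identity policies (Version 5.0), but the
evaluator is a small model written for this page, not the real IAM decision
engine. Region IDs and the OBS action name are assumptions.
"""
import fnmatch

CN_NORTH_BEIJING4 = "cn-north-4"               # assumed ID for CN North-Beijing4
CN_SOUTH_GUANGZHOU = "cn-south-1"              # assumed ID for CN South-Guangzhou
OBS_CREATE_BUCKET = "obs:bucket:CreateBucket"  # assumed OBS action name

# "Use GaussDB but never delete instances": grant only what the team needs.
GAUSSDB_USE_ACTIONS = ["gaussdb:instance:create", "gaussdb:instance:list",
                       "gaussdb:param:list"]

# Role/policy-based model: two custom policies, each assigned to a user group
# with a region-specific project as its scope (or "all" for All resources).
ROLE_POLICY_GAUSSDB = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": GAUSSDB_USE_ACTIONS}]}
ROLE_POLICY_OBS = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": [OBS_CREATE_BUCKET]}]}
GROUP_ASSIGNMENTS = [  # (group, policy, scope)
    ("dba", ROLE_POLICY_GAUSSDB, {CN_NORTH_BEIJING4}),
    ("dba", ROLE_POLICY_OBS, {CN_SOUTH_GUANGZHOU}),
]
USER_GROUPS = {"alice": {"dba"}}

# Identity policy model: one policy attached directly to the user; the
# g:RequestedRegion condition key carries the per-region restriction.
IDENTITY_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": GAUSSDB_USE_ACTIONS, "Resource": ["*"],
     "Condition": {"StringEquals": {"g:RequestedRegion": [CN_NORTH_BEIJING4]}}},
    {"Effect": "Allow", "Action": [OBS_CREATE_BUCKET], "Resource": ["*"],
     "Condition": {"StringEquals": {"g:RequestedRegion": [CN_SOUTH_GUANGZHOU]}}},
]}
USER_IDENTITY_POLICIES = {"alice": [IDENTITY_POLICY]}


def _matches(patterns, action):
    """Action entries may carry wildcards, e.g. gaussdb:instance:*."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled; every listed key must match the request."""
    return all(context.get(key) in allowed
               for key, allowed in condition.get("StringEquals", {}).items())


def _decide(effects):
    """Deny by default; an explicit Deny beats any number of Allows."""
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "deny"


def evaluate_role_policy(user, action, project):
    """Policies reach the user only through group membership, and an
    assignment applies only inside the project(s) it was scoped to."""
    effects = []
    for group, policy, scope in GROUP_ASSIGNMENTS:
        if group not in USER_GROUPS.get(user, set()):
            continue
        if scope != "all" and project not in scope:
            continue
        effects += [s["Effect"] for s in policy["Statement"]
                    if _matches(s["Action"], action)]
    return _decide(effects)


def evaluate_identity_policy(user, action, region):
    """Statements attached to the user, filtered by their condition keys
    against the request context (here just the requested region)."""
    context = {"g:RequestedRegion": region}
    effects = [s["Effect"]
               for policy in USER_IDENTITY_POLICIES.get(user, [])
               for s in policy["Statement"]
               if _matches(s["Action"], action)
               and _condition_holds(s.get("Condition", {}), context)]
    return _decide(effects)


if __name__ == "__main__":
    for req in [("alice", "gaussdb:instance:create", CN_NORTH_BEIJING4),
                ("alice", "gaussdb:instance:create", CN_SOUTH_GUANGZHOU),
                ("alice", "gaussdb:instance:delete", CN_NORTH_BEIJING4),
                ("alice", OBS_CREATE_BUCKET, CN_SOUTH_GUANGZHOU),
                ("bob", "gaussdb:instance:list", CN_NORTH_BEIJING4)]:
        print(req, evaluate_role_policy(*req), evaluate_identity_policy(*req))
```

Running the block prints the decision of each model for the same requests: both allow the instance creation in Beijing4 and deny it in Guangzhou, both deny the delete because no statement grants it, and a user who is in no group and has no attached policy gets nothing. That agreement, with one policy object instead of two, is the point of the comparison, and the deny-by-default behaviour is what to confirm before attaching either policy set to real users.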

Table 2 lists all the system-defined policies supported by GaussDB. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

Table 2 System-defined permissions for GaussDB

| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| GaussDB FullAccess | Full permissions for GaussDB | System-defined policy | See the dependencies listed below this table |
| GaussDB ReadOnlyAccess | Read-only permissions for GaussDB | System-defined policy | None |

Dependencies of GaussDB FullAccess:

To use storage autoscaling, create DR tasks, reset DR configurations, and rectify agency permissions, configure the following actions for IAM users:

  • Actions required for creating a custom policy:
    • iam:agencies:listAgencies
    • iam:agencies:createAgency
    • iam:permissions:listRolesForAgencyOnProject
    • iam:permissions:grantRoleToGroupOnProject
    • iam:roles:listRoles
    • iam:permissions:listRolesForAgencyOnDomain
    • iam:permissions:revokeRoleFromAgencyOnProject
    • iam:permissions:revokeRoleFromAgencyOnDomain
  • Adding system role Security Administrator:
    1. Select a user group to which the user belongs.
    2. Click Authorize in the Operation column.
    3. Add the Security Administrator role.
  • Actions required for creating a yearly/monthly instance using a RAM-based shared KMS key:
    • iam:agencies:listAgencies
    • iam:roles:listRoles
    • iam:agencies:pass
    • iam:agencies:createAgency
    • iam:permissions:grantRoleToAgency

GaussDB FullAccess already contains the iam:agencies:listAgencies, iam:roles:listRoles, and iam:agencies:pass actions.

GaussDB is a region-level service, and IAM is a global service. If you want to grant GaussDB FullAccess to a project, grant BSS ServiceAgencyReadPolicy (global service) to it as well. Granting GaussDB FullAccess to all projects eliminates the need for additional configuration when using IAM actions.

BSS ServiceAgencyCreatePolicy contains the following actions: iam:agencies:createAgency and iam:permissions:grantRoleToAgency.

Table 3 lists the common operations supported by each system policy of GaussDB. Choose appropriate system policies based on this table.

Table 3 Common operations supported by system-defined permissions

| Operation | GaussDB FullAccess | GaussDB ReadOnlyAccess |
|---|---|---|
| Creating a GaussDB instance | √ | x |
| Deleting a GaussDB instance | √ | x |
| Querying GaussDB instances | √ | √ |

Table 4 Common operations and supported actions

| Operation | Action | Remarks |
|---|---|---|
| Creating a DB instance | gaussdb:instance:create, gaussdb:param:list | To select a VPC, subnet, and security group, configure: vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, vpc:securityGroups:get. To create a yearly/monthly instance, configure: bss:order:update, bss:order:view, bss:balance:view. To create an encrypted instance, configure: kms:cmk:get, kms:cmk:list. To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Changing instance specifications | gaussdb:instance:modifySpec | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Adding nodes | gaussdb:instance:modifySpec | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Scaling up storage | gaussdb:instance:modifySpec | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Rebooting a DB instance | gaussdb:instance:restart | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Deleting a DB instance | gaussdb:instance:delete | To unsubscribe from a yearly/monthly instance, configure: bss:unsubscribe:update. To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Querying DB instances | gaussdb:instance:list | None |
| Querying DB instance details | gaussdb:instance:list | To display VPC, subnet, and security group information in the instance list, configure vpc:*:get and vpc:*:list. To display the disk usage, configure ces:*:list. |
| Viewing the instance overview data | gaussdb:instance:list, gaussdb:alarm:list, gaussdb:disasterRecovery:list | To query alarm information, configure: ces:alarmHistory:list |
| Changing a DB instance password | gaussdb:instance:modify | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Changing a DB instance name | gaussdb:instance:modify | None |
| Binding or unbinding an EIP | gaussdb:instance:modify | To display EIPs on the console, configure: vpc:publicIps:get, vpc:publicIps:list. To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Creating a parameter template | gaussdb:param:create, gaussdb:param:list | None |
| Modifying a parameter template | gaussdb:param:modify | None |
| Obtaining parameter templates | gaussdb:param:list | None |
| Applying a parameter template | gaussdb:param:apply | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Deleting a parameter template | gaussdb:param:delete | None |
| Creating a manual backup | gaussdb:backup:create | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Obtaining backups | gaussdb:backup:list | None |
| Modifying a backup policy | gaussdb:instance:modifyBackupPolicy | None |
| Deleting a manual backup | gaussdb:backup:delete | To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Restoring data to a new DB instance | gaussdb:instance:create | To select a VPC, subnet, and security group, configure: vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, vpc:securityGroups:get. To report event monitoring upon an operation failure, configure: ces:alarmsOnOff:put, ces:alarms:create |
| Querying project tags | gaussdb:tag:list | None |
| Adding or deleting project tags in batches | gaussdb:instance:dealTag | None |
| Modifying quotas | gaussdb:quota:modify | None |
| Querying predefined tags | gaussdb:instance:list | To query predefined tags, configure: tms:resourceTags:list |
| Querying configured log groups | - | To query configured log groups, configure: lts:groups:get |
| Querying configured log streams | - | To query configured log streams, configure: lts:topics:get |
| Viewing metrics | - | ces:metric:listGroups, ces:metric:listConfig |
| Configuring autoscaling | gaussdb:instance:autoEnlargePolicy | To enable autoscaling, configure the following actions for the IAM users instead of your Huawei account: iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, iam:permissions:grantRoleToGroupOnProject, iam:roles:listRoles, iam:permissions:listRolesForAgencyOnDomain, iam:permissions:revokeRoleFromAgencyOnProject, iam:permissions:revokeRoleFromAgencyOnDomain. Also add the system role Security Administrator: select a user group to which the user belongs, click Authorize in the Operation column, and add the Security Administrator role. |
| Querying advanced features | gaussdb:instance:listFeatures | None |
| Enabling advanced features | gaussdb:instance:updateFeatures | None |
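One way to turn Table 4 into a least-privilege custom policy, and to review an existing policy against it, as an added example that is not part of the GaussDB documentation: the Python block below transcribes a subset of the table's Action and Remarks columns, builds the smallest Version 1.1 custom policy for the operations a team actually performs, refuses to include the deletion actions this page treats as high-risk, and reports which actions an existing policy is missing, grants without need, or grants although they cover a deletion. The policy under review, the team's operation list and the capability labels are constructed for the example; matching wildcard action entries with fnmatch is this example's own modelling of IAM action matching.

```python
"""Least-privilege helper built on the operation-to-action mapping in Table 4.

Constructed example, not part of the GaussDB documentation: the two dicts
transcribe a subset of Table 4 (Action column and Remarks column), the policy
under review is made up, and the document shape is the Version 1.1 custom
policy format used by role/policy-based authorization.
"""
import fnmatch
import json

# Operation -> actions (Action column of Table 4).
OPERATION_ACTIONS = {
    "Creating a DB instance": {"gaussdb:instance:create", "gaussdb:param:list"},
    "Querying DB instances": {"gaussdb:instance:list"},
    "Rebooting a DB instance": {"gaussdb:instance:restart"},
    "Creating a manual backup": {"gaussdb:backup:create"},
    "Obtaining backups": {"gaussdb:backup:list"},
    "Deleting a DB instance": {"gaussdb:instance:delete"},
}
# Optional capability -> extra actions (Remarks column of Table 4).
EXTRA_ACTIONS = {
    "select VPC, subnet and security group": {
        "vpc:vpcs:list", "vpc:vpcs:get", "vpc:subnets:get", "vpc:securityGroups:get"},
    "yearly/monthly instance": {"bss:order:update", "bss:order:view", "bss:balance:view"},
    "encrypted instance": {"kms:cmk:get", "kms:cmk:list"},
    "event monitoring on failure": {"ces:alarmsOnOff:put", "ces:alarms:create"},
}
# Deletion actions: the high-risk operations the text says developers should not get.
HIGH_RISK = {"gaussdb:instance:delete", "gaussdb:backup:delete", "gaussdb:param:delete"}


def required_actions(operations, extras=()):
    """Union of every action the listed operations and optional extras need."""
    needed = set()
    for op in operations:
        needed |= OPERATION_ACTIONS[op]      # KeyError: operation not in the table
    for extra in extras:
        needed |= EXTRA_ACTIONS[extra]
    return needed


def build_policy(operations, extras=()):
    """Emit the smallest custom policy for the operations; refuse high-risk ones."""
    actions = required_actions(operations, extras)
    if actions & HIGH_RISK:
        raise ValueError(f"high-risk actions requested: {sorted(actions & HIGH_RISK)}")
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}


def _covered(action, patterns):
    """Granted entries may be wildcards such as gaussdb:instance:*."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def review_policy(policy, operations, extras=()):
    """Compare an existing policy with what the team actually does.

    missing:   needed but not granted (the operation would fail)
    excess:    granted but matching nothing needed (candidates for removal)
    high_risk: deletion actions that some granted entry covers (remove first)
    """
    granted = [a for st in policy["Statement"] if st["Effect"] == "Allow"
               for a in st["Action"]]
    needed = required_actions(operations, extras)
    high_risk = sorted(h for h in HIGH_RISK if _covered(h, granted))
    unused = [g for g in granted
              if not any(fnmatch.fnmatchcase(n, g) for n in needed)]
    return {"missing": sorted(a for a in needed if not _covered(a, granted)),
            "excess": sorted(g for g in unused if g not in high_risk),
            "high_risk": high_risk}


# Constructed policy under review: a "temporary" grant that was never trimmed.
EXISTING_POLICY = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
    "gaussdb:instance:create", "gaussdb:instance:list", "gaussdb:instance:delete",
    "gaussdb:param:list", "gaussdb:param:modify", "vpc:vpcs:list", "vpc:vpcs:get",
    "vpc:subnets:get", "vpc:securityGroups:get"]}]}
DEV_OPERATIONS = ["Creating a DB instance", "Querying DB instances",
                  "Rebooting a DB instance"]
DEV_EXTRAS = ["select VPC, subnet and security group", "event monitoring on failure"]

if __name__ == "__main__":
    print(json.dumps(build_policy(DEV_OPERATIONS, DEV_EXTRAS), indent=2))
    print(json.dumps(review_policy(EXISTING_POLICY, DEV_OPERATIONS, DEV_EXTRAS), indent=2))
```

For the constructed policy the review reports the reboot action and the two CES actions as missing, gaussdb:param:modify as unused, and gaussdb:instance:delete as the high-risk grant to remove first; a policy that grants gaussdb:instance:* is flagged the same way even though the wildcard also covers the needed actions, which is the case a plain set comparison would miss.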

Table 5 DR operations and supported actions

| Operation | Action | Remarks |
|---|---|---|
| Querying instances that can be used for establishing a DR relationship | gaussdb:disasterRecovery:list, gaussdb:instance:listAll | None |
| Querying the real-time DR monitoring status of an instance | gaussdb:disasterRecovery:list, gaussdb:disasterRecovery:get | None |
| Querying established DR relationships | gaussdb:disasterRecovery:list, gaussdb:disasterRecovery:listAll | None |
| Resetting the DR relationship | gaussdb:disasterRecovery:construct, gaussdb:disasterRecovery:create | To enable the DR operation, configure the following actions for the IAM users instead of your Huawei account: iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, iam:permissions:grantRoleToGroupOnProject, iam:roles:listRoles, iam:permissions:listRolesForAgencyOnDomain, iam:permissions:revokeRoleFromAgencyOnProject, iam:permissions:revokeRoleFromAgencyOnDomain. Also add the system role Security Administrator: select a user group to which the user belongs, click Authorize in the Operation column, and add the Security Administrator role. An agency RDSAccessProjectResource (including the policy DBS AgencyPolicy) will be automatically created in the current region. |
| Establishing a DR relationship | gaussdb:disasterRecovery:construct, gaussdb:disasterRecovery:create | To enable the DR operation, configure the following actions for the IAM users instead of your Huawei account: iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, iam:permissions:grantRoleToGroupOnProject, iam:roles:listRoles, iam:permissions:listRolesForAgencyOnDomain, iam:permissions:revokeRoleFromAgencyOnProject, iam:permissions:revokeRoleFromAgencyOnDomain. Also add the system role Security Administrator: select a user group to which the user belongs, click Authorize in the Operation column, and add the Security Administrator role. An agency RDSAccessProjectResource (including the policy DBS AgencyPolicy) will be automatically created in the current region. |
| Promoting the DR instance to primary | gaussdb:disasterRecovery:failover | The RDSAccessProjectResource agency is required. |
| Removing a DR relationship | gaussdb:disasterRecovery:release | The RDSAccessProjectResource agency is required. |
| Switching roles of primary and DR instances | gaussdb:disasterRecovery:switchover | The RDSAccessProjectResource agency is required. |
| Re-establishing a DR relationship | gaussdb:disasterRecovery:construct, gaussdb:disasterRecovery:create | The RDSAccessProjectResource agency is required. |
| Performing a DR drill | gaussdb:disasterRecovery:simulation | The RDSAccessProjectResource agency is required. |
| Caching logs for DR | gaussdb:disasterRecovery:keeplog | None |
| Querying DR operation records | gaussdb:instance:listRecord | None |

In DR scenarios, you also need to configure permissions and actions on the cloud where the DR instance resides before performing DR-related operations.

Identity Policy-based Authorization

GaussDB supports identity policy-based authorization. Table 6 lists all the system-defined identity policies for GaussDB. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

Table 6 System-defined identity policies for GaussDB

| Identity Policy Name | Description | Type |
|---|---|---|
| GaussDBFullAccessPolicy | Full permissions for GaussDB | System-defined identity policy |
| GaussDBReadOnlyPolicy | Read-only permissions for GaussDB | System-defined identity policy |

Table 7 lists the common operations supported by system-defined policies for GaussDB.

Table 7 Common operations supported by system-defined policies

| Operation | GaussDBFullAccessPolicy | GaussDBReadOnlyPolicy |
|---|---|---|
| Querying DB instances | √ | √ |
| Creating a DB instance | √ | x |
| Deleting a DB instance | √ | x |