IAM-based Permissions Management
If you need to assign different IAM permissions to employees in your organization, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users and assign permissions to control their access to specific resources. For example, if you want project planners in your company to view IAM details but do not want them to delete IAM users or perform any other high-risk operations, you can create IAM users and grant permission to view IAM but not permission to delete. For the system-defined permissions supported by IAM, see System-defined Identity Policies.
IAM Permissions
Table 1 lists all the system-defined identity policies for IAM.
| Name | Description | Type |
|---|---|---|
| IAMFullAccessPolicy | Full permissions for IAM. | System-defined identity policy |
| IAMReadOnlyPolicy | Read-only permissions for IAM. | System-defined identity policy |
Table 2 lists the common operations supported by system-defined identity policies for IAM.
| Operation | IAMFullAccessPolicy | IAMReadOnlyPolicy |
|---|---|---|
| Creating IAM users | Yes | No |
| Querying IAM user details | Yes | Yes |
| Modifying IAM user information | Yes | No |
| Querying security settings of IAM users | Yes | Yes |
| Modifying security settings of IAM users | Yes | No |
| Deleting IAM users | Yes | No |
| Creating user groups | Yes | No |
| Querying user group details | Yes | Yes |
| Modifying user group information | Yes | No |
| Adding users to user groups | Yes | No |
| Removing users from user groups | Yes | No |
| Deleting user groups | Yes | No |
| Assigning permissions to user groups | Yes | No |
| Removing permissions of user groups | Yes | No |
| Creating custom identity policies | Yes | No |
| Modifying custom identity policies | Yes | No |
| Deleting custom identity policies | Yes | No |
| Querying permission details | Yes | Yes |
| Creating trust agencies | Yes | No |
| Querying trust agencies | Yes | Yes |
| Modifying trust agencies | Yes | No |
| Switching roles | Yes | No |
| Deleting trust agencies | Yes | No |
| Granting permissions to trust agencies | Yes | No |
| Removing permissions of trust agencies | Yes | No |
| Querying quotas | Yes | Yes |
If an IAM user wants to manage the access keys of other IAM users, see Table 3. For example, if IAM user A wants to create an access key for IAM user B, IAM user A must have the FullAccess permission.
| Operation | IAMFullAccessPolicy | IAMReadOnlyPolicy |
|---|---|---|
| Creating access keys (for other IAM users) | Yes | No |
| Querying access keys (of other IAM users) | Yes | Yes |
| Modifying access keys (for other IAM users) | Yes | No |
| Deleting access keys (for other IAM users) | Yes | No |
Content of IAMFullAccessPolicy
{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*:*"
            ]
        }
    ]
}
Content of IAMReadOnlyPolicy
{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*:get*",
                "iam:*:list*",
                "iam:*:check*",
                "iam:*:show*"
            ]
        }
    ]
}
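The two policy documents above differ only in their Action patterns, which makes them a useful baseline for reviewing custom identity policies. The following is an added example, not Huawei Cloud code: it evaluates an action name against a policy in this format and flags Allow patterns that are not pinned to the read-only prefixes used by IAMReadOnlyPolicy. It assumes `*` matches any run of characters (case-sensitive) and that an explicit Deny overrides Allow; the function names are hypothetical, and any concrete action name you pass in (for instance `iam:users:deleteUser`) is a constructed sample.

```python
import json
import re

# Policy documents copied from this page.
IAM_FULL_ACCESS = json.loads(
    '{"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": ["iam:*:*"]}]}')
IAM_READ_ONLY = json.loads(
    '{"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": '
    '["iam:*:get*", "iam:*:list*", "iam:*:check*", "iam:*:show*"]}]}')

# Operation prefixes that IAMReadOnlyPolicy allows.
READ_PREFIXES = ("get", "list", "check", "show")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """Assumed semantics: '*' matches any run of characters, case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def is_allowed(policy, action):
    """True if an Allow statement matches the action and no Deny statement does."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":  # assumed: explicit Deny wins
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def write_capable_patterns(policy):
    """Return Allow patterns whose operation is not pinned to a read-only prefix."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            operation = pattern.split(":")[-1]
            literal = operation.split("*", 1)[0]  # text before the first wildcard
            if not literal.startswith(READ_PREFIXES):
                flagged.append(pattern)
    return flagged
```

Running `write_capable_patterns` over every custom identity policy attached to a user group that is meant to be read-only gives a quick list of statements to review before granting access.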