Permissions
If you need to assign different permissions to workforce identities in your enterprise to access IAM Identity Center resources on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources.
With IAM, you can create IAM users and assign permissions to control their access to specific resources.
You can skip this section if you do not need fine-grained permissions management.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see IAM Service Overview.
IAM Identity Center Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
IAM Identity Center is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access IAM Identity Center in all regions.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Because Huawei Cloud services depend on each other, granting a role may also require you to attach the roles it depends on. Roles are not ideal for fine-grained authorization or least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage ECSs of a certain type. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions.
Table 1 lists all the system-defined permissions for IAM Identity Center.
| Policy Name | Description | Type | Dependency |
|---|---|---|---|
| IAM IdentityCenter FullAccess | Administrator permissions for IAM Identity Center. Users with these permissions can perform all operations on IAM Identity Center. | System-defined policy | None |
| IAM IdentityCenter ReadOnlyAccess | Read-only permissions for viewing data on IAM Identity Center. | System-defined policy | None |
Table 2 lists the common operations supported by system-defined permissions for IAM Identity Center.
| Operation | IAM IdentityCenter FullAccess | IAM IdentityCenter ReadOnlyAccess |
|---|---|---|
| Creating a user | √ | x |
| Viewing details about a user | √ | √ |
| Modifying user information | √ | x |
| Creating a group | √ | x |
| Adding a user to or removing a user from a group | √ | x |
| Deleting a group | √ | x |
| Viewing details about a group | √ | √ |
| Creating a permission set | √ | x |
| Modifying a permission set | √ | x |
| Deleting a permission set | √ | x |
| Viewing details about a permission set | √ | √ |