Permissions
Description
If you need to grant your enterprise personnel permission to access your LTS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your LTS resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use LTS resources but do not want them to be able to delete resources or perform any other high-risk operations, you can create IAM users and grant permission to use LTS resources but not permission to delete them.
If your Huawei account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
Why Is "Insufficient Permission" Displayed After Enterprise Project Authorization?
IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and only take effect for IAM. For details, see What Are the Differences Between IAM and Enterprise Management?
In LTS, only log group, log stream, and dashboard resource APIs support enterprise project authorization. For other APIs that support only IAM project authorization:
- Click By IAM Project during authorization.
Figure 1 Viewing authorization records by IAM project
- When selecting the authorization scope, select Region-specific projects according to the minimum authorization principle.
LTS Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on LTS based on the permissions they have been assigned.
LTS is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions, the users only have permissions for LTS in the selected projects. If you select All projects, the users have permissions for LTS in all region-specific projects. When accessing LTS, the users need to switch to the authorized region.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Cloud services often depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.
The system permissions supported by LTS are listed in Table 1.
|
Role/Policy Name |
Description |
Type |
Dependencies |
|---|---|---|---|
|
LTS FullAccess |
Full permissions for LTS. Users with these permissions can perform operations on LTS. |
System-defined policy |
CCE Administrator, OBS Administrator, FunctionGraph FullAccess, and AOM FullAccess |
|
LTS ReadOnlyAccess |
Read-only permissions for LTS. Users with these permissions can only view LTS data. |
System-defined policy |
CCE Administrator, OBS Administrator, and AOM FullAccess |
|
LTS Administrator |
Administrator permissions for LTS. |
System-defined role |
Tenant Guest and Tenant Administrator |
Table 2 lists the common operations supported by system-defined permissions for LTS.
|
Operation |
LTS FullAccess |
LTS ReadOnlyAccess |
LTS Administrator |
|---|---|---|---|
|
Querying a log group |
√ |
√ |
√ |
|
Creating a log group |
√ |
× |
√ |
|
Modifying a log group |
√ |
× |
√ |
|
Deleting a log group |
√ |
× |
√ |
|
Querying a log stream |
√ |
√ |
√ |
|
Creating a log stream |
√ |
× |
√ |
|
Modifying a log stream |
√ |
× |
√ |
|
Deleting a log stream |
√ |
× |
√ |
|
Configuring log collection from hosts |
√ |
× |
√ |
|
Viewing a dashboard |
√ |
√ |
√ |
|
Creating a dashboard |
√ |
× |
√ |
|
Modifying a dashboard |
√ |
× |
√ |
|
Deleting a dashboard |
√ |
× |
√ |
|
Querying log structuring configurations |
√ |
√ |
√ |
|
Configuring log structuring |
√ |
× |
√ |
|
Enabling quick analysis |
√ |
× |
√ |
|
Disabling quick analysis |
√ |
× |
√ |
|
Configuring delimiters |
√ |
× |
√ |
|
Querying a filter |
√ |
√ |
√ |
|
Disabling a filter |
√ |
× |
√ |
|
Enabling a filter |
√ |
× |
√ |
|
Deleting a filter |
√ |
× |
√ |
|
Querying an alarm rule |
√ |
√ |
√ |
|
Creating an alarm rule |
√ |
× |
√ |
|
Modifying an alarm rule |
√ |
× |
√ |
|
Deleting an alarm rule |
√ |
× |
√ |
|
Viewing a log transfer task |
√ |
√ |
√ |
|
Creating a log transfer task |
√ |
× |
√ |
|
Modifying a log transfer task |
√ |
× |
√ |
|
Deleting a log transfer task |
√ |
× |
√ |
|
Enabling a log transfer task |
√ |
× |
√ |
|
Disabling a log transfer task |
√ |
× |
√ |
|
Installing ICAgent |
√ |
× |
√ |
|
Upgrading ICAgent |
√ |
× |
√ |
|
Uninstalling ICAgent |
√ |
× |
√ |
To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of LTS as required.
Table 3 describes fine-grained permission dependencies of LTS.
|
Permission |
Description |
Dependency |
|---|---|---|
|
lts:agents:list |
List agents |
None |
|
lts:buckets:get |
Query a specified bucket |
None |
|
lts:groups:put |
Modify a specified log group |
None |
|
lts:transfers:create |
Create a log transfer task |
obs:bucket:PutBucketAcl obs:bucket:GetBucketAcl obs:bucket:GetEncryptionConfiguration obs:bucket:HeadBucket dis:streams:list dis:streamPolicies:list |
|
lts:groups:get |
Query a specified log group |
None |
|
lts:transfers:put |
Modify a log transfer task |
obs:bucket:PutBucketAcl obs:bucket:GetBucketAcl obs:bucket:GetEncryptionConfiguration obs:bucket:HeadBucket dis:streams:list dis:streamPolicies:list |
|
lts:resourceTags:delete |
Delete resource tags |
None |
|
lts:ecsOsLogPaths:list |
List OS log paths of a specified image |
None |
|
lts:structConfig:create |
Create an LTS structuring configuration |
None |
|
lts:agentsConf:get |
Query a specified agent configuration |
None |
|
lts:logIndex:list |
List log indexes |
None |
|
lts:transfers:delete |
Delete a log transfer task |
None |
|
lts:regex:create |
Extract structured fields |
None |
|
lts:subscriptions:delete |
Delete a specified subscription |
None |
|
lts:overviewLogsLast:list |
List the latest logs of a user |
None |
|
lts:logIndex:get |
Query a specified log index |
None |
|
lts:sqlalarmrules:create |
Create an alarm rule |
None |
|
lts:agentsConf:create |
Create an agent configuration |
None |
|
lts:sqlalarmrules:get |
Query an alarm rule |
None |
|
lts:datasources:batchdelete |
Batch delete data sources |
None |
|
lts:structConfig:put |
Modify an LTS structuring configuration |
None |
|
lts:groups:list |
List log groups |
None |
|
lts:sqlalarmrules:delete |
Delete an alarm rule |
None |
|
lts:transfers:action |
Enable or disable a log transfer task |
None |
|
lts:datasources:post |
Create a data source |
None |
|
lts:topics:create |
Create a log topic |
None |
|
lts:resourceTags:get |
Query resource tags |
None |
|
lts:filters:put |
Modify a log filter |
None |
|
lts:logs:list |
List logs |
None |
|
lts:subscriptions:create |
Create a subscription |
None |
|
lts:filtersAction:put |
Enable or disable a log filter |
None |
|
lts:overviewLogsTopTopic:get |
Query data metrics of the topic with the largest log volume |
None |
|
lts:datasources:put |
Modify a data source |
None |
|
lts:structConfig:delete |
Delete an LTS structuring configuration |
None |
|
lts:logIndex:delete |
Delete a specified log index |
None |
|
lts:filters:get |
Query a specified log filter |
None |
|
lts:topics:delete |
Delete log topics |
None |
|
lts:agentSupportedOsLogPaths:list |
List the log paths of OS supported by the agent |
None |
|
lts:topics:put |
Modify a log topic |
None |
|
lts:agentHeartbeat:post |
Upload agent heartbeats |
None |
|
lts:logsByName:upload |
Upload logs by log group name and topic name |
None |
|
lts:buckets:list |
List buckets |
None |
|
lts:logIndex:post |
Create a log index |
None |
|
lts:logContext:list |
List log contexts |
None |
|
lts:groups:delete |
Delete a specified log group |
None |
|
lts:filters:delete |
Delete a log filter |
None |
|
lts:resourceTags:put |
Update resource tags |
None |
|
lts:structConfig:get |
Query an LTS structuring configuration |
None |
|
lts:overviewLogTotal:get |
Query the total log volume of the current user |
None |
|
lts:subscriptions:put |
Modify a specified subscription |
None |
|
lts:subscriptions:list |
List subscriptions |
None |
|
lts:datasources:delete |
Delete a specified data source |
None |
|
lts:transfersStatus:get |
Query the log transfer status |
None |
|
lts:logIndex:put |
Modify a specified log index |
None |
|
lts:sqlalarmrules:put |
Modify an alarm rule |
None |
|
lts:logs:upload |
Upload logs |
None |
|
lts:agentDetails:list |
List agent diagnostic logs |
None |
|
lts:agentsConf:put |
Modify an agent configuration |
None |
|
lts:logstreams:list |
Filter log stream resources |
None |
|
lts:subscriptions:get |
Query a specified subscription |
None |
|
lts:disStreams:list |
List DIS streams |
None |
|
lts:groupTopics:put |
Create a log group and topic |
None |
|
lts:resourceInstance:list |
List resource instances |
None |
|
lts:transfers:list |
List transfer tasks |
None |
|
lts:topics:get |
Query a specified log topic |
None |
|
lts:agentsConf:delete |
Delete a specified agent configuration |
None |
|
lts:agentEcs:list |
List ECSs |
None |
|
lts:indiceLogs:list |
Search for logs |
None |
|
lts:topics:list |
List log topics |
None |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
