Updated on 2024-11-21 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your MAS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.

You can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use MAS resources but should not be allowed to delete MAS instances or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using MAS resources.

You can skip this section if you do not need fine-grained permissions management.

IAM is free of charge. You pay only for the resources in your account. For details, see IAM Service Overview.

MAS Permissions

By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

MAS is a project-level service deployed and accessed in specific physical regions. To assign MAS permissions to a user group, you need to specify region-specific projects for which the permissions will take effect. If you select All projects, the permissions will be granted for both the global service project and all region-specific projects. When accessing MAS, users need to switch to a region where they have been authorized to use MAS.

You can grant permissions by using roles and policies.
  • Roles: a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other dependent roles for permissions to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant MAS users only the permissions for performing specific operations on MAS instances.

    Table 1 lists all the system-defined roles and policies supported by MAS.

Table 1 System-defined roles and policies supported by MAS

Role/Policy Name

Description

Type

Dependency

MAS FullAccess

All permissions for MAS. Users granted these permissions can manage all MAS instances.

System-defined policy

None

MAS CommonOperations

Basic operation permissions for MAS, including the permissions to operate application, monitors, and components, but excluding the permissions to create or delete instances.

System-defined policy

None

MAS ReadOnlyAccess

Read-only permissions for MAS. Users granted these permissions can only view the MAS instance data.

System-defined policy

None

Table 2 lists the common operations supported by each system policy of MAS. Select the policies as required.

Table 2 Common operations supported by each system policy

Operation

MAS FullAccess

MAS CommonOperations

MAS ReadOnlyAccess

Enabling function modules

×

×

Modifying function modules

×

×

Deleting function modules

×

×

Creating namespaces

×

×

Modifying namespaces

×

Deleting namespaces

×

×

Viewing namespace details

Creating applications

×

Modifying applications

×

Deleting applications

×

Buying multi-active instances

×

×

Modifying multi-active instances

×

Deleting multi-active instances

×

×

Viewing multi-active instances

Creating data sources

×

×

Modifying data sources

×

Deleting data sources

×

×

Viewing data source details

Creating sync links

×

×

Editing synchronization links

×

Deleting sync links

×

×

Viewing sync link details

Switching over monitors

×

Creating monitors

×

Configuring monitors

×

Modifying monitors

×

Switching over data centers

×

Deleting monitors

×

Configuring connection pools

×

Configuring SDK accesses

×

Adding secret keys

×

Modifying secret keys

×

Deleting secret keys

×

Creating notifications

×

Modifying notifications

×

Deleting notifications

×

Configuring DC-level automatic switchover

×

Creating credentials

×

×

Deleting credentials

×

×

Using credentials

×

Checking credentials