Permissions Management
If you need to assign different permissions to employees in your enterprise to access your MAS resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
You can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use MAS resources but should not be allowed to delete MAS instances or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using MAS resources.
You can skip this section if you do not need fine-grained permissions management.
IAM is free of charge. You pay only for the resources in your account. For details, see IAM Service Overview.
MAS Permissions
By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.
MAS is a project-level service deployed and accessed in specific physical regions. To assign MAS permissions to a user group, you need to specify region-specific projects for which the permissions will take effect. If you select All projects, the permissions will be granted for both the global service project and all region-specific projects. When accessing MAS, users need to switch to a region where they have been authorized to use MAS.
- Roles: a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other dependent roles for permissions to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant MAS users only the permissions for performing specific operations on MAS instances.
Table 1 lists all the system-defined roles and policies supported by MAS.
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
MAS FullAccess |
All permissions for MAS. Users granted these permissions can manage all MAS instances. |
System-defined policy |
None |
MAS CommonOperations |
Basic operation permissions for MAS, including the permissions to operate application, monitors, and components, but excluding the permissions to create or delete instances. |
System-defined policy |
None |
MAS ReadOnlyAccess |
Read-only permissions for MAS. Users granted these permissions can only view the MAS instance data. |
System-defined policy |
None |
Table 2 lists the common operations supported by each system policy of MAS. Select the policies as required.
Operation |
MAS FullAccess |
MAS CommonOperations |
MAS ReadOnlyAccess |
|---|---|---|---|
Enabling function modules |
√ |
× |
× |
Modifying function modules |
√ |
× |
× |
Deleting function modules |
√ |
× |
× |
Creating namespaces |
√ |
× |
× |
Modifying namespaces |
√ |
√ |
× |
Deleting namespaces |
√ |
× |
× |
Viewing namespace details |
√ |
√ |
√ |
Buying multi-active instances |
√ |
× |
× |
Modifying multi-active instances |
√ |
√ |
× |
Deleting multi-active instances |
√ |
× |
× |
Viewing multi-active instances |
√ |
√ |
√ |
Creating data sources |
√ |
× |
× |
Modifying data sources |
√ |
√ |
× |
Deleting data sources |
√ |
× |
× |
Viewing data source details |
√ |
√ |
√ |
Creating sync links |
√ |
× |
× |
Editing synchronization links |
√ |
√ |
× |
Deleting sync links |
√ |
× |
× |
Viewing sync link details |
√ |
√ |
√ |
Creating applications |
√ |
√ |
× |
Modifying applications |
√ |
√ |
× |
Deleting applications |
√ |
√ |
× |
Switching over monitors |
√ |
√ |
× |
Creating monitors |
√ |
√ |
× |
Configuring monitors |
√ |
√ |
× |
Modifying monitors |
√ |
√ |
× |
Switching over data centers |
√ |
√ |
× |
Deleting monitors |
√ |
√ |
× |
Configuring connection pools |
√ |
√ |
× |
Configuring SDK accesses |
√ |
√ |
× |
Adding secret keys |
√ |
√ |
× |
Modifying secret keys |
√ |
√ |
× |
Deleting secret keys |
√ |
√ |
× |
Creating notifications |
√ |
√ |
× |
Modifying notifications |
√ |
√ |
× |
Deleting notifications |
√ |
√ |
× |
Configuring DC-level automatic switchover |
√ |
√ |
× |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
