Permissions Management
You can create users or administrators in OneAccess and grant them permissions for controlling access to specific applications or specific functions of the administrator portal. For details, see (User) Logging In to the User Portal and Accessing Applications.
If you need to assign different permissions for OneAccess instances you purchased on Huawei Cloud to employees in your organization, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources. You can use IAM to manage permissions for modifying OneAccess instances on Huawei Cloud.
You can create IAM users for your employees on your Huawei Cloud account, and assign permissions to these users on a principle of least privilege (PoLP) basis to control their access to specific resource types. For example, you can grant permissions to allow certain IT personnel in your enterprise to view OneAccess instances but disallow them to modify the certificates.
If your account does not require individual IAM users for permissions management, skip this section.
IAM is a free service of Huawei Cloud. You only pay for the resources in your account. For more information about IAM, see What Is IAM?
OneAccess Console Permissions
By default, new IAM users do not have permissions. To assign permissions to new users, you need to add them to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which you add them and can perform specific operations on cloud services.
OneAccess is a global service deployed and accessed without specifying any physical region. You can assign OneAccess permissions to users in the global service project. The users do not need to switch regions when they access OneAccess.
You can grant permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users. Huawei Cloud services depend on each other. When using roles to grant permissions, you also need to assign dependency roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. Most policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by OneAccess, see OneAccess Actions.
Table 1 lists all system-defined permissions for the OneAccess console.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
Tenant Administrator |
Permissions for all services except IAM, including all permissions for OneAccess. |
System-defined role |
|
Tenant Guest |
Read-only permissions for all services except IAM. IAM users granted these permissions can only view this service and cannot configure resources in it. |
System-defined role |
|
IAM ReadOnlyAccess |
Read-only permissions for IAM. |
System-defined policy |
|
OneAccess FullAccess |
Full permissions for OneAccess. |
System-defined policy |
|
OneAccess ReadOnlyAccess |
Read-only permissions for OneAccess. Users granted these permissions can only view this service and cannot configure resources in it. |
System-defined policy |
Huawei Cloud accounts, authorized member accounts, and delegated accounts can purchase OneAccess instances. These accounts can use OneAccess only after instances are authorized.
Table 2 lists the common operations supported by system-defined permissions for OneAccess.
|
Operation |
Tenant Administrator |
Tenant Guest |
OneAccess FullAccess |
OneAccess ReadOnlyAccess |
|---|---|---|---|---|
|
Querying instances |
√ |
√ |
√ |
√ |
|
Querying domain certificate details |
√ |
√ |
√ |
√ |
|
Ordering an instance |
√
NOTE:
Member accounts and delegated accounts must have the IAM ReadOnlyAccess permission. |
× |
√
NOTE:
Member accounts and delegated accounts must have the IAM ReadOnlyAccess permission. |
× |
|
Customizing domain names |
√ |
× |
√ |
× |
|
Unbinding custom domain names |
√ |
× |
√ |
× |
|
Modifying domain certificates |
√ |
× |
√ |
× |
|
Deleting an instance |
√ |
× |
√ |
× |
OneAccess Actions
OneAccess provides system-defined policies, which can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are basic concepts related to policies:
- Permissions: Statements in a policy that allow or deny certain operations.
- Actions: Specific operations that are allowed or denied.
- IAM or enterprise projects: Type of projects for which permissions can be granted. For example, policies that contain actions for both IAM projects and enterprise projects can be assigned in both IAM and Enterprise Management, but policies that contain only actions for IAM projects can be assigned only in IAM. For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM Projects and Enterprise Projects?
|
Permission |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|
|
Enabling product instances |
oneaccess:instances:create |
√ |
× |
|
Querying instances |
oneaccess:instances:get |
√ |
× |
|
Customizing domain names |
oneaccess:domains:create |
√ |
× |
|
Unbinding custom domain names |
oneaccess:domains:delete |
√ |
× |
|
Querying domain certificate details |
oneaccess:certificates:get |
√ |
× |
|
Modifying domain certificates |
oneaccess:certificates:update |
√ |
× |
|
Modifying specifications |
oneaccess:instances:update |
√ |
× |
|
Granting user permissions for specific instances |
oneaccess:permissions:grantRoleToUser |
√ |
× |
|
Removing permissions granted to users for specific instances |
oneaccess:permissions:revokeRoleFromUser |
√ |
× |
|
Querying permissions |
oneaccess:permissions:listRoles |
√ |
× |
|
Querying permissions of authorized users |
oneaccess:permissions:listRolesForUser |
√ |
× |
|
Querying authorized users of an instance |
oneaccess:permissions:listUsersOnInstance |
√ |
× |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
