- What's New
- Service Overview
- Getting Started
-
User Guide
- Permissions Management
- Managing Organizations
- Managing OUs
- Managing Accounts
-
Managing SCPs
- Overview of an SCP
- Enabling or Disabling the SCP Type
- Creating an SCP
- Modifying or Deleting an SCP
- Attaching or Detaching an SCP
- Example SCPs
- System-defined SCPs
- Cloud Services for Using SCPs
- Regions for Using SCPs
-
Actions Supported by SCP-based Authorization
- Compute
- Storage
- Networking
- Containers
- Analytics
- Content Delivery & Edge Computing
- Databases
- Security & Compliance
- Internet of Things
- Middleware
- Developer Services
- Business Applications
-
Management & Governance
- Simple Message Notification (SMN)
- Log Tank Service (LTS)
- Identity and Access Management (IAM)
- Security Token Service (STS)
- Resource Formation Service (RFS)
- IAM Identity Center
- Organizations
- Resource Access Manager (RAM)
- Enterprise Project Management Service (EPS)
- Tag Management Service (TMS)
- Config
- IAM Access Analyzer
- Cloud Trace Service (CTS)
- Resource Governance Center (RGC)
- Application Operations Management (AOM)
- Cloud Eye (CES)
- IAM Identity Broker
- User Support
- Migration
- Managing Tag Policies
- Managing Trusted Services
- Managing Tags
- CTS Auditing
- Adjusting Quotas
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Managing Organizations
- Managing OUs
-
Managing Accounts
- Creating an Account
- Listing Accounts in an Organization
- Closing an Account
- Getting Account Information
- Updating an Account
- Removing the Specified Account
- Moving an Account
- Inviting an Account to Join an Organization
- Querying Account Creation Requests in Specified State
- Querying Account Creation Status
- Querying CloseAccount Requests in Specified State
- Managing Invitations
- Managing Trusted Services
- Managing Delegated Administrators
- Managing Policies
-
Managing Tags
- Listing Tags for the Specified Resource
- Adding Tags to the Specified Resource
- Removing Tags from the Specified Resource
- Listing Tags for the Specified Resource Type
- Adding Tags to the Specified Resource Type
- Deleting Tags with the Specified Key from the Specified Resource Type
- Querying Resource Instances by Resource Type and Tag
- Querying Number of Resource Instances by Resource Type and Tag
- Querying Resource Tags
- Others
- Permissions and Supported Actions
- Appendixes
- Change History
- FAQs
- General Reference
Copied.
Permissions
If you need to assign different permissions to personnel in your management account, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources.
With IAM, you can create IAM users and assign permissions enabling them to control their access to specific resources. For example, if you want some of your employees to invite member accounts to join an organization but do not want them to manage policies, you can create IAM users in the management account and grant permission to invite member accounts but not permission to create or modify policies.
If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see Identity and Access Management Service Overview.
System-defined Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach permissions policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
Organizations is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access Organizations in all regions.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Huawei Cloud services depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by Organizations, see Permissions and Supported Actions.
Table 1 lists all the system-defined permissions for Organizations.
Role/Policy Name |
Description |
Type |
Dependencies |
---|---|---|---|
Organizations FullAccess |
Users with these permissions can create, modify, delete, and view any information about Organizations. |
System-defined policy |
N/A |
Organizations ReadOnlyAccess |
Users with these permissions can view organization information, but not make any changes. |
System-defined policy |
N/A |
Table 2 lists the common operations supported by system-defined permissions for Organizations.
Operation |
Organizations FullAccess |
Organizations ReadOnlyAccess |
---|---|---|
Creating an organization |
Supported |
Not supported |
Viewing details about an organization |
Supported |
Supported |
Deleting an organization |
Supported |
Not supported |
Creating an OU |
Supported |
Not supported |
Modifying an OU |
Supported |
Not supported |
Viewing details about an OU |
Supported |
Supported |
Deleting an OU |
Supported |
Not supported |
Inviting an account to join your organization |
Supported |
Not supported |
Creating an Account |
Supported |
Not supported |
Closing an account |
Supported |
Not supported |
Moving an account to another OU |
Supported |
Not supported |
Viewing details about an account |
Supported |
Supported |
Removing a member account from your organization |
Supported |
Not supported |
Enabling SCP |
Supported |
Not supported |
Disabling SCP |
Supported |
Not supported |
Creating an SCP |
Supported |
Not supported |
Modifying an SCP |
Supported |
Not supported |
Viewing details about an SCP |
Supported |
Supported |
Deleting an SCP |
Supported |
Not supported |
Attaching an SCP |
Supported |
Not supported |
Detaching an SCP |
Supported |
Not supported |
Enabling a trusted service |
Supported |
Not supported |
Disabling a trusted service |
Supported |
Not supported |
Configuring a delegated administrator |
Supported |
Not supported |
Adding a tag |
Supported |
Not supported |
Editing a tag |
Supported |
Not supported |
Viewing tag details |
Supported |
Supported |
Deleting a tag |
Supported |
Not supported |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot