Permissions
If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) provides fine-grained permissions management. IAM handles identity authentication, permissions management, and access control, so you can manage who may access which resources.
You create users in IAM and grant them permissions to implement access control. For example, if you want some employees to be able to configure the resource recorder, create IAM users for them and grant those users the required permissions.
If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more details, see IAM Service Overview.
Config Permissions
By default, new IAM users have no permissions. You add a user to one or more groups and attach permissions policies or roles to those groups. Users in a group inherit the group's permissions and can perform operations on cloud services accordingly.
Config is a global service, so permissions granted for it are not scoped to a region: a user with the related permissions can access Config (and other global services) in all regions.
A user with Config read-only permissions can view all resources on the Resource List page.
Table 1 lists all the system-defined permissions supported by Config.

| Policy | Description | Dependencies |
|---|---|---|
| RMS ConsoleFullAccess | All permissions to use the Config console, including permissions to view resources and to view and perform operations on the resource recorder, advanced queries, aggregators, and conformance packages. | RF FullAccess |
| RMS FullAccess | All permissions for Config: viewing resources and viewing and performing operations on the resource recorder, compliance rules, advanced queries, aggregators, and conformance packages. | RF FullAccess |
| RMS ReadOnlyAccess | Read-only permissions for Config: viewing resources, the resource recorder, advanced queries, aggregators, conformance packages, and resource compliance. | None |
An IAM user or IAM Identity Center user may still be denied specific operations on resource recorders, rules, or conformance packages even after being granted RMS ConsoleFullAccess. This is because those operations depend on IAM agencies, so the user must also be allowed to create the agencies Config requires. The following lists the details.
To create IAM agencies, a user needs the iam:agencies:createAgency and iam:permissions:grantRoleToAgency actions. When you grant iam:permissions:grantRoleToAgency, specify the exact actions in the policy statement rather than granting it through a broad wildcard policy.
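As an added example, not taken from the Huawei Cloud documentation or from Config itself: a custom IAM policy in Huawei Cloud's policy JSON syntax that grants exactly the two actions named above, so that a user group which already holds RMS ConsoleFullAccess can also create the agencies Config needs. The two action strings are the ones listed on this page; attaching the policy to a dedicated group is an assumption about how you organize permissions, and the policy version string is the current Huawei Cloud custom-policy format.

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:agencies:createAgency",
        "iam:permissions:grantRoleToAgency"
      ]
    }
  ]
}
```

Attach this policy to the same group as RMS ConsoleFullAccess instead of granting an IAM administrator role: iam:permissions:grantRoleToAgency lets the holder delegate roles to an agency, so it should be granted only to the group that actually administers Config, and never through a wildcard such as iam:*.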
Table 2 lists the common operations and the system-defined permissions of Config.

| Operation | RMS ConsoleFullAccess | RMS FullAccess | RMS ReadOnlyAccess |
|---|---|---|---|
| Querying all resources | √ | √ | √ |
| Querying details about a resource | √ | √ | √ |
| Filtering resources | √ | √ | √ |
| Exporting resources | √ | √ | √ |
| Viewing resource compliance data | √ | √ | √ |
| Viewing relationships of a resource | √ | √ | √ |
| Viewing resource change history | √ | √ | √ |
| Querying the resource recorder | √ | √ | √ |
| Enabling, configuring, or modifying the resource recorder | √ | √ | x |
| Disabling the resource recorder | √ | √ | x |
| Querying a compliance policy | √ | √ | √ |
| Modifying rules | √ | √ | x |
| Adding rules | √ | √ | x |
| Querying rules | √ | √ | √ |
| Deleting rules | √ | √ | x |
| Creating organization rules | √ | √ | x |
| Modifying organization rules | √ | √ | x |
| Viewing organization rules | √ | √ | √ |
| Deleting organization rules | √ | √ | x |
| Viewing resource compliance evaluation results | √ | √ | √ |
| Triggering a resource compliance evaluation | √ | √ | x |
| Updating compliance evaluation results | √ | √ | x |
| Running advanced queries | √ | √ | x |
| Creating advanced queries | √ | √ | x |
| Querying advanced queries | √ | √ | √ |
| Listing advanced queries | √ | √ | √ |
| Updating advanced queries | √ | √ | x |
| Deleting advanced queries | √ | √ | x |
| Creating a resource aggregator | √ | √ | x |
| Viewing a resource aggregator | √ | √ | √ |
| Modifying a resource aggregator | √ | √ | x |
| Deleting a resource aggregator | √ | √ | x |
| Viewing aggregated rules | √ | √ | √ |
| Viewing aggregated resources | √ | √ | √ |
| Authorizing a resource aggregator account | √ | √ | x |
| Deleting the authorization for resource aggregation | √ | √ | x |
| Deleting resource aggregation requests | √ | √ | x |
| Viewing resource aggregation requests | √ | √ | √ |
| Running advanced queries against aggregators | √ | √ | x |
| Viewing an authorization list | √ | √ | √ |
| Creating conformance packages | √ (requires RF FullAccess) | √ (requires RF FullAccess) | x |
| Viewing conformance packages | √ | √ | √ |
| Listing conformance packages | √ | √ | √ |
| Deleting conformance packages | √ (requires RF FullAccess) | √ (requires RF FullAccess) | x |
| Listing conformance package sample templates | √ | √ | √ |
| Creating organization conformance packages | √ | √ | x |
| Viewing organization conformance packages | √ | √ | √ |
| Listing organization conformance packages | √ | √ | √ |
| Deleting organization conformance packages | √ | √ | x |