Permissions
If you need to assign different permissions to personnel in your enterprise to access your TaurusDB for PostgreSQL resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users and assign permissions to control their access to specific resources. For example, if you want some software developers in your enterprise to use TaurusDB for PostgreSQL resources but do not want them to delete TaurusDB for PostgreSQL resources or perform any other high-risk operations, you can create IAM users for the software developers and grant them only the permissions required for using TaurusDB for PostgreSQL resources.
If your Huawei account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
TaurusDB for PostgreSQL Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
TaurusDB for PostgreSQL is a project-level service deployed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions, the users only have permissions for TaurusDB for PostgreSQL instances in the selected projects. If you set Scope to All resources, the users have permissions for TaurusDB for PostgreSQL instances in all region-specific projects. When accessing TaurusDB for PostgreSQL instances, the users need to switch to the authorized region.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Cloud services depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only the permission to manage a certain type of database resources.
Table 1 lists all the system-defined permissions for TaurusDB for PostgreSQL.
|
Role/Policy Name |
Description |
Type |
Dependencies |
|---|---|---|---|
|
TaurusDB FullAccess |
Full permissions for TaurusDB for PostgreSQL |
System-defined policy |
TaurusDB FullAccess already contains the iam:agencies:listAgencies, iam:roles:listRoles, and iam:agencies:pass actions. TaurusDB for PostgreSQL is a region-level service, and IAM is a global service. If you want to grant TaurusDB FullAccess to a project, grant BSS ServiceAgencyReadPolicy (global service) to it as well. Granting TaurusDB FullAccess to all projects eliminates the need for additional configuration when using IAM actions. BSS ServiceAgencyCreatePolicy contains the following actions: iam:agencies:createAgency and iam:permissions:grantRoleToAgency. |
|
TaurusDB ReadOnlyAccess |
Read-only permissions for TaurusDB for PostgreSQL |
System-defined policy |
N/A |
Table 2 lists the common operations supported by system-defined permissions for TaurusDB for PostgreSQL.
|
Operation |
TaurusDB FullAccess |
TaurusDB ReadOnlyAccess |
|---|---|---|
|
Creating a TaurusDB for PostgreSQL instance |
√ |
x |
|
Deleting a TaurusDB for PostgreSQL instance |
√ |
x |
|
Querying TaurusDB for PostgreSQL instances |
√ |
√ |
|
Operation |
Actions |
Remarks |
|---|---|---|
|
Creating a DB instance |
gaussdb:instance:create gaussdb:param:list |
To select a VPC, subnet, and security group, configure the following actions: vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:securityGroupRules:get To create an encrypted instance, configure the KMS Administrator permission for the project. To purchase a yearly/monthly DB instance, configure the following actions: bss:order:update bss:order:pay |
|
Scaling up storage space |
gaussdb:instance:extendSpace |
N/A |
|
Rebooting a DB instance |
gaussdb:instance:restart |
N/A |
|
Deleting a DB instance |
gaussdb:instance:delete |
N/A |
|
Querying a DB instance list |
gaussdb:instance:list |
N/A |
|
Querying DB instance details |
gaussdb:instance:list |
If the VPC, subnet, and security group are displayed in the DB instance list, you need to configure vpc:*:get and vpc:*:list. |
|
Changing a DB instance password |
gaussdb:password:update |
N/A |
|
Changing a database port |
gaussdb:instance:modifyPort |
N/A |
|
Changing a DB instance name |
gaussdb:instance:modify |
N/A |
|
Changing the replication mode |
gaussdb:instance:modifySynchronizeModel |
N/A |
|
Changing the failover priority |
gaussdb:instance:modifyStrategy |
N/A |
|
Modifying the recycling policy |
gaussdb:instance:setRecycleBin |
N/A |
|
Restoring tables to a specified point in time |
gaussdb:instance:tableRestore |
N/A |
|
Obtaining a parameter template list |
gaussdb:param:list |
N/A |
|
Creating a parameter template |
gaussdb:param:create |
N/A |
|
Modifying parameters in a parameter template |
gaussdb:param:modify |
N/A |
|
Applying a parameter template |
gaussdb:param:apply |
N/A |
|
Modifying parameters of a specified DB instance |
gaussdb:param:modify |
N/A |
|
Obtaining the parameter template of a specified DB instance |
gaussdb:param:list |
N/A |
|
Obtaining parameters of a specified parameter template |
gaussdb:param:list |
N/A |
|
Deleting a parameter template |
gaussdb:param:delete |
N/A |
|
Resetting a parameter template |
gaussdb:param:reset |
N/A |
|
Comparing parameter templates |
gaussdb:param:list |
N/A |
|
Saving parameters in a parameter template |
gaussdb:param:save |
N/A |
|
Querying a parameter template type |
gaussdb:param:list |
N/A |
|
Setting an automated backup policy |
gaussdb:instance:modifyBackupPolicy |
N/A |
|
Querying an automated backup policy |
gaussdb:instance:list |
N/A |
|
Creating a manual backup |
gaussdb:backup:create |
N/A |
|
Obtaining a backup list |
gaussdb:backup:list |
N/A |
|
Obtaining the link for downloading a backup file |
gaussdb:backup:download |
N/A |
|
Querying the restoration time range |
gaussdb:instance:list |
N/A |
|
Restoring data to a new DB instance |
gaussdb:instance:create |
To select a VPC, subnet, and security group, configure the following actions: vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:securityGroupRules:get |
|
Restoring data to an existing or original DB instance |
gaussdb:instance:restoreInPlace |
N/A |
|
Obtaining a database backup file list |
gaussdb:backup:list |
N/A |
|
Obtaining a backup database list at a specified time point |
gaussdb:backup:list |
N/A |
|
Querying a database error log |
gaussdb:log:list |
N/A |
|
Querying a database slow log |
gaussdb:log:list |
N/A |
|
Downloading a database error log |
gaussdb:log:download |
N/A |
|
Downloading a database slow log |
gaussdb:log:download |
N/A |
|
Enabling or disabling the audit log function |
gaussdb:auditlog:operate |
N/A |
|
Obtaining an audit log list |
gaussdb:auditlog:list |
N/A |
|
Querying the audit log policy |
gaussdb:auditlog:list |
N/A |
|
Obtaining the link for downloading an audit log |
gaussdb:auditlog:download |
N/A |
|
Obtaining a switchover log |
gaussdb:log:list |
N/A |
|
Creating a database |
gaussdb:database:create |
N/A |
|
Querying details about databases |
gaussdb:database:list |
N/A |
|
Querying authorized databases of a specified user |
gaussdb:database:list |
N/A |
|
Dropping a database |
gaussdb:database:drop |
N/A |
|
Creating a database account |
gaussdb:databaseUser:create |
N/A |
|
Querying details about database accounts |
gaussdb:databaseUser:list |
N/A |
|
Querying authorized accounts of a specified database |
gaussdb:databaseUser:list |
N/A |
|
Deleting a database account |
gaussdb:databaseUser:drop |
N/A |
|
Authorizing a database account |
gaussdb:databasePrivilege:grant |
N/A |
|
Revoking permissions of a database account |
gaussdb:databasePrivilege:revoke |
N/A |
|
Viewing a task center list |
gaussdb:task:list |
N/A |
|
Deleting a task from the task center |
gaussdb:task:delete |
N/A |
|
Managing a tag |
gaussdb:instance:modify |
Tag-related operations depend on the tms:resourceTags:* permission. |
|
Stopping an instance |
gaussdb:instance:stop |
N/A |
|
Starting an instance |
gaussdb:instance:start |
N/A |
|
Modifying the remarks of a database account |
gaussdb:databaseUser:update |
N/A |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
