Help Center/ Ubiquitous Cloud Native Service/ Service Overview/ Permissions Management
Updated on 2025-07-29 GMT+08:00
Share

Permissions Management

If you need to grant your enterprise personnel permissions to access your UCS resources, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, which help secure access to your resources.

With IAM, you can create IAM users and grant them permissions to access only specific resources. For example, if you want some software developers in your enterprise to be able to use UCS clusters but do not want them to be able to unregister clusters or perform any other high-risk operations, you can create IAM users and grant them permissions to use UCS clusters but not permissions to delete them.

UCS Permission Types

UCS provides refined permission management based on the role access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented by UCS service resource and Kubernetes resource in a cluster. The two permission types apply to different resource types and are granted using different methods.

  • UCS resource permissions are granted based on the system policies of IAM. UCS resources include fleets, clusters, and federation instances. Administrators can grant different permissions to different user roles (such as development and O&M) to control their use of UCS resources.
  • Kubernetes resource permissions in a cluster are granted based on the Kubernetes RBAC capability. Refined permissions can be granted to Kubernetes resource objects in a cluster. With permission settings, the permissions for performing operations on different Kubernetes resource objects (such as workloads, jobs, and services) will vary with users.

If your team mainly uses UCS resources, IAM system-defined policies can meet your requirements. If you need refined permissions on Kubernetes resource objects in a cluster, use IAM system-defined policies together with Kubernetes RBAC.

UCS Resource Permissions (IAM-based)

New IAM users do not have any permissions assigned by default. You need to add them to one or more groups and attach permissions policies or roles to these groups. Users then inherit permissions from the groups they belong to and can perform specified operations on cloud services based on the permissions.

UCS is a global service deployed in all physical regions. When you set the authorization scope to Global services, users have permissions to access UCS in all regions.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Cloud services often depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant IAM users only permissions to manage a certain type of fleets and clusters.

Table 1 lists all system-defined permissions for UCS.

Table 1 System-defined permissions for UCS

Policy Name

Description

Type

UCS FullAccess

Administrator permissions for UCS. Users with these permissions can perform all operations on UCS resources, for example, creating permission policies and security policies.

System-defined policy

UCS CommonOperations

Common operation permissions for UCS. Users with these permissions can create workloads, distribute traffic, and perform other operations.

System-defined policy

UCS CIAOperations

Administrator permissions for Container Intelligent Analysis.

System-defined policy

UCS ReadOnlyAccess

Read-only permissions for UCS (except for Container Intelligent Analysis)

System-defined policy

Services on Huawei Cloud are interdependent, so UCS depends on other cloud services to implement some functions such as image repository and domain name resolution. The preceding four system-defined policies are often used together with roles or policies of other cloud services for refined authorization. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the least-privilege permissions required by the Administrator, Developer, and Viewer roles to use each UCS function.

Table 2 Least-privilege permissions required by each UCS function

Function

Permission Type

Permissions

Least-Privilege Permissions

Fleets

Administrator
  • Creating and deleting a fleet
  • Registering a Huawei Cloud cluster (CCE standard cluster or CCE Turbo cluster), an on-premises cluster, or an attached cluster
  • Unregistering a cluster
  • Adding a cluster to or removing a cluster from a fleet
  • Adding permissions for a cluster or fleet
  • Enabling cluster federation and performing federation management operations (such as creating a workload and creating a DNS policy)

UCS FullAccess

Viewer

Querying the list or details of clusters or fleets

UCS ReadOnlyAccess

Huawei Cloud clusters

Administrator

Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS FullAccess + CCE Administrator

Developer

Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + CCE Administrator

Viewer

Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS ReadOnlyAccess + CCE Administrator

On-premises/Attached clusters

Administrator

Read-write permissions on on-premises/attached clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS FullAccess

Developer

Read-write permissions on on-premises/attached clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.)

Viewer

Read-only permissions on on-premises/attached clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.)

Image Repositories

Administrator

All permissions on SoftWare Repository for Container (SWR), including creating organizations, pushing images, viewing the image list or details, and pulling images

SWR Administrator

Permissions

Administrator
  • Creating and deleting permissions
  • Viewing the permission list or details
NOTE:

When creating permissions, you need to grant the IAM ReadOnlyAccess permissions (read-only permissions on IAM) to IAM users to obtain the IAM user list.

UCS FullAccess + IAM ReadOnlyAccess

Viewer

Viewing the permission list or details

UCS ReadOnlyAccess + IAM ReadOnlyAccess

Policy Center

Administrator
  • Enabling Policy Center
  • Creating and disabling a policy instance
  • Viewing the policy list
  • Viewing policy implementation details

UCS FullAccess

Viewer

Viewing the policy list and policy implementation details of fleets and clusters with Policy Center enabled

UCS CommonOperations or UCS ReadOnlyAccess

Traffic Distribution

Administrator

Creating a traffic policy, suspending and deleting a scheduling policy, and performing other operations
  • UCS CommonOperations + DNS Administrator (recommended)
  • UCS FullAccess + DNS Administrator

Viewer

Viewing the traffic policy list or details

UCS ReadOnlyAccess + DNS Administrator

Container Intelligent Analysis

Administrator
  • Connecting clusters or canceling cluster connection
  • Viewing the monitoring data of infrastructures, workloads, and other resources

UCS CIAOperations

Kubernetes Resource Permissions in a Cluster (Kubernetes RBAC-based)

Kubernetes resource permissions in a cluster are based on Kubernetes RBAC. The administrator can grant users refined permissions on specific Kubernetes resource objects in a cluster. These are cluster- and namespace-level resources. Refined operation permissions include get, list, watch, create, update, patch, and delete. The permissions take effect on the namespaces of a fleet or a cluster that is not added to any fleet. The operation permissions details are as follows:

  • get retrieves a specific resource object by name.
  • list retrieves all resource objects of a specific type in the namespace.
  • watch responds to resource changes.
  • create creates a resource.
  • update updates a resource.
  • patch updates resources partially.
  • delete deletes a resource.

For details about cluster- and namespace-level resources, see Kubernetes Resource Objects.

For example, after permission policies are configured according to the scheme shown in Figure 1, user A can only perform get, list, and watch (read-only) operations on Deployments, pods, and Services in namespace A of the fleet, and user B can perform all operations on all resources in namespace B of the fleet.

Figure 1 Granting permissions on Kubernetes resources

Five common permission types are available on the UCS console: Administrator, O&M, Developer, Viewer, and Custom. You can grant these permission types to users. If these permission types cannot meet your requirements, you can configure custom permissions by specifying the operation type and resource object.

Table 3 Permission types

Permission Type

Description

Administrator

Read-write permissions on all Kubernetes resource objects

Developer

Read-write permissions on most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

Viewer

Read-only permissions on all Kubernetes resource objects