Permissions

If you need to assign different permissions to personnel in your enterprise to access your VPCs, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources.

With IAM, you can create IAM users, and assign permissions to control their access to specific resources. For example, if you want some software developers in your enterprise to use VPCs but do not want them to delete VPCs or perform any other high-risk operations, you can grant permissions to use VPCs but not permissions to delete them.

If your HUAWEI ID does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account. For more information, see IAM Service Overview.

VPC Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

VPC is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-1) in the specified regions (for example, CN-Hong Kong), the users only have permissions for VPCs in the selected projects. If you set Scope to All resources, users have permissions for VPCs in all region-specific projects. When accessing VPCs, the users need to switch to the authorized region.

You can grant permissions by using roles and policies.

Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When you grant permissions using roles, you also need to attach dependent roles. Roles are not ideal for fine-grained authorization and least privilege access.
Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant VPC users only the permissions for managing a certain type of resources. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by VPC, see Permissions Policies and Supported Actions.

Table 1 lists all the system-defined permissions for VPC.

**Table 1** System-defined permissions for VPC
Policy Name	Description	Policy Type	Dependencies
VPC FullAccess	Full permissions for VPC	System-defined policy	To use the VPC flow log function, users must also have the LTS ReadOnlyAccess permission.
VPC ReadOnlyAccess	Read-only permissions on VPC.	System-defined policy	None
VPC Administrator	Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules. To be granted this permission, users must also have the Tenant Guest permission.	System-defined role	Tenant Guest policy, which must be attached in the same project as VPC Administrator.

Table 2 lists the common operations supported by system-defined permissions for VPC.

**Table 2** Common operations supported by system-defined permissions
Operation	VPCReadOnlyAccess	VPC Administrator	VPC FullAccess
Creating a VPC	Not supported	Supported	Supported
Modifying a VPC	Not supported	Supported	Supported
Deleting a VPC	Not supported	Supported	Supported
Viewing VPC information	Supported	Supported	Supported
Creating a subnet	Not supported	Supported	Supported
Viewing subnet information	Supported	Supported	Supported
Modifying a subnet	Not supported	Supported	Supported
Deleting a subnet	Not supported	Supported	Supported
Creating a security group	Not supported	Not supported	Supported
Viewing security group information	Supported	Not supported	Supported
Modifying a security group	Not supported	Not supported	Supported
Deleting a security group	Not supported	Not supported	Supported
Adding a security group rule	Not supported	Not supported	Supported
Viewing a security group rule	Supported	Not supported	Supported
Modifying a security group rule	Not supported	Not supported	Supported
Deleting a security group rule	Not supported	Not supported	Supported
Creating a network ACL	Not supported	Supported	Supported
Viewing a network ACL	Supported	Supported	Supported
Modifying a network ACL	Not supported	Supported	Supported
Deleting a network ACL	Not supported	Supported	Supported
Adding a network ACL rule	Not supported	Supported	Supported
Modifying a network ACL rule	Not supported	Supported	Supported
Deleting a network ACL rule	Not supported	Supported	Supported
Creating a VPC peering connection	Not supported	Supported	Supported
Modifying a VPC peering connection	Not supported	Supported	Supported
Deleting a VPC peering connection	Not supported	Supported	Supported
Querying a VPC peering connection	Supported	Supported	Supported
Accepting a VPC peering connection request	Not supported	Supported	Supported
Rejecting a VPC peering connection request	Not supported	Supported	Supported
Creating a route table	Not supported	Supported	Supported
Deleting a route table	Not supported	Supported	Supported
Modifying a route table	Not supported	Supported	Supported
Associating a route table with a subnet	Not supported	Supported	Supported
Adding a route	Not supported	Supported	Supported
Modifying a route	Not supported	Supported	Supported
Deleting a route	Not supported	Supported	Supported
Creating a VPC flow log	Not supported	Supported	Supported
Viewing a VPC flow log	Supported	Supported	Supported
Enabling or disabling a VPC flow log	Not supported	Supported	Supported
Deleting a VPC flow log	Not supported	Supported	Supported