Permissions Management
If you need to assign different permissions to employees in your enterprise to buy or create WAF resources on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control, and helps you secure access to your Huawei Cloud resources. If your Huawei account works well for you and you do not need IAM users to manage permissions, you can skip this chapter.
IAM is a free service that Huawei Cloud provides for you. You pay only for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, some developers in your enterprise may need to use WAF, but you do not want them to have permissions for high-risk operations such as deleting WAF resources. In that case, you can use IAM to grant them only the permissions to use WAF but not to delete it, so their use of WAF resources stays under your control.
There are two types of IAM authorization: policy/role authorization and identity policy authorization.
The differences and relationships between the two authorization models are as follows:
| Name | Relationship | Permission | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | | Granting a role or policy to a subject | To authorize a user, you first add the user to a user group and then specify the scope of the authorization. Because authorization is by user group and only a limited number of condition keys are available, fine-grained permissions control is hard to achieve. This method is suitable for small and medium-sized enterprises. |
| Identity policy | User-Policy | | | You authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow more fine-grained permissions control. However, this model can be hard to set up: it requires a certain amount of expertise and is suitable for medium-sized and large enterprises. |
For example, if you want to grant an IAM user the permissions to create WAF instances in CN North-Beijing4 and OBS buckets in CN South-Guangzhou, in the role/policy-based model the administrator needs to create two custom policies and assign both to the IAM user. With ABAC, the administrator only needs to create one custom policy and configure the condition key g:RequestedRegion in it. The policy can then be attached to a subject, or the subject granted the policy, to assign the corresponding permissions. This configuration mode is more fine-grained and flexible.
Policies and actions in the two authorization models are not interoperable. You are advised to use the policy-based authorization model. The sections Role/Policy-based Permissions Management and Identity Policy-based Permissions Management below describe the system-defined permissions of each model.
For more information about IAM, see IAM Service Overview.
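The region-scoping example above can be made concrete with a small policy evaluator. The following is an added illustration, not Huawei Cloud code or a statement of how IAM evaluates requests: the JSON layout (Version/Statement/Effect/Action/Condition), the "service:resource:verb" action strings with `*` wildcards, the region IDs cn-north-4 and cn-south-1, and the decision order (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied) are all assumptions of this example. Only the condition key g:RequestedRegion is taken from the page. It shows one policy covering two regions through the condition key, and a developer policy that allows WAF use but denies every delete verb, which is the least-privilege case the introduction describes.

```python
"""Toy evaluator for identity policies shaped like Huawei Cloud IAM identity
policy documents (added example, not Huawei Cloud code).

Assumed, not taken from the page: the JSON layout, the
"service:resource:verb" action strings with '*' wildcards, the region IDs
cn-north-4 / cn-south-1, and the decision order (explicit Deny wins, then
any matching Allow grants, else implicit deny). Only g:RequestedRegion is
from the page.
"""
import fnmatch
import json

# One identity policy covers both regions by binding each statement to a
# g:RequestedRegion value, instead of two region-scoped custom policies.
REGION_SCOPED_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["waf:instance:create", "waf:instance:get"],
      "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["obs:bucket:create"],
      "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}}
    }
  ]
}
""")

# Developers may use WAF but never delete anything: the explicit Deny on
# delete verbs overrides the broad Allow, whichever order they appear in.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow", "Action": ["waf:*:*"]},
    {"Effect": "Deny",  "Action": ["waf:*:delete*"]}
  ]
}
""")


def action_matches(pattern: str, action: str) -> bool:
    """Match 'service:resource:verb' segment by segment; '*' spans one segment only."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    return len(p_parts) == len(a_parts) and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts)
    )


def condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals is modelled: every listed key must be present in the
    request context with one of the allowed values. A missing key fails closed."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in allowed:
            return False
    return True


def evaluate(policies: list, action: str, context: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in stmt["Action"]):
                continue
            if not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit deny is final
            decision = "Allow"       # keep scanning in case a Deny follows
    return decision


if __name__ == "__main__":
    beijing = {"g:RequestedRegion": "cn-north-4"}
    guangzhou = {"g:RequestedRegion": "cn-south-1"}
    print(evaluate([REGION_SCOPED_POLICY], "waf:instance:create", beijing))
    print(evaluate([REGION_SCOPED_POLICY], "waf:instance:create", guangzhou))
    print(evaluate([REGION_SCOPED_POLICY], "obs:bucket:create", guangzhou))
    print(evaluate([DEVELOPER_POLICY], "waf:policy:update", {}))
    print(evaluate([DEVELOPER_POLICY], "waf:instance:delete", beijing))
```

The point to take from the evaluator is the fail-closed condition check: a request that carries no g:RequestedRegion at all matches no region-bound statement, so a condition-keyed Allow never leaks into an unscoped request.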
Role/Policy-based Permissions Management
WAF supports role/policy-based authorization. By default, new IAM users have no permissions assigned. You add a user to one or more groups and attach permissions policies or roles to those groups. Users inherit the permissions of the groups they belong to and can perform the specified operations on cloud services accordingly.
WAF is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select specific projects (for example, ap-southeast-2) in specific regions (for example, AP-Bangkok), users have permissions only for resources in the selected projects. If you set Scope to All resources, users have permissions for resources in all region-specific projects. When accessing WAF, users need to switch to a region where they have been authorized to use the WAF service.
Table 2 lists all the system policies of WAF. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
| Role/Policy Name | Description | Category | Dependency |
|---|---|---|---|
| WAF Administrator | Administrator of WAF, who has the permissions to manage instances and protection policies. | System-defined role | Dependent on the Tenant Guest and Server Administrator roles. |
| WAF FullAccess | All permissions for WAF | System-defined policy | None. |
| WAF ReadOnlyAccess | Read-only permissions for WAF. | System-defined policy | |
Table 3 lists the common operations supported by system-defined permissions for WAF.
| Operation | WAF FullAccess | WAF ReadOnlyAccess | WAF Administrator |
|---|---|---|---|
| Querying domain names protected by cloud WAF | √ | √ | √ |
| Adding a domain name to cloud WAF | √ | x | √ |
| Querying details about a domain name by domain ID in cloud mode | √ | √ | √ |
| Updating configurations of domain names protected with cloud WAF | √ | x | √ |
| Deleting a domain name from the cloud WAF | √ | x | √ |
| Changing protection status of a domain name | √ | x | √ |
| Obtaining domain name routing information (in cloud mode) | √ | √ | √ |
| Querying domain names protected by dedicated WAF engines | √ | √ | √ |
| Adding a domain name to a dedicated WAF instance | √ | x | √ |
| Modifying a domain name protected by a dedicated WAF instance | √ | x | √ |
| Querying domain name settings in dedicated mode | √ | √ | √ |
| Deleting a domain name from a dedicated WAF instance | √ | x | √ |
| Modifying the protection status of a domain name in dedicated mode | √ | x | √ |
| Querying protection policies | √ | √ | √ |
| Adding a policy | √ | x | √ |
| Querying a policy by ID | √ | √ | √ |
| Updating a protection policy | √ | x | √ |
| Deleting a protection policy | √ | x | √ |
| Updating the domain names to which a protection policy applies | √ | x | √ |
| Changing the status of a rule | √ | x | √ |
| Querying the CC attack protection rule list | √ | √ | √ |
| Creating a CC attack protection rule | √ | x | √ |
| Querying a CC attack protection rule by ID | √ | √ | √ |
| Updating a CC protection rule | √ | x | √ |
| Deleting a CC protection rule | √ | x | √ |
| Querying precise protection rules | √ | √ | √ |
| Adding a precise protection rule | √ | x | √ |
| Querying a precise protection rule by ID | √ | √ | √ |
| Updating a precise protection rule | √ | x | √ |
| Deleting a precise protection rule | √ | x | √ |
| Querying the global protection whitelist rule list | √ | √ | √ |
| Creating a global protection whitelist rule | √ | x | √ |
| Querying a global protection whitelist rule | √ | √ | √ |
| Updating a global protection whitelist rule | √ | x | √ |
| Deleting a global protection whitelist rule | √ | x | √ |
| Querying the blacklist and whitelist rule list | √ | √ | √ |
| Adding a blacklist or whitelist rule | √ | x | √ |
| Querying a blacklist or whitelist rule | √ | √ | √ |
| Updating a blacklist or whitelist rule | √ | x | √ |
| Deleting a blacklist or whitelist rule | √ | x | √ |
| Querying the JavaScript anti-crawler rule list | √ | √ | √ |
| Updating a JavaScript anti-crawler protection rule | √ | x | √ |
| Creating a script anti-crawler rule | √ | x | √ |
| Querying a JavaScript anti-crawler rule | √ | √ | √ |
| Updating a JavaScript anti-crawler rule | √ | x | √ |
| Deleting a JavaScript anti-crawler rule | √ | x | √ |
| Querying data masking rules | √ | √ | √ |
| Creating a data masking rule | √ | x | √ |
| Querying the data masking rule list | √ | √ | √ |
| Updating a data masking rule | √ | x | √ |
| Deleting a data masking rule | √ | x | √ |
| Querying the list of known attack source rules | √ | √ | √ |
| Creating a known attack source rule | √ | x | √ |
| Querying a known attack source rule by ID | √ | √ | √ |
| Updating a known attack source rule | √ | x | √ |
| Deleting a known attack source rule | √ | √ | √ |
| Querying geolocation access control rules | √ | √ | √ |
| Creating a geolocation access control rule | √ | x | √ |
| Querying a geolocation control rule | √ | √ | √ |
| Updating a geolocation access control rule | √ | x | √ |
| Deleting a geolocation access control rule | √ | x | √ |
| Querying the list of web tamper protection rules | √ | √ | √ |
| Creating a web tamper protection rule | √ | x | √ |
| Querying a web tamper protection rule | √ | √ | √ |
| Deleting a web tamper protection rule | √ | x | √ |
| Updating the cache for a web tamper protection rule | √ | x | √ |
| Querying the list of information leakage prevention rules | √ | √ | √ |
| Creating a sensitive information leakage prevention rule | √ | x | √ |
| Querying an information leakage prevention rule | √ | √ | √ |
| Updating an information leakage prevention rule | √ | x | √ |
| Deleting an information leakage prevention rule | √ | x | √ |
| Querying the reference table list | √ | √ | √ |
| Adding a reference table | √ | x | √ |
| Querying the reference table list | √ | √ | √ |
| Modifying a reference table | √ | x | √ |
| Deleting a reference table | √ | x | √ |
| Querying IP address groups | √ | √ | √ |
| Creating an IP address group | √ | x | √ |
| Querying IP address group details | √ | √ | √ |
| Modifying an IP address group | √ | x | √ |
| Deleting an IP address group | √ | x | √ |
| Querying the certificate list | √ | √ | √ |
| Adding a certificate | √ | x | √ |
| Querying a certificate | √ | √ | √ |
| Modifying a certificate | √ | x | √ |
| Deleting a certificate | √ | x | √ |
| Applying a certificate to a domain name | √ | x | √ |
| Querying the list of attack events | √ | √ | √ |
| Querying the event details by event ID | √ | √ | √ |
| Querying the number of requests and attacks on dashboard | √ | √ | √ |
| Querying the QPS statistics | √ | √ | √ |
| Querying bandwidth usage statistics | √ | √ | √ |
| Querying the number of abnormal requests | √ | √ | √ |
| Querying security data statistics on dashboard | √ | √ | √ |
| Querying the requests to a protected website for a time range | √ | √ | √ |
| Querying features available in a site | √ | √ | √ |
| Querying dedicated WAF instances | √ | √ | √ |
| Creating a dedicated WAF instance | √ | x | √ |
| Querying details about a dedicated WAF instance | √ | √ | √ |
| Renaming a dedicated WAF instance | √ | x | √ |
| Deleting a dedicated WAF instance | √ | x | √ |
| Querying LTS settings | √ | √ | √ |
| Configuring LTS | √ | x | √ |
| Buying a yearly/monthly-billed cloud WAF instance | √ | x | √ |
| Changing specifications of a yearly/monthly-billed cloud WAF instance | √ | x | √ |
| Enabling the pay-per-use billing for a cloud WAF instance | √ | x | √ |
| Disabling the pay-per-use billing for a cloud WAF instance | √ | x | √ |
| Querying WAF subscriptions | √ | √ | √ |
| Querying the list of protected domain names | √ | √ | √ |
| Querying a domain name by ID | √ | √ | √ |
| Migrating a WAF instance along with domain names it protects from the current enterprise project to another | √ | x | √ |
| Querying WAF back-to-source IP addresses | √ | √ | √ |
| Querying alarm notification configuration | √ | √ | √ |
| Updating alarm notification configuration | √ | x | √ |
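One row in the table above deserves a second look before you hand WAF ReadOnlyAccess to auditors or an SOC: "Deleting a known attack source rule" is marked √ for the read-only permissions, while every other delete operation is marked x (the identity policy table later on the page shows the same). Whether that is a documentation slip or real behaviour is something to verify in your own account. The following script is an added example, not from the page: it audits a permission matrix in the layout of Table 3 and lists every mutating operation that the read-only column grants. The rows are a constructed subset of Table 3, and the verb list that classifies an operation as mutating is this script's own assumption.

```python
"""Audit a permission matrix in the layout of Table 3 for mutating operations
that a read-only role is marked as allowing (added example, not from the page).

The sample rows are a constructed subset of Table 3; the verb list used to
classify an operation as mutating is an assumption of this script.
"""

# First word of an operation name that means the operation changes state.
MUTATING_VERBS = frozenset({
    "adding", "creating", "updating", "modifying", "deleting", "changing",
    "configuring", "buying", "enabling", "disabling", "applying", "renaming",
    "migrating", "obtaining",
})
# "Obtaining" is included so that any obtain-style rows are flagged; the one
# such row in Table 3 is read-only for all three roles and is not in the sample.

# Constructed subset of Table 3. Columns: Operation | FullAccess | ReadOnlyAccess | Administrator
SAMPLE_MATRIX = """
| Querying protection policies | √ | √ | √ |
| Deleting a protection policy | √ | x | √ |
| Updating a known attack source rule | √ | x | √ |
| Deleting a known attack source rule | √ | √ | √ |
| Querying the certificate list | √ | √ | √ |
| Applying a certificate to a domain name | √ | x | √ |
"""

COLUMNS = ("full", "readonly", "admin")


def parse_matrix(text: str, columns=COLUMNS):
    """Return [(operation, {column: granted_bool}), ...] from pipe-separated rows.

    Rows with the wrong number of cells raise, so a mangled table cannot
    silently pass the audit.
    """
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(columns) + 1:
            raise ValueError(f"malformed row: {line!r}")
        grants = {name: cell == "√" for name, cell in zip(columns, cells[1:])}
        rows.append((cells[0], grants))
    return rows


def is_mutating(operation: str) -> bool:
    """Classify by the leading verb; anything not in MUTATING_VERBS is read-only."""
    return operation.split()[0].lower() in MUTATING_VERBS


def readonly_mutations(text: str, column: str = "readonly"):
    """Mutating operations that the given (read-only) column grants."""
    return [op for op, grants in parse_matrix(text)
            if is_mutating(op) and grants[column]]


if __name__ == "__main__":
    for op in readonly_mutations(SAMPLE_MATRIX):
        print("read-only column grants a mutating operation:", op)
```

Run against the full table, the same check is a cheap regression test to keep next to any custom policy you derive from these system-defined ones.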
Roles or Policies Required for Operations on the WAF Console
When using WAF, you may need to view resources of, or use, other cloud services. You therefore need the required permissions for those dependent services so that you can view their resources or use WAF functions on the WAF console. Make sure that WAF FullAccess or WAF ReadOnlyAccess has been assigned first, then add the permissions listed below.
| Console Function | Dependent Services | Policy/Role Required |
|---|---|---|
| Dashboard | Enterprise Project Management Service (EPS) | You can view the data on the Dashboard page of an enterprise project only after obtaining the EPS ReadOnlyAccess system policy. |
| Buying a dedicated WAF instance | Identity and Access Management (IAM), Network Console, VPC, Elastic Cloud Server (ECS), Tag Management Service (TMS) | |
| Buying a WAF instance (for Dedicated Cloud) | Elastic Volume Service (EVS) | The EVS ReadOnlyAccess system policy is required to query the EVS disks you have. |
| Managing dedicated WAF instances | Network Console, VPC, Elastic IP (EIP), Elastic Load Balance (ELB) | |
| Adding a website to WAF (ELB mode) | Elastic Load Balance (ELB) | The ELB Administrator system role is required, along with the ELB FullAccess and ELB ReadOnlyAccess permissions, to query load balancers bound to dedicated WAF instances. |
| Instance group management | Elastic Load Balance (ELB) | The ELB ReadOnlyAccess system policy is required to query load balancers used for a WAF instance group. |
| Adding a website to WAF (cloud and dedicated modes) | Cloud Certificate Manager (CCM) | The SCM ReadOnlyAccess system policy is required to query certificate details. |
| Editing server information | Cloud Certificate Manager (CCM) | |
| Website settings | Cloud Certificate Manager (CCM) | |
| Notifications | Simple Message Notification (SMN) | The SMN ReadOnlyAccess system policy is required to obtain SMN topic groups. |
| Enabling LTS for WAF logging | Log Tank Service (LTS) | The LTS ReadOnlyAccess system policy is required to select log group and log stream names created in LTS. |
Identity Policy-based Permissions Management
WAF supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for WAF. System-defined identity policies are independent from system policies in role/policy-based authorization.
| Policy Name | Description | Role Type |
|---|---|---|
| WAFFullAccessPolicy | Web Application Firewall (WAF) administrator | System-defined policy |
| WAFReadOnlyAccessPolicy | Read-only permissions for WAF | System-defined policy |
Table 6 lists the common operations supported by each system policy of WAF.
| Operation | WAFReadOnlyAccessPolicy | WAFFullAccessPolicy |
|---|---|---|
| Querying domain names protected by cloud WAF | √ | √ |
| Adding a domain name to cloud WAF | x | √ |
| Querying details about a domain name by domain ID in cloud mode | √ | √ |
| Updating configurations of domain names protected with cloud WAF | x | √ |
| Deleting a domain name from the cloud WAF | x | √ |
| Changing protection status of a domain name | x | √ |
| Obtaining domain name routing information (in cloud mode) | √ | √ |
| Querying domain names protected by dedicated WAF engines | √ | √ |
| Adding a domain name to a dedicated WAF instance | x | √ |
| Modifying a domain name protected by a dedicated WAF instance | x | √ |
| Querying domain name settings in dedicated mode | √ | √ |
| Deleting a domain name from a dedicated WAF instance | x | √ |
| Modifying the protection status of a domain name in dedicated mode | x | √ |
| Querying protection policies | √ | √ |
| Adding a policy | x | √ |
| Querying a policy by ID | √ | √ |
| Updating a protection policy | x | √ |
| Deleting a protection policy | x | √ |
| Updating the domain names to which a protection policy applies | x | √ |
| Changing the status of a rule | x | √ |
| Querying the CC attack protection rule list | √ | √ |
| Creating a CC attack protection rule | x | √ |
| Querying a CC attack protection rule by ID | √ | √ |
| Updating a CC protection rule | x | √ |
| Deleting a CC protection rule | x | √ |
| Querying precise protection rules | √ | √ |
| Adding a precise protection rule | x | √ |
| Querying a precise protection rule by ID | √ | √ |
| Updating a precise protection rule | x | √ |
| Deleting a precise protection rule | x | √ |
| Querying the global protection whitelist rule list | √ | √ |
| Creating a global protection whitelist rule | x | √ |
| Querying a global protection whitelist rule | √ | √ |
| Updating a global protection whitelist rule | x | √ |
| Deleting a global protection whitelist rule | x | √ |
| Querying the blacklist and whitelist rule list | √ | √ |
| Adding a blacklist or whitelist rule | x | √ |
| Querying a blacklist or whitelist rule | √ | √ |
| Updating a blacklist or whitelist rule | x | √ |
| Deleting a blacklist or whitelist rule | x | √ |
| Querying the JavaScript anti-crawler rule list | √ | √ |
| Updating a JavaScript anti-crawler rule | x | √ |
| Creating a script anti-crawler rule | x | √ |
| Querying a JavaScript anti-crawler rule | √ | √ |
| Updating a JavaScript anti-crawler rule | x | √ |
| Deleting a JavaScript anti-crawler rule | x | √ |
| Querying the data masking rule list | √ | √ |
| Creating a data masking rule | x | √ |
| Querying a data masking rule | √ | √ |
| Updating a data masking rule | x | √ |
| Deleting a data masking rule | x | √ |
| Querying the list of known attack source rules | √ | √ |
| Creating a known attack source rule | x | √ |
| Querying a known attack source rule by ID | √ | √ |
| Updating a known attack source rule | x | √ |
| Deleting a known attack source rule | √ | √ |
| Querying geolocation access control rules | √ | √ |
| Creating a geolocation access control rule | x | √ |
| Querying a geolocation access control rule | √ | √ |
| Updating a geolocation access control rule | x | √ |
| Deleting a geolocation access control rule | x | √ |
| Querying the list of web tamper protection rules | √ | √ |
| Creating a web tamper protection rule | x | √ |
| Querying a web tamper protection rule | √ | √ |
| Deleting a web tamper protection rule | x | √ |
| Updating the cache for a web tamper protection rule | x | √ |
| Querying the list of information leakage prevention rules | √ | √ |
| Creating an information leakage prevention rule | x | √ |
| Querying an information leakage prevention rule | √ | √ |
| Updating an information leakage prevention rule | x | √ |
| Deleting an information leakage prevention rule | x | √ |
| Querying the reference table list | √ | √ |
| Creating a reference table | x | √ |
| Querying the reference table list | √ | √ |
| Modifying a reference table | x | √ |
| Deleting a reference table | x | √ |
| Querying IP address groups | √ | √ |
| Creating an IP address group | x | √ |
| Querying IP address group details | √ | √ |
| Modifying an IP address group | x | √ |
| Deleting an IP address group | x | √ |
| Querying the certificate list | √ | √ |
| Adding a certificate | x | √ |
| Querying a certificate | √ | √ |
| Modifying a certificate | x | √ |
| Deleting a certificate | x | √ |
| Applying a certificate to a domain name | x | √ |
| Querying the list of attack events | √ | √ |
| Querying the event details by event ID | √ | √ |
| Querying the number of requests and attacks on dashboard | √ | √ |
| Querying the QPS statistics | √ | √ |
| Querying bandwidth usage statistics | √ | √ |
| Querying the number of abnormal requests | √ | √ |
| Querying security data statistics on dashboard | √ | √ |
| Querying the requests to a protected website for a time range | √ | √ |
| Querying features available in a site | √ | √ |
| Querying dedicated WAF instances | √ | √ |
| Creating a dedicated WAF instance | x | √ |
| Querying details about a dedicated WAF instance | √ | √ |
| Renaming a dedicated WAF instance | x | √ |
| Deleting a dedicated WAF instance | x | √ |
| Querying LTS settings | √ | √ |
| Configuring LTS for WAF logging | x | √ |
| Buying a yearly/monthly-billed cloud WAF instance | x | √ |
| Changing specifications of a yearly/monthly-billed cloud WAF instance | x | √ |
| Enabling the pay-per-use billing for a cloud WAF instance | x | √ |
| Disabling the pay-per-use billing for a cloud WAF instance | x | √ |
| Querying WAF subscriptions | √ | √ |
| Querying the list of protected domain names | √ | √ |
| Querying a domain name by ID | √ | √ |
| Migrating a WAF instance along with domain names it protects from the current enterprise project to another | x | √ |
| Querying WAF back-to-source IP addresses | √ | √ |
| Querying alarm notification configuration | √ | √ |
| Updating alarm notification configuration | x | √ |