CNAD Pro Permissions and Actions
This section describes how to use IAM for fine-grained CNAD permissions management. If your Huawei Cloud account does not need individual IAM users, skip this section.
By default, new IAM users do not have any permissions. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added. Users inherit permissions from the groups and can perform operations on cloud services as allowed by the permissions.
You can grant users permissions by using roles and policies. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. IAM uses policies to perform fine-grained authorization. A policy defines permissions required to perform operations on specific cloud resources under certain conditions.
Supported Actions
CNAD Pro provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.
- Permissions: Statements in a policy that allow or deny certain operations
- Actions: Added to a custom policy to control permissions for specific operations
Permission |
Action |
Dependency |
---|---|---|
Querying Quotas |
cnad:quota:get |
- |
Querying Details About a Protection Policy |
cnad:policy:get |
- |
Querying Statistics |
cnad:countReport:get |
- |
Querying the Asset Security Status |
cnad:securityStatusReport:get |
- |
Querying Weekly Security Statistics |
cnad:weekStatisticsReport:get |
- |
Configuring an Alarm Notification |
cnad:alarmConfig:create |
To grant the alarm notification permission to users, you must also grant the cnad:alarmConfig:create permission and the SMN Administrator permission configured for the CN-Hong Kong region to the users. |
Deleting an Alarm Notification |
cnad:alarmConfig:delete |
To grant the alarm notification permission to users, you must also grant the cnad:alarmConfig:delete permission and the SMN Administrator permission configured for the CN-Hong Kong region to the users. |
Querying Alarm Notifications |
cnad:alarmConfig:get |
To grant the alarm notification permission to users, you must also grant the cnad:alarmConfig:get permission and the SMN Administrator permission configured for the CN-Hong Kong region to the users. |
Upgrading an Instance |
cnad:package:put |
- |
Binding an IP Address to Be Protected to an Instance |
cnad:protectedIp:create |
To grant a user the permission for binding objects to a CNAD Pro instance, you need to grant both the cnad:protectedIp:create permission and the vpc:publicIps:list permission configured for the region to which the instance belongs. For example, a user purchases a CNAD Pro instance that is located in CN-Hong Kong. To grant a user the permission for binding objects to a CNAD Pro instance, you need to grant both the cnad:protectedIp:create permission, and the vpc:publicIps:list permission configured for CN-Hong Kong so that the user can only perform operations on the protected objects in CN-Hong Kong. |
Creating a Protection Policy |
cnad:policy:create |
- |
Updating a Protection Policy |
cnad:policy:put |
- |
Deleting a Protection Policy |
cnad:policy:delete |
- |
Binding a Protection Policy to a Protected IP Address |
cnad:bindPolicy:create |
- |
Removing a Protection Policy from a Protected IP Address |
cnad:unbindPolicy:create |
- |
Adding a Blacklist or Whitelist Rule |
cnad:blackWhiteIpList:create |
- |
Deleting a Blacklist or Whitelist Rule |
cnad:blackWhiteIpList:delete |
- |
Updating the Tag of a Protected IP Address |
cnad:ipTag:put |
- |
Querying the Cleaning Scope |
cnad:cleanScaleDropList:list |
- |
Querying Instances |
cnad:packageDropList:list |
- |
Querying Protection Policies |
cnad:policyDropList:list |
- |
Querying the List of Protected IP Addresses |
cnad:protectedIpDropList:list |
- |
Querying Details of an Instance |
cnad:package:list |
- |
Querying Details About a Protection Policy |
cnad:policy:list |
- |
Querying the List of Protected IP Addresses |
cnad:protectedIp:list |
- |
Querying Total Traffic Data |
cnad:trafficTotalReport:list |
- |
Querying Attack Traffic |
cnad:trafficAttackReport:list |
- |
Queries the Total Number of Data Packets |
cnad:packetTotalReport:list |
- |
Querying the Number of Attack Packets |
cnad:packetAttackReport:list |
- |
Querying DDoS Mitigation Trend |
cnad:cleanCountReport:list |
- |
Querying the Peak Traffic Scrubbed |
cnad:cleanKbpsReport:list |
- |
Querying the Distribution of Attack Types |
cnad:attackTypeReport:list |
- |
Querying Attack Events |
cnad:attackReport:list |
- |
Querying Top 10 Attacked IP Addresses |
cnad:attackTop:list |
- |
Creating an Instance |
cnad:package:create |
To grant a user the permission for purchasing CNAD Pro, you need to grant the cnad:package:create permission to the user and the following BSS permissions configured for all regions: |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot