If you need to grant your enterprise personnel permission to access your Billing Center, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, you can use IAM to allow finance personnel in your enterprise to view data in the Billing Center but disallow them from paying for orders.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
Table 1 Differences between role/policy-based authorization and identity policy-based authorization
| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/Policy | User-permission-authorization scope | System-defined roles; system-defined policies; custom policies | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. This model provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. It is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | System-defined identity policies; custom identity policies | Assigning identity policies to principals; attaching identity policies to principals | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use identity policy-based authorization. For details about system-defined permissions of the two models, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
Billing Center supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations in Billing Center based on the permissions they have been assigned.
Table 2 lists all system-defined permissions for Billing Center. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
Table 2 System-defined permissions for Billing Center
| Role/Policy Name | Permissions | Type | Dependencies |
|---|---|---|---|
| BSS Administrator | Business Support System (BSS) administrator with all permissions. | System-defined role | None |
| BSS FinanceAccess | Permissions for financial operations, including payment, billing, invoicing, and cost-related operations. These permissions do not cover cloud service changes, such as resource unsubscriptions. This policy is generally granted to financial personnel. | System-defined policy | None |
| BSS ReadonlyAccess | Read-only permissions for Billing Center, Cost Center, and Message Center. | System-defined policy | None |
| BSS ServiceAgencyCreatePolicy | Permissions to create a service agency for provisioning yearly/monthly cloud service resources. | System-defined policy | None |
| BSS ServiceAgencyReadPolicy | Permissions to read the information of a service agency for provisioning yearly/monthly cloud service resources. | System-defined policy | None |

Table 3 lists the common operations supported by system-defined policies and roles for Billing Center.
Table 3 Common operations supported by system-defined policies and roles for Billing Center
| Operation | BSS Administrator | BSS FinanceAccess | BSS ReadonlyAccess |
|---|---|---|---|
| Modify account details, such as the password, applicable industry, contact information, preferences, and partners. | Supported | Not supported | Not supported |
| View account information. | Supported | Supported | Supported |
| Top up the account and pay off arrears. | Supported | Supported | Not supported |
| View the order details. | Supported | Supported | Supported |
| Pay for orders. | Supported | Supported | Not supported |
| Place or cancel orders. | Supported | Supported | Not supported |
| View the renewal management information. | Supported | Supported | Not supported |
| Renew resources, enable auto-renewal, set expiration policies, change the billing mode from pay-per-use to yearly/monthly, and release resources. | Supported | Supported | Not supported |
| View the resources that can be unsubscribed from and have been unsubscribed from. | Supported | Not supported | Not supported |
| Request invoices and view invoice information. | Supported | Supported | Not supported |
| View invoice history and details. | Supported | Not supported | Not supported |
| Export invoice information and download invoices. | Supported | Not supported | Not supported |
| Modify the contract or commerce information. | Supported | Supported | Not supported |
| View coupons. | Supported | Supported | Supported |
| View discount and price information. | Supported | Not supported | Not supported |
| View bills, usage details, and the expenditure growth on the Overview page. | Supported | Supported | Supported |
| Export bills, usage details, income and expense. | Supported | Supported | Not supported |
| View expenditure details, resource expenditures, bill analysis, and historical payments. | Supported | Supported | Supported |
| Export expenditure details, resource expenditures, bill analysis, and historical payments. | Supported | Supported | Not supported |
| View expenditure breakdowns by enterprise project. | Supported | Supported | Supported |
| Export expenditure breakdowns by enterprise project. | Supported | Supported | Not supported |
| Enable or disable Enterprise Project Management Service (EPS). | Supported | Not supported | Supported |
| Enable or disable the fund quota function for enterprise projects. | Supported | Supported | Not supported |
| View the fund quota of enterprise projects. | Supported | Supported | Supported |
| Adjust the fund quota of enterprise projects. | Supported | Supported | Not supported |
| View the fund quota adjustment records of enterprise projects. | Supported | Supported | Supported |
| Modify enterprise project groups. | Supported | Not supported | Not supported |
| View enterprise project groups. | Supported | Supported | Supported |

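The matrix in Table 3 can be used to pick the narrowest system-defined role or policy for a job function and to review what a policy grants beyond its name. The following Python sketch is an added example, not Huawei Cloud code: it embeds a subset of Table 3 rows with abbreviated row names, and the function names and the `READ_VERBS` heuristic are assumptions made for illustration.

```python
# Subset of Table 3 (row names abbreviated); column order follows POLICIES.
POLICIES = ("BSS Administrator", "BSS FinanceAccess", "BSS ReadonlyAccess")
TABLE3 = {
    "View account information": (1, 1, 1),
    "View order details": (1, 1, 1),
    "Pay for orders": (1, 1, 0),
    "Place or cancel orders": (1, 1, 0),
    "Top up the account and pay off arrears": (1, 1, 0),
    "View invoice history and details": (1, 0, 0),
    "View bills and usage details": (1, 1, 1),
    "Export bills and usage details": (1, 1, 0),
    "Enable or disable EPS": (1, 0, 1),
    "Adjust the fund quota of enterprise projects": (1, 1, 0),
    "Modify enterprise project groups": (1, 0, 0),
}
READ_VERBS = ("View", "Query")  # assumption: these verbs mark read-only rows


def granted(policy):
    """Operations the matrix marks as Supported for one policy."""
    col = POLICIES.index(policy)
    return {op for op, row in TABLE3.items() if row[col]}


def least_privilege(required, forbidden=()):
    """Policies covering `required` and granting nothing in `forbidden`,
    ordered by how many extra operations they hand out (fewest first)."""
    required, forbidden = set(required), set(forbidden)
    unknown = (required | forbidden) - set(TABLE3)
    if unknown:
        raise KeyError(f"not in the matrix: {sorted(unknown)}")
    fits = []
    for policy in POLICIES:
        ops = granted(policy)
        if required <= ops and not forbidden & ops:
            fits.append((len(ops - required), policy))
    return [policy for _, policy in sorted(fits)]


def state_changing(policy):
    """Granted operations that do not start with a read verb."""
    return sorted(op for op in granted(policy) if not op.startswith(READ_VERBS))


if __name__ == "__main__":
    print(least_privilege(["View order details"], ["Pay for orders"]))
    print(least_privilege(["View invoice history and details"], ["Pay for orders"]))
    print(state_changing("BSS ReadonlyAccess"))
```

An empty result means no system-defined role or policy in the matrix satisfies both constraints, which is the case a custom policy has to cover.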
Identity Policy-based Authorization
Billing Center supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for Billing Center. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
Table 4 System-defined identity policies for Billing Center
| Identity Policy Name | Permissions | Type |
|---|---|---|
| BILLINGFullAccessPolicy | All permissions for Billing Center, My Account, Cost Center, Enterprise Center, and Message Center. This policy is generally granted to the administrator. | System-defined identity policy |
| BILLINGOperatorPolicy | Permissions to query non-financial data across Billing Center, My Account, Cost Center, Enterprise Center, and Message Center. These permissions allow you to view cloud service changes, management activities, and usage data. This policy is generally granted to technical personnel, such as R&D and O&M personnel. | System-defined identity policy |
| BILLINGFinancePolicy | Permissions for financial operations, including payments, expenditures, invoicing, and costs. This policy does not have the permissions to modify cloud services. This policy is generally granted to financial personnel. | System-defined identity policy |
| BILLINGAgencyCreatePolicy | Permissions to create a service agency for provisioning yearly/monthly cloud service resources. | System-defined identity policy |

Table 5 lists the common operations supported by system-defined identity policies for Billing Center.
Table 5 Common operations supported by system-defined identity policies for Billing Center
| Operation | BILLINGFullAccessPolicy | BILLINGOperatorPolicy | BILLINGFinancePolicy |
|---|---|---|---|
| Top up or make payments, and set the available credit alert. | Supported | Not supported | Supported |
| Query payment history, expenditure quota, and arrears. | Supported | Not supported | Supported |
| Export payment history. | Supported | Supported | Supported |
| Manage and store bills. | Supported | Supported | Supported |
| View bills, amount due, unpaid bills, expenditure of the current month, and expenditure trends. | Supported | Supported | Supported |
| Export bills. | Supported | Supported | Supported |
| Manage bill details, such as customizing columns and setting query dimensions. | Supported | Supported | Supported |
| View detailed bills. | Supported | Supported | Supported |
| Export detailed bills. | Supported | Supported | Supported |
| View summary of resource packages, list of resource packages, remaining resources, and resource usage. | Supported | Supported | Supported |
| Set alerts for remaining usage of resource packages. | Supported | Supported | Supported |
| View and activate coupons. | Supported | Supported | Supported |
| View commercial discounts. | Supported | Not supported | Not supported |
| Manage invoices. | Supported | Not supported | Supported |
| View invoice history and details. | Supported | Not supported | Not supported |
| Export invoice information and download invoices. | Supported | Not supported | Not supported |
| Pay for orders. | Supported | Not supported | Supported |
| View orders. | Supported | Supported | Supported |
| Renew subscriptions. | Supported | Not supported | Supported |
| View renewable subscriptions. | Supported | Not supported | Supported |
| Unsubscribe from resources. | Supported | Supported | Not supported |
| View expenditure breakdowns by enterprise project. | Supported | Supported | Supported |
| Enable EPS. | Supported | Not supported | Not supported |
| Enable or disable the fund quota function for enterprise projects. | Supported | Not supported | Supported |
| View the fund quota of enterprise projects. | Supported | Supported | Supported |
| Adjust the fund quota of enterprise projects. | Supported | Not supported | Supported |
| View the fund quota adjustment records of enterprise projects. | Supported | Supported | Supported |
| Modify enterprise project groups. | Supported | Supported | Not supported |
| View enterprise project groups. | Supported | Supported | Supported |