Help Center> Cloud Bastion Host> User Guide> Instances> Permissions Management> Managing CBH Instance Permissions and Supported Actions
Updated on 2023-08-17 GMT+08:00

Managing CBH Instance Permissions and Supported Actions

This section describes fine-grained permissions management for your CBH. If your account does not need individual IAM users, then you may skip over this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

Permissions are classified into roles and policies based on the authorization granularity. Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

Supported Actions

CBH provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.

  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.
Table 1 Supported Actions

Permission

Action

Creating a CBH instance

cbh:instance:create

Changing CBH instance specifications

cbh:instance:alterSpec

Querying the CBH instance list

cbh:instance:list

Upgrading the CBH system version

cbh:instance:upgrade

Querying total ECS quota

cbh:instance:getEcsQuota

Binding or unbinding an EIP

cbh:instance:eipOperate

Restarting a CBH instance

cbh:instance:reboot

Starting a CBH instance

cbh:instance:start

Stopping a CBH instance

cbh:instance:stop

Querying the AZ of a CBH instance

cbh:instance:getAvailableZones

Checking whether an IPv6 CBH instance can be created

cbh:instance:checkIpv6

Checking network connection between the CBH instance and the license center

cbh:network:check

Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center

cbh:network:change