CFW Permissions and Supported Actions

This topic describes fine-grained permissions management for your CFW instances. If your Huawei Cloud account does not need individual IAM users, then you may skip over this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

If the peak TPS is greater than 2000, local authentication is required.

Supported Actions

CFW provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.

Permission: A statement in a policy that allows or denies certain operations.
Action: Specific operations that are allowed or denied.

Permission	Action
Create a cloud firewall	cfw:instance:create
Add CFW capacity	cfw:instance:alterSpec
Delete a cloud firewall	cfw:instance:delete
Query a cloud firewall	cfw:instance:get
Query the cloud firewall list	cfw:instance:list
Enable or disable EIP protection	cfw:eip:operate
Query the EIP list	cfw:eip:list
Query EIP statistics	cfw:eipStatistics:get
Query policy statistics	cfw:policyStatistics:get
Create an ACL rule	cfw:acl:create
Modify an ACL rule	cfw:acl:put
Delete an ACL rule	cfw:acl:delete
Query the ACL rule list	cfw:acl:list
Configure ACL rule priority	cfw:acl:setPriority
Create a blacklist or whitelist	cfw:blackWhite:create
Modify a blacklist or whitelist	cfw:blackWhite:put
Delete a blacklist or whitelist	cfw:blackWhite:delete
Query a blacklist or whitelist	cfw:blackWhite:list
Create an IP address group	cfw:ipGroup:create
Modify an IP address group	cfw:ipGroup:put
Delete an IP address group	cfw:ipGroup:delete
Query the IP address group list	cfw:ipGroup:list
Query the details of an IP address group	cfw:ipGroup:get
Add a member to an IP address group	cfw:ipMember:create
Update a member in an IP address group.	cfw:ipMember:put
Delete a member from an IP address group	cfw:ipMember:delete
Query IP address group members	cfw:ipMember:list
Create a service group	cfw:serviceGroup:create
Modify a service group	cfw:serviceGroup:put
Delete a service group	cfw:serviceGroup:delete
Query the details about a service group	cfw:serviceGroup:get
Query the service group list	cfw:serviceGroup:list
Add a member to a service group	cfw:serviceMember:create
Update a member in a service group	cfw:serviceMember:put
Delete a member from a service group	cfw:serviceMember:delete
Query service group members	cfw:serviceMember:list
Query the ACL log list	cfw:accessControlLog:list
Query the traffic log list	cfw:flowLog:list
Query the attack log list	cfw:attackLog:list
Query the traffic log report	cfw:flowLogReport:get
Query the ACL log report	cfw:accessControlLogReport:get
Query the ACL log report	cfw:attackLogReport:get
Enable basic protection	cfw:ips:start
Disable basic protection	cfw:ips:stop
Query basic protection status	cfw:ipsStatus:get
Configure the IPS mode	cfw:ipsMode:operate
Query the IPS mode	cfw:ipsMode:get
Create a packet capture task	cfw:captureTask:create
Query the packet capture task list	cfw:captureTask:list
Batch delete packet capture tasks	cfw:captureTask:delete
Stop a packet capture task	cfw:captureTask:stop
Download packet capture results	cfw:captureTask:getResult
Query CFW instance resources	cfw:resource:list