Granting COC Permissions Based on Roles

This section describes how to use IAM to implement fine-grained permissions control for your COC resources. With IAM, you can:

Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing COC resources.
Grant only the minimum permissions required for users to perform a given task.
Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your COC resources.

If your Huawei Cloud account does not require individual IAM users, skip this section.

This section describes the procedure for granting COC permissions (see Figure 1).

Prerequisites

Before assigning permissions to a user group, ensure that you have learned about the permissions supported by COC. For details about the system-defined permissions supported by COC, see Permissions Management. To grant permissions for other services, learn about all system-defined permissions.

Example Workflow

Figure 1 Process of granting COC permissions to a user

Create a user group and assign permissions to it.
Create a user group on the IAM console, and grant the read-only system permission COC ReadOnlyAccess and the administrator system permission COC FullAccess to the user group.
Create an IAM user and add it to the group.
Create a user on the IAM console and add the user to the group created in 1.
Log in to COC and verify permissions.
- Log in to COC, choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If a to-do task fails to be created (assume that you have only the COC ReadOnlyAccess permission), the COC ReadOnlyAccess permission has been applied.
- Log in to COC, choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If a to-do task can be created (assume that you have only the COC FullAccess permission), the COC FullAccess permission has been applied.
If the system-defined COC permissions do not meet your authorization requirements, create custom policies. For actions supported for custom policies, see Policies and Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common COC custom policies.

Example Custom Policies for COC

Example 1: Allow users to create O&M tasks.

{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:task:create"
      ]
    }
  ]
}

Example 2: Grant permissions to deny topic deletion.
A policy with only the Deny permissions must be used along with other policies to take effect. If the permissions granted to an IAM user contain both Allow and Deny, the Deny permissions take precedence over the Allow permissions.
Assume that you want to grant the permissions of the COC FullAccess policy to a user but want to prevent them from deleting documents. You can create a custom policy for denying document deletion, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on COC resources except deleting documents. The following is an example of a deny policy:
```
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "coc:document:delete"
      ]
    }
  ]
}
```
Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of multiple services that are of the project-level type. The following is an example policy containing actions of multiple services:
```
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:document:create",
        "scm:cert:complete"
      ]
    }
  ]
}
```