Granting COC Permissions Based on Policies

To manage permissions on COC, access IAM to:

Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing COC resources.
Grant only the minimum permissions required for users to perform a given task.
Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your COC resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

This section describes how to perform policy-based authorization. Figure 1 shows the process.

Prerequisites

Before granting permissions, ensure that you have learned about COC permissions. For details about the system policies supported by COC, see Policy-based Authorization Model. To grant permissions for other services, learn about all permissions supported by IAM by referring to System-defined Permissions.

Example Workflow

Figure 1 Process of granting COC permissions to a user

Create a user or Create a user group.
Log in to the IAM console to create an IAM user or user group.
Grant a system policy to the user or the user group.
Assign the system read-only permission COC ReadOnlyPolicy and the service administrator permission COC FullAccessPolicy to the user or add them to the user group.
Log in to COC and verify permissions.
Log in to the console as an authorized user and verify the permissions.
- Log in to COC, choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If a to-do task fails to be created (assume that you have only the COC ReadOnlyPolicy permission), the COC ReadOnlyPolicy permission has been applied.
- Log in to COC, choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If a to-do task can be created (assume that you have only the COC FullAccessPolicy permission), the COC FullAccessPolicy permission has been applied.
Custom policies can be created as a supplement to the system policies of COC. For actions supported for custom policies, see Policies and Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common COC custom policies.

Example Custom Policies for COC

Example 1: Allow users to create O&M tasks.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:task:create"
      ]
    }
  ]
}

Example 2: Grant permissions to deny topic deletion.
A policy with only the Deny permissions must be used along with other policies to take effect. If the permissions granted to an IAM user contain both Allow and Deny, the Deny permissions take precedence over the Allow permissions.
Assume that you want to grant the permissions of the COC FullAccessPolicy policy to a user but want to prevent them from deleting documents. You can create a custom policy for denying document deletion, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on COC resources except deleting documents. The following is an example of a deny policy:
```
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "coc:document:delete"
      ]
    }
  ]
}
```
Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of multiple services that are of the project-level type. The following is an example policy containing actions of multiple services:
```
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "coc:document:create",
        "scm:cert:complete"
      ]
    }
  ]
}
```