Using IAM Roles or Policies to Grant Access to COC
To manage permissions for COC, use Identity and Access Management (IAM); for details, see Permissions Management. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to COC resources.
- Grant only the minimum permissions required for users to perform a given task.
- Entrust a Huawei account or a cloud service to perform efficient O&M on your COC resources.
If your Huawei Cloud account does not require individual IAM users, skip this section.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
Before authorizing a user group, learn about the permissions supported by COC and choose policies or roles according to your requirements. For details, see Permissions Management. For the permissions of other services, see System-defined Permissions.
Example Workflow
- Create a user group and assign permissions to it.
Create a user group on the IAM console, and assign the COCReadOnlyAccess policy to the group.
- Create an IAM user and add it to the user group.
Create a user on the IAM console and add the user to the group created in step 1.
- Log in and verify permissions.
Log in to the console as the created user, and verify the user's permissions in the authorized region by performing the following operations:
- Log in to COC and choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If the to-do task cannot be created (assuming you have only the COC ReadOnlyAccess permission), the COC ReadOnlyAccess permission has taken effect.
- Log in to COC and choose Task Management > To-do Center in the navigation pane. In the upper right corner of the displayed page, click Create Ticket. If the to-do task can be created (assuming you have only the COC FullAccess permission), the COC FullAccess permission has taken effect.
Example of Custom Policies for COC
If the system-defined COC permissions do not meet your authorization requirements, create custom policies. For actions supported for custom policies, see PoliciesActions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common COC custom policies.
- Example 1: Authorize users to create O&M tasks.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "coc:task:create"
            ]
        }
    ]
}
- Example 2: Grant permissions to deny document deletion.
A policy with only the Deny permissions must be used along with other policies to take effect. If the permissions granted to an IAM user contain both Allow and Deny, the Deny permissions take precedence over the Allow permissions.
Assume that you want to grant the permissions of the COC FullAccess policy to a user but want to prevent them from deleting documents. You can create a custom policy for denying document deletion, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on COC resources except deleting documents. The following is an example of a deny policy:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "coc:document:delete"
            ]
        }
    ]
}
- Example 3: Create a custom policy containing multiple actions.
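The evaluation rule stated in Example 2 (an explicit Deny in any attached policy overrides every Allow, and a Deny-only policy grants nothing by itself) is easy to get wrong when reasoning about combined policies. The following Python evaluator is an added illustration, not Huawei Cloud IAM's implementation and not the missing body of Example 3. It reuses the two actions quoted on this page (coc:task:create and coc:document:delete); the wildcard action standing in for the COC FullAccess policy and the multi-action policy are constructed assumptions, and the real system-defined policies may differ.

```python
"""Minimal evaluator for IAM-style policy documents in the "Version": "1.1"
shape shown on this page.

Added example, not Huawei Cloud IAM code. Only the actions
"coc:task:create" and "coc:document:delete" come from the page; every
other policy below is constructed for illustration.
"""
from fnmatch import fnmatchcase

# Example 1 from the page: allow creating O&M tasks.
CREATE_TASK_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["coc:task:create"]}],
}

# Example 2 from the page: deny document deletion.
DENY_DOC_DELETE_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["coc:document:delete"]}],
}

# Constructed stand-in for the system-defined COC FullAccess policy.
# Assumption: a wildcard over all COC actions; the real policy may differ.
FULL_ACCESS_STANDIN = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["coc:*:*"]}],
}

# Constructed policy with several actions in one statement (hypothetical
# action names other than coc:task:create).
MULTI_ACTION_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["coc:task:create", "coc:document:list", "coc:document:get"],
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """Match a policy action pattern (with '*' wildcards) against a request
    action, case-insensitively. fnmatch's '*' also spans the ':' separators."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policies, action: str) -> bool:
    """Return True if `action` is permitted by the combined set of `policies`.

    Evaluation:
      1. default is an implicit deny (nothing matched);
      2. a matching Allow makes the action allowed, unless
      3. a matching Deny in any policy exists, which wins regardless of the
         order in which the policies are attached.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if not any(_action_matches(p, action) for p in actions):
                continue
            effect = stmt.get("Effect")
            if effect == "Deny":
                return False      # explicit deny: no need to look further
            if effect == "Allow":
                allowed = True    # remember it, but keep scanning for a Deny
    return allowed


def explain(policies, action: str) -> str:
    """One-line verdict, handy when working out why a console action failed."""
    return f"{action}: {'ALLOW' if is_allowed(policies, action) else 'DENY'}"


if __name__ == "__main__":
    # Scenario from Example 2: FullAccess stand-in plus the deny policy.
    attached = [FULL_ACCESS_STANDIN, DENY_DOC_DELETE_POLICY]
    for act in ("coc:task:create", "coc:document:delete", "coc:document:list"):
        print(explain(attached, act))
    # Example 1 alone permits only task creation.
    print(explain([CREATE_TASK_POLICY], "coc:document:delete"))
```

Note that attaching DENY_DOC_DELETE_POLICY on its own grants nothing: a Deny-only policy only removes permissions that some other policy would otherwise allow, which is why the page says it must be used together with other policies.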