Updated on 2025-11-24 GMT+08:00

Using IAM Identity Policies to Grant Access to Cost Center

System-defined permissions in identity-based authorization provided by Identity and Access Management (IAM) let you control access to Cost Center. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Cost Center.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account to perform efficient O&M on your Cost Center.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about system-defined permissions in Identity Policy-based Authorization for Cost Center. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting Cost Center permissions using identity policy-based authorization
  1. On the IAM console, create an IAM user or create a user group.
  2. Attach a system-defined identity policy (CostCenterReadOnlyPolicy is used as an example) to the user or user group.

    Assign the permissions defined in the system-defined identity policy CostCenterReadOnlyPolicy to the user or group, or attach the system-defined identity policy to it.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • In the upper right corner of the Huawei Cloud official website, choose Billing & Costs from the drop-down list of your login account. Then, click Cost Center to check whether you have the query permission. If you do, the CostCenterReadOnlyPolicy policy is in effect.
    • Add or delete data on any page in Cost Center. If you see a message about insufficient permissions to perform the operation, the CostCenterReadOnlyPolicy policy is in effect.

Example Custom Identity Policies

You can create custom identity policies to supplement the system-defined identity policies of Cost Center. For details about actions supported in custom identity policies, see Actions Supported by Identity Policy-based Authorization.

To create a custom identity policy, choose either the visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal. The following provides examples of custom Cost Center identity policies.

  • Example 1: Grant permission to view cost analyses and add/modify budget reports.
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "costCenter:costAnalysis:listCosts",
                    "costCenter:budget:configBudgetReport"
                ]
            }
        ]
    }
  • Example 2: Grant permission to view cost analyses and configure cost budgets in Cost Center, and export the bill summary in Billing Center.

    A custom policy can contain the actions of one or multiple services.

    Example policy containing multiple actions:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "costCenter:costAnalysis:listCosts",
                    "costCenter:budget:configBudget"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "billing:bill:export"
                ]
            }
        ]
    }
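
A custom identity policy can be reviewed against an approved action list before it is attached, so that it grants only what the job requires. The following Python check is an added example, not Huawei Cloud code: the approval list, the role it stands for, the function name, and the treatment of `*` as a wildcard in action names are assumptions, and the sample input is Example 2 from this page.

```python
import json

# Assumed approval list for a hypothetical "cost analyst" role, built only
# from action names that appear in the examples on this page.
APPROVED_ACTIONS = {
    "costCenter:costAnalysis:listCosts",
    "costCenter:budget:configBudget",
}

# Example 2 from this page, embedded as sample input.
EXAMPLE_2 = """
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["costCenter:costAnalysis:listCosts",
                "costCenter:budget:configBudget"]},
    {"Effect": "Allow", "Action": ["billing:bill:export"]}
  ]
}
"""

def review_policy(policy_text, approved=APPROVED_ACTIONS):
    """Return (statement_index, action, reason) for each Allow outside `approved`."""
    policy = json.loads(policy_text)
    approved_services = {a.split(":", 1)[0] for a in approved}
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        for action in actions:
            if "*" in action:  # assumption: "*" acts as a wildcard in action names
                findings.append((index, action, "wildcard action"))
            elif action.split(":", 1)[0] not in approved_services:
                findings.append((index, action, "service not approved"))
            elif action not in approved:
                findings.append((index, action, "action not approved"))
    return findings

if __name__ == "__main__":
    for finding in review_policy(EXAMPLE_2):
        print(finding)
```

Run against Example 2, the check reports the Billing Center export action in the second statement, which is the cross-service grant a reviewer should confirm is intended.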