Creating a User and Authorizing the User the Permission to Access DEW
This section describes how to use IAM to implement fine-grained permissions control for your DEW resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.
- Grant users only the permissions required to perform a task.
- Entrust a Huawei account or cloud service to perform professional, efficient O&M on your DEW resources.
If your Huawei account does not require individual IAM users, skip this chapter.
This section describes the procedure for granting permissions (see Figure 1).
Prerequisites
Before granting permissions to a user group, you need to understand the available DEW permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in DEW.
For the system policies of other services, see System Permissions.
Role/Policy |
Description |
Type |
Dependency |
---|---|---|---|
KMS Administrator |
All permissions of KMS |
Role |
None |
KMS CMKFullAccess |
All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
KMS CMKReadOnlyAccess |
Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
Role/Policy |
Description |
Type |
Dependency |
---|---|---|---|
DEW KeypairFullAccess |
All permissions for KPS. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
DEW KeypairReadOnlyAccess |
Read-only permissions for KPS in DEW. Users with this permission can only view KPS data. |
Policy |
None |
Role/Policy |
Description |
Type |
Dependency |
---|---|---|---|
CSMS FullAccess |
All permissions for CSMS in DEW. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
CSMS ReadOnlyAccess |
Read-only permissions for CSMS in DEW. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
Table 4 describes the common operations supported by each system-defined permission of DEW. Select the permissions as needed.
Operation |
KMS Administrator |
KMS CMKFullAccess |
DEW KeypairFullAccess |
DEW KeypairReadOnlyAccess |
---|---|---|---|---|
Creating a key |
√ |
√ |
x |
x |
Enable a key |
√ |
√ |
x |
x |
Disable a key |
√ |
√ |
x |
x |
Schedule key deletion |
√ |
√ |
x |
x |
Cancel scheduled key deletion |
√ |
√ |
x |
x |
Modify a key alias |
√ |
√ |
x |
x |
Modify key description |
√ |
√ |
x |
x |
Generate a random number |
√ |
√ |
x |
x |
Create a DEK |
√ |
√ |
x |
x |
Create a plaintext-free DEK |
√ |
√ |
x |
x |
Encrypt a DEK |
√ |
√ |
x |
x |
Decrypt a DEK |
√ |
√ |
x |
x |
Obtain parameters for importing a key |
√ |
√ |
x |
x |
Import key materials |
√ |
√ |
x |
x |
Delete key materials |
√ |
√ |
x |
x |
Create a grant |
√ |
√ |
x |
x |
Revoke a grant |
√ |
√ |
x |
x |
Retire a grant |
√ |
√ |
x |
x |
Query the grant list |
√ |
√ |
x |
x |
Query retirable grants |
√ |
√ |
x |
x |
Encrypt data |
√ |
√ |
x |
x |
Decrypt data |
√ |
√ |
x |
x |
Send signature messages |
√ |
√ |
x |
x |
Authenticate signature |
√ |
√ |
x |
x |
Enabling key rotation |
√ |
√ |
x |
x |
Modify key rotation interval |
√ |
√ |
x |
x |
Disabling key rotation |
√ |
√ |
x |
x |
Query key rotation status |
√ |
√ |
x |
x |
Query CMK instances |
√ |
√ |
x |
x |
Query key tags |
√ |
√ |
x |
x |
Query project tags |
√ |
√ |
x |
x |
Batch add or delete key tags |
√ |
√ |
x |
x |
Add tags to a key |
√ |
√ |
x |
x |
Delete key tags |
√ |
√ |
x |
x |
Query the key list |
√ |
√ |
x |
x |
Query key details |
√ |
√ |
x |
x |
Query public key |
√ |
√ |
x |
x |
Query instance quantity |
√ |
√ |
x |
x |
Query quotas |
√ |
√ |
x |
x |
Query the key pair list |
x |
x |
√ |
√ |
Create or import a key pair |
x |
x |
√ |
x |
Query key pairs |
x |
x |
√ |
√ |
Delete a key pair |
x |
x |
√ |
x |
Update key pair description |
x |
x |
√ |
x |
Bind a key pair |
x |
x |
√ |
x |
Unbind a key pair |
x |
x |
√ |
x |
Query a binding task |
x |
x |
√ |
√ |
Query failed tasks |
x |
x |
√ |
√ |
Delete all failed tasks |
x |
x |
√ |
x |
Delete a failed task |
x |
x |
√ |
x |
Query running tasks |
x |
x |
√ |
√ |
Authorization Process
- Creating a User Group and Assigning Permissions
Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
- Creating an IAM User
Create a user on the IAM console and add the user to the user group created in 1.
- Log in and verify permissions.
Log in to the console as newly created user, and verify that the user only has the assigned permissions.
- Choose Service List > Data Encryption Workshop. In the navigation pane, choose Key Pair Service. If a message appears indicating lack of permissions, the KMS CMKFullAccess policy has taken effect.
- Click Service List and select a service other than DEW. If a message is displayed indicating that you do not have permission to access the service, the KMS CMKFullAccess policy has taken effect.
Tenant Guest Roles
If you have configured Tenant Guest permissions for the IAM account, apart from the read-only permissions for all cloud services except Identity and Access Management (IAM), you also have the following KMS permissions:
- kms:cmk:create: Create a key.
- kms:cmk:createDataKey: Create a DEK.
- kms:cmk:createDataKeyWithoutPlaintext: Create a plaintext-free DEK.
- kms:cmk:encryptDataKey: Encrypt the DEK.
- kms:cmk:decryptDataKey: Decrypt a DEK.
- kms:cmk:retireGrant: Retire a grant.
- kms:cmk:decryptData: Decrypt data.
- kms:cmk:encryptData: Encrypt data.
- kms::generateRandom: Generate a random number.
If you want to configure the Tenant Guest role for an IAM user but do not want to have the preceding permissions, you need to configure a custom deny policy for the IAM user. For details about how to configure a custom policy, see Creating a Custom DEW Policy.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot