Using IAM Identity Policies to Grant Access to DEW
If you need to manage permissions for DEW under the role-based authorization model, see Identity and Access Management (IAM). With IAM, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing DEW resources.
- Grant only the permissions required for users to perform a specific task.
- Entrust a Huawei account or a cloud service to perform efficient O&M on your DEW resources.
If your account does not require individual IAM users, skip this section.
This section describes the policy-based authorization method. Figure 1 shows the authorization process.
Prerequisites
Before granting permissions, learn about the DEW permissions and select them as required. For details about system-defined identity policies supported by DEW, see Permissions Management. To grant permissions for other services, learn about all permissions supported by IAM.
Authorization Process
- Create an IAM user or create a user group.
Create a user or user group on the IAM console.
- Attach a system-defined identity policy (KMSReadOnlyPolicy as an example) to the user or user group.
Attach KMSReadOnlyPolicy (read-only permission on KMS encryption keys) to the user or user group.
You can click Grant in the Operation column to grant permissions to the user or user group.
- Log in as an IAM user and verify permissions.
In the authorized region, perform the following operations:
- Choose Data Encryption Workshop from the service list. On the DEW console, click Create Key in the upper right corner. If the key cannot be created, the KMSReadOnlyPolicy policy is in effect.
- Choose any other service in the service list. If a message appears indicating insufficient permissions to access the service, the KMSReadOnlyPolicy policy is in effect.
DEW Custom Identity Policies
You can create custom identity policies to supplement the system-defined policies of DEW. Add actions in custom identity policies as needed. For details about supported actions, see Permissions Policies and Supported Actions.
You can create custom identity policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom policy, you can select specific resources as required. For details about the supported resource types, see Permissions Policies and Supported Actions. The following provides examples of custom DEW identity policies.
- Example: authorizing users to create and import keys
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:cmk:create",
        "kms:cmk:getMaterial",
        "kms:cmkTag:create",
        "kms:cmkTag:batch",
        "kms:cmk:importMaterial"
      ]
    }
  ]
}
```
- Example: denying deletion of key tags
A deny policy must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.
Use the following method if you need to assign the permissions of the KMS Administrator policy to a user but also forbid the user from deleting key tags (kms:cmkTag:delete): create a custom policy containing the key tag deletion action, set its Effect to Deny, and attach both this policy and the KMS Administrator policy to the group the user belongs to. The user can then perform all operations except deleting key tags. The following is a policy that denies deletion of key tags.
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "kms:cmkTag:delete"
      ]
    }
  ]
}
```
- Example: authorizing users to use keys
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:dek:crypto",
        "kms:cmk:get",
        "kms:cmk:crypto",
        "kms:cmk:generate",
        "kms:cmk:list"
      ]
    }
  ]
}
```
- Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:task:list"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:dek:crypto",
        "kms:cmk:get",
        "kms:cmk:crypto",
        "kms:cmk:generate",
        "kms:cmk:list"
      ]
    }
  ]
}
```
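As an added example (not part of the DEW documentation), the following Python models how the deny example and the multi-action policy above combine when attached to one principal: a matching Deny overrides every matching Allow, and an action with no matching Allow is implicitly denied. The KMS Administrator policy is approximated as allowing every kms action; that is an assumption, since its real content is not shown on this page.

```python
import fnmatch
import json

# Constructed stand-in for the KMS Administrator system policy (assumption:
# it allows every kms action; the real policy content is not on the page).
KMS_ADMIN_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["kms:*"]}],
}

# Deny policy from the page: forbid deleting key tags.
DENY_TAG_DELETE_POLICY = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Deny", "Action": ["kms:cmkTag:delete"]}]}'
)

# Multi-action policy from the page: RDS task listing plus key-usage actions.
MULTI_ACTION_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["rds:task:list"]},
    {"Effect": "Allow", "Action": ["kms:dek:crypto", "kms:cmk:get",
                                   "kms:cmk:crypto", "kms:cmk:generate", "kms:cmk:list"]}
  ]
}""")


def _matches(pattern: str, action: str) -> bool:
    """Match an action against a policy action string; '*' is a wildcard."""
    return fnmatch.fnmatchcase(action, pattern)


def evaluate(policies, action: str) -> str:
    """Evaluate one action against all policies attached to a principal.

    Returns 'allow', 'explicit_deny' (a Deny statement matched) or
    'implicit_deny' (no Allow statement matched). A matching Deny always
    wins over a matching Allow, as the page states.
    """
    denied = allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action) for p in stmt["Action"]):
                continue
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    if denied:
        return "explicit_deny"
    return "allow" if allowed else "implicit_deny"
```

Evaluating the deny policy on its own yields only implicit denies, which is why the page says a deny policy must be combined with other policies to have an effect.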