If you need to grant your enterprise personnel permissions to access Enterprise Center, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control, allowing you to secure access to your Huawei Cloud resources. If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, you can use IAM to grant financial personnel in your enterprise permissions to view but not to manage your funds or budgets.
IAM supports role/policy-based authorization and identity policy-based authorization. The following table lists the differences between these two types of authorization.
Table 1 Differences between role/policy-based and identity policy-based authorization
|
Authorization Model |
Key Items |
Permissions |
Authorization Method |
Scenario |
|
Role/Policy-based authorization |
User-permission-authorization scope |
- System-defined roles
- System-defined policies
- Custom policies
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy-based authorization |
User-policy |
- System-defined identity policies
- Custom identity policies
|
- Assigning identity policies to principals
- Attaching identity policies to principals
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions of the two models, see Role/Policy-based Authorization and Identity Policy-based Authorization. For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
Enterprise Center supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to add them to at least one user group and then attach policies or roles to the user group. The users then inherit permissions from the user group and can perform specified operations on cloud services.
Table 2 lists all system-defined permissions for Enterprise Center. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
Table 2 System-defined permissions for Enterprise Center
|
Role/Policy Name |
Description |
Type |
Dependencies |
|
BSS Administrator |
Full permissions for Enterprise Center. This policy/role is generally granted to the administrator. |
System-defined roles |
None |
|
BSS ReadonlyAccess |
Permissions to view information, such as member accounts and financial information, in Enterprise Center. This is generally granted to development and operations personnel. |
System-defined policies |
None |
|
BSS FinanceAccess |
Financial permissions for Enterprise Center. Users with these permissions can perform all financial operations in Enterprise Center. This is generally granted to financial personnel. |
System-defined policies |
None |
Table 3 lists the common operations supported by system-defined permissions for Enterprise Center.
Table 3 Common operations supported by system-defined permissions for Enterprise Center
|
Operation |
BSS Administrator |
BSS ReadonlyAccess |
BSS FinanceAccess |
|
Enabling and disabling Enterprise Center |
√ |
× |
× |
|
Performing operations on members' bills |
√ |
× |
√ |
|
Viewing member bills |
√ |
√ |
√ |
|
Performing operations on bill details for enterprise members |
√ |
× |
√ |
|
Viewing details of member bills |
√ |
√ |
√ |
|
Viewing organizations and accounts |
√ |
√ |
√ |
|
Modifying organizations and accounts |
√ |
× |
√ |
|
Viewing organization accounting information |
√ |
√ |
√ |
|
Modifying organization accounting information |
√ |
× |
√ |
|
Modifying organization policies |
√ |
× |
× |
|
Viewing organization budgets |
√ |
√ |
√ |
|
Modifying organization budgets |
√ |
× |
√ |
Identity Policy-based Authorization
Table 4 lists all the system-defined identity policies for Enterprise Center.
Table 4 System-defined identity policies for Enterprise Center
|
Identity Policy Name |
Description |
Type |
|
BillingFullAccessPolicy |
Full permissions for Billing Center, Account Center, Cost Center, and Enterprise Center. This is generally granted to the administrator. |
System-defined identity policy |
|
BillingOperatorPolicy |
Permissions to view information in Billing Center, Account Center, Cost Center, and Enterprise Center, for example, to view the change, management, and use of cloud services. This policy does not have financial permissions. This is generally granted to development and operations personnel. |
System-defined identity policy |
|
BillingFinancePolicy |
Permissions for financial operations, including operations on payments, expenditures, invoices, and costs. This policy does not have the permissions to modify cloud services. This is generally granted to financial personnel. |
System-defined identity policy |
|
businessUnitCenterFullAccessPolicy |
Full permissions for Enterprise Center. This is generally granted to the administrator. |
System-defined identity policy |
|
businessUnitCenterReadOnlyPolicy |
Permissions for viewing data in Enterprise Center. This is generally granted to the enterprise members. |
System-defined identity policy |
|
businessUnitCenterMemberFinanceReadPolicy |
This policy is required for an enterprise master to view accounting information of their members. This is typically for the administrator. |
System-defined identity policy |
Table 5 lists the common operations supported by system-defined identity policies for Enterprise Center.
Table 5 Common operations supported by system-defined identity policies for Enterprise Center
|
Operation |
BillingFullAccessPolicy |
BillingOperatorPolicy |
BillingFinancePolicy |
businessUnitCenterFullAccessPolicy |
businessUnitCenterReadOnlyPolicy |
|
Enabling and disabling Enterprise Center |
√ |
× |
× |
√ |
× |
|
Managing bills for enterprise members |
√ |
√ |
√ |
√ |
× |
|
Viewing bills of member accounts |
√ |
√ |
√ |
√ |
√ |
|
Performing operations on bill details for enterprise members |
√ |
√ |
√ |
√ |
× |
|
Viewing bill details of member accounts |
√ |
√ |
√ |
√ |
√ |
|
Modifying organization accounting information |
√ |
× |
√ |
√ |
× |
|
Viewing organization accounting information |
√ |
× |
√ |
√ |
√ |
|
Modifying organizations and accounts |
√ |
√ |
√ |
√ |
× |
|
Viewing organizations and accounts |
√ |
√ |
√ |
√ |
√ |
|
Managing organization budgets |
√ |
× |
√ |
√ |
× |
|
Viewing organization budgets |
√ |
× |
√ |
√ |
√ |
|
Modifying organization policies |
√ |
× |
× |
√ |
× |
