Updated on 2025-11-24 GMT+08:00

Using IAM Identity Policies to Grant Access to Enterprise Center

System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to Enterprise Center. With IAM, you can:

  • Create IAM users or user groups for personnel based on your organizational structure. Each IAM user has their own identity credentials for accessing Enterprise Center.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account to perform efficient O&M on your Enterprise Center.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about system-defined permissions for Enterprise Center in Identity Policy-based Authorization. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting permissions in Enterprise Center
  1. On the IAM console, create an IAM user or a user group.

  2. Attach a system-defined identity policy (for example, businessUnitCenterReadOnlyPolicy) to the user or user group you created.

  3. Log in as the IAM user and verify permissions.

    • Click Enterprise > Organizations and Accounts. If the Organizations and Accounts page is displayed, the businessUnitCenterReadOnlyPolicy policy is in effect.
    • Add or edit a resource. If a message appears indicating that you have insufficient permissions to perform the operation, the businessUnitCenterReadOnlyPolicy policy is in effect.

Example Custom Identity Policies

You can create custom identity policies to supplement system-defined identity policies of Enterprise Center. For details about actions supported by custom identity policies, see Actions Supported by Identity Policy-based Authorization.

You can create custom identity policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

The following provides examples of custom identity policies in Enterprise Center.

  • Example 1: The policy granting permissions for viewing organizations and accounts
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "businessUnitCenter:businessUnit:view"
                ]
            }
        ]
    }
  • Example 2: The policy granting permissions for modifying organizations and accounts, modifying organization accounting information, and viewing expenditure overview.

    A custom policy can contain actions of one or more services. The following is an example policy containing actions of multiple services:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "businessUnitCenter:businessUnit:update",
                    "businessUnitCenter:businessUnitFinance:update",
                    "billing:bill:view"
                ]
            }
        ]
    }
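
Before attaching a custom identity policy, it helps to check statically whether it stays read-only or grants write access, which is the same distinction the verification step tests in the console. The following Python check is an added example, not part of the Huawei Cloud documentation; the function name `audit_policy` is hypothetical, and it assumes the `service:resource:operation` action format seen in the examples above, that `view` is the only read operation, and that `*` acts as a wildcard in actions.

```python
import json

# The two example policies from this page, embedded as sample input.
EXAMPLE_1 = '{"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": ["businessUnitCenter:businessUnit:view"]}]}'
EXAMPLE_2 = """{"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": [
    "businessUnitCenter:businessUnit:update",
    "businessUnitCenter:businessUnitFinance:update",
    "billing:bill:view"]}]}"""

# Assumption: "view" is the only read operation, as in the examples on this page.
READ_ONLY_OPS = {"view"}


def audit_policy(doc):
    """Return (services, findings) for a custom identity policy (JSON text or dict)."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    services, findings = set(), []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return services, ["policy has no Statement list"]
    for i, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: unexpected Effect {effect!r}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            parts = action.split(":")
            if len(parts) != 3 or not all(parts):
                findings.append(f"statement {i}: malformed action {action!r}")
                continue
            services.add(parts[0])
            if effect != "Allow":
                continue  # only Allow statements can widen access
            if "*" in action:  # assumption: "*" acts as a wildcard in actions
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif parts[2] not in READ_ONLY_OPS:
                findings.append(f"statement {i}: write action {action!r}")
    return services, findings


if __name__ == "__main__":
    for name, doc in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        services, findings = audit_policy(doc)
        print(name, sorted(services), findings or "read-only")
```

An empty findings list means every allowed action is a `view` operation; any finding is a reason to review the policy before attaching it to a user or user group.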