Help Center/ Enterprise Router/ User Guide/ Using IAM to Grant Access to Enterprise Router/ Using IAM Roles or Policies to Grant Access to Enterprise Router
Updated on 2025-11-11 GMT+08:00
View PDF
Share

Using IAM Roles or Policies to Grant Access to Enterprise Router

In this topic, you can learn how to use IAM to implement fine-grained permissions control for your Enterprise Router resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to Enterprise Router resources.
  • Grant only the minimum permissions required for users to perform a given task.
  • Entrust a HUAWEI ID or a cloud service to perform professional and efficient O&M on your Enterprise Router resources.

If your account does not require individual IAM users, skip this topic.

Figure 1 shows the process of authorization with policies/roles.

Prerequisites

You have learned about the permissions supported by Enterprise Router. For details, see Role/Policy-based Authorization.

To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting Enterprise Router permissions

  1. Create a user group and assign permissions to it.

    Create a user group on the IAM console, and assign the ER ReadOnlyAccess permission to the group.

  2. Create an IAM user and add it to the user group.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in to the management console as the created user, switch to the authorized region, and verify that the user has only the ER ReadOnlyAccess permission.
    1. Click Service List and choose Enterprise Router. Then click Create Enterprise Router in the upper right corner. If the enterprise router fails to be created, the ER ReadOnlyAccess permission has taken effect.
    2. Choose any other service in the Service List. If a message appears indicating insufficient permissions to access the service, the ER ReadOnlyAccess permission has already taken effect.

Example Custom Policies

Custom policies can be created to supplement system-defined policies of Enterprise Router. For the actions supported by custom policies, see Permission Policies and Supported Actions.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details about how to create custom policies, see Creating a Custom Policy. The following are examples of common Enterprise Router custom policies.

  • Example 1: Allowing users to create and delete enterprise routers 
    {
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "er:instances:create",
                                "er:instances:delete"
                        ]
                }
        ]
}
  • Example 2: Denying enterprise router deletion

    A policy with only "Deny" permissions must be used together with other policies. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following method can be used if you need to assign the ER FullAccess permission to a user but also forbid the user from deleting enterprise routers. Create a custom policy for denying enterprise router deletion, and assign both policies to the group the user belongs to. Then the user can perform all operations on Enterprise Router except deleting enterprise routers. The following is an example of a deny policy:

    {
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Deny",
                        "Action": [
                                "er:instances:delete"
                        ]
                }
        ]
}
  • Example 3: Defining permissions for multiple services in a policy

    A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:

    { 
        "Version": "1.1", 
        "Statement": [ 
                { 
                        "Effect": "Allow",
                        "Action": [ 
                                "er:*:get*",                                
                                "er:*:list*",                                
                                "vpc:vpcs:get",                                
                                "vpc:vpcs:list",                                
                                "vpc:subnets:get",                                
                                "vpc:subnets:list",                                
                                "dcaas:vgw:get",                                
                                "dcaas:vgw:list",                                
                                "cc:networkInstances:get",                                
                                "cc:networkInstances:list",                                
                                "cc:cloudConnections:get",                                
                                "cc:cloudConnections:list"
                        ]
                } 
        ] 
}