Updated on 2025-07-08 GMT+08:00

Configuring DataArtsFabric Service Agency Permissions

DataArtsFabric provides multiple functions, and different functions require different agency permissions. For details, see Table 1.

Prerequisites

You have a valid Huawei Cloud account.

Procedure

  1. Log in to DataArtsFabric Workspace Management Console and click Service Authorization.
  2. On the Service Authorization page, authorize an agency. Select the policies the agency needs according to Table 1; each policy can be configured independently.

    Table 1 Agency policy

    | Agency Policy Name | Permission Item | Mandatory (Yes/No) | Function |
    | --- | --- | --- | --- |
    | FABRIC_COMMON_POLICY | iam:agencies:listAgencies, iam:roles:getRole, iam:permissions:listRolesForAgency, obs:bucket:ListAllMyBuckets, obs:bucket:ListBucket, obs:object:GetObjectVersion, obs:object:GetObject | Yes | IAM permissions: only some read-only permissions are assigned, so that the service can compare the user's agency with the required agency and prompt the user to update the agency if necessary. OBS permissions: all services, including jobs and inference, require permission to read OBS files; with it, job files can be pulled from the user's OBS bucket for execution and model files can be deployed. To restrict access to OBS resources, the user can manually modify the OBS-related part of the fabric_admin_trust agency on the IAM agency page. For details, see the Example Custom Policies part in IAM Permissions. |
    | FABRIC_LTS_POLICY | lts:groups:create, lts:groups:get, lts:groups:list, lts:topics:create, lts:topics:get, lts:topics:list | Yes | Permissions required by the DataArtsFabric service to configure log dumping. |
    | FABRIC_SELF_POLICY | DataArtsFabric:workspace:list, DataArtsFabric:workspace:listRoute, DataArtsFabric:workspace:showSession, DataArtsFabric:workspace:listMessagePolicy, DataArtsFabric:endpoint:show, DataArtsFabric:endpoint:list, DataArtsFabric:job:dropJobInstance, DataArtsFabric:job:listJobInstance | Yes | Permissions required by the DataArtsFabric service to help users manage resources. |
    | FABRIC_LAKEFORMATION_POLICY | lakeformation:accessTenant:grant, lakeformation:access:delete, lakeformation:access:create, lakeformation:access:describe, lakeformation:agreement:grant, lakeformation:agreement:describe, lakeformation:agreement:cancel, lakeformation:agency:create, lakeformation:agency:drop, lakeformation:agency:describe | No | Permissions required by the DataArtsFabric service to use LakeFormation. Enable this policy if LakeFormation needs to be interconnected. |
    | FABRIC_SMN_POLICY | smn:topic:publish | No | Permissions required by the DataArtsFabric service to use the Simple Message Notification (SMN) service. Enable this policy if the message notification capability is required. |
    | FABRIC_SWR_POLICY | swr:repo:listRepoDomains, swr:repo:listRepoTags, swr:repo:createRepoDomain | No | Permissions required by the DataArtsFabric service to use images shared by users. |
    | FABRIC_VPCEP_POLICY | vpcep:epservices:get, vpcep:connections:update, vpcep:permissions:update, vpcep:permissions:list | No | Permissions required by the DataArtsFabric service to connect to the user network. |
    | FABRIC_OBS_POLICY | obs:bucket:PutLifecycleConfiguration, obs:bucket:ListBucketMultipartUploads, obs:object:GetObject, obs:bucket:HeadBucket, obs:bucket:DeleteBucket, obs:bucket:CreateBucket, obs:bucket:ListAllMyBuckets, obs:bucket:ListBucket, obs:object:PutObject | No | Permissions required by the DataArtsFabric service to use the OBS bucket. |

    All agency permissions except the mandatory ones can be canceled.

  3. Add an agency to the bucket policy.

    The DataArtsFabric service uses the fabric_admin_trust agency to access files in the user's OBS bucket. Therefore, the agency must be allowed to access that bucket.

    Check whether a bucket policy is configured for the OBS bucket used by the DataArtsFabric service. If one is configured, make sure the existing bucket policy does not deny the agency, then perform the following steps to add the agency to the bucket policy:

    1. Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
    2. On the Buckets page, click the bucket name to access its Objects tab page.
    3. In the navigation pane on the left, choose Permissions > Bucket Policies. Then, click Create.
    4. On the Create Bucket Policy page, customize the policy name, set Principal to Other accounts, and enter the agency account (in the format of Account ID/Agency name). The agency name is fabric_admin_trust. Example: s3a7973a07cf4725abf5ba0b6d7*****/fabric_admin_trust.

  4. Check whether server-side encryption is configured for OBS.

    If server-side encryption is configured for the OBS bucket and the encryption method is SSE-KMS, grant the KMS Administrator permission to the fabric_admin_trust agency. For details, see Why Cannot an Authorized Account or User Upload or Download KMS Encrypted Objects?

    Due to security management requirements, DataArtsFabric cannot configure the KMS Administrator permission for users directly. Perform the following steps to check whether the permission is needed and add it:

    1. Log in to OBS Console and choose Resources > Buckets in the navigation pane on the left.
    2. On the Buckets page, click the bucket name to access its Objects tab page.
    3. In the navigation pane on the left, choose Overview.
    4. In the Basic Configurations area, check whether Server-Side Encryption is enabled and whether Encryption Method is SSE-KMS.
      • If Encryption Method is not SSE-KMS, skip the following steps.
      • If Encryption Method is SSE-KMS, go to the next step.
    5. Configure the KMS Administrator permission.
      1. In the upper right corner of OBS Console, hover over the username and click Identity and Access Management.
      2. In the navigation pane of the Identity and Access Management console, click Agencies.
      3. On the Agencies page, search for the agency name fabric_admin_trust in the text box. On the right of the fabric_admin_trust agency, click Authorize.
      4. In the text box in the upper right corner of the Authorize Agency page, search for the policy name KMS Administrator, select the policy, click Next, and click OK to complete the authorization.
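One way to audit the fabric_admin_trust agency against Table 1 from the defender's side, as an added example that is not part of this page or of the DataArtsFabric product: it embeds four of the table's rows plus a constructed snapshot of granted permission items, and the action name other:service:action is a placeholder, not a real permission.

```python
"""Audit the fabric_admin_trust agency against Table 1 (added example, not from the page)."""
from typing import Dict, List, Set, Tuple

# Policy name -> (mandatory?, permission items). Four rows copied from Table 1;
# the remaining rows are added in the same shape.
REQUIRED_POLICIES: Dict[str, Tuple[bool, Set[str]]] = {
    "FABRIC_COMMON_POLICY": (True, {
        "iam:agencies:listAgencies", "iam:roles:getRole",
        "iam:permissions:listRolesForAgency", "obs:bucket:ListAllMyBuckets",
        "obs:bucket:ListBucket", "obs:object:GetObjectVersion", "obs:object:GetObject"}),
    "FABRIC_LTS_POLICY": (True, {
        "lts:groups:create", "lts:groups:get", "lts:groups:list",
        "lts:topics:create", "lts:topics:get", "lts:topics:list"}),
    "FABRIC_SMN_POLICY": (False, {"smn:topic:publish"}),
    "FABRIC_OBS_POLICY": (False, {
        "obs:bucket:PutLifecycleConfiguration", "obs:bucket:ListBucketMultipartUploads",
        "obs:object:GetObject", "obs:bucket:HeadBucket", "obs:bucket:DeleteBucket",
        "obs:bucket:CreateBucket", "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:object:PutObject"}),
}

def audit_agency(granted: Set[str], policies_in_use: Set[str]) -> Dict[str, List[str]]:
    """Compare the items the agency actually holds with Table 1.
    granted: permission items currently attached to fabric_admin_trust.
    policies_in_use: optional policies whose feature is really needed.
    Returns: mandatory items that are missing (the service would prompt for an
    agency update), optional policies fully granted but not needed (they can be
    canceled), and granted items matching no Table 1 policy (privilege creep).
    """
    missing, unneeded, listed = [], [], set()
    for name, (mandatory, items) in REQUIRED_POLICIES.items():
        listed |= items
        absent = items - granted
        if mandatory and absent:
            missing.extend(absent)
        elif not mandatory and not absent and name not in policies_in_use:
            unneeded.append(name)
    return {"missing_mandatory": sorted(missing),
            "unneeded_optional": sorted(unneeded),
            "unlisted": sorted(granted - listed)}

# Constructed snapshot: COMMON minus one item, LTS complete, SMN granted but unused,
# plus one placeholder action that no Table 1 policy lists.
SAMPLE_GRANTED = (REQUIRED_POLICIES["FABRIC_COMMON_POLICY"][1] - {"obs:object:GetObjectVersion"}
                  | REQUIRED_POLICIES["FABRIC_LTS_POLICY"][1]
                  | {"smn:topic:publish", "other:service:action"})

if __name__ == "__main__":
    print(audit_agency(SAMPLE_GRANTED, policies_in_use=set()))
```

A missing mandatory item means the service will prompt for an agency update; an optional policy reported as unneeded is a candidate for cancellation under the rule that only the mandatory policies must stay.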