Updated on 2022-08-30 GMT+08:00

Actions

This section describes fine-grained permissions management for your HSS instances. If your HUAWEI CLOUD account does not need individual IAM users, then you may skip over this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.

Supported Actions

DNS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Actions supported by policies are specific to APIs. Common concepts related to policies include:

  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.
  • Dependent actions: When assigning an action to users, you also need to assign dependent permissions for that action to take effect.
  • IAM projects or enterprise project: Scope of users a permission is granted to. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect in IAM. Such policies will not take effect if they are assigned to user groups in Enterprise Management.

√: supported; x: not supported

A range of HSS actions can be defined in custom policies.

Actions

Permission

Action

Dependent Permission

IAM Project

Enterprise project

Query the protected server list

hss:hosts:list

vpc:ports:get

vpc:publicIps:list

ecs:cloudServers:list

Enable or disable protection on servers

hss:hosts:switchVersion

-

Manual scan

hss:hosts:manualDetect

-

Check the status of a manual scan

hss:manualDetectStatus:get

-

Query weak password scan reports

hss:weakPwds:list

-

Query account cracking protection reports

hss:accountCracks:list

-

Unblock an IP address that was blocked during account cracking prevention

hss:accountCracks:unblock

-

Query malicious program scan results

hss:maliciousPrograms:list

-

Query remote login scan results

hss:abnorLogins:list

-

Query important file change reports

hss:keyfiles:list

-

Query the open port list

hss:ports:list

-

Query the vulnerability list

hss:vuls:list

-

Perform batch operations on vulnerabilities

hss:vuls:operate

-

Query the account list

hss:accounts:list

-

Query the software list

hss:softwares:list

-

Query the web path list

hss:webdirs:list

-

Query the process list

hss:processes:list

-

Query configuration scan reports

hss:configDetects:list

-

Query web shell scan results

hss:webshells:list

-

Query risky account scan reports

hss:riskyAccounts:list

-

Obtain server risk statistics

hss:riskyDashboard:get

-

Query password complexity policy scan reports

hss:complexityPolicys:list

-

Perform batch operations on malicious programs

hss:maliciousPrograms:operate

-

Perform batch operations on open ports

hss:ports:operate

-

Perform operations on detected unsafe settings

hss:configDetects:operate

-

Perform batch operations on web shells

hss:webshells:operate

-

Set common login locations

hss:commonLocations:set

-

Query common login locations

hss:commonLocations:list

-

Set common login IP addresses

hss:commonIPs:set

-

Query common login IP addresses

hss:commonIPs:list

-

Set the login IP address whitelist

hss:whiteIps:set

-

Query the login IP address whitelist

hss:whiteIps:list

-

Set weak passwords

hss:weakPwds:set

-

Query weak passwords

hss:weakPwds:get

-

Set web paths

hss:webDirs:set

-

Query web paths

hss:webDirs:get

-

Obtain the list of servers where 2FA is enabled

hss:twofactorAuth:list

-

Set 2FA

hss:twofactorAuth:set

-

Enable or disable automatic isolation and killing of malicious programs

hss:automaticKillMp:set

-

Query the programs that have been automatically isolated and killed

hss:automaticKillMp:get

-

Subscribe to security reports

hss:safetyReport:set

-

Query security reports

hss:safetyReport:list

-

Query yearly/monthly quota

hss:quotas:get

-

Purchase quota

hss:quotas:set

-

Query the agent download address

hss:installAgent:get

-

Uninstall the agent

hss:agent:uninstall

-

Query HSS alarms

hss:alertConfig:get

-

Set HSS alarms

hss:alertConfig:set

-

Query the WTP list

hss:wtpHosts:list

vpc:ports:get

vpc:publicIps:list

ecs:cloudServers:list

Enable or disable WTP

hss:wtpProtect:switch

-

Set backup servers

hss:wtpBackup:set

-

Query backup servers

hss:wtpBackup:get

-

Set protected directories

hss:wtpDirectorys:set

-

Query the protected directory list

hss:wtpDirectorys:list

-

Query WTP records

hss:wtpReports:list

-

Set privileged processes

hss:wtpPrivilegedProcess:set

-

Query the privileged process list

hss:wtpPrivilegedProcesses:list

-

Set a protection mode

hss:wtpProtectMode:set

-

Query the protection mode

hss:wtpProtectMode:get

-

Set a protected file system

hss:wtpFilesystems:set

-

Query the protected file system list

hss:wtpFilesystems:list

-

Set scheduled protection

hss:wtpScheduledProtections:set

-

Query scheduled protection

hss:wtpScheduledProtections:get

-

Setting WTP alarms

hss:wtpAlertConfig:set

-

Query WTP alarms

hss:wtpAlertConfig:get

-

Query WTP statistics

hss:wtpDashboard:get

-

Query policy group

hss:policy:get

-

Set policy group

hss:policy:set

-

Query Application Recognition Service (ARS)

hss:ars:get

-

Set ARS

hss:ars:set

-

Query the detected intrusion list

hss:event:get

-

Perform operations on intrusions

hss:event:set

-

Query server groups

hss:hostGroup:get

-

Set server groups

hss:hostGroup:set

-

Monitor file integrity

hss:keyfiles:set

-

Query important file change reports

hss:keyfiles:list

-

Query the auto-startup list

hss:launch:list

-