Actions
This section describes fine-grained permissions management for your HSS instances. If your HUAWEI CLOUD account does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.
Supported Actions
DNS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Actions supported by policies are specific to APIs. Common concepts related to policies include:
- Permission: A statement in a policy that allows or denies certain operations.
- Action: Specific operations that are allowed or denied.
- Dependent actions: When assigning an action to users, you also need to assign dependent permissions for that action to take effect.
- IAM projects or enterprise project: Scope of users a permission is granted to. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect in IAM. Such policies will not take effect if they are assigned to user groups in Enterprise Management.
√: supported; x: not supported
A range of HSS actions can be defined in custom policies.
Actions
Permission |
Action |
Dependent Permission |
IAM Project |
Enterprise project |
---|---|---|---|---|
Query the protected server list |
hss:hosts:list |
vpc:ports:get vpc:publicIps:list ecs:cloudServers:list |
√ |
√ |
Enable or disable protection on servers |
hss:hosts:switchVersion |
- |
√ |
√ |
Manual scan |
hss:hosts:manualDetect |
- |
√ |
√ |
Check the status of a manual scan |
hss:manualDetectStatus:get |
- |
√ |
√ |
Query weak password scan reports |
hss:weakPwds:list |
- |
√ |
√ |
Query account cracking protection reports |
hss:accountCracks:list |
- |
√ |
√ |
Unblock an IP address that was blocked during account cracking prevention |
hss:accountCracks:unblock |
- |
√ |
√ |
Query malicious program scan results |
hss:maliciousPrograms:list |
- |
√ |
√ |
Query remote login scan results |
hss:abnorLogins:list |
- |
√ |
√ |
Query important file change reports |
hss:keyfiles:list |
- |
√ |
√ |
Query the open port list |
hss:ports:list |
- |
√ |
√ |
Query the vulnerability list |
hss:vuls:list |
- |
√ |
√ |
Perform batch operations on vulnerabilities |
hss:vuls:operate |
- |
√ |
√ |
Query the account list |
hss:accounts:list |
- |
√ |
√ |
Query the software list |
hss:softwares:list |
- |
√ |
√ |
Query the web path list |
hss:webdirs:list |
- |
√ |
√ |
Query the process list |
hss:processes:list |
- |
√ |
√ |
Query configuration scan reports |
hss:configDetects:list |
- |
√ |
√ |
Query web shell scan results |
hss:webshells:list |
- |
√ |
√ |
Query risky account scan reports |
hss:riskyAccounts:list |
- |
√ |
√ |
Obtain server risk statistics |
hss:riskyDashboard:get |
- |
√ |
√ |
Query password complexity policy scan reports |
hss:complexityPolicys:list |
- |
√ |
√ |
Perform batch operations on malicious programs |
hss:maliciousPrograms:operate |
- |
√ |
√ |
Perform batch operations on open ports |
hss:ports:operate |
- |
√ |
√ |
Perform operations on detected unsafe settings |
hss:configDetects:operate |
- |
√ |
√ |
Perform batch operations on web shells |
hss:webshells:operate |
- |
√ |
√ |
Set common login locations |
hss:commonLocations:set |
- |
√ |
√ |
Query common login locations |
hss:commonLocations:list |
- |
√ |
√ |
Set common login IP addresses |
hss:commonIPs:set |
- |
√ |
√ |
Query common login IP addresses |
hss:commonIPs:list |
- |
√ |
√ |
Set the login IP address whitelist |
hss:whiteIps:set |
- |
√ |
√ |
Query the login IP address whitelist |
hss:whiteIps:list |
- |
√ |
√ |
Set weak passwords |
hss:weakPwds:set |
- |
√ |
√ |
Query weak passwords |
hss:weakPwds:get |
- |
√ |
√ |
Set web paths |
hss:webDirs:set |
- |
√ |
√ |
Query web paths |
hss:webDirs:get |
- |
√ |
√ |
Obtain the list of servers where 2FA is enabled |
hss:twofactorAuth:list |
- |
√ |
√ |
Set 2FA |
hss:twofactorAuth:set |
- |
√ |
√ |
Enable or disable automatic isolation and killing of malicious programs |
hss:automaticKillMp:set |
- |
√ |
√ |
Query the programs that have been automatically isolated and killed |
hss:automaticKillMp:get |
- |
√ |
√ |
Subscribe to security reports |
hss:safetyReport:set |
- |
√ |
√ |
Query security reports |
hss:safetyReport:list |
- |
√ |
√ |
Query yearly/monthly quota |
hss:quotas:get |
- |
√ |
√ |
Purchase quota |
hss:quotas:set |
- |
√ |
√ |
Query the agent download address |
hss:installAgent:get |
- |
√ |
√ |
Uninstall the agent |
hss:agent:uninstall |
- |
√ |
√ |
Query HSS alarms |
hss:alertConfig:get |
- |
√ |
√ |
Set HSS alarms |
hss:alertConfig:set |
- |
√ |
√ |
Query the WTP list |
hss:wtpHosts:list |
vpc:ports:get vpc:publicIps:list ecs:cloudServers:list |
√ |
√ |
Enable or disable WTP |
hss:wtpProtect:switch |
- |
√ |
√ |
Set backup servers |
hss:wtpBackup:set |
- |
√ |
√ |
Query backup servers |
hss:wtpBackup:get |
- |
√ |
√ |
Set protected directories |
hss:wtpDirectorys:set |
- |
√ |
√ |
Query the protected directory list |
hss:wtpDirectorys:list |
- |
√ |
√ |
Query WTP records |
hss:wtpReports:list |
- |
√ |
√ |
Set privileged processes |
hss:wtpPrivilegedProcess:set |
- |
√ |
√ |
Query the privileged process list |
hss:wtpPrivilegedProcesses:list |
- |
√ |
√ |
Set a protection mode |
hss:wtpProtectMode:set |
- |
√ |
√ |
Query the protection mode |
hss:wtpProtectMode:get |
- |
√ |
√ |
Set a protected file system |
hss:wtpFilesystems:set |
- |
√ |
√ |
Query the protected file system list |
hss:wtpFilesystems:list |
- |
√ |
√ |
Set scheduled protection |
hss:wtpScheduledProtections:set |
- |
√ |
√ |
Query scheduled protection |
hss:wtpScheduledProtections:get |
- |
√ |
√ |
Setting WTP alarms |
hss:wtpAlertConfig:set |
- |
√ |
√ |
Query WTP alarms |
hss:wtpAlertConfig:get |
- |
√ |
√ |
Query WTP statistics |
hss:wtpDashboard:get |
- |
√ |
√ |
Query policy group |
hss:policy:get |
- |
√ |
√ |
Set policy group |
hss:policy:set |
- |
√ |
√ |
Query Application Recognition Service (ARS) |
hss:ars:get |
- |
√ |
√ |
Set ARS |
hss:ars:set |
- |
√ |
√ |
Query the detected intrusion list |
hss:event:get |
- |
√ |
√ |
Perform operations on intrusions |
hss:event:set |
- |
√ |
√ |
Query server groups |
hss:hostGroup:get |
- |
√ |
√ |
Set server groups |
hss:hostGroup:set |
- |
√ |
√ |
Monitor file integrity |
hss:keyfiles:set |
- |
√ |
√ |
Query important file change reports |
hss:keyfiles:list |
- |
√ |
√ |
Query the auto-startup list |
hss:launch:list |
- |
√ |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot