Help Center> Host Security Service (New)> User Guide> Granting Permissions on Associated Cloud Services

Updated on 2024-06-28 GMT+08:00

View PDF

Granting Permissions on Associated Cloud Services

Scenario

Some HSS functions depend on other cloud services. To use these functions, you need to assign HSS the permissions for the cloud services.

When you log in to the HSS console for the first time, HSS prompts you to assign permissions. After the permissions are assigned, HSS will create a cloud service agency in IAM, granting HSS the permissions to perform operations on other cloud service resources under your account.

The agency automatically created by HSS is hss_policy_trust. For more information, see Table 1.

To use HSS in multiple regions, request for cloud resource permissions in each region. To view the delegation records of each region, go to the IAM console, choose Agencies, and click hss_policy_trust.

**Table 1** hss_policy_trust agency description
Function	Permission	Cloud Service Permission		Usage
Function	Permission	Permission	Action	Usage
Container audit (image repository audit)	CTSOperatePolicy	Query audit events	cts:trace:list	Obtain image operation logs (CTS logs of SWR).
Installation and configuration on servers	VPCOperatePolicy	Create a port	vpc:ports:create	Create network interface cards (NICs) and modify security groups to ensure that the port used for installing the agent is accessible.
		Delete a port	vpc:ports:delete
		Create a security group rule	vpc:securityGroupRules:create
		Delete a security group rule	vpc:securityGroupRules:delete
		Query ports or details about a port	vpc:ports:get
		Query networks or details about a network	vpc:networks:get
		Query subnets or details about a subnet	vpc:subnets:get
	VPCEPOperatePolicy	Create an endpoint	vpcep:endpoints:create	Maintain the network channel Between the agent and the HSS cloud protection center (master).
		Query endpoints	vpcep:endpoints:list
		Delete a VPC endpoint	vpcep:endpoints:delete
Installation and configuration on containers	CCEOperatePolicy	Create /{hss-namespace}/Daemonset	-	Manage the lifecycle of HSS-Daemonset and Configmap in a CCE cluster.
		Create /{hss-namespace}/Configmap	-
		Delete /{hss-namespace}/Demonset	-
		Delete /{hss-namespace}/Configmap	-
		Update /{hss-namespace}/Daemonset	-
		Update /{hss-namespace}/Configmap	-
		Create an HSS namespace	-
		Delete an HSS namespace	-

Prerequisites

You have purchased and enabled HSS. For details, see Accessing HSS.
To let an IAM user perform operations, assign the Security Administrator system role or the HSS AgencyOperatePolicy system policy to the user. For details, see Creating a User Group and Granting Permissions.

Assigning Permissions

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.

In the navigation pane, choose Installation & Configuration > Permissions Management.
Click Assign. The Assign dialog box is displayed.

Figure 1 Assigning permissions
Select permissions and click OK.

The Container Audit, Server Install & Config, and Container Install & Config pages cannot work properly if required permissions are not assigned. You can click Assign in the reminder on the top of the pages to assign permissions.

Removing Permissions

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Installation & Configuration > Permissions Management.
Locate a permission and click Remove in the Operation column. The Remove Permissions dialog box is displayed.
Alternatively, select multiple permissions and click Remove above the list.

Figure 2 Removing permissions
Confirm the permission information, enter DELETE in the dialog box, and click OK.
If the permission is no longer displayed in the permission list, it indicates the permission has been removed.