Creating a User and Granting Permissions
This section describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your SA resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials to access SA resources.
- Grant only the permissions required for users to perform a task.
- Entrust an account or cloud service to perform professional and efficient O&M on your SA resources.
If your account does not require individual IAM users, skip over this section.
The following walks you through how to grant permissions. Figure 1 shows the process.
Prerequisites
Learn about the permissions supported by SA and choose policies or roles based on your requirements. For details, see SA permissions.
Table 1 lists all the system-defined roles and policies supported by SA.
Policy Name | Description | Type | Dependency
---|---|---|---
SA FullAccess | All permissions for SA | System-defined policy | None
SA ReadOnlyAccess | Read-only permission for SA. Users with the read-only permission can only query SA information but cannot perform configuration in SA. | System-defined policy | None
Currently, the SA FullAccess or SA ReadOnlyAccess permission can be used only when you have the Tenant Guest permission. The details are as follows:
- Configure all SA permissions: SA FullAccess and Tenant Guest.
  To use SA Resource Manager and Baseline Inspection, configure the following permissions:
  - Resource Manager: Configure SA FullAccess and Tenant Administrator. For details, see How Do I Assign Operation Permissions to an Account?
  - Baseline Inspection: Configure SA FullAccess, Tenant Administrator, and IAM permissions. For details, see How Do I Assign Operation Permissions to an Account?
- Configure SA read-only permissions: Configure SA ReadOnlyAccess and Tenant Guest.
Authorization Process
1. Create a user group and assign permissions.
   Create a user group on the IAM console. Then, assign the SA FullAccess and Tenant Guest permissions to the group.
2. Create a user and add it to a user group.
   Create a user on the IAM console and add the user to the group created in 1.
3. Log in and verify the permissions.
   Log in to the SA console as the created user, and verify that the user only has read permissions for SA.
   Choose any other service from Service List. If a message appears indicating that you do not have permissions to access the service, the SA FullAccess policy has already taken effect.
4. Configure an agency.
   To use SA Resource Manager and Baseline Inspection, configure the following permissions:
   - Resource Manager: Configure SA FullAccess and Tenant Administrator. For details, see How Do I Assign Operation Permissions to an Account?
   - Baseline Inspection: Configure SA FullAccess, Tenant Administrator, and IAM permissions. For details, see How Do I Assign Operation Permissions to an Account?
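The permission combinations above can be checked offline against an export of group-to-policy assignments. The following is an added example, not code from the SA documentation or any Huawei Cloud SDK: the access-level names, group names and sample assignments are assumptions constructed for illustration, and the required policy sets are read literally from this page.

```python
# Policy sets required per access level, as listed on this page.
# Baseline Inspection is omitted: the page names only "IAM permissions" for it.
REQUIRED = {
    "read_only": {"SA ReadOnlyAccess", "Tenant Guest"},
    "full": {"SA FullAccess", "Tenant Guest"},
    "resource_manager": {"SA FullAccess", "Tenant Administrator"},
}


def audit_group(assigned, intended):
    """Compare a group's assigned policies with the set its intended level needs."""
    if intended not in REQUIRED:
        raise ValueError(f"unknown access level: {intended}")
    assigned = set(assigned)
    missing = sorted(REQUIRED[intended] - assigned)  # intended level will not work
    extra = sorted(assigned - REQUIRED[intended])    # beyond least privilege
    if missing:
        status = "incomplete"
    elif extra:
        status = "over-privileged"
    else:
        status = "ok"
    return {"status": status, "missing": missing, "extra": extra}


def audit_all(groups):
    """groups maps a group name to (assigned policies, intended access level)."""
    return {name: audit_group(p, lvl) for name, (p, lvl) in groups.items()}


# Constructed sample data: hypothetical group names and assignments.
SAMPLE_GROUPS = {
    "sa-viewers": (["SA ReadOnlyAccess"], "read_only"),
    "sa-operators": (["SA FullAccess", "Tenant Guest"], "full"),
    "sa-auditors": (
        ["SA ReadOnlyAccess", "Tenant Guest", "Tenant Administrator"],
        "read_only",
    ),
}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_GROUPS).items():
        print(f"{name}: {result['status']} "
              f"missing={result['missing']} extra={result['extra']}")
```

A group reported as incomplete is missing a policy its intended level depends on; one reported as over-privileged holds policies its intended level does not need.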