Authorizing SecMaster

Scenario

You can authorize SecMaster to perform some operations on some cloud services on your behalf. For example, you can allow SecMaster to execute scheduling tasks and manage resources.

Your authorization is required when you use SecMaster for the first time. The following table lists the permissions you need to assign to SecMaster.

**Table 1** Agency permissions
Permission	Description	Assign To	When to Use
ECS FullAccess	All permissions for ECS	SecMaster_Agency	Used to work with security groups to block source IP address, execute playbooks that update security groups, and to query ECSs details.
WAF FullAccess	Web Application Firewall (WAF) administrator	SecMaster_Agency	Used to work with WAF blacklists and address groups to block malicious source IP addresses and to check websites protected with WAF for baseline settings.
SecMaster FullAccess	SecMaster administrator	SecMaster_Agency	Used to perform operations such as alert handling.
HSS FullAccess	All permissions for HSS	SecMaster_Agency	Used to execute playbooks related to vulnerability management and host isolation, and to obtain the HSS status from baseline checks.
EPS ReadOnlyAccess	Read-only permissions for EPS.	SecMaster_Agency	Used to execute WAF-related playbooks and workflows.
ECS ReadOnlyAccess	Read-only permissions for ECSs.	SecMaster_Agency	Used to query the number of ECSs during subscription and obtain ECS security settings for baseline checks.
Anti-DDoS ReadOnlyAccess	Read-only permissions for Anti-DDoS.	SecMaster_Agency	Used to obtain Anti-DDoS asset details for baseline checks.
IAM ReadOnlyAccess	Read-only permissions for IAM.	SecMaster_Agency	Used to obtain credential information during playbook and workflow execution.
WAF Administrator	WAF administrator, who has all permissions for WAF.	SecMaster_Agency	Used to execute WAF-related playbooks and workflows.
SMN FullAccess	All permissions for SMN.	SecMaster_Agency	Used to send playbook execution notifications.
RDS ReadOnlyAccess	Read-only permissions for RDS	SecMaster_Agency	Used to execute playbooks related to asset connections.
EIP ReadOnlyAccess	Read-only permissions for EIP	SecMaster_Agency	Used to execute asset connection playbooks and obtain EIP configurations for baseline checks.
Tenant Guest	Read-only permissions for all cloud services (except IAM)	SecMaster_Agency	Used to execute the HTTP plug-in in playbooks.
NAT ReadOnlyAccess	Read-only permissions for NAT Gateway.	SecMaster_Agency	Used to obtain NAT Gateway information for resource management.
VPC FullAccess	All permissions for VPC.	SecMaster_Agency	Used to execute asset connection playbooks and isolation workflows, and obtain VPC details for baseline checks.
OBS OperateAccess	Allows a user to perform the basic operations, such as viewing the bucket list, obtaining bucket metadata, listing objects in a bucket, querying bucket location, uploading objects, obtaining objects, deleting objects, and obtaining an object ACL.	SecMaster_Agency	Used to execute alert playbooks and obtain OBS asset details for baseline checks.
ELB ReadOnlyAccess	Read-only permissions for ELB.	SecMaster_Agency	Used to obtain ELB asset details for baseline checks.
CFW FullAccess	All permissions for CFW.	SecMaster_Agency	Used to execute preventive playbooks.
RMS ReadOnlyAccess	Read-only permissions for RMS.	SecMaster_Agency	Used by the playbooks of notifying of critical O&M operations.

Prerequisites

The IAM account has been authorized. For details, see How Do I Grant Permissions to an IAM User?
You have purchased SecMaster.

Procedure

Log in to the management console.
Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
In the navigation pane on the left, choose Workspaces > Management.

Figure 1 Workspace page
In the upper part of the workspace management page, choose Entrusted Service Authorization - Current Tenant.

Figure 2 Authorizing for SecMaster
On the page for assigning permissions, select all required permissions (which are selected by default), select Agree to authorize, and click Confirm.