Updated on 2024-04-17 GMT+08:00

Creating a User Group and Granting Permissions

This topic describes how to use IAM to implement fine-grained permissions control for your WAF resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to WAF resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust an account or cloud service to perform professional and efficient O&M on your WAF resources.

If your account does not require individual IAM users, skip this chapter.

This topic describes the procedure for granting permissions (see Figure 1).


Learn about the permissions supported by WAF in Table 1 and choose policies or roles based on your requirements. For the system policies of other services, see System Permissions.

Table 1 System policies supported by WAF

Role/Policy Name




WAF Administrator

Administrator permissions for WAF

System-defined role

Dependent on the Tenant Guest and Server Administrator roles.

  • Tenant Guest: A global role, which must be assigned in the global project.
  • Server Administrator: A project-level role, which must be assigned in the same project.

WAF FullAccess

All permissions for WAF

System-defined policy


WAF ReadOnlyAccess

Read-only permissions for WAF.

System-defined policy

Process Flow

Figure 1 Process for granting permissions
  1. Create a user group and assign permissions.

    Create a user group on the IAM console, and attach the WAF Administrator permission to the group.

  2. Create a user and add the user to the user group.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in to the management console as the created user and verify the permissions.

    Log in to the WAF console by using the newly created user, and verify that the user only has WAF Administrator permissions for WAF.

    Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service, the WAF Administrator policy has already taken effect.