Updated on 2024-11-05 GMT+08:00

WAF Permissions and Supported Actions

This topic describes fine-grained permissions management for your WAF instances. If your Huawei ID does not need individual IAM users, you can skip this section.

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions based on users' job responsibilities. Policies are a fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions.

Supported Actions

WAF provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.

  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.

| Permission | Action | IAM Project | Enterprise Project |
|---|---|---|---|
| Querying an information leakage prevention rule | waf:antiLeakageRule:get | | |
| Querying a web tamper protection rule | waf:antiTamperRule:get | | |
| Querying a CC attack protection rule | waf:ccRule:get | | |
| Querying a precise protection rule | waf:preciseProtectionRule:get | | |
| Querying a global protection whitelist rule | waf:falseAlarmMaskRule:get | | |
| Querying a data masking rule | waf:privacyRule:get | | |
| Querying a blacklist or whitelist rule | waf:whiteBlackIpRule:get | | |
| Querying a geolocation access control rule | waf:geoIpRule:get | | |
| Querying a certificate | waf:certificate:get | | |
| Modifying WAF certificates | waf:certificate:put | | |
| Applying a certificate to a domain name | waf:certificate:apply | | |
| Querying a protection event | waf:event:get | | |
| Querying a protected domain | waf:instance:get | | |
| Querying a protection policy | waf:policy:get | | |
| Querying quota package information | waf:bundle:get | | |
| Querying the protection event download link | waf:dumpEventLink:get | | |
| Querying configurations | waf:consoleConfig:get | | |
| Querying the back-to-source IP address segment | waf:sourceIp:get | | |
| Updating an information leakage prevention rule | waf:antiLeakageRule:put | | |
| Updating a web tamper protection rule | waf:antiTamperRule:put | | |
| Updating a CC attack protection rule | waf:ccRuleRule:put | | |
| Updating a precise protection rule | waf:preciseProtectionRule:put | | |
| Updating a global protection whitelist rule | waf:falseAlarmMaskRule:put | | |
| Updating a data masking rule | waf:privacyRule:put | | |
| Updating an IP address blacklist or whitelist rule | waf:whiteBlackIpRule:put | | |
| Updating a geolocation access control rule | waf:geoIpRule:put | | |
| Updating a protected domain | waf:instance:put | | |
| Updating a protection policy | waf:policy:put | | |
| Deleting an information leakage prevention rule | waf:antiLeakageRule:delete | | |
| Deleting a web tamper protection rule | waf:antiTamperRule:delete | | |
| Deleting a CC attack protection rule | waf:ccRule:delete | | |
| Configuring a precise protection rule | waf:preciseProtectionRule:delete | | |
| Deleting a global protection whitelist rule | waf:falseAlarmMaskRule:delete | | |
| Deleting a data masking rule | waf:privacyRule:delete | | |
| Deleting a blacklist or whitelist rule | waf:whiteBlackIpRule:delete | | |
| Deleting a geolocation access control rule | waf:geoIpRule:delete | | |
| Deleting a protected domain from WAF | waf:instance:delete | | |
| Deleting a protection policy | waf:policy:delete | | |
| Adding an information leakage prevention rule | waf:antiLeakageRule:create | | |
| Adding a web tamper protection rule | waf:antiTamperRule:create | | |
| Adding a CC attack protection rule | waf:ccRule:create | | |
| Adding a precise protection rule | waf:preciseProtectionRule:create | | |
| Creating a global protection whitelist rule | waf:falseAlarmMaskRule:create | | |
| Adding a data masking rule | waf:privacyRule:create | | |
| Adding a blacklist or whitelist rule | waf:whiteBlackIpRule:create | | |
| Adding a geolocation access control rule | waf:geoIpRule:create | | |
| Adding a certificate | waf:certificate:create | | |
| Adding a domain | waf:instance:create | | |
| Adding a policy | waf:policy:create | | |

x

| Permission | Action | IAM Project | Enterprise Project |
|---|---|---|---|
| Querying information leakage prevention rules | waf:antiLeakageRule:list | | |
| Querying web tamper protection rules | waf:antiTamperRule:list | | |
| Querying CC attack protection rules | waf:ccRuleRule:list | | |
| Querying precise protection rules | waf:preciseProtectionRule:list | | |
| Querying the global protection whitelist rule list | waf:falseAlarmMaskRule:list | | |
| Querying data masking rules | waf:privacyRule:list | | |
| Querying blacklist and whitelist rules | waf:whiteBlackIpRule:list | | |
| Querying geolocation access control rules | waf:geoIpRule:list | | |
| Querying the protection domains | waf:instance:list | | |
| Querying protection policies | waf:policy:list | | |
| Querying cloud-mode billing items | waf:subscription:get | | |
| Querying alarm notification configuration | waf:alert:get | | |
| Updating alarm notification configuration | waf:alert:put | | |
| Querying log quotas | waf:ltsConfig:get | | |
| Updating log quotas | waf:ltsConfig:put | | |
| Creating a yearly/monthly order for a cloud-mode instance | waf:prepaid:create | | |
| Enabling the pay-per-use billing for a WAF cloud-mode instance | waf:postpaid:create | | |
| Disabling the pay-per-use billing for a WAF cloud-mode instance | waf:postpaid:delete | | |
| Viewing details of a WAF instance group | waf:pool:get | | |
| Modifying WAF instance group configuration | waf:pool:put | | |
| Creating a WAF instance group | waf:pool:create | | |
| Deleting a WAF instance group | waf:pool:delete | | |
| Viewing the WAF instance group list | waf:pool:list | | |
| Querying binding details of a WAF instance group | waf:poolBinding:get | | |
| Binding a WAF instance group | waf:poolBinding:create | | |
| Unbinding a WAF instance group | waf:poolBinding:delete | | |
| Querying binding details of a WAF instance group | waf:poolBinding:list | | |
| Querying health check configurations of a WAF instance group | waf:poolHealthMonitor:get | | |
| Modifying the health check configuration of a WAF instance group | waf:poolHealthMonitor:put | | |
| Configuring health check for a WAF instance group | waf:poolHealthMonitor:create | | |
| Deleting health check configuration for a WAF instance group | waf:poolHealthMonitor:delete | | |
| Querying health check configurations for WAF instance groups | waf:poolHealthMonitor:list | | |
| Modifying a shared IP address group | waf:ipGroupShare:put | | |
| Batch updating known attack source rules | waf:punishmentRule:batch-delete | | |
| Querying DNS domain names | waf:dnsDomain:get | | |
| Querying IP address groups with the same names | waf:duplicateIpGroup:list | | |
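
The following is an added example, not part of the original page: a least-privilege check that expands the wildcard patterns in a custom policy against the actions listed above and reports which state-changing actions the policy still grants. The catalogue is a subset of the listed actions, the sample policy and all function names are constructed, and the evaluation rules (case-sensitive `*` wildcards, Deny overriding Allow) are assumptions about how IAM evaluates a policy.

```python
from fnmatch import fnmatchcase

# Subset of the actions listed above; extend it to the full list.
CATALOGUE = [
    "waf:instance:get", "waf:instance:list", "waf:instance:put",
    "waf:instance:create", "waf:instance:delete",
    "waf:policy:get", "waf:policy:list", "waf:policy:put",
    "waf:policy:create", "waf:policy:delete",
    "waf:certificate:get", "waf:certificate:put",
    "waf:certificate:apply", "waf:certificate:create",
    "waf:event:get",
]
READ_VERBS = {"get", "list"}  # any other verb changes WAF state

# Constructed sample: read-only access plus a broad certificate wildcard.
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["waf:*:get", "waf:*:list", "waf:certificate:*"]},
        {"Effect": "Deny", "Action": ["waf:certificate:apply"]},
    ],
}


def expand(patterns, catalogue=CATALOGUE):
    """Resolve action patterns ('*' wildcards allowed) to catalogue actions."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return {a for a in catalogue for p in patterns if fnmatchcase(a, p)}


def effective_actions(policy, catalogue=CATALOGUE):
    """Actions granted once Deny statements are subtracted from Allow (assumed rule)."""
    sets = {"Allow": set(), "Deny": set()}
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        if effect not in sets:
            raise ValueError(f"unexpected Effect: {effect!r}")
        sets[effect] |= expand(stmt.get("Action", []), catalogue)
    return sets["Allow"] - sets["Deny"]


def write_actions(policy, catalogue=CATALOGUE):
    """Sorted state-changing actions that the policy still grants."""
    return sorted(a for a in effective_actions(policy, catalogue)
                  if a.rsplit(":", 1)[1] not in READ_VERBS)


if __name__ == "__main__":
    for action in write_actions(SAMPLE_POLICY):
        print("grants write action:", action)
```

Running the check before attaching a custom policy to a group shows what a wildcard such as `waf:certificate:*` actually grants beyond the read actions.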