Updated on 2024-04-17 GMT+08:00

Permission Dependency of the WAF Console

When using WAF, you may need to view resources of, or use, other cloud services. To view those resources or use the related WAF functions on the WAF console, you need the required permissions for the dependent services. Before that, make sure you have the WAF FullAccess or WAF ReadOnlyAccess policy assigned. For details, see Creating a User Group and Granting Permissions.

Dependency Policy Configuration

To grant an IAM user the permissions to view or use resources of other cloud services on the WAF console, you must first grant the WAF Administrator, WAF FullAccess, or WAF ReadOnlyAccess policy to the user group to which the user belongs and then grant the dependency policies listed in Table 1 to the user. These dependency policies will allow the IAM user to access resources of other cloud services.

Table 1 WAF console dependency policies and roles

| Console Function | Dependent Services | Policy/Role Required |
|---|---|---|
| Dashboard | Enterprise Project Management Service (EPS) | You can view the data on the Dashboard page of an enterprise project only after obtaining the EPS ReadOnlyAccess system policy. |
| Buying a dedicated WAF instance | Identity and Access Management (IAM); Network Console VPC; Elastic Cloud Server (ECS); Tag Management Service (TMS) | If you want to use an IAM user to purchase dedicated WAF instances, you need to assign the IAM management permission to the IAM user. The IAM system role Security Administrator is required for first-time buyers. For non-first-time buyers, you need to assign the IAM system policy IAM ReadOnlyAccess or custom permissions to them. The VPC ReadOnlyAccess system policy is required to select a VPC, subnet, and security group. The ECS ReadOnlyAccess system policy is required to select ECS for the WAF instance type. The TMS ReadOnlyAccess system policy is required to view predefined tags. |
| Buying a WAF instance (for Dedicated Cloud) | Elastic Volume Service (EVS) | The EVS ReadOnlyAccess system policy is required to query EVS disks you have. |
| Dedicated WAF engine management | Network Console VPC; Elastic IP (EIP); Elastic Load Balance (ELB) | The VPC ReadOnlyAccess system policy is required to query VPCs you have. The EIP ReadOnlyAccess system policy is required to query EIPs bound to dedicated WAF instances. The ELB ReadOnlyAccess system policy is required to query information about ELB load balancers bound to dedicated WAF instances. |
| Adding a website to WAF (ELB mode) | Elastic Load Balance (ELB) | The ELB Administrator system role is required along with the ELB FullAccess and ELB ReadOnlyAccess permissions to query load balancers bound to dedicated WAF instances. |
| Instance group management | Elastic Load Balance (ELB) | The ELB ReadOnlyAccess system policy is required to query load balancers used for a WAF instance group. |
| Adding a website to WAF (cloud and dedicated modes) | Cloud Certificate Manager (CCM) | The SCM ReadOnlyAccess system policy is required to query certificate details. |
| Editing server information | Cloud Certificate Manager (CCM) | |
| Website settings | Cloud Certificate Manager (CCM) | |
| Notifications | Simple Message Notification (SMN) | The SMN ReadOnlyAccess system policy is required to obtain SMN topic groups. |
| Enabling LTS for WAF logging | Log Tank Service (LTS) | The LTS ReadOnlyAccess system policy is required to select log group and log stream names created in LTS. |
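The following added example (not code from the WAF documentation or any cloud SDK) turns Table 1 into a least-privilege check: given the console functions a user group actually needs, it reports which dependency policies are missing, which grants are not needed, and which grants are more than read-only. The function names, the input shape (a set of policy names attached to the group), and the sample grants are assumptions made for illustration; rows whose policy cell is not stated in Table 1 are left out.

```python
BASE_WAF = {"WAF Administrator", "WAF FullAccess", "WAF ReadOnlyAccess"}

# Console function -> dependency policies/roles, transcribed from Table 1.
DEPENDENCIES = {
    "Dashboard": {"EPS ReadOnlyAccess"},
    "Buying a dedicated WAF instance": {  # IAM part added in required_policies()
        "VPC ReadOnlyAccess", "ECS ReadOnlyAccess", "TMS ReadOnlyAccess"},
    "Buying a WAF instance (for Dedicated Cloud)": {"EVS ReadOnlyAccess"},
    "Dedicated WAF engine management": {
        "VPC ReadOnlyAccess", "EIP ReadOnlyAccess", "ELB ReadOnlyAccess"},
    "Adding a website to WAF (ELB mode)": {
        "ELB Administrator", "ELB FullAccess", "ELB ReadOnlyAccess"},
    "Instance group management": {"ELB ReadOnlyAccess"},
    "Adding a website to WAF (cloud and dedicated modes)": {"SCM ReadOnlyAccess"},
    "Notifications": {"SMN ReadOnlyAccess"},
    "Enabling LTS for WAF logging": {"LTS ReadOnlyAccess"},
}

def required_policies(functions, first_time_buyer=False):
    """Union of dependency policies for the console functions a group needs."""
    needed = set()
    for fn in functions:
        needed |= DEPENDENCIES[fn]
        if fn == "Buying a dedicated WAF instance":
            # First-time buyers need the Security Administrator role; later
            # purchases need IAM ReadOnlyAccess (custom permissions not modeled).
            needed.add("Security Administrator" if first_time_buyer
                       else "IAM ReadOnlyAccess")
    return needed

def audit(granted, functions, first_time_buyer=False):
    """Compare a group's grants (assumed input: set of policy names) to Table 1."""
    granted = set(granted)
    needed = required_policies(functions, first_time_buyer)
    return {
        "has_base_waf_policy": bool(granted & BASE_WAF),
        "missing": sorted(needed - granted),
        "unneeded": sorted(granted - needed - BASE_WAF),
        # Anything beyond read-only deserves review even when Table 1 requires it.
        "elevated": sorted(p for p in granted - BASE_WAF
                           if not p.endswith("ReadOnlyAccess")),
    }

# Constructed sample: a group that manages dedicated engines and notifications.
SAMPLE_GRANTS = {"WAF ReadOnlyAccess", "VPC ReadOnlyAccess",
                 "ELB FullAccess", "SMN ReadOnlyAccess"}
SAMPLE_REPORT = audit(SAMPLE_GRANTS,
                      ["Dedicated WAF engine management", "Notifications"])
```

For the constructed sample, the report shows that ELB FullAccess was granted where Table 1 only calls for ELB ReadOnlyAccess, and that the EIP and ELB read-only policies are still missing.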