Updated on 2024-07-31 GMT+08:00

Why Do Some Permissions Become Invalid After a System Policy Is Granted to an Enterprise Project?

Certain CFW functions depend on cloud services such as Elastic Cloud Server (ECS) and Virtual Private Cloud (VPC). Some functions of these cloud services do not support enterprise projects, so some permissions may become invalid after the CFW FullAccess and CFW ReadOnlyAccess system policies are granted to enterprise projects.

To avoid this problem, log in to your Huawei Cloud account to create two system policies. For details, see Creating Custom Policies.

  • For the cloud services that CFW depends on but that do not support enterprise projects, add the following content to grant the required permissions. For Log Tank Service (LTS), grant all permissions to it on the CFW page.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:quotas:list",
                    "vpc:publicipTags:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:availabilityZones:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "lts:groups:list",
                    "lts:groups:get"
                ]
            }
        ]
    }
  • CFW depends on the following global service permissions:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eps:resources:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "tms:predefineTags:list"
                ]
            }
        ]
    }
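
A pre-flight check for the two policy documents before they are pasted into the policy editor, added here as an example and not part of the original page or of Huawei Cloud tooling. It parses the JSON strictly and confirms the document grants exactly the actions listed above, with no wildcards; the function name, the action-format regex and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Actions copied from the two policies on this page.
PROJECT_ACTIONS = {
    "vpc:quotas:list", "vpc:publicipTags:get",
    "ecs:availabilityZones:list",
    "lts:groups:list", "lts:groups:get",
}
GLOBAL_ACTIONS = {"eps:resources:list", "tms:predefineTags:list"}

# service:resource:operation with no wildcards (format inferred from the
# actions above; an assumption, not an official grammar).
ACTION_RE = re.compile(r"^[a-z]+:[A-Za-z]+:[A-Za-z]+$")

def check_policy(text, expected):
    """Return a list of findings; an empty list means the policy is as expected."""
    try:
        doc = json.loads(text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    findings = []
    if doc.get("Version") != "1.1":
        findings.append("Version is not 1.1")
    granted = set()
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is not Allow")
            continue
        for action in stmt.get("Action", []):
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: wildcard or malformed action {action!r}")
            granted.add(action)
    findings += [f"missing action {a}" for a in sorted(expected - granted)]
    findings += [f"unexpected action {a}" for a in sorted(granted - expected)]
    return findings

# Constructed sample inputs: the global-services policy from this page, a copy
# with a trailing comma, and a copy broadened with a wildcard.
GOOD = '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["eps:resources:list"]}, {"Effect": "Allow", "Action": ["tms:predefineTags:list"]}]}'
TRAILING = '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["eps:resources:list",]}]}'
BROAD = '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["eps:*:*", "tms:predefineTags:list"]}]}'

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("TRAILING", TRAILING), ("BROAD", BROAD)):
        print(name, check_policy(text, GLOBAL_ACTIONS) or "ok")
```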