Permissions Management
If you need to grant your enterprise personnel permission to access your CAE resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud cloud resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use CAE resources but do not want them to be able to delete CAE resources or perform any other high-risk operations, you can create IAM users and grant permission to use CAE resources but not permission to delete them.
If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see the IAM Service Overview.
CAE Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-east-3) in the specified regions (for example, CN East-Shanghai1), the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.
You can grant permissions by using roles and policies.
- Roles: IAM's coarse-grained authorization that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.
Table 1 lists all the system-defined permissions for CAE.
|
Role/Policy Name |
Description |
Type |
Dependent System Permissions |
Service Dependency and Scenario |
|---|---|---|---|---|
|
CAE FullAccess |
Full permissions for CAE. |
System-defined policy |
Must be used together with these permissions:
|
Full permissions for CAE. |
|
CAE ReadOnlyAccess |
Read-only permissions for CAE. |
System-defined policy |
Must be used together with these permissions:
|
Read-only permissions for CAE. |
|
OBS Administrator |
OBS administrator. |
System-defined policy |
None |
Component deployment using OBS software package and cloud storage authorization unbinding |
|
AOM FullAccess |
Full permissions for AOM. |
System-defined policy |
None |
CAE environment creation |
|
SWR Admin |
SWR administrator, who has full permissions for this service. |
System-defined role |
None |
Component creation, deployment, upgrade, and rollback |
|
DNS Administrator |
DNS administrator, who has full permissions for this service. |
System-defined role |
|
Domain name query and configuration. This permission allows deletion of VPC Administrator and Tenant Guest roles. Deleting these two roles does not affect domain name configuration. |
|
BSS Finance |
Financial administrator of the Billing Center, who has full permissions for financial operations. |
System-defined role |
None |
Package purchase and payment |
|
KMS CMKFullAccess |
All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. |
System-defined role |
None |
Permission to access the credential information in Cloud Secret Management Service (CSMS) for credential reference by CAE environment variables |
|
CSMS ReadonlyAccess |
Read-only permissions for Cloud Secret Management Service (CSMS) in DEW. Users with these permissions can perform all the operations allowed by policies. |
System-defined role |
None |
Permission to access the credential information in Cloud Secret Management Service (CSMS) for CAE credential configuration |
Policies are also customizable beyond permissions listed in Table 1 do not meet your requirements, as shown in Table 2.
|
Description |
CAE ReadOnlyAccess |
CAE FullAccess |
|---|---|---|
|
Buy a package |
x |
√ |
|
Create an environment |
x |
√ |
|
Query all environments |
√ |
√ |
|
Query environment information |
√ |
√ |
|
Delete an environment |
x |
√ |
|
Create an application |
x |
√ |
|
Query application information |
√ |
√ |
|
Query all applications |
√ |
√ |
|
Update application information |
x |
√ |
|
Delete an application |
x |
√ |
|
Create a component |
x |
√ |
|
Query component information |
√ |
√ |
|
Query component configurations |
√ |
√ |
|
Query component events |
√ |
√ |
|
Query all components and instances |
√ |
√ |
|
View usage data |
√ |
√ |
|
Modify component configurations |
x |
√ |
|
Scale, upgrade, roll back, stop, start, restart, and edit components |
x |
√ |
|
Delete a component |
x |
√ |
|
Deploy a demo with a few clicks |
x |
√ |
|
Enable certificate configuration |
x |
√ |
|
View certificate configurations |
√ |
√ |
|
Modify certificate configurations |
x |
√ |
|
Disable certificate configuration |
x |
√ |
|
Configure a domain name |
x |
√ |
|
View a domain name |
√ |
√ |
|
Cancel domain name configuration |
x |
√ |
|
Authorize cloud storage |
x |
√ |
|
Unbind cloud storage |
x |
√ |
|
Log in remotely |
x |
√ |
To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CAE as required. Table 3 describes fine-grained permission dependencies of CAE.
On the IAM console, choose Permissions > Policies/Roles > Create Custom Policy > Select service > CAE > Policy Content. Only the permissions (cae:environment:* and cae:application:*) listed in the following table apply to Huawei Cloud regions.
|
Permission Name |
Description |
Permission Dependency |
Scenarios (Actions) |
|---|---|---|---|
|
cae:environment:create |
Create an environment |
|
|
|
cae:environment:list |
Query all environments |
|
|
|
cae:environment:get |
Query environment information |
None |
|
|
cae:environment:delete |
Delete an environment |
|
|
|
cae:application:create |
Create an application |
|
|
|
cae:application:get |
Query application information |
|
|
|
cae:application:list |
Query all applications |
None |
|
|
cae:application:modify |
Update application information |
|
Component operations:
|
|
cae:application:delete |
Delete an application |
|
|
|
cae:application:createConsole |
Log in remotely |
|
Log in remotely |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
