Updated on 2025-12-02 GMT+08:00

DSC Permissions Management

If you need to assign different permissions to employees in your enterprise to access your DSC resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control. If your Huawei Cloud account meets your needs and you do not need IAM users to manage permissions, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, some developers in your enterprise need to use DSC, but you do not want them to have permissions for high-risk operations such as deleting DSC resources. To do so, you can use IAM to grant them only the permissions to use DSC, but not to delete it. In this way, you control how they use DSC resources.

There are two types of IAM authorization: role/policy-based authorization and identity policy-based authorization.

The differences and relationships between the two authorization models are as follows:

Table 1 Differences between role/policy-based authorization and identity policy-based authorization

| Name | Authorization Using | Permission | Authorization Method | Application Scenario |
| --- | --- | --- | --- | --- |
| Role/Policy-based authorization | User-permission-authorization scope | System role; system-defined policy; custom policies | Granting a role or policy to a subject | To authorize a user, add it to a user group and specify the scope of authorization. Because permissions are granted through user groups and only a limited number of condition keys are available, fine-grained permissions control is hard to achieve. This method is suitable for small and medium-sized enterprises. |
| Identity policy-based authorization | User-policy | System-defined policy; custom identity policies | Assigning identity policies to principals; attaching identity policies to principals | To authorize a user, grant an identity policy to it. User-specific authorization and a wide range of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |

Assume that you want to grant IAM users the permissions needed to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, you need to create two custom policies and assign them to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the principals or grant the principals access to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
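The region-scoped grant in the scenario above, modelled in Python as an added illustration (not Huawei Cloud's own evaluator and not a policy from this page): one identity policy with two statements, each gated by a StringEquals condition on g:RequestedRegion, beside the same grant with the condition omitted. The policy shape (Version 5.0), the action names ecs:cloudServers:create and obs:bucket:CreateBucket, and the region IDs cn-north-4 and cn-south-1 are assumptions.

```python
# Added illustration of how a region-conditioned identity policy gates
# requests. This is a simplified model, not Huawei Cloud's evaluator.
# Assumed identifiers: the Version 5.0 policy shape, the action names,
# and the region IDs cn-north-4 (CN North-Beijing4) and cn-south-1
# (CN South-Guangzhou). g:RequestedRegion is the condition key from the text.

# One custom identity policy covering both grants from the scenario.
REGION_SCOPED_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:cloudServers:create"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:CreateBucket"],
            "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}},
        },
    ],
}

# The same grants with the condition left out: the actions are allowed
# in every region, which is the over-broad form to avoid.
UNSCOPED_POLICY = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:cloudServers:create", "obs:bucket:CreateBucket"]}],
}

def _condition_matches(statement: dict, region: str) -> bool:
    """A statement without a Condition matches any request; a StringEquals
    on g:RequestedRegion matches only the regions it lists."""
    cond = statement.get("Condition", {})
    allowed = cond.get("StringEquals", {}).get("g:RequestedRegion")
    return allowed is None or region in allowed

def is_allowed(policy: dict, action: str, region: str) -> bool:
    """Default deny: a request passes only if some Allow statement names
    the action and its condition matches the requested region."""
    return any(
        st["Effect"] == "Allow"
        and action in st["Action"]
        and _condition_matches(st, region)
        for st in policy["Statement"]
    )
```

A request for an action or region that no statement covers falls through to the implicit deny, which is what keeps the single policy as narrow as the two scope-based custom policies it replaces.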

Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. Role/Policy-based Permissions Management and Identity Policy-based Permissions Management describe the system permissions of the two models.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

DSC supports the role-based authorization model. By default, new IAM users do not have any permissions. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.

DSC is a project-level service deployed and accessed in specific physical regions. To assign DSC permissions to a user group, set the scope to region-specific projects and select the projects (for example, ap-southeast-2) in which the permissions take effect. If All projects is selected, the permissions take effect for the user group in all region-specific projects. To access DSC, users must switch to a region where they have been authorized to use cloud services.

Table 2 lists all DSC system-defined permissions. System-defined policies of the role/policy-based model and system-defined identity policies of the identity policy-based model are not interoperable.

Table 2 DSC system-defined policies

| System Role/Policy Name | Description | Type | Dependency |
| --- | --- | --- | --- |
| DSC FullAccess | All DSC permissions | System-defined policy | None |
| DSC ReadOnlyAccess | Read-only permissions for DSC. Users granted these permissions can only view data in DSC but cannot configure DSC. | System-defined policy | None |
| DSC DashboardReadOnlyAccess | Read-only permissions for the overview page of DSC | System-defined policy | None |

Table 3 describes the common operations supported by each system-defined permission of DSC. Select the permissions as needed.

Table 3 Common operations supported by each system policy or role (x: the policy does not grant the operation; empty cell: the policy grants it)

| Operation | DSC FullAccess | DSC ReadOnlyAccess | DSC DashboardReadOnlyAccess |
| --- | --- | --- | --- |
| Viewing the alarm list | | | x |
| Changing alarm status | | x | x |
| Authorizing or canceling asset authorization | | | x |
| Adding assets in batches | | x | x |
| Downloading a template for batch import | | | |
| Viewing the big data asset list | | | x |
| Adding big data assets | | x | x |
| Updating big data assets | | x | x |
| Deleting big data assets | | x | x |
| Adding RDS databases in batches | | x | x |
| Deleting database assets in batches | | x | x |
| Deleting a DB instance | | x | x |
| Updating database assets | | x | x |
| Deleting databases | | x | x |
| Adding databases | | x | x |
| Adding an OBS bucket | | x | x |
| Deleting an OBS bucket | | x | x |
| Listing buckets | | x | x |
| Viewing the device list | | | x |
| Viewing device status | | | x |
| Deleting a device | | x | x |
| Querying assets | | | x |
| Adding masking configuration | | x | x |
| Modifying masking configurations | | x | x |
| Testing the algorithm and returning the masking result | | x | x |
| Deleting an algorithm | | x | x |
| Editing an algorithm | | x | x |
| Creating an Elasticsearch masking task | | x | x |
| Editing an Elasticsearch data masking task | | x | x |
| Creating a database masking task | | x | x |
| Editing a database masking template | | x | x |
| Testing a masking rule | | x | x |
| Viewing the scan job list | | | x |
| Creating a sensitive data scanning task | | x | x |
| Enabling a sensitive data scanning task | | x | x |
| Disabling a sensitive data scanning task | | x | x |
| Deleting a sensitive data scanning task | | x | x |
| Viewing the rule list | | | x |
| Adding a sensitive data identification rule | | x | x |
| Deleting a sensitive data identification rule | | x | x |
| Adding a customized identification rule group | | x | x |
| Deleting a customized identification rule group | | x | x |
| Viewing an identification template | | | x |
| Creating a customized identification template | | x | x |
| Creating a watermark embedding task | | x | x |
| Deleting a watermark embedding task | | x | x |
| Creating a watermark extraction task | | x | x |
| Deleting a watermark extraction task | | x | x |

Roles or Policies Required for Operations on the DSC Console

When using DSC, you may need to view the resources of, or use, other cloud services. You therefore need the required permissions for those dependent services before you can view their resources or use the corresponding DSC functions on the DSC console. Make sure DSC FullAccess or DSC ReadOnlyAccess has been assigned first.

Table 4 Roles or policies that are required for performing operations on the DSC console

| Console Function | Dependent Service | Policy/Role Required |
| --- | --- | --- |
| Enabling DSC alarm notifications | Simple Message Notification (SMN) | The SMN ReadOnlyAccess system policy is required to obtain SMN topic groups. |

Identity Policy-based Permissions Management

DSC supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for DSC. System-defined identity policies are independent of the system-defined policies used in role/policy-based authorization.

Table 5 DSC system-defined identity policies

| Policy Name | Description | Policy Type |
| --- | --- | --- |
| DSCFullAccessPolicy | All DSC permissions | System-defined policy |
| DSCReadOnlyPolicy | Read-only permissions for DSC | System-defined policy |
| DSCDashboardReadOnlyPolicy | Read-only permissions for the overview page of DSC | System-defined policy |

Table 6 lists the common operations supported by each system-defined identity policy of DSC. Select the policies you need according to this table.

Table 6 Common operations supported by system-defined identity policies (x: the policy does not grant the operation; empty cell: the policy grants it)

| Operation | DSCFullAccessPolicy | DSCReadOnlyPolicy | DSCDashboardReadOnlyPolicy |
| --- | --- | --- | --- |
| Viewing the alarm list | | | x |
| Changing alarm status | | x | x |
| Authorizing or canceling asset authorization | | | x |
| Adding assets in batches | | x | x |
| Downloading a template for batch import | | | |
| Viewing the big data asset list | | | x |
| Adding big data assets | | x | x |
| Updating big data assets | | x | x |
| Deleting big data assets | | x | x |
| Adding RDS databases in batches | | x | x |
| Deleting database assets in batches | | x | x |
| Deleting a DB instance | | x | x |
| Updating database assets | | x | x |
| Deleting databases | | x | x |
| Adding databases | | x | x |
| Adding an OBS bucket | | x | x |
| Deleting an OBS bucket | | x | x |
| Listing buckets | | x | x |
| Viewing the device list | | x | x |
| Viewing device status | | x | x |
| Deleting a device | | x | x |
| Querying assets | | x | x |
| Adding masking configuration | | x | x |
| Modifying masking configurations | | x | x |
| Testing the algorithm and returning the masking result | | x | x |
| Deleting an algorithm | | x | x |
| Editing an algorithm | | x | x |
| Creating an Elasticsearch masking task | | x | x |
| Editing an Elasticsearch data masking task | | x | x |
| Creating a database masking task | | x | x |
| Editing a database masking template | | x | x |
| Testing a masking rule | | x | x |
| Viewing the scan job list | | x | x |
| Creating a sensitive data scanning task | | x | x |
| Enabling a sensitive data scanning task | | x | x |
| Disabling a sensitive data scanning task | | x | x |
| Deleting a sensitive data scanning task | | x | x |
| Adding a sensitive data identification rule | | x | x |
| Deleting a sensitive data identification rule | | x | x |
| Adding a customized identification rule group | | x | x |
| Deleting a customized identification rule group | | x | x |
| Viewing an identification template | | | x |
| Creating a customized identification template | | x | x |
| Creating a watermark embedding task | | x | x |
| Deleting a watermark embedding task | | x | x |
| Creating a watermark extraction task | | x | x |
| Deleting a watermark extraction task | | x | x |