Permissions
If different people in your enterprise need different levels of access to IAM Identity Center on Huawei Cloud, Identity and Access Management (IAM) provides fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources.
With IAM, you create IAM users and assign them permissions that control which resources they can access. The permissions described on this page apply to IAM users who administer IAM Identity Center; they are distinct from the users and groups that are managed inside IAM Identity Center itself.
You can skip this section if you do not need fine-grained permissions management.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see IAM Service Overview.
IAM Identity Center Permissions
New IAM users have no permissions by default. You must first add them to one or more groups and attach policies or roles to those groups. The users then inherit the group permissions and can perform only the operations those permissions allow.
IAM Identity Center is a global service available in all regions. When you authorize a group, set the authorization scope to Global services; the permissions then apply to IAM Identity Center in every region.
You can grant permissions by using roles or policies.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available. Because Huawei Cloud services depend on each other, granting a role may also require attaching the roles it depends on. Roles are not suitable for fine-grained authorization or least-privilege access.
- Policies: A fine-grained authorization strategy that defines the permissions required to perform operations on specific cloud resources under certain conditions. Policies are more flexible and are the right tool for least-privilege access; for example, you can grant users permission to manage only ECSs of a certain type. Most fine-grained policies are expressed in terms of API actions: each permission corresponds to one or more specific API calls.
Table 1 lists all the system-defined permissions for IAM Identity Center.
| Policy Name | Description | Type | Dependency |
|---|---|---|---|
| IAM IdentityCenter FullAccess | Administrator permissions for IAM Identity Center. Users with these permissions can perform all operations on IAM Identity Center. | System-defined policy | None |
| IAM IdentityCenter ReadOnlyAccess | Read-only permissions for viewing data on IAM Identity Center. | System-defined policy | None |
Table 2 lists the common operations supported by system-defined permissions for IAM Identity Center.
| Operation | IAM IdentityCenter FullAccess | IAM IdentityCenter ReadOnlyAccess |
|---|---|---|
| Creating a user | √ | x |
| Viewing details about a user | √ | √ |
| Modifying user information | √ | x |
| Creating a group | √ | x |
| Adding a user to or removing a user from a group | √ | x |
| Deleting a group | √ | x |
| Viewing details about a group | √ | √ |
| Creating a permission set | √ | x |
| Modifying a permission set | √ | x |
| Deleting a permission set | √ | x |
| Viewing details about a permission set | √ | √ |
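The following Python evaluator is an added example, not Huawei Cloud's own code. It shows how action-based fine-grained policies are matched against API actions, rebuilds the Table 2 matrix from two constructed policies modelled on FullAccess and ReadOnlyAccess, and adds a least-privilege custom policy whose explicit Deny blocks group deletion even when a broader Allow is also attached. The action names (`identitycenter:user:create` and so on), the `"Version": "1.1"` document layout, and the evaluation rules (implicit deny, explicit Deny overrides Allow, `*` matching within one colon-separated segment) are assumptions for illustration; the real action strings are listed in the IAM Identity Center API reference.

```python
"""Evaluate Huawei Cloud IAM-style fine-grained policies against API actions.

Added example for this page; it is not Huawei Cloud's code. The action
names (identitycenter:user:create, ...) are hypothetical stand-ins. Assumed
semantics: implicit deny, an explicit Deny overrides any Allow, and '*' is a
wildcard within a single colon-separated segment of an action name.
"""
from fnmatch import fnmatchcase

# Constructed policy documents in a "Version": "1.1" statement layout.
FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["identitycenter:*:*"]},
    ],
}

READ_ONLY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["identitycenter:*:get*", "identitycenter:*:list*"]},
    ],
}

# Least-privilege custom policy for a "group administrator": manages
# groups and reads users, but an explicit Deny keeps group deletion off.
GROUP_ADMIN = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["identitycenter:group:*",
                    "identitycenter:user:get", "identitycenter:user:list"]},
        {"Effect": "Deny", "Action": ["identitycenter:group:delete"]},
    ],
}

# Hypothetical action behind each operation listed in Table 2.
OPERATIONS = {
    "Creating a user": "identitycenter:user:create",
    "Viewing details about a user": "identitycenter:user:get",
    "Modifying user information": "identitycenter:user:update",
    "Creating a group": "identitycenter:group:create",
    "Adding a user to or removing a user from a group": "identitycenter:group:updateMembers",
    "Deleting a group": "identitycenter:group:delete",
    "Viewing details about a group": "identitycenter:group:get",
    "Creating a permission set": "identitycenter:permissionSet:create",
    "Modifying a permission set": "identitycenter:permissionSet:update",
    "Deleting a permission set": "identitycenter:permissionSet:delete",
    "Viewing details about a permission set": "identitycenter:permissionSet:get",
}


def action_matches(pattern: str, action: str) -> bool:
    """Match segment by segment so 'svc:*:get*' cannot bleed across ':'."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatchcase(a.lower(), p.lower()) for p, a in zip(p_parts, a_parts))


def evaluate(policies, action: str) -> str:
    """Return 'Allow' or 'Deny' for one action under all attached policies."""
    decision = "Deny"                       # nothing matched yet: implicit deny
    for policy in policies:
        for stmt in policy.get("Statement", []):
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # explicit deny wins outright
            decision = "Allow"
    return decision


def permission_matrix(policy_sets):
    """Rebuild a Table 2 style matrix: operation -> {policy set name: decision}."""
    return {
        op: {name: evaluate(policies, act) for name, policies in policy_sets.items()}
        for op, act in OPERATIONS.items()
    }


def write_actions_allowed(policies):
    """Least-privilege audit: which non-read actions does this policy set grant?"""
    return sorted(
        act for act in OPERATIONS.values()
        if evaluate(policies, act) == "Allow"
        and not act.split(":")[-1].startswith(("get", "list"))
    )


if __name__ == "__main__":
    sets = {"FullAccess": [FULL_ACCESS], "ReadOnlyAccess": [READ_ONLY],
            "GroupAdmin": [GROUP_ADMIN]}
    for op, row in permission_matrix(sets).items():
        print(f"{op:50} " + "  ".join(f"{n}={d}" for n, d in row.items()))
    print("GroupAdmin write actions:", write_actions_allowed([GROUP_ADMIN]))
```

The `write_actions_allowed` audit is the check worth running before attaching any custom policy: it lists every non-read action the policy set grants, which is exactly what a least-privilege review has to justify.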