Permissions Management
If you want to assign different permissions to employees in your enterprise to access your SecMaster resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.
With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can use policies to grant different permissions to software developers in your enterprises to allow them to only use SecMaster but not perform certain high-risk operations, such as deletion of SecMaster data.
If your account does not need individual IAM users for permissions management, then you may skip over this section.
IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
SecMaster Permissions
By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.
SecMaster is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. To access SecMaster, the users need to switch to a region where they have been authorized to use cloud services.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. When using roles to grant permissions, you also need to assign dependency roles. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant SecMaster users only the permissions for managing a certain type of resources.
Table 1 lists all SecMaster system permissions.
Policy Name |
Description |
Type |
---|---|---|
SecMaster FullAccess |
All permissions of SecMaster. |
System-defined policy |
SecMaster ReadOnlyAccess |
SecMaster read-only permission. Users granted with these permissions can only view SecMaster data but cannot configure SecMaster. |
System-defined policy |
Roles or Policies Required for Operations on the SecMaster Console
If you grant the region-level SecMaster FullAccess permission to an IAM user, you still need to grant the IAM user the permissions to create agencies and configure agency policies when authorizing SecMaster on its console. The details are as follows.
Console Function |
Dependent Service |
Role/Policy Required |
---|---|---|
Service authorization |
Identity and Access Management (IAM) |
If an IAM user has been assigned the region-level SecMaster FullAccess permission, you need to grant the permissions for creating agencies and configuring agency policies to the IAM user. For details, see Granting Permissions to an IAM User. |
Related Topics
SecMaster FullAccess Policy
{ "Version": "1.1", "Statement": [ { "Action": [ "secmaster:*:*" ], "Effect": "Allow" }, { "Action": [ "vpc:vpcs:list", "vpc:subnets:get", "vpcep:endpoints:*" ], "Effect": "Allow" }, { "Action": [ "obs:bucket:ListBucketVersions" ], "Effect": "Allow" }, { "Action": [ "iam:permissions:checkRoleForAgencyOnDomain", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:checkRoleForAgency", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:grantRoleToAgencyOnProject", "iam:policies:*", "iam:agencies:*", "iam:roles:*", "iam:users:listUsers", "iam:tokens:assume" ], "Effect": "Allow" }, { "Action": [ "organizations:organizations:get", "organizations:delegatedAdministrators:list", "organizations:roots:list", "organizations:ous:list", "organizations:accounts:list" ], "Effect": "Allow" }, { "Action": [ "ecs:cloudServers:list" ], "Effect": "Allow" }, { "Action": [ "sts:agencies:assume" ], "Effect": "Allow" }, { "Action": [ "lts:log*:list*" ], "Effect": "Allow" } ] }
SecMaster ReadOnlyAccess Policy
{ "Version": "1.1", "Statement": [ { "Action": [ "secmaster:*:get*", "secmaster:*:list*" ], "Effect": "Allow" }, { "Action": [ "vpc:vpcs:list", "vpc:subnets:get", "vpcep:endpoints:get", "vpcep:endpoints:list" ], "Effect": "Allow" }, { "Action": [ "obs:bucket:ListBucketVersions" ], "Effect": "Allow" }, { "Action": [ "iam:permissions:checkRoleForAgencyOnDomain", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:checkRoleForAgency", "iam:policies:get*", "iam:policies:list*", "iam:agencies:get*", "iam:agencies:list*", "iam:roles:get*", "iam:roles:list*", "iam:users:listUsers" ], "Effect": "Allow" }, { "Action": [ "organizations:organizations:get", "organizations:delegatedAdministrators:list", "organizations:roots:list", "organizations:ous:list", "organizations:accounts:list" ], "Effect": "Allow" }, { "Action": [ "ecs:cloudServers:list" ], "Effect": "Allow" }, { "Action": [ "lts:log*:list*" ], "Effect": "Allow" } ] }
Granting Permissions to an IAM User
SecMaster is a project-level service deployed and accessed in specific physical regions. So, during authorization, you need to select Region-specific projects for Scope first. Then, you can specify specific projects for which you want the permission to work.
After SecMaster FullAccess is granted to an IAM user for a region-level project, you need to grant global action permissions to the IAM user because SecMaster depends on other cloud service resources. The permissions to be added are as follows:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "iam:roles:listRoles", "iam:agencies:listAgencies", "iam:permissions:checkRoleForAgencyOnDomain", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:checkRoleForAgency", "iam:agencies:createAgency", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:grantRoleToAgencyOnProject", "iam:permissions:grantRoleToAgency" ] } ] }
iam:permissions:grantRoleToAgencyOnDomain, iam:permissions:grantRoleToAgency, iam:permissions:grantRoleToAgencyOnProject, and iam:agencies:createAgency are permissions required for using SecMaster. You need to grant such permissions when you authorize SecMaster. They are not mandatory for IAM users. Configure them as required. The authorization details are as follows:
- Unauthorized: Only the account used to create the IAM user can authorize SecMaster. If an IAM user attempts to authorize SecMaster, an error message will be displayed.
- Authorized: Both IAM users and the account used to create them can authorize SecMaster.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot