Updated on 2024-12-28 GMT+08:00

Permissions Management

If you want to assign different permissions to employees in your enterprise to access your SecMaster resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.

With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can use policies to grant different permissions to software developers in your enterprises to allow them to only use SecMaster but not perform certain high-risk operations, such as deletion of SecMaster data.

If your account does not need individual IAM users for permissions management, then you may skip over this section.

IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

SecMaster Permissions

By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.

SecMaster is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. To access SecMaster, the users need to switch to a region where they have been authorized to use cloud services.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism that defines permissions according to users' responsibilities. Only a limited number of service-level roles are available for authorization, and when you grant permissions through roles you must also assign the roles they depend on. Roles are therefore not ideal for fine-grained authorization or secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant SecMaster users only the permissions for managing a certain type of resources.

Table 1 lists all SecMaster system permissions.

Table 1 System-defined permissions supported by SecMaster

Policy Name              | Description                                                                                                                   | Type
SecMaster FullAccess     | All permissions of SecMaster.                                                                                                 | System-defined policy
SecMaster ReadOnlyAccess | SecMaster read-only permission. Users granted these permissions can only view SecMaster data but cannot configure SecMaster. | System-defined policy

Roles or Policies Required for Operations on the SecMaster Console

If you grant the region-level SecMaster FullAccess permission to an IAM user, you still need to grant the IAM user the permissions to create agencies and configure agency policies when authorizing SecMaster on its console. The details are as follows.

Table 2 Roles or policies required for SecMaster console operations

Console Function      | Dependent Service                    | Role/Policy Required
Service authorization | Identity and Access Management (IAM) | If an IAM user has been assigned the region-level SecMaster FullAccess permission, you also need to grant the IAM user the permissions for creating agencies and configuring agency policies. For details, see Granting Permissions to an IAM User.

SecMaster FullAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "secmaster:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:vpcs:list",
                "vpc:subnets:get",
                "vpcep:endpoints:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "obs:bucket:ListBucketVersions"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:permissions:checkRoleForAgencyOnDomain",
                "iam:permissions:checkRoleForAgencyOnProject",
                "iam:permissions:checkRoleForAgency",
                "iam:permissions:grantRoleToAgency",
                "iam:permissions:grantRoleToAgencyOnDomain",
                "iam:permissions:grantRoleToAgencyOnProject",
                "iam:policies:*",
                "iam:agencies:*",
                "iam:roles:*",
                "iam:users:listUsers",
                "iam:tokens:assume"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "organizations:organizations:get",
                "organizations:delegatedAdministrators:list",
                "organizations:roots:list",
                "organizations:ous:list",
                "organizations:accounts:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:cloudServers:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:agencies:assume"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lts:log*:list*"
            ],
            "Effect": "Allow"
        }
    ]
}

SecMaster ReadOnlyAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "secmaster:*:get*",
                "secmaster:*:list*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:vpcs:list",
                "vpc:subnets:get",
                "vpcep:endpoints:get",
                "vpcep:endpoints:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "obs:bucket:ListBucketVersions"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:permissions:checkRoleForAgencyOnDomain",
                "iam:permissions:checkRoleForAgencyOnProject",
                "iam:permissions:checkRoleForAgency",
                "iam:policies:get*",
                "iam:policies:list*",
                "iam:agencies:get*",
                "iam:agencies:list*",
                "iam:roles:get*",
                "iam:roles:list*",
                "iam:users:listUsers"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "organizations:organizations:get",
                "organizations:delegatedAdministrators:list",
                "organizations:roots:list",
                "organizations:ous:list",
                "organizations:accounts:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:cloudServers:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lts:log*:list*"
            ],
            "Effect": "Allow"
        }
    ]
}

Granting Permissions to an IAM User

SecMaster is a project-level service deployed and accessed in specific physical regions. During authorization, therefore, first select Region-specific projects for Scope, then choose the projects in which you want the permissions to take effect.

After SecMaster FullAccess is granted to an IAM user for a region-level project, you need to grant global action permissions to the IAM user because SecMaster depends on other cloud service resources. The permissions to be added are as follows:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:roles:listRoles",
                "iam:agencies:listAgencies",
                "iam:permissions:checkRoleForAgencyOnDomain",
                "iam:permissions:checkRoleForAgencyOnProject",
                "iam:permissions:checkRoleForAgency",
                "iam:agencies:createAgency",
                "iam:permissions:grantRoleToAgencyOnDomain",
                "iam:permissions:grantRoleToAgencyOnProject",
                "iam:permissions:grantRoleToAgency"
            ]
        }
    ]
}

iam:permissions:grantRoleToAgencyOnDomain, iam:permissions:grantRoleToAgency, iam:permissions:grantRoleToAgencyOnProject, and iam:agencies:createAgency are the permissions needed to authorize SecMaster. Grant them to an IAM user only if that user will perform the SecMaster authorization; they are not mandatory for every IAM user, so configure them as required. The effect of granting or withholding them is as follows:

  • Unauthorized: Only the account used to create the IAM user can authorize SecMaster. If an IAM user attempts to authorize SecMaster, an error message will be displayed.
  • Authorized: Both IAM users and the account used to create them can authorize SecMaster.
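To make the two rules on this page concrete, the added example below (not code from the SecMaster documentation or from Huawei) evaluates the page's policy documents against individual action strings: it shows how the "service:resource:action" wildcards in SecMaster FullAccess and SecMaster ReadOnlyAccess resolve (ReadOnlyAccess matches list/get actions only), and why a region-level FullAccess grant still leaves the IAM agency actions uncovered until the global supplementary policy is attached. The scope handling is a simplified model of the page's statement that IAM actions need a global grant, the policy constants are excerpts of the page's policies (secmaster and iam statements only), and probe action names such as "secmaster:incidents:delete" and the project name "cn-north-4" are constructed for illustration.

```python
"""Evaluate Huawei Cloud IAM policy grants against individual action strings.

Added example, not part of the SecMaster documentation. Scope handling is a
modelling assumption: actions of global services (IAM) are honoured only by a
grant made at global scope, matching the page's statement that a region-level
SecMaster FullAccess grant does not cover agency creation.
"""
import fnmatch

# Excerpts of the page's system-defined policies (secmaster and iam statements only).
SECMASTER_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["secmaster:*:*"], "Effect": "Allow"},
        {"Action": ["iam:permissions:checkRoleForAgency", "iam:permissions:grantRoleToAgency",
                    "iam:policies:*", "iam:agencies:*", "iam:roles:*",
                    "iam:users:listUsers", "iam:tokens:assume"], "Effect": "Allow"},
    ],
}
SECMASTER_READ_ONLY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["secmaster:*:get*", "secmaster:*:list*"], "Effect": "Allow"},
        {"Action": ["iam:permissions:checkRoleForAgency", "iam:agencies:get*",
                    "iam:agencies:list*", "iam:roles:get*", "iam:roles:list*"], "Effect": "Allow"},
    ],
}
# The global policy the page says to add after a region-level FullAccess grant.
AGENCY_SUPPLEMENT = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:roles:listRoles", "iam:agencies:listAgencies",
            "iam:permissions:checkRoleForAgencyOnDomain",
            "iam:permissions:checkRoleForAgencyOnProject",
            "iam:permissions:checkRoleForAgency",
            "iam:agencies:createAgency",
            "iam:permissions:grantRoleToAgencyOnDomain",
            "iam:permissions:grantRoleToAgencyOnProject",
            "iam:permissions:grantRoleToAgency",
        ],
    }],
}
# The four actions the page names as needed for SecMaster authorization.
AGENCY_ACTIONS = [
    "iam:permissions:grantRoleToAgencyOnDomain",
    "iam:permissions:grantRoleToAgency",
    "iam:permissions:grantRoleToAgencyOnProject",
    "iam:agencies:createAgency",
]

GLOBAL = "global"
GLOBAL_SERVICES = {"iam"}  # modelling assumption: only global-scope grants cover these


def action_matches(pattern, action):
    """True if a policy Action pattern such as "secmaster:*:get*" covers action.
    The three colon-separated segments are matched independently, so a '*'
    never spans a segment boundary and a two-segment pattern matches nothing."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != 3 or len(a_parts) != 3:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def is_allowed(grants, action, project):
    """grants: list of (scope, policy); scope is GLOBAL or a region project name.
    A matching Deny statement wins outright; otherwise any matching Allow in a
    grant of the right scope permits the action; otherwise the default is deny."""
    service = action.split(":", 1)[0]
    needed_scope = GLOBAL if service in GLOBAL_SERVICES else project
    allowed = False
    for scope, policy in grants:
        if scope != needed_scope:
            continue
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(action_matches(pat, action) for pat in actions):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def missing_actions(grants, required, project):
    """Sorted list of the required actions the grants do not cover in project."""
    return sorted(a for a in required if not is_allowed(grants, a, project))


if __name__ == "__main__":
    region = "cn-north-4"  # constructed project name
    region_only = [(region, SECMASTER_FULL_ACCESS)]
    with_supplement = region_only + [(GLOBAL, AGENCY_SUPPLEMENT)]
    print("uncovered with region-level FullAccess only:", missing_actions(region_only, AGENCY_ACTIONS, region))
    print("uncovered after adding the global policy:", missing_actions(with_supplement, AGENCY_ACTIONS, region))
```

Running the script prints the four agency actions as uncovered for the region-only grant and an empty list once the global policy is added; the same `missing_actions` check is a convenient pre-flight test before an IAM user attempts the console authorization described above.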