Updated on 2026-07-06 GMT+08:00

Using IAM Identity Policies to Grant Access to AAD

You can use IAM to manage permissions for AAD. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing AAD resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust a Huawei Cloud account or cloud service to perform professional and efficient O&M to your AAD resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about the AAD permissions and select them as required. For details about the system policies supported by AAD, see Actions Supported by Identity Policy-based Authorization. For more information about the permissions supported by other services, see Actions Supported by Identity Policy-based Authorization.

Process

Figure 1 Process for granting AAD permissions
  1. Creating a User or Creating a User Group

    Log in to the IAM console to create a user or user group.

  2. Attach a system identity policy to a user or user group.

    Grant the AADReadOnlyAccessPolicy system identity policy to the user or user group, or attach the identity policy to the user or user group.

  3. Log in and verify the user's permissions.

    Log in to the console as an authorized user and test the permissions.

    • Choose Service List > Anti-DDoS Service > Advanced Anti-DDoS. Then click Buy AAD on the Instances tab page. If a message appears indicating insufficient permissions, the AAD ReadOnlyAccessPolicy policy has already taken effect.
    • Choose any other service in the Service List. (Assume that the current policy contains only AAD ReadOnlyPolicy.) If a message appears indicating insufficient permissions, the AAD ReadOnlyPolicy policy has already taken effect.

Examples of Custom AAD Identity Policies

You can create custom identity policies to supplement the system-defined identity policies of AAD. For details about the actions supported by custom identity policies, see Actions Supported by Identity Policy-based Authorization.

You can create custom identity policies in either of the following ways:

When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about the supported resource types and condition keys, see Actions Supported by Identity Policy-based Authorization. The following provides examples of custom identity policies for AAD Advanced.

  • Example 1: Granting the permission to query details about a protected domain name
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "aad:domain:get"
                ]
            }
        ]
    }
  • Example 2: Creating a custom policy containing multiple actions.

    A custom identity policy can contain the actions of multiple services. The example is as follows:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "aad:domain:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "tms:predefineTags:create"
                ]
            }
        ]
    }