Help Center/ SecMaster/ User Guide/ Authorizing SecMaster
Updated on 2024-12-12 GMT+08:00

Authorizing SecMaster

Scenario

SecMaster depends on some other cloud services. To better use SecMaster, you can authorize SecMaster to perform some operations on some cloud services on your behalf. For example, you can allow SecMaster to execute scheduling tasks and manage resources.

Your authorization is required first time you try to use SecMaster. The following table lists the permissions you need to assign to SecMaster.

Table 1 Agency permissions

Permission

Description

Assign To

When to Use

ECS FullAccess

All permissions for ECS

SecMaster_Agency

Used to work with security groups to block source IP address, execute playbooks that update security groups, and to query ECSs details.

WAF FullAccess

Web Application Firewall (WAF) administrator

SecMaster_Agency

Used to work with WAF blacklists and address groups to block malicious source IP addresses and to check websites protected with WAF for baseline settings.

SecMaster FullAccess

SecMaster administrator

SecMaster_Agency

Used to perform operations such as alert handling.

HSS FullAccess

Host Security Service (HSS) administrator

SecMaster_Agency

Used to execute playbooks related to vulnerability management and host isolation, and to obtain the HSS status for servers during baseline inspections.

EPS ReadOnlyAccess

Read-only permissions for EPS.

SecMaster_Agency

Used to execute WAF-related playbooks and workflows.

ECS ReadOnlyAccess

Read-only permissions for ECSs.

SecMaster_Agency

Used to query the number of ECSs during subscription and obtain ECS security settings for baseline checks.

Anti-DDoS ReadOnlyAccess

Read-only permissions for Anti-DDoS.

SecMaster_Agency

Used to obtain Anti-DDoS asset details for baseline checks.

IAM ReadOnlyAccess

Read-only permissions for IAM.

SecMaster_Agency

Used to obtain credential information during playbook and workflow execution.

WAF Administrator

WAF administrator, who has all permissions for WAF.

SecMaster_Agency

Used to execute WAF-related playbooks and workflows.

SMN FullAccess

All permissions for SMN.

SecMaster_Agency

Used to send playbook execution notifications.

RDS ReadOnlyAccess

Read-only permissions for RDS

SecMaster_Agency

Used to execute playbooks related to asset connections.

EIP ReadOnlyAccess

Read-only permissions for EIP

SecMaster_Agency

Used to execute asset connection playbooks and obtain EIP configurations for baseline checks.

Tenant Guest

Read-only permissions for all cloud services (except IAM)

SecMaster_Agency

Used to execute the HTTP plug-in in playbooks.

NAT ReadOnlyAccess

Read-only permissions for NAT Gateway.

SecMaster_Agency

Used to obtain NAT Gateway information for resource management.

VPC FullAccess

All permissions for VPC.

SecMaster_Agency

Used to execute asset connection playbooks and isolation workflows, and obtain VPC details for baseline checks.

OBS OperateAccess

Allows a user to perform the basic operations, such as viewing the bucket list, obtaining bucket metadata, listing objects in a bucket, querying bucket location, uploading objects, obtaining objects, deleting objects, and obtaining an object ACL.

SecMaster_Agency

Used to execute alert playbooks and obtain OBS asset details for baseline checks.

ELB ReadOnlyAccess

Read-only permissions for ELB.

SecMaster_Agency

Used to obtain ELB asset details for baseline checks.

CFW FullAccess

All permissions for CFW.

SecMaster_Agency

Used to execute preventive playbooks.

RMS ReadOnlyAccess

Read-only permissions for RMS.

SecMaster_Agency

Used by the playbooks of notifying of critical O&M operations.

Prerequisites

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management.

    Figure 1 Workspaces > Management

  5. (Optional) In the upper part of the workspace management page, click Entrusted Service Authorization - Current Tenant.

    The service authorization page is automatically displayed the first time you log in.

  6. On the page for assigning permissions, select all required permissions (which are selected by default), select Agree to authorize, and click Confirm.