Updated on 2025-12-22 GMT+08:00

Role/Policy-based Authorization (Old IAM Version)

System-defined permissions in role/policy-based authorization provided by Identity and Access Management (IAM) let you control access to UCS. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing UCS resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust an account or a cloud service to perform efficient O&M on your UCS resources.

If your account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

  • Before granting permissions to user groups, learn about system-defined permissions for UCS. To grant permissions for other services, learn about all system-defined permissions supported by IAM.
  • A user with the Security Administrator role (for example, your account) has all IAM permissions except role switching. Only these users can view user groups and their permissions on the Permissions page on the UCS console.

Configuration Description

On the UCS console, when you choose Permissions > Add Permission to create a user or user group, you will be directed to the IAM console to complete the process. After the user or user group is created and the permissions are configured, you can view the information on the Permissions page of the cluster or fleet. This section describes the operations in IAM.

Process Flow

Figure 1 Process of granting UCS permissions
  1. Create a user group and grant it permissions.

    On the IAM console, create a user group and grant it UCS read-only permissions (UCS ReadOnlyAccess as an example).

  2. Create an IAM user and add it to the user group.

    On the IAM console, create a user and add it to the user group created in step 1.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Ubiquitous Cloud Native Service. In the navigation pane, choose Infrastructure > Fleets. Create a fleet or register a cluster. If a message appears indicating that you have insufficient permissions to perform the operation, the UCS ReadOnlyAccess policy is in effect.
    • Choose another service (such as Elastic Cloud Server) from Service List. If a message appears indicating that you have insufficient permissions to access the service, the UCS ReadOnlyAccess policy is in effect.

System-defined Roles

Roles are a coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Roles are not ideal for fine-grained authorization and least privilege access.

The system-defined role preset for UCS in IAM is UCS Administrator. When you grant permissions to a user group using this role, you also need to attach any existing role dependencies, such as Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, APM FullAccess, and SWR Admin. For more information about role dependencies, see System Permissions.

System-defined Policies

The system-defined policies preset for UCS in IAM include UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess.

  • UCS FullAccess: administrator permissions for UCS. Users with these permissions can perform all operations on UCS, including creating permission policies and security policies.

    UCS FullAccess does not have the RBAC permissions of CCE clusters. Users need to go to the Permissions page to grant permissions for CCE clusters.

  • UCS CommonOperations: common operation permissions for UCS. Users with these permissions can create workloads, distribute traffic, and perform other operations.
  • UCS CIAOperations: administrator permissions for UCS CIA.
  • UCS ReadOnlyAccess: read-only permissions for UCS (excluding CIA).

You can check the content of a system-defined policy to learn about its supported actions. An action is in the format of {service-name}:{resource-type}:{action}. The wildcard (*) is allowed, indicating all actions.

The following shows the content of the UCS FullAccess policy. This policy contains all permissions for UCS, Cloud Container Engine (CCE), and SoftWare Repository for Container (SWR), and operation permissions on some resources of Application Operations Management (AOM), Simple Message Notification (SMN), Domain Name Service (DNS), and other services.

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "ucs:*:*",
                "cce:*:*",
                "swr:*:*",
                "aom:*:get",
                "aom:*:list",
                "smn:*:list",
                "dns:*:get*",
                "dns:*:list*",
                "dns:*:get",
                "dns:*:list",
                "dns:recordset:create",
                "dns:recordset:delete",
                "dns:recordset:update",
                "dns:tag:get",
                "lts:*:get",
                "lts:*:list",
                "apm:*:get",
                "apm:*:list",
                "vpcep:epservices:*",
                "vpcep:connections:*",
                "vpcep:endpoints:*",
                "elb:*:get",
                "elb:*:list",
                "vpc:*:get",
                "vpc:*:list",
                "ief:*:get",
                "ief:*:list",
                "cgs:images:operate",
                "cgs:*:get",
                "cgs:*:list"
            ],
            "Effect": "Allow"
        }
    ]
}

Table 1 Permissions granted by the UCS FullAccess policy

Action | Specific Action | Description
------ | --------------- | -----------
ucs:*:* | ucs:ciaInstances:create | Create a CIA instance.
ucs:*:* | ucs:ciaDetectEngines:update | Update the inspection configuration.
ucs:*:* | ucs:permissionsRules:create | Create a permission policy.
ucs:*:* | ucs:commodityServiceRegions:create | Create a supported region.
ucs:*:* | ucs:clustergroups:delete | Delete a cluster group.
ucs:*:* | ucs:clustergroups:create | Create a cluster group.
ucs:*:* | ucs:addonTemplates:create | Create an add-on template.
ucs:*:* | ucs:traffic:create | Create a record set.
ucs:*:* | ucs:serviceInstances:delete | Delete a service instance.
ucs:*:* | ucs:ciaAlertRules:create | Create an alarm rule.
ucs:*:* | ucs:clustergroups:update | Update the description of a cluster group, information about clusters associated with a cluster group, or information about policies associated with a cluster group.
ucs:*:* | ucs:servicePlugins:operate | Operate a system plugin.
ucs:*:* | ucs:addonTemplates:offline | Bring an add-on template offline.
ucs:*:* | ucs:ciaMonitorDashboards:update | Update a dashboard in CIA.
ucs:*:* | ucs:ciaMonitorDashboards:delete | Delete a dashboard in CIA.
ucs:*:* | ucs:serviceSubscriptions:operate | Operate a service subscription, including adding, deleting, and modifying it.
ucs:*:* | ucs:servicePackages:operate | Operate a service package.
ucs:*:* | ucs:ciaMonitorDashboards:create | Create a dashboard in CIA.
ucs:*:* | ucs:clusters:create | Create a cluster.
ucs:*:* | ucs:ciaInstanceEndpoints:delete | Delete the endpoint for accessing a CIA instance.
ucs:*:* | ucs:permissionsTemplates:update | Update a permission template.
ucs:*:* | ucs:commodityServiceBuckets:operate | Operate the OBS bucket of a commodity service.
ucs:*:* | ucs:permissionsTemplates:create | Create a permission template.
ucs:*:* | ucs:addons:create | Create an add-on instance.
ucs:*:* | ucs:ciaAlerts:update | Clear triggered alarm events.
ucs:*:* | ucs:ciaInstances:update | Update a CIA instance.
ucs:*:* | ucs:clusters:update | Update the location information of a cluster or activate a cluster.
ucs:*:* | ucs:addonTemplatesVersion:offline | Bring an add-on template offline based on a specific version.
ucs:*:* | ucs:serviceRegistry:delete | Delete a bound registry.
ucs:*:* | ucs:ciaMonitorClusters:update | Update the configuration of the monitored cluster.
ucs:*:* | ucs:serviceRegistry:check | Check whether the user is an administrator.
ucs:*:* | ucs:commodityServices:operate | Operate a commodity service.
ucs:*:* | ucs:addons:delete | Delete an add-on instance.
ucs:*:* | ucs:ciaEvents:update | Update an event.
ucs:*:* | ucs:ciaAlertRules:update | Update an alarm rule.
ucs:*:* | ucs:serviceOperators:operate | Operate an Operator.
ucs:*:* | ucs:serviceRegistry:create | Bind a registry.
ucs:*:* | ucs:ciaAlertRules:delete | Delete an alarm rule.
ucs:*:* | ucs:ciaInstances:delete | Delete a CIA instance.
ucs:*:* | ucs:serviceInstances:update | Update a service instance.
ucs:*:* | ucs:permissionsRules:update | Update a permission policy.
ucs:*:* | ucs:serviceInstances:create | Create a service instance.
ucs:*:* | ucs:permissionsTemplates:delete | Delete a permission template.
ucs:*:* | ucs:addons:update | Update an add-on instance.
ucs:*:* | ucs:ciaInstanceEndpoints:create | Create the endpoint for accessing a CIA instance.
ucs:*:* | ucs:addonTemplates:delete | Delete an add-on template.
ucs:*:* | ucs:clusters:delete | Delete a cluster.
ucs:*:* | ucs:permissionsRules:delete | Delete a permission policy.
ucs:*:* | ucs:workloads:operate | Create, delete, and obtain a workload.
cce:*:* | - | Perform all operations on CCE.
swr:*:* | - | Perform all operations on SWR.
aom:*:get | - | View AOM resource details.
aom:*:list | - | List all AOM resources.
smn:*:list | - | List all SMN resources.
dns:*:get* | - | View DNS resource details.
dns:*:list* | - | List all DNS resources.
dns:recordset:create | - | Create a record set in DNS.
dns:recordset:delete | - | Delete a record set in DNS.
dns:recordset:update | - | Update a record set in DNS.
dns:tag:get | - | Query a resource tag in DNS.
lts:*:get | - | View LTS resource details.
lts:*:list | - | List all LTS resources.
apm:*:get | - | View APM resource details.
apm:*:list | - | List all APM resources.
vpcep:epservices:* | - | Operate all VPC endpoint services in VPC Endpoint.
vpcep:connections:* | - | Connect to all VPC endpoints in VPC Endpoint.
vpcep:endpoints:* | - | Operate all VPC endpoints in VPC Endpoint.
elb:*:get | - | View ELB resource details.
elb:*:list | - | List all ELB resources.
vpc:*:get | - | View VPC resource details.
vpc:*:list | - | List all VPC resources.
ief:*:get | - | View IEF resource details.
ief:*:list | - | List all IEF resources.
cgs:images:operate | - | Synchronize and scan images in CGS.
cgs:*:get | - | View CGS resource details.
cgs:*:list | - | List all CGS resources.
evs:types:get | - | Query EVS disk types in EVS.

Table 2 Permissions granted by the UCS ReadOnlyAccess policy

Action | Specific Action | Description
------ | --------------- | -----------
ucs:*:get | ucs:clusters:get | Query details, access information, or certificate information of a cluster.
ucs:*:get | ucs:clustergroups:get | Query details about a cluster group.
ucs:*:get | ucs:workloads:get | Query details about a workload.
ucs:*:get | ucs:permissionsRules:get | Query details about a permission policy.
ucs:*:get | ucs:permissionsTemplates:get | Query details about a permission template.
ucs:*:get | ucs:addonTemplates:get | Query details about an add-on template.
ucs:*:get | ucs:addons:get | Query information of an add-on instance.
ucs:*:get | ucs:serviceSubscriptions:get | Query details about a service subscription.
ucs:*:get | ucs:serviceInstances:get | Query details about a service instance.
ucs:*:get | ucs:servicePlugins:get | Query details about a system plugin.
ucs:*:get | ucs:serviceOperators:get | Query an Operator.
ucs:*:get | ucs:servicePackages:get | Query details about a service package and its version.
ucs:*:get | ucs:serviceRegistry:get | Query a bound registry.
ucs:*:get | ucs:commodityServices:get | Query details about a commodity service.
ucs:*:get | ucs:commodityServiceRegions:get | Query details about a supported region.
ucs:*:list | ucs:clusters:list | List all clusters.
ucs:*:list | ucs:clustergroups:list | List all cluster groups.
ucs:*:list | ucs:workloads:list | List all workloads.
ucs:*:list | ucs:permissionsRules:list | List all permission policies.
ucs:*:list | ucs:permissionsTemplates:list | List all permission templates.
ucs:*:list | ucs:traffic:list | List all record sets.
ucs:*:list | ucs:serviceSubscriptions:list | List all service subscriptions.
ucs:*:list | ucs:serviceInstances:list | List all service instances.
ucs:*:list | ucs:servicePlugins:list | List all system plugins.
ucs:*:list | ucs:serviceOperators:list | List all Operators.
ucs:*:list | ucs:servicePackages:list | List all service packages.
ucs:*:list | ucs:serviceRegistry:list | List all bound registries.
ucs:*:list | ucs:commodityServices:list | List all commodity services.
ucs:*:list | ucs:commodityServiceRegions:list | List all supported regions.
ucs:*:list | ucs:commodityServiceBuckets:list | List all OBS buckets of a commodity service.
dns:*:get | - | View DNS resource details.
dns:*:list | - | List all DNS resources.
cce:*:get | - | View CCE resource details.
cce:*:list | - | List all CCE resources.
ief:*:get | - | View IEF resource details.
ief:*:list | - | List all IEF resources.
aom:*:get | - | View AOM resource details.
aom:*:list | - | List all AOM resources.
elb:*:get | - | View ELB resource details.
elb:*:list | - | List all ELB resources.
vpc:*:get | - | View VPC resource details. A cluster must run in a VPC. When creating a namespace, create or associate a VPC for the namespace so that all containers in the namespace run in the VPC.
vpc:*:list | - | List all VPC resources.
swr:*:get | - | View SWR resource details.
swr:*:list | - | List all SWR resources.
cgs:*:get | - | View CGS resource details.
cgs:*:list | - | List all CGS resources.

Least-Privilege Permissions for UCS Functions

Services on Huawei Cloud are interdependent, so UCS depends on other cloud services to implement some functions (such as image repositories and domain name resolution). The preceding four system-defined policies are often used together with the roles or policies of other cloud services for refined authorization. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 3 lists the least-privilege permissions required by the Administrator, Operator, and Viewer roles to use UCS functions.

  • If your Huawei Cloud account logs in to the UCS console for the first time, you need to grant permissions to the account. UCS will create an agency named ucs_admin_trust for you in IAM. Do not delete or modify the agency.
  • If no permissions are granted to the user group that an IAM user belongs to, access to the UCS console will be denied. Grant permissions by referring to Table 3.
  • UCS FullAccess does not have the RBAC permissions of CCE clusters. You need to go to the Permissions page to grant permissions for CCE clusters as described in the following table.

Table 3 Least-privilege permissions for UCS functions

Function | Permission Type | Permission Scope | Least-Privilege Permission
-------- | --------------- | ---------------- | --------------------------
Fleets | Administrator | Creating and deleting a fleet; registering a Huawei Cloud cluster (CCE standard cluster or CCE Turbo cluster), an on-premises cluster, or an attached cluster; unregistering a cluster; adding a cluster to or removing a cluster from a fleet; adding permissions for a cluster or fleet; enabling cluster federation and managing the federation (such as creating a workload and creating a DNS policy) | UCS FullAccess
Fleets | Viewer | Querying all clusters and fleets or their details | UCS ReadOnlyAccess
Huawei Cloud clusters | Administrator | Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services) in the clusters | UCS FullAccess + CCE Administrator
Huawei Cloud clusters | Developer | Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects in the clusters and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas | UCS CommonOperations + CCE Administrator
Huawei Cloud clusters | Viewer | Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services) in the clusters | UCS ReadOnlyAccess + CCE Administrator
On-premises/Attached clusters | Administrator | Read-write permissions on on-premises/attached clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services) in the clusters | UCS FullAccess
On-premises/Attached clusters | Developer | Read-write permissions on on-premises/attached clusters and most Kubernetes resource objects in the clusters and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas | UCS CommonOperations + UCS RBAC (including the list permission on namespaces)
On-premises/Attached clusters | Viewer | Read-only permissions on on-premises/attached clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services) in the clusters | UCS ReadOnlyAccess + UCS RBAC (including the list permission on namespaces)
Image Repositories | Administrator | All permissions on SWR, including creating organizations, pushing images, viewing all images or their details, and pulling images | SWR Administrator
Permissions | Administrator | Creating and deleting a permission; viewing all permissions or their details. NOTE: When creating permissions, you need to grant the permissions defined in the IAM ReadOnlyAccess policy (read-only permissions on IAM) to IAM users for obtaining the IAM user list. | UCS FullAccess + IAM ReadOnlyAccess
Permissions | Viewer | Viewing all permissions or their details | UCS ReadOnlyAccess + IAM ReadOnlyAccess
Policy Center | Administrator | Enabling Policy Center; creating or disabling a policy instance; viewing the policy list; viewing policy implementation details | UCS FullAccess
Policy Center | Viewer | For fleets and clusters with Policy Center enabled, users with such permissions can view the policy list and policy implementation details. | UCS CommonOperations or UCS ReadOnlyAccess
Traffic Distribution | Administrator | Operations such as creating a traffic policy as well as suspending and deleting a scheduling policy | (Recommended) UCS CommonOperations + DNS Administrator. Alternative: UCS FullAccess + DNS Administrator
Traffic Distribution | Viewer | Viewing all traffic policies or their details | UCS ReadOnlyAccess + DNS Administrator
Container Intelligent Analysis | Administrator | Connecting clusters to a fleet and canceling cluster connection; viewing the monitoring data of infrastructures, workloads, and other resources | UCS CIAOperations

Custom Policies

You can create custom policies to supplement the system-defined policies of UCS. For details about actions supported in custom policies, see Permissions and Supported Actions.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common UCS custom policies.

Examples:

  • Example 1: Grant permission to create a cluster.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ucs:clusters:create"
                ]
            }
        ]
    }
  • Example 2: Grant permission to deny cluster deletion.

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to grant the permissions of the UCS FullAccess policy to a user but want to prevent the user from deleting clusters (ucs:clusters:delete). You can create a custom policy for denying cluster deletion, and attach this policy together with the UCS FullAccess policy to the user. As an explicit "Deny" policy overrides any "Allow" policy, the user can perform all operations on clusters except deleting them. Example policy denying cluster deletion:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ucs:clusters:delete"
                ]
            }
        ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). Example policy containing multiple actions:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ucs:clustergroups:create",
                    "ucs:ciaEvents:update",
                    "ucs:addonTemplates:delete"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "obs:bucket:GetBucketInventoryConfiguration",
                    "obs:bucket:CreateBucket"
                ]
            }
        ]
    }
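The following Python evaluator is an added example, not code from this page or from Huawei Cloud IAM. It applies the two rules the page states to the page's own policies: an action is written as {service-name}:{resource-type}:{action} and may contain the wildcard (*), and when a user's attached policies contain both "Allow" and "Deny" for an action, "Deny" takes precedence; an action matched by no statement is denied. It assumes the wildcard is matched segment by segment (so "dns:*:get*" never spans a colon), ignores the resource and request-condition parts a real policy can carry, and abridges the UCS FullAccess statement; the function names and the sample action strings are the example's own.

```python
"""Toy evaluator for IAM-style action policies (example code, not Huawei IAM)."""
from fnmatch import fnmatchcase

# Abridged UCS FullAccess statement and the "deny cluster deletion" custom policy
# (Example 2), both taken from the page; only a few actions are kept here.
UCS_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ucs:*:*", "cce:*:*", "dns:*:get*", "dns:recordset:create",
                       "dns:recordset:update"],
        }
    ],
}
DENY_CLUSTER_DELETE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["ucs:clusters:delete"]}],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match a {service}:{resource-type}:{action} pattern against a concrete action.

    Assumption of this example: '*' is applied per segment, so 'dns:*:get*'
    matches 'dns:recordset:getRecordSet' but cannot match across a colon.
    """
    p_parts = pattern.split(":")
    a_parts = action.split(":")
    if len(p_parts) != 3 or len(a_parts) != 3:
        raise ValueError(f"malformed action string: {pattern!r} / {action!r}")
    return all(fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policies, action: str) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one action.

    An explicit Deny anywhere in the attached policies wins over every Allow;
    if nothing matches, the action is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                if stmt["Effect"] == "Allow":
                    allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_permissions(policies, candidate_actions):
    """Map each candidate action to its decision, for reviewing a user group's
    attached policies before handing them to a user."""
    return {a: evaluate(policies, a) for a in candidate_actions}


if __name__ == "__main__":
    attached = [UCS_FULL_ACCESS, DENY_CLUSTER_DELETE]
    # Constructed sample actions; the last two are not granted by UCS FullAccess.
    probes = ["ucs:clusters:create", "ucs:clusters:delete",
              "dns:recordset:getRecordSet", "obs:bucket:CreateBucket"]
    for act, decision in effective_permissions(attached, probes).items():
        print(f"{act:32} -> {decision}")
```

Running the module prints one decision per probe; the deny policy turns only ucs:clusters:delete into an explicit "Deny" while every other UCS action stays allowed, and obs:bucket:CreateBucket falls through to the implicit deny because no attached statement mentions it.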