Resource O&M Permissions and Supported Actions
This section describes fine-grained permissions management for your COC resources. If your Huawei Cloud account does not need individual IAM users, then you may skip over this section.
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups and assign policies or roles to these groups. The users then inherit permissions from the groups The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
You can grant users permissions by using You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions that match users' job responsibilities. Policies are a fine-grained authorization strategy that defines permissions required to perform certain operations on specific cloud resources under certain conditions. This type of authorization is API-based and is ideal for least privilege access.
For details about the COC system policies, see COC Permission Management.
If you want to allow or deny the access to an API, use policy-based authorization.
Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions can call the API successfully. For example, if an IAM user wants to call an API to query ECSs, the user must be granted the permissions allowing for action ecs:servers:list.
Actions
COC provides system-defined policies that can be used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Actions supported by policies are specific to APIs. Common concepts related to policies include:
- Permissions: allow or deny operations on specified resources under specific conditions.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied.
- Related actions: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM or enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions supported by both IAM and enterprise projects can take effect for user groups of both IAM and Enterprise Management. Policies that contain actions only supported by IAM projects can only take effect for IAM user groups.
For details about the differences between IAM and enterprise projects, see Differences Between IAM and Enterprise Management.
- Authorization by instance or tag: application scope of custom policies. For APIs that support both authorization by instance and authorization by tag, custom policies take effect for both authorized instances and instances with tags defined in the policies. For APIs that only support authorization by tag, custom policies take effect only for instances with specified tags.
Currently, this function is unavailable in the CN North-Ulanqab1 region.
In the table for supported actions, the check mark (√) indicates that an action can take effect for the corresponding type of projects, and the cross symbol (x) indicates that an action cannot take effect.
COC supports the following actions that can be defined in custom policies:
|
Functions |
Action |
Description |
Dependency |
IAM Project |
Enterprise Project |
Authorization by Instance |
Authorization by Tag |
|---|---|---|---|---|---|---|---|
|
Resource Synchronization |
coc:instance:listResources |
Grants permission to query the resource list. |
- |
√ |
x |
x |
x |
|
coc:application:listResources |
Grants permission to query the application resource list. |
- |
√ |
x |
x |
x |
|
|
coc:instance:syncResources |
Grants permission to synchronize the resource list. |
√ |
x |
x |
x |
||
|
Scheduled O&M |
coc:schedule:list |
Grants permission to query the scheduled task list. |
- |
√ |
x |
x |
x |
|
coc:schedule:enable |
Grants permission to enable scheduled tasks. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:update |
Grants permission to update scheduled tasks. |
- |
√ |
√ |
x |
x |
|
|
coc:schedule:disable |
Grants permission to disable the scheduled task list. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:approve |
Grants permission to review the scheduled task list. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:create |
Grants permission to create a scheduled task list. |
- |
√ |
√ |
x |
x |
|
|
coc:schedule:delete |
Grants permission to delete scheduled tasks. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:count |
Grants permission to query the number of scheduled tasks. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:get |
Grants permission to query the scheduled task records. |
- |
√ |
x |
x |
x |
|
|
coc:schedule:getHistories |
Grants permission to query the execution history of a scheduled task. |
- |
√ |
x |
x |
x |
|
|
In-Depth Diagnosis |
coc:application:GetDiagnosisTaskDetails |
Grants permission to query application resource diagnosis tasks. |
aom:uniagentAgent:install; aom:uniagentAgent:uninstall; |
√ |
x |
x |
x |
|
coc:application:CreateDiagnosisTask |
Grants permission to create application diagnosis tasks. |
√ |
x |
x |
x |
||
|
coc:job:action |
Grants permission to operate service tickets. |
√ |
x |
x |
x |
||
|
Script/Job Management |
coc:document:create |
Grants permission to create documents. |
aom:uniagentAgent:install; aom:uniagentAgent:list; aom:uniagentInstallHost:list; aom:uniagentProxyRegion:get; iam:agencies:list; |
√ |
x |
x |
x |
|
coc:document:listRunbookAtomics |
Grants permission to view the atomic capability list of a job. |
√ |
x |
x |
x |
||
|
coc:document:getRunbookAtomicDetails |
Grants permission to query details about an atomic capability of a job. |
√ |
x |
x |
x |
||
|
coc:document:list |
Grants permission to query the document list. |
√ |
x |
x |
x |
||
|
coc:document:delete |
Grants permission to delete documents. |
√ |
x |
x |
x |
||
|
coc:document:update |
Grants permission to modify documents. |
√ |
x |
x |
x |
||
|
coc:document:get |
Grants permission to view documents. |
√ |
x |
x |
x |
||
|
coc:document:analyzeRisk |
Grants permission to analyze document risks. |
√ |
x |
x |
x |
||
|
coc:instance:executeDocument |
Grants permission to execute documents on an ECS. |
√ |
x |
x |
x |
||
|
Batch management of cloud phone servers and cloud phones |
coc:instance:autoBatchInstances |
Grants permission to enable automatic instance batching. |
ecs:serverKeypairs:list;(IAM V3) ecs:servers:get; ecs:cloudServers:list; ecs:cloudServers:rebuild; ecs:cloudServers:changeOS; ecs:cloudServers:showServer; ecs:cloudServers:stop; ecs:cloudServers:reboot; ecs:cloudServers:start; ims:images:get; ims:images:list; bss:order:view; billing:contract:viewDiscount; |
√ |
x |
x |
x |
|
coc:instance:executeDocument |
Grants permission to execute documents on an ECS. |
√ |
x |
x |
x |
||
|
coc:instance:startRDSInstance |
Grants permission to enable RDS DB instances. |
√ |
√ |
x |
x |
||
|
coc:instance:stopRDSInstance |
Grants permission to stop an RDS DB instance. |
√ |
√ |
x |
x |
||
|
coc:instance:restartRDSInstance |
Grants permission to reboot an RDS DB instance. |
√ |
√ |
x |
x |
||
|
coc:instance:start |
Grants permission to start ECSs. |
√ |
√ |
x |
x |
||
|
coc:instance:reboot |
Grants permission to restart ECSs. |
√ |
√ |
x |
x |
||
|
coc:instance:stop |
Grants permission to disable ECSs. |
√ |
√ |
x |
x |
||
|
coc:instance:reinstallOS |
Grants permission to reinstall ECS OSs. |
√ |
√ |
x |
x |
||
|
coc:instance:changeOS |
Grants permission to change the OS of an ECS. |
√ |
√ |
x |
x |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
