How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
Symptom
You want to grant an IAM user permissions to place orders but prevent the user from paying for them.
Solutions
The system permissions of the Billing Center registered with IAM cannot meet this requirement. You need to create a custom policy containing the required permissions and use the policy to grant permissions to the IAM user.
Prerequisites
You have already created IAM user A and user group B, and you have added the user to the user group. For details, see Creating an IAM User.
Procedure
- Log in to the Huawei Cloud management console.
- On the management console, hover over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
- On the IAM console, choose Permissions > Policies/Roles from the left navigation pane, and click Create Custom Policy in the upper right corner.
Figure 1 Creating a custom policy
- Set the policy name to BillingCenter_Orders.
Figure 2 Setting the policy name
- Select Visual editor.
- In the Policy Content area, configure permissions that allow the user to place orders but prevent the user from paying for them.
- Configuring permissions to disallow order payment
- Select Deny.
- For the cloud service, select BSS (BSS).
- In the Select action step, expand the ReadWrite area, and select the action bss:order:pay.
Figure 3 Configuring permissions to disallow order payment
- Set the resource type to All.
- Configuring permissions to allow order placement
- Select Allow.
- For the cloud service, select BSS (BSS).
- In the Select action step, expand the ReadWrite area, select the action bss:order:update, and select all the actions in the ReadOnly area.
Figure 4 Configuring permissions to allow order placement
- Set the resource type to All.
- Set a description for the policy, for example, "Permissions to place orders but disallow order payment."
- Click OK.
- Attach the policy to user group B. Users in the group inherit the permissions defined in this policy.
You can attach custom policies to a user group in the same way you attach system-defined policies. For details, see Creating a User Group and Assigning Permissions.
- Log in as IAM user A, choose Billing > Unpaid Orders, and check whether the Pay button is unavailable in the Operation column.
Figure 5 Pay button grayed out
Figure 6 Pay button available
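The following added example (not part of the original page or Huawei Cloud's own tooling) writes the policy from the procedure in JSON form and checks it with a simplified evaluator in which an explicit Deny overrides any Allow, so bss:order:pay stays blocked even if the user inherits a broader BSS grant from another group. Assumptions: the ReadOnly-area actions are not listed on the page and are omitted, BROAD_BSS_GRANT is a constructed sample policy, and the evaluate and audit helpers and their wildcard matching are illustrative.

```python
import json
from fnmatch import fnmatchcase

# JSON form of the policy built in the visual editor. The ReadOnly-area
# actions are not listed on the page, so they are left out here.
BILLINGCENTER_ORDERS = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Deny",  "Action": ["bss:order:pay"]},
    {"Effect": "Allow", "Action": ["bss:order:update"]}
  ]
}
""")

# Constructed sample: a broader grant the user might inherit from another group.
BROAD_BSS_GRANT = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["bss:*:*"]}],
}

def _matches(statement, action):
    """True if any action pattern in the statement matches the action."""
    return any(fnmatchcase(action, pattern) for pattern in statement["Action"])

def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Simplified model (assumption): an explicit Deny in any attached policy
    wins, otherwise any Allow grants, otherwise the action is not permitted.
    """
    statements = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return "Deny"
    if any(s["Effect"] == "Allow" and _matches(s, action) for s in statements):
        return "Allow"
    return "ImplicitDeny"

def audit(policies, must_deny=("bss:order:pay",), must_allow=("bss:order:update",)):
    """List deviations from the intended outcome; an empty list means OK."""
    problems = [f"{a} is allowed" for a in must_deny
                if evaluate(policies, a) == "Allow"]
    problems += [f"{a} is not allowed" for a in must_allow
                 if evaluate(policies, a) != "Allow"]
    return problems

if __name__ == "__main__":
    print(audit([BILLINGCENTER_ORDERS, BROAD_BSS_GRANT]))
```

Running audit against the set of policies attached to every group the user belongs to shows whether the payment restriction still holds after later permission changes.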