Permissions
If you need to grant your enterprise personnel permission to access your OA resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use OA resources but do not want them to delete OA resources or perform any other high-risk operations, you can create IAM users and grant permission to use OA resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
Authorization Model |
Core Relationship |
Permissions |
Authorization Method |
Scenario |
---|---|---|---|---|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
Identity policy |
User-policy |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
OA supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
OA is a global service deployed for all regions. When the authorization scope is set to Global services, you have the permission to access OA resources in all regions.
Table 2 lists all system-defined permissions for OA. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
Role/Policy Name |
Description |
Type |
Dependencies |
---|---|---|---|
OA FullAccessPolicy |
Has all permissions of OA. |
System-defined policies |
None |
OA AdvancedOperationsPolicy |
Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, cross-account availability check is available. |
System-defined policies |
None |
OA CommonOperationsPolicy |
Has the permissions to perform regular operations using OA, such as performing availability check. Cross-account availability check is unavailable for users with this policy. |
System-defined policies |
None |
OA ReadOnlyAccessPolicy |
Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. |
System-defined policies |
None |
Table 3 lists the common operations supported by system-defined policies for OA.
Function |
Operation |
OA FullAccessPolicy |
OA AdvancedOperationsPolicy |
OA CommonOperationsPolicy |
OA ReadOnlyAccessPolicy |
---|---|---|---|---|---|
Risk check overview |
Viewing the risk check result overview |
Supported |
Supported |
Supported |
Supported |
Enabling or disabling automatic check |
Supported |
Supported |
Supported |
Not supported |
|
Viewing a notification topic |
Supported |
Supported |
Supported |
Supported |
|
Selecting accounts |
Supported |
Supported |
Not supported |
Not supported |
|
Performing a check |
Supported |
Supported |
Supported |
Not supported |
|
Downloading the risk check report |
Supported |
Supported |
Supported |
Supported |
|
Risk check dimensions |
Viewing risk check dimensions |
Supported |
Supported |
Supported |
Supported |
Viewing the check result details of a single check Item |
Supported |
Supported |
Supported |
Supported |
|
Performing a check for a single item. |
Supported |
Supported |
Supported |
Not supported |
|
Downloading the check report of a single check item. |
Supported |
Supported |
Supported |
Supported |
|
Architecture design |
Viewing the architecture list |
Supported |
Supported |
Supported |
Supported |
Viewing architectures in the recycle bin |
Supported |
Supported |
Supported |
Supported |
|
Viewing details about the architectures in the recycle bin |
Supported |
Supported |
Supported |
Supported |
|
Restoring architectures from the recycle bin |
Supported |
Supported |
Supported |
Not supported |
|
Deleting architectures from the recycle bin |
Supported |
Supported |
Supported |
Not supported |
|
Creating an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Renaming an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Exporting an architecture |
Supported |
Supported |
Supported |
Supported |
|
Copying an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Deleting an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Enabling capacity risk monitoring |
Supported |
Supported |
Supported |
Not supported |
|
Viewing details of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Editing an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Viewing the historical editing records of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Viewing the historical editing details of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Restoring a historical architecture |
Supported |
Supported |
Supported |
Not supported |
|
Deleting the historical records of an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Viewing all links of a diagram element |
Supported |
Supported |
Supported |
Supported |
|
Viewing selected resources |
Supported |
Supported |
Supported |
Supported |
|
Exporting selected resources |
Supported |
Supported |
Supported |
Supported |
|
Associating resources to a diagram element |
Supported |
Supported |
Supported |
Not supported |
|
Capacity optimization |
Viewing the summary of capacity optimization analysis results |
Supported |
Supported |
Supported |
Supported |
Viewing the details of capacity optimization analysis results |
Supported |
Supported |
Supported |
Supported |
|
Deleting capacity optimization analysis results |
Supported |
Supported |
Supported |
Not supported |
|
Viewing monitoring details of a capacity optimization analysis result |
Supported |
Supported |
Supported |
Supported |
|
Performing re-identification |
Supported |
Supported |
Supported |
Not supported |
|
Stopping analysis |
Supported |
Supported |
Supported |
Not supported |
|
Exporting a capacity optimization analysis report |
Supported |
Supported |
Supported |
Supported |
|
Querying capacity optimization analysis settings |
Supported |
Supported |
Supported |
Supported |
|
Modifying capacity optimization analysis settings |
Supported |
Supported |
Supported |
Not supported |
|
Querying the list of capacity optimization analysis reports |
Supported |
Supported |
Supported |
Supported |
|
Deleting a capacity optimization analysis report |
Supported |
Supported |
Supported |
Not supported |
|
Resource groups |
Viewing resource groups |
Supported |
Supported |
Supported |
Supported |
Viewing resource group details |
Supported |
Supported |
Supported |
Supported |
|
Modifying a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Deleting a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Adding a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Viewing the resource list |
Supported |
Supported |
Supported |
Supported |
|
Monthly service reports |
Viewing the monthly report list |
Supported |
Supported |
Supported |
Supported |
Viewing monthly report details |
Supported |
Supported |
Supported |
Supported |
|
Exporting a monthly report |
Supported |
Supported |
Supported |
Supported |
|
Risk check history |
Viewing risk check reports |
Supported |
Supported |
Supported |
Supported |
Viewing risk check result details |
Supported |
Supported |
Supported |
Supported |
|
Exporting a risk check report |
Supported |
Supported |
Supported |
Supported |
|
Custom rules |
Viewing the check item list |
Supported |
Supported |
Supported |
Supported |
Enabling check items |
Supported |
Supported |
Supported |
Not supported |
|
Disabling check items |
Supported |
Supported |
Supported |
Not supported |
|
Initializing configurations |
Supported |
Supported |
Supported |
Not supported |
|
Customizing configurations |
Supported |
Supported |
Supported |
Not supported |
|
Permission authorization |
Viewing the user authorization list |
Supported |
Supported |
Supported |
Supported |
Enabling or disabling authorization |
Supported |
Not supported |
Not supported |
Not supported |
|
Disabling services |
Supported |
Not supported |
Not supported |
Not supported |
Identity Policy-based Authorization
OA supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for OA. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
Identity Policy Name |
Description |
Type |
---|---|---|
OA FullAccessPolicy |
Has all permissions of OA. |
System-defined identity policies |
OA AdvancedOperationsPolicy |
Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, cross-account availability check is available. |
System-defined identity policies |
OA CommonOperationsPolicy |
Has the permissions to perform regular operations using OA, such as performing availability check. Cross-account availability check is unavailable for users with this policy. |
System-defined identity policies |
OA ReadOnlyAccessPolicy |
Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. |
System-defined identity policies |
Table 5 lists the common operations supported by system-defined identity policies for OA.
Function |
Operation |
OA FullAccessPolicy |
OA AdvancedOperationsPolicy |
OA CommonOperationsPolicy |
OA ReadOnlyAccessPolicy |
---|---|---|---|---|---|
Risk check overview |
Viewing the risk check result overview |
Supported |
Supported |
Supported |
Supported |
Enabling or disabling automatic check |
Supported |
Supported |
Supported |
Not supported |
|
Viewing a notification topic |
Supported |
Supported |
Supported |
Supported |
|
Selecting accounts |
Supported |
Supported |
Not supported |
Not supported |
|
Performing a check |
Supported |
Supported |
Supported |
Not supported |
|
Downloading the risk check report |
Supported |
Supported |
Supported |
Supported |
|
Risk check dimensions |
Viewing risk check dimensions |
Supported |
Supported |
Supported |
Supported |
Viewing the check result details of a single check Item |
Supported |
Supported |
Supported |
Supported |
|
Performing a check for a single item. |
Supported |
Supported |
Supported |
Not supported |
|
Downloading the check report of a single check item |
Supported |
Supported |
Supported |
Supported |
|
Architecture design |
Viewing the architecture list |
Supported |
Supported |
Supported |
Supported |
Viewing architectures in the recycle bin |
Supported |
Supported |
Supported |
Supported |
|
Viewing details about the architectures in the recycle bin |
Supported |
Supported |
Supported |
Supported |
|
Restoring architectures from the recycle bin |
Supported |
Supported |
Supported |
Not supported |
|
Deleting architectures from the recycle bin |
Supported |
Supported |
Supported |
Not supported |
|
Creating an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Renaming an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Exporting an architecture |
Supported |
Supported |
Supported |
Supported |
|
Copying an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Deleting an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Enabling capacity risk monitoring |
Supported |
Supported |
Supported |
Not supported |
|
Viewing details of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Editing an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Viewing the historical editing records of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Viewing the historical editing details of an architecture |
Supported |
Supported |
Supported |
Supported |
|
Restoring a historical architecture |
Supported |
Supported |
Supported |
Not supported |
|
Deleting the historical records of an architecture |
Supported |
Supported |
Supported |
Not supported |
|
Viewing all links of a diagram element |
Supported |
Supported |
Supported |
Supported |
|
Viewing selected resources |
Supported |
Supported |
Supported |
Supported |
|
Exporting selected resources |
Supported |
Supported |
Supported |
Supported |
|
Associating resources to a diagram element |
Supported |
Supported |
Supported |
Not supported |
|
Capacity optimization |
Viewing the summary of capacity optimization analysis results |
Supported |
Supported |
Supported |
Supported |
Viewing the details of capacity optimization analysis results |
Supported |
Supported |
Supported |
Supported |
|
Deleting capacity optimization analysis results |
Supported |
Supported |
Supported |
Not supported |
|
Viewing monitoring details of a capacity optimization analysis result |
Supported |
Supported |
Supported |
Supported |
|
Performing re-identification |
Supported |
Supported |
Supported |
Not supported |
|
Stopping analysis |
Supported |
Supported |
Supported |
Not supported |
|
Exporting a capacity optimization analysis report |
Supported |
Supported |
Supported |
Supported |
|
Querying capacity optimization analysis settings |
Supported |
Supported |
Supported |
Supported |
|
Modifying capacity optimization analysis settings |
Supported |
Supported |
Supported |
Not supported |
|
Querying the list of capacity optimization analysis reports |
Supported |
Supported |
Supported |
Supported |
|
Deleting a capacity optimization analysis report |
Supported |
Supported |
Supported |
Not supported |
|
Resource groups |
Viewing resource groups |
Supported |
Supported |
Supported |
Supported |
Viewing resource group details |
Supported |
Supported |
Supported |
Supported |
|
Modifying a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Deleting a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Adding a resource group |
Supported |
Supported |
Supported |
Not supported |
|
Viewing the resource list |
Supported |
Supported |
Supported |
Supported |
|
Monthly service reports |
Viewing the monthly report list |
Supported |
Supported |
Supported |
Supported |
Viewing monthly report details |
Supported |
Supported |
Supported |
Supported |
|
Exporting a monthly report |
Supported |
Supported |
Supported |
Supported |
|
Risk check history |
Viewing risk check reports |
Supported |
Supported |
Supported |
Supported |
Viewing risk check result details |
Supported |
Supported |
Supported |
Supported |
|
Exporting a risk check report |
Supported |
Supported |
Supported |
Supported |
|
Custom rules |
Viewing the check item list |
Supported |
Supported |
Supported |
Supported |
Enabling check items |
Supported |
Supported |
Supported |
Not supported |
|
Disabling check items |
Supported |
Supported |
Supported |
Not supported |
|
Initializing configurations |
Supported |
Supported |
Supported |
Not supported |
|
Customizing configurations |
Supported |
Supported |
Supported |
Not supported |
|
Permission authorization |
Viewing the user authorization list |
Supported |
Supported |
Supported |
Supported |
Enabling or disabling authorization |
Supported |
Not supported |
Not supported |
Not supported |
|
Disabling services |
Supported |
Not supported |
Not supported |
Not supported |
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot