Updated on 2025-09-05 GMT+08:00

Permissions

If you need to grant your enterprise personnel permission to access your OA resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use OA resources but do not want them to delete OA resources or perform any other high-risk operations, you can create IAM users and grant permission to use OA resources but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

Table 1 Differences between role/policy-based and identity policy-based authorization

| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
| --- | --- | --- | --- | --- |
| Role/Policy | User-permission-authorization scope | System-defined roles; System-defined policies; Custom policies | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | System-defined identity policies; Custom identity policies | Assigning identity policies to principals; Attaching identity policies to principals | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Authorization

OA supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

OA is a global service deployed for all regions. When the authorization scope is set to Global services, you have the permission to access OA resources in all regions.

Table 2 lists all system-defined permissions for OA. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

Table 2 System-defined permissions for OA

| Role/Policy Name | Description | Type | Dependencies |
| --- | --- | --- | --- |
| OA FullAccessPolicy | Has all permissions of OA. | System-defined policies | None |
| OA AdvancedOperationsPolicy | Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, cross-account availability check is available. | System-defined policies | None |
| OA CommonOperationsPolicy | Has the permissions to perform regular operations using OA, such as performing availability check. Cross-account availability check is unavailable for users with this policy. | System-defined policies | None |
| OA ReadOnlyAccessPolicy | Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. | System-defined policies | None |

Table 3 lists the common operations supported by system-defined policies for OA.

Table 3 Common operations supported by system-defined permissions

| Function | Operation | OA FullAccessPolicy | OA AdvancedOperationsPolicy | OA CommonOperationsPolicy | OA ReadOnlyAccessPolicy |
| --- | --- | --- | --- | --- | --- |
| Risk check overview | Viewing the risk check result overview | Supported | Supported | Supported | Supported |
| Risk check overview | Enabling or disabling automatic check | Supported | Supported | Supported | Not supported |
| Risk check overview | Viewing a notification topic | Supported | Supported | Supported | Supported |
| Risk check overview | Selecting accounts | Supported | Supported | Not supported | Not supported |
| Risk check overview | Performing a check | Supported | Supported | Supported | Not supported |
| Risk check overview | Downloading the risk check report | Supported | Supported | Supported | Supported |
| Risk check dimensions | Viewing risk check dimensions | Supported | Supported | Supported | Supported |
| Risk check dimensions | Viewing the check result details of a single check item | Supported | Supported | Supported | Supported |
| Risk check dimensions | Performing a check for a single item | Supported | Supported | Supported | Not supported |
| Risk check dimensions | Downloading the check report of a single check item | Supported | Supported | Supported | Supported |
| Architecture design | Viewing the architecture list | Supported | Supported | Supported | Supported |
| Architecture design | Viewing architectures in the recycle bin | Supported | Supported | Supported | Supported |
| Architecture design | Viewing details about the architectures in the recycle bin | Supported | Supported | Supported | Supported |
| Architecture design | Restoring architectures from the recycle bin | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting architectures from the recycle bin | Supported | Supported | Supported | Not supported |
| Architecture design | Creating an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Renaming an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Exporting an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Copying an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Enabling capacity risk monitoring | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing details of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Editing an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing the historical editing records of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Viewing the historical editing details of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Restoring a historical architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting the historical records of an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing all links of a diagram element | Supported | Supported | Supported | Supported |
| Architecture design | Viewing selected resources | Supported | Supported | Supported | Supported |
| Architecture design | Exporting selected resources | Supported | Supported | Supported | Supported |
| Architecture design | Associating resources to a diagram element | Supported | Supported | Supported | Not supported |
| Capacity optimization | Viewing the summary of capacity optimization analysis results | Supported | Supported | Supported | Supported |
| Capacity optimization | Viewing the details of capacity optimization analysis results | Supported | Supported | Supported | Supported |
| Capacity optimization | Deleting capacity optimization analysis results | Supported | Supported | Supported | Not supported |
| Capacity optimization | Viewing monitoring details of a capacity optimization analysis result | Supported | Supported | Supported | Supported |
| Capacity optimization | Performing re-identification | Supported | Supported | Supported | Not supported |
| Capacity optimization | Stopping analysis | Supported | Supported | Supported | Not supported |
| Capacity optimization | Exporting a capacity optimization analysis report | Supported | Supported | Supported | Supported |
| Capacity optimization | Querying capacity optimization analysis settings | Supported | Supported | Supported | Supported |
| Capacity optimization | Modifying capacity optimization analysis settings | Supported | Supported | Supported | Not supported |
| Capacity optimization | Querying the list of capacity optimization analysis reports | Supported | Supported | Supported | Supported |
| Capacity optimization | Deleting a capacity optimization analysis report | Supported | Supported | Supported | Not supported |
| Resource groups | Viewing resource groups | Supported | Supported | Supported | Supported |
| Resource groups | Viewing resource group details | Supported | Supported | Supported | Supported |
| Resource groups | Modifying a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Deleting a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Adding a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Viewing the resource list | Supported | Supported | Supported | Supported |
| Monthly service reports | Viewing the monthly report list | Supported | Supported | Supported | Supported |
| Monthly service reports | Viewing monthly report details | Supported | Supported | Supported | Supported |
| Monthly service reports | Exporting a monthly report | Supported | Supported | Supported | Supported |
| Risk check history | Viewing risk check reports | Supported | Supported | Supported | Supported |
| Risk check history | Viewing risk check result details | Supported | Supported | Supported | Supported |
| Risk check history | Exporting a risk check report | Supported | Supported | Supported | Supported |
| Custom rules | Viewing the check item list | Supported | Supported | Supported | Supported |
| Custom rules | Enabling check items | Supported | Supported | Supported | Not supported |
| Custom rules | Disabling check items | Supported | Supported | Supported | Not supported |
| Custom rules | Initializing configurations | Supported | Supported | Supported | Not supported |
| Custom rules | Customizing configurations | Supported | Supported | Supported | Not supported |
| Permission authorization | Viewing the user authorization list | Supported | Supported | Supported | Supported |
| Permission authorization | Enabling or disabling authorization | Supported | Not supported | Not supported | Not supported |
| Permission authorization | Disabling services | Supported | Not supported | Not supported | Not supported |

Identity Policy-based Authorization

OA supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for OA. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

Table 4 System-defined identity policies for OA

| Identity Policy Name | Description | Type |
| --- | --- | --- |
| OA FullAccessPolicy | Has all permissions of OA. | System-defined identity policies |
| OA AdvancedOperationsPolicy | Has the permissions to perform advanced operations using OA, such as performing availability check. With this policy, cross-account availability check is available. | System-defined identity policies |
| OA CommonOperationsPolicy | Has the permissions to perform regular operations using OA, such as performing availability check. Cross-account availability check is unavailable for users with this policy. | System-defined identity policies |
| OA ReadOnlyAccessPolicy | Read-only permissions for OA. Users who are assigned this policy can only view check results and resource groups, but cannot create or execute tasks. | System-defined identity policies |

Table 5 lists the common operations supported by system-defined identity policies for OA.

Table 5 Common operations supported by system-defined policies

| Function | Operation | OA FullAccessPolicy | OA AdvancedOperationsPolicy | OA CommonOperationsPolicy | OA ReadOnlyAccessPolicy |
| --- | --- | --- | --- | --- | --- |
| Risk check overview | Viewing the risk check result overview | Supported | Supported | Supported | Supported |
| Risk check overview | Enabling or disabling automatic check | Supported | Supported | Supported | Not supported |
| Risk check overview | Viewing a notification topic | Supported | Supported | Supported | Supported |
| Risk check overview | Selecting accounts | Supported | Supported | Not supported | Not supported |
| Risk check overview | Performing a check | Supported | Supported | Supported | Not supported |
| Risk check overview | Downloading the risk check report | Supported | Supported | Supported | Supported |
| Risk check dimensions | Viewing risk check dimensions | Supported | Supported | Supported | Supported |
| Risk check dimensions | Viewing the check result details of a single check item | Supported | Supported | Supported | Supported |
| Risk check dimensions | Performing a check for a single item | Supported | Supported | Supported | Not supported |
| Risk check dimensions | Downloading the check report of a single check item | Supported | Supported | Supported | Supported |
| Architecture design | Viewing the architecture list | Supported | Supported | Supported | Supported |
| Architecture design | Viewing architectures in the recycle bin | Supported | Supported | Supported | Supported |
| Architecture design | Viewing details about the architectures in the recycle bin | Supported | Supported | Supported | Supported |
| Architecture design | Restoring architectures from the recycle bin | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting architectures from the recycle bin | Supported | Supported | Supported | Not supported |
| Architecture design | Creating an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Renaming an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Exporting an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Copying an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Enabling capacity risk monitoring | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing details of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Editing an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing the historical editing records of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Viewing the historical editing details of an architecture | Supported | Supported | Supported | Supported |
| Architecture design | Restoring a historical architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Deleting the historical records of an architecture | Supported | Supported | Supported | Not supported |
| Architecture design | Viewing all links of a diagram element | Supported | Supported | Supported | Supported |
| Architecture design | Viewing selected resources | Supported | Supported | Supported | Supported |
| Architecture design | Exporting selected resources | Supported | Supported | Supported | Supported |
| Architecture design | Associating resources to a diagram element | Supported | Supported | Supported | Not supported |
| Capacity optimization | Viewing the summary of capacity optimization analysis results | Supported | Supported | Supported | Supported |
| Capacity optimization | Viewing the details of capacity optimization analysis results | Supported | Supported | Supported | Supported |
| Capacity optimization | Deleting capacity optimization analysis results | Supported | Supported | Supported | Not supported |
| Capacity optimization | Viewing monitoring details of a capacity optimization analysis result | Supported | Supported | Supported | Supported |
| Capacity optimization | Performing re-identification | Supported | Supported | Supported | Not supported |
| Capacity optimization | Stopping analysis | Supported | Supported | Supported | Not supported |
| Capacity optimization | Exporting a capacity optimization analysis report | Supported | Supported | Supported | Supported |
| Capacity optimization | Querying capacity optimization analysis settings | Supported | Supported | Supported | Supported |
| Capacity optimization | Modifying capacity optimization analysis settings | Supported | Supported | Supported | Not supported |
| Capacity optimization | Querying the list of capacity optimization analysis reports | Supported | Supported | Supported | Supported |
| Capacity optimization | Deleting a capacity optimization analysis report | Supported | Supported | Supported | Not supported |
| Resource groups | Viewing resource groups | Supported | Supported | Supported | Supported |
| Resource groups | Viewing resource group details | Supported | Supported | Supported | Supported |
| Resource groups | Modifying a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Deleting a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Adding a resource group | Supported | Supported | Supported | Not supported |
| Resource groups | Viewing the resource list | Supported | Supported | Supported | Supported |
| Monthly service reports | Viewing the monthly report list | Supported | Supported | Supported | Supported |
| Monthly service reports | Viewing monthly report details | Supported | Supported | Supported | Supported |
| Monthly service reports | Exporting a monthly report | Supported | Supported | Supported | Supported |
| Risk check history | Viewing risk check reports | Supported | Supported | Supported | Supported |
| Risk check history | Viewing risk check result details | Supported | Supported | Supported | Supported |
| Risk check history | Exporting a risk check report | Supported | Supported | Supported | Supported |
| Custom rules | Viewing the check item list | Supported | Supported | Supported | Supported |
| Custom rules | Enabling check items | Supported | Supported | Supported | Not supported |
| Custom rules | Disabling check items | Supported | Supported | Supported | Not supported |
| Custom rules | Initializing configurations | Supported | Supported | Supported | Not supported |
| Custom rules | Customizing configurations | Supported | Supported | Supported | Not supported |
| Permission authorization | Viewing the user authorization list | Supported | Supported | Supported | Supported |
| Permission authorization | Enabling or disabling authorization | Supported | Not supported | Not supported | Not supported |
| Permission authorization | Disabling services | Supported | Not supported | Not supported | Not supported |