CNAD Basic
If you need to assign different permissions to employees in your enterprise to access your CNAD Basic resources, IAM is an ideal choice for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control the access to Huawei Cloud resources through authorization. For example, if you want certain software developers in your enterprise to use CNAD Basic without the ability to delete resources or perform high-risk operations, you can grant them only the necessary permissions for using CNAD Basic resources.
IAM supports role/policy-based authorization and identity policy-based authorization.
The differences and relationships between the two authorization models are as follows:
|
Authorization Model |
Core Relationship |
Permission |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy-based Authorization |
User-permission-authorization scope |
|
Granting a role or policy to a subject |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity Policy-based Authorization |
User-policy |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permissions needed to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the principals or grant the principals the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies/identity policies and actions in the two authorization scenarios are not interoperable. You are advised to use the identity policy-based authorization model. Role/Policy-based Permissions Management and Identity Policy-based Permissions Management describe the system permissions of the two models.
For details about IAM, see IAM Service Overview.
Role/Policy-based Permissions Management
CNAD Basic supports role/policy-based authorization. By default, new IAM users do not have any permissions. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
CNAD Basic is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing Anti-DDoS, the users need to switch to a region where they have been authorized.
Table 1 lists all CNAD Basic system permissions. System-defined policies in role/policy-based authorization and identity policy-based authorization are not interoperable.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
Anti-DDoS Administrator |
Administrator permissions for CNAD Basic. |
System-defined role |
|
Anti-DDoS FullAccess |
All permissions for CNAD Basic |
System-defined policy |
|
Anti-DDoS ReadOnlyAccess |
Read-only permissions for CNAD Basic |
System-defined policy |
Table 3 lists the common operations supported by each system-defined policy or role of CNAD Basic. Select the policies or roles as required.
|
Operation |
Anti-DDoS Administrator |
Anti-DDoS FullAccess |
Anti-DDoS ReadOnlyAccess |
|---|---|---|---|
|
Querying the default protection policy of CNAD Basic |
√ |
√ |
√ |
|
Configuring the default protection policy of CNAD Basic |
√ |
√ |
× |
|
Deleting the default protection policy of CNAD Basic |
√ |
√ |
× |
|
Querying CNAD Basic specifications |
√ |
√ |
√ |
|
Querying configured CNAD Basic policies |
√ |
√ |
√ |
|
Updating CNAD Basic policies |
√ |
√ |
× |
|
Enabling CNAD Basic |
√ |
√ |
× |
|
Querying weekly defense statistics |
√ |
√ |
√ |
|
Querying the traffic of a specified EIP |
√ |
√ |
√ |
|
Querying events of a specified EIP |
√ |
√ |
√ |
|
Querying the defense status of a specified EIP |
√ |
√ |
√ |
|
Querying the list of defense statuses of EIPs |
√ |
√ |
√ |
|
Querying Anti-DDoS tasks |
√ |
√ |
√ |
|
Querying alarm configuration |
√ |
√ |
√ |
|
Updating alarm configuration |
√ |
√ |
× |
|
Querying LTS configurations |
√ |
√ |
√ |
|
Updating LTS configurations |
√ |
√ |
× |
|
Querying quotas |
√ |
√ |
√ |
|
Querying resource tags |
√ |
√ |
√ |
Roles or policies on which the Cloud Native Anti-DDoS Basic console depends
|
Console Function |
Dependent Services |
Policy/Role Required |
|---|---|---|
|
Configuring CNAD Basic logs on LTS |
Log Tank Service (LTS) |
The LTS ReadOnlyAccess system policy is required to select log group and log stream names created in LTS. |
|
Enabling alarm notifications |
Simple Message Notification (SMN) |
The SMN ReadOnlyAccess system policy is required to obtain SMN topic groups. |
|
Querying tags |
Tag Management Service (TMS) |
The TMS ReadOnlyAccess system policy is required to query tags. |
Identity Policy-based Permissions Management
CNAD Basic supports identity policy-based authorization. Table shows all system-defined identity policies of CNAD Basic. System-defined identity policies and system-defined policies in the two authorization models are not interoperable.
|
Policy Name |
Description |
Policy Type |
|---|---|---|
|
Anti-DDoSFullAccessPolicy |
All permissions for CNAD Basic. |
System-defined |
|
Anti-DDoSReadOnlyPolicy |
Read-only permissions for CNAD Basic. Users granted these permissions can only view CNAD Basic information. |
System-defined |
Table 6 lists the common operations supported by CNAD Basic system-defined identity policies.
|
Operation |
Anti-DDoSFullAccessPolicy |
Anti-DDoSReadOnlyPolicy |
|---|---|---|
|
Querying the default protection policy of CNAD Basic |
√ |
√ |
|
Configuring the default protection policy of CNAD Basic |
√ |
× |
|
Deleting the default protection policy of CNAD Basic |
√ |
× |
|
Querying CNAD Basic specifications |
√ |
√ |
|
Querying configured CNAD Basic policies |
√ |
√ |
|
Updating CNAD Basic policies |
√ |
× |
|
Enabling CNAD Basic |
√ |
× |
|
Querying weekly defense statistics |
√ |
√ |
|
Querying the traffic of a specified EIP |
√ |
√ |
|
Querying events of a specified EIP |
√ |
√ |
|
Querying the defense status of a specified EIP |
√ |
√ |
|
Querying the list of defense statuses of EIPs |
√ |
√ |
|
Querying Anti-DDoS tasks |
√ |
√ |
|
Querying alarm configuration |
√ |
√ |
|
Updating alarm configuration |
√ |
× |
|
Querying LTS configurations |
√ |
√ |
|
Updating LTS configurations |
√ |
× |
|
Querying quotas |
√ |
√ |
|
Querying resource tags |
√ |
√ |
Identity Policies on Which Console Functions Depend
|
Console Function |
Dependent Services |
Identity Policy Required |
|---|---|---|
|
Configuring Anti-DDoS logs on LTS |
Log Tank Service (LTS) |
The log groups and log streams created in LTS can be selected only after the LTSReadOnlyAccessPolicy system identity policy is added. |
|
Enabling alarm notifications |
Simple Message Notification (SMN) |
SMN topic groups can be obtained only after the SMNReadOnlyPolicy system identity policy is added. |
|
Querying tags |
Tag Management Service (TMS) |
Tags can be queried only after the system identity policy TMSReadOnlyPolicy is added. |
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
