Updated on 2024-12-25 GMT+08:00

Permissions

If you need to assign different permissions for IAM to employees in your organization, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can create IAM users and grant them permissions to access only specific resources. For example, you can grant permissions to allow certain project planners in your enterprise to view IAM data but disallow them to perform any high-risk operations, for example, deleting IAM users and projects. For all permissions of the services supported by IAM, see System-defined Permissions.

IAM Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

IAM is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access IAM in all regions.

You can grant permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Cloud services depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only the permissions required to manage ECSs of a certain type. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by IAM, see Permissions and Supported Actions.

Table 1 lists all the system-defined permissions for IAM.

Table 1 System-defined permissions for IAM

Role/Policy Name

Description

Type

Content

FullAccess

Full permissions for all services that support policy-based authorization. Users with these permissions can perform operations on all services.

System-defined policy

Content of the FullAccess Policy

IAM ReadOnlyAccess

Read-only permissions for IAM. Users with these permissions can only view IAM data.

System-defined policy

Content of the IAM ReadOnlyAccess Policy

Security Administrator

IAM administrator with full permissions, including permissions to create and delete IAM users.

System-defined role

Content of the Security Administrator Role

Agent Operator

IAM operator (delegated party) with permissions to switch roles and access resources of a delegating party.

System-defined role

Content of the Agent Operator Role

Tenant Guest

Read-only permissions for all services except IAM.

System-defined policy

Content of the Tenant Guest Role

Tenant Administrator

Administrator permissions for all services except IAM.

System-defined policy

Content of the Tenant Administrator Role

Table 2 lists the common operations supported by system-defined permissions for IAM.

Tenant Guest and Tenant Administrator are basic roles provided by IAM and do not contain any specific permissions for IAM. Therefore, the two roles are not listed in the following table.

Table 2 Common operations supported by system-defined permissions

Operation

Security Administrator

Agent Operator

FullAccess

IAM ReadOnlyAccess

Creating IAM users

Supported

Not supported

Supported

Not supported

Querying IAM user details

Supported

Not supported

Supported

Supported

Modifying IAM user information

Supported

Not supported

Supported

Not supported

Querying security settings of IAM users

Supported

Not supported

Supported

Supported

Modifying security settings of IAM users

Supported

Not supported

Supported

Not supported

Deleting IAM users

Supported

Not supported

Supported

Not supported

Creating user groups

Supported

Not supported

Supported

Not supported

Querying user group details

Supported

Not supported

Supported

Supported

Modifying user group information

Supported

Not supported

Supported

Not supported

Adding users to user groups

Supported

Not supported

Supported

Not supported

Removing users from user groups

Supported

Not supported

Supported

Not supported

Deleting user groups

Supported

Not supported

Supported

Not supported

Assigning permissions to user groups

Supported

Not supported

Supported

Not supported

Removing permissions of user groups

Supported

Not supported

Supported

Not supported

Creating custom policies

Supported

Not supported

Supported

Not supported

Modifying custom policies

Supported

Not supported

Supported

Not supported

Deleting custom policies

Supported

Not supported

Supported

Not supported

Querying permission details

Supported

Not supported

Supported

Supported

Creating agencies

Supported

Not supported

Supported

Not supported

Querying agencies

Supported

Not supported

Supported

Supported

Modifying agencies

Supported

Not supported

Supported

Not supported

Switching roles

Not supported

Supported

Supported

Not supported

Deleting agencies

Supported

Not supported

Supported

Not supported

Granting permissions to agencies

Supported

Not supported

Supported

Not supported

Removing permissions of agencies

Supported

Not supported

Supported

Not supported

Creating projects

Supported

Not supported

Supported

Not supported

Querying projects

Supported

Not supported

Supported

Supported

Modifying projects

Supported

Not supported

Supported

Not supported

Deleting projects

Supported

Not supported

Supported

Not supported

Creating identity providers

Supported

Not supported

Supported

Not supported

Importing metadata files

Supported

Not supported

Supported

Not supported

Querying metadata files

Supported

Not supported

Supported

Supported

Querying identity providers

Supported

Not supported

Supported

Supported

Querying protocols

Supported

Not supported

Supported

Supported

Querying mappings

Supported

Not supported

Supported

Supported

Updating identity providers

Supported

Not supported

Supported

Not supported

Updating protocols

Supported

Not supported

Supported

Not supported

Updating mappings

Supported

Not supported

Supported

Not supported

Deleting identity providers

Supported

Not supported

Supported

Not supported

Deleting protocols

Supported

Not supported

Supported

Not supported

Deleting mappings

Supported

Not supported

Supported

Not supported

Querying quotas

Supported

Not supported

Supported

Not supported

Access key management is disabled by default. When access key management is enabled, only administrators can manage access keys. If IAM users need to create, enable, disable, or delete their own access keys, they need to ask the administrator to disable access key management.

If an IAM user wants to manage the access keys of other IAM users, see Table 3. For example, if IAM user A wants to create an access key for IAM user B, IAM user A must have the Security Administrator or FullAccess permission.

Table 3 Access key operations supported by system-defined policies or roles

Operation

Security Administrator

Agent Operator

FullAccess

IAM ReadOnlyAccess

Creating access keys (for other IAM users)

Supported

Not supported

Supported

Not supported

Querying access keys (of other IAM users)

Supported

Not supported

Supported

Supported

Modifying access keys (for other IAM users)

Supported

Not supported

Supported

Not supported

Deleting access keys (for other IAM users)

Supported

Not supported

Supported

Not supported

Content of the FullAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "*:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

Content of the IAM ReadOnlyAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "iam:*:get*",
                "iam:*:list*",
                "iam:*:check*"
            ],
            "Effect": "Allow"
        }
    ]
}

Content of the Security Administrator Role

{
    "Version": "1.0",
    "Statement": [
        {
            "Action": [
                "iam:agencies:*",
                "iam:credentials:*",
                "iam:groups:*",
                "iam:identityProviders:*",
                "iam:mfa:*",
                "iam:permissions:*",
                "iam:projects:*",
                "iam:quotas:*",
                "iam:roles:*",
                "iam:users:*",
                "iam:securitypolicies:*"
            ],
            "Effect": "Allow"
        }
    ]
}

Content of the Agent Operator Role

{
    "Version": "1.0",
    "Statement": [
        {
            "Action": [
                "iam:tokens:assume"
            ],
            "Effect": "Allow"
        }
    ]
}

Content of the Tenant Guest Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "obs:*:get*",
                "obs:*:list*",
                "obs:*:head*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringNotEqualsIgnoreCase": {
                    "g:ServiceName": [
                        "iam"
                    ]
                }
            },
            "Action": [
                "*:*:get*",
                "*:*:list*",
                "*:*:head*"
            ],
            "Effect": "Allow"
        }
    ]
}

Content of the Tenant Administrator Role

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "obs:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringNotEqualsIgnoreCase": {
                    "g:ServiceName": [
                        "iam"
                    ]
                }
            },
            "Action": [
                "*:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}