Updated on 2024-07-22 GMT+08:00

Permissions

If you need to assign different permissions to personnel in your management account, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources.

With IAM, you can create IAM users and assign permissions enabling them to control their access to specific resources. For example, if you want some of your employees to invite member accounts to join an organization but do not want them to manage policies, you can create IAM users in the management account and grant permission to invite member accounts but not permission to create or modify policies.

If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

For more information about IAM, see Identity and Access Management Service Overview.

System-defined Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach permissions policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

Organizations is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access Organizations in all regions.

You can grant permissions by using roles and policies.
  • Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. Huawei Cloud services depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by Organizations, see Permissions and Supported Actions.

Table 1 lists all the system-defined permissions for Organizations.

Table 1 System-defined permissions for Organizations

Role/Policy Name

Description

Type

Dependencies

Organizations FullAccess

Users with these permissions can create, modify, delete, and view any information about Organizations.

System-defined policy

N/A

Organizations ReadOnlyAccess

Users with these permissions can view organization information, but not make any changes.

System-defined policy

N/A

Table 2 lists the common operations supported by system-defined permissions for Organizations.

Table 2 Common operations supported by system-defined permissions

Operation

Organizations FullAccess

Organizations ReadOnlyAccess

Creating an organization

Supported

Not supported

Viewing details about an organization

Supported

Supported

Deleting an organization

Supported

Not supported

Creating an OU

Supported

Not supported

Modifying an OU

Supported

Not supported

Viewing details about an OU

Supported

Supported

Deleting an OU

Supported

Not supported

Inviting an account to join your organization

Supported

Not supported

Creating an Account

Supported

Not supported

Closing an account

Supported

Not supported

Moving an account to another OU

Supported

Not supported

Viewing details about an account

Supported

Supported

Removing a member account from your organization

Supported

Not supported

Enabling SCP

Supported

Not supported

Disabling SCP

Supported

Not supported

Creating an SCP

Supported

Not supported

Modifying an SCP

Supported

Not supported

Viewing details about an SCP

Supported

Supported

Deleting an SCP

Supported

Not supported

Attaching an SCP

Supported

Not supported

Detaching an SCP

Supported

Not supported

Enabling a trusted service

Supported

Not supported

Disabling a trusted service

Supported

Not supported

Configuring a delegated administrator

Supported

Not supported

Adding a tag

Supported

Not supported

Editing a tag

Supported

Not supported

Viewing tag details

Supported

Supported

Deleting a tag

Supported

Not supported