Updated on 2024-02-05 GMT+08:00

Permissions Management

If you want to assign different permissions to employees in your enterprise to access your SecMaster resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.

With IAM, you can create IAM users under your account for your employees and assign permissions to those users to control their access to specific resource types. For example, you can use policies to grant software developers in your enterprise permissions that allow them to use SecMaster but not to perform certain high-risk operations, such as deleting SecMaster data.

If your account does not need individual IAM users for permissions management, you can skip this section.

IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

SecMaster Permissions

By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.

SecMaster is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. To access SecMaster, the users need to switch to a region where they have been authorized to use cloud services.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism that defines permissions related to users' responsibilities. Only a limited number of service-level roles are available. When using roles to grant permissions, you also need to assign any dependency roles. Roles are not ideal for fine-grained authorization or secure access control.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant SecMaster users only the permissions for managing a certain type of resources.

Table 1 lists all SecMaster system permissions.

Table 1 System-defined permissions supported by SecMaster

Policy Name              | Description                                                                                                      | Type                  | Dependency
SecMaster FullAccess     | All permissions of SecMaster.                                                                                    | System-defined policy | None
SecMaster ReadOnlyAccess | Read-only permission for SecMaster. Users granted these permissions can view SecMaster data but cannot configure SecMaster. | System-defined policy | None

SecMaster FullAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "secmaster:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:vpcs:list",
                "vpc:subnets:get",
                "vpcep:endpoints:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "obs:bucket:ListBucketVersions"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:permissions:checkRoleForAgencyOnDomain",
                "iam:permissions:checkRoleForAgencyOnProject",
                "iam:permissions:checkRoleForAgency",
                "iam:permissions:grantRoleToAgency",
                "iam:permissions:grantRoleToAgencyOnDomain",
                "iam:permissions:grantRoleToAgencyOnProject",
                "iam:policies:*",
                "iam:agencies:*",
                "iam:roles:*",
                "iam:users:listUsers",
                "iam:tokens:assume"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "organizations:organizations:get",
                "organizations:delegatedAdministrators:list",
                "organizations:roots:list",
                "organizations:ous:list",
                "organizations:accounts:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:cloudServers:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:agencies:assume"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lts:log*:list*"
            ],
            "Effect": "Allow"
        }
    ]
}

SecMaster ReadOnlyAccess Policy

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "secmaster:*:get*",
                "secmaster:*:list*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:vpcs:list",
                "vpc:subnets:get",
                "vpcep:endpoints:get",
                "vpcep:endpoints:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "obs:bucket:ListBucketVersions"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:permissions:checkRoleForAgencyOnDomain",
                "iam:permissions:checkRoleForAgencyOnProject",
                "iam:permissions:checkRoleForAgency",
                "iam:policies:get*",
                "iam:policies:list*",
                "iam:agencies:get*",
                "iam:agencies:list*",
                "iam:roles:get*",
                "iam:roles:list*",
                "iam:users:listUsers"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "organizations:organizations:get",
                "organizations:delegatedAdministrators:list",
                "organizations:roots:list",
                "organizations:ous:list",
                "organizations:accounts:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:cloudServers:list"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lts:log*:list*"
            ],
            "Effect": "Allow"
        }
    ]
}
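The two policy documents above differ only in how widely their action patterns match, and the effect of a given policy on a concrete operation is easiest to see by evaluating it. The following Python script is an added example and is not Huawei's or SecMaster's own code: it reproduces an excerpt of the FullAccess and ReadOnlyAccess statements from this page, matches action strings against them with `*` as the only wildcard, and compares the decisions. It assumes the usual IAM semantics of default deny with an explicit Deny overriding any Allow, and it adds a hypothetical custom policy (the "allow everything except deletion" case described earlier on this page) whose `delete*` operation prefix and all of the sample SecMaster operation names are constructed for illustration, not taken from the SecMaster action list.

```python
import json
import re

# Excerpts of the two system-defined policies shown on this page. Only the
# statements needed for the comparison are reproduced (constructed subset).
FULLACCESS_POLICY = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {"Action": ["secmaster:*:*"], "Effect": "Allow"},
        {"Action": ["iam:policies:*", "iam:agencies:*", "iam:roles:*",
                    "iam:users:listUsers"], "Effect": "Allow"},
        {"Action": ["lts:log*:list*"], "Effect": "Allow"}
    ]
}
""")

READONLY_POLICY = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {"Action": ["secmaster:*:get*", "secmaster:*:list*"], "Effect": "Allow"},
        {"Action": ["iam:policies:get*", "iam:policies:list*", "iam:agencies:get*",
                    "iam:agencies:list*", "iam:users:listUsers"], "Effect": "Allow"},
        {"Action": ["lts:log*:list*"], "Effect": "Allow"}
    ]
}
""")

# Hypothetical custom policy (not from the page): full SecMaster access with an
# explicit Deny on deletion. The "delete*" operation prefix is an assumption.
NO_DELETE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["secmaster:*:*"], "Effect": "Allow"},
        {"Action": ["secmaster:*:delete*"], "Effect": "Deny"},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """True if an action string matches a policy action pattern.

    '*' is the only wildcard and may appear in any of the
    service:resource:operation segments; everything else is matched literally.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def evaluate(policy: dict, action: str) -> str:
    """Decide 'Allow' or 'Deny' for one action.

    Assumed semantics: default deny; a matching Deny statement overrides any
    matching Allow statement.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def compare(policy_a: dict, policy_b: dict, actions) -> dict:
    """Map each action to (decision under A, decision under B) where they differ."""
    return {
        a: (evaluate(policy_a, a), evaluate(policy_b, a))
        for a in actions
        if evaluate(policy_a, a) != evaluate(policy_b, a)
    }


# Constructed sample actions; the SecMaster operation names are illustrative.
SAMPLE_ACTIONS = [
    "secmaster:alerts:list",
    "secmaster:alerts:getAlert",
    "secmaster:alerts:deleteAlert",
    "iam:users:listUsers",
    "iam:agencies:createAgency",
    "lts:logs:listLogGroups",
    "obs:bucket:PutObject",
]

if __name__ == "__main__":
    policies = [("FullAccess", FULLACCESS_POLICY),
                ("ReadOnlyAccess", READONLY_POLICY),
                ("NoDelete (hypothetical)", NO_DELETE_POLICY)]
    for name, pol in policies:
        print(name)
        for act in SAMPLE_ACTIONS:
            print(f"  {act:32} {evaluate(pol, act)}")
    print("FullAccess vs ReadOnlyAccess differ on:",
          compare(FULLACCESS_POLICY, READONLY_POLICY, SAMPLE_ACTIONS))
```

Running the script shows that ReadOnlyAccess denies the constructed delete and create operations that FullAccess allows, while both policies treat `ecs`, `lts` and out-of-scope `obs` actions identically. The `NO_DELETE_POLICY` case is the pattern to reach for when FullAccess is too broad: grant the service-wide Allow and carve out the high-risk operations with an explicit Deny, which under deny-overrides semantics cannot be re-enabled by any other Allow statement attached to the same user group.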