Updated on 2024-12-23 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to access your SFS Turbo resources on Huawei Cloud, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use SFS Turbo resources but should not be allowed to delete the resources or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using SFS Turbo resources.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

SFS Turbo Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

You can grant permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant users only permission to manage a certain type of ECSs. Most policies define permissions based on APIs. For the API actions supported by SFS Turbo, see section "Permissions Policies and Supported Actions" in the Scalable File Service API Reference.
Table 1 lists all the system-defined permissions for SFS Turbo.
Table 1 System-defined permissions for SFS Turbo

Policy/Role Name

Description

Type

Dependencies

SFS Turbo FullAccess

Administrator permissions for SFS Turbo. Users with these permissions can perform any operation on all SFS Turbo resources under the account.

System-defined policy

None

SFS Turbo ReadOnlyAccess

Read-only permissions for SFS Turbo. Users with these permissions can only view SFS Turbo data.

System-defined policy

None

Table 2 lists the common operations supported by system-defined policies for SFS Turbo.

Table 2 Common operations supported by each system-defined policy of SFS Turbo

Operation

SFS Turbo FullAccess

SFS Turbo ReadOnlyAccess

Querying the AD domain configuration

Supported

Supported

Obtaining SFS Turbo specifications

Supported

Supported

Querying a specific permissions rule of a file system

Supported

Supported

Querying details of a file system

Supported

Supported

Obtaining details about a file system asynchronous task

Supported

Supported

Querying task status details

Supported

Supported

Querying NIC details of an SFS Turbo file system

Supported

Supported

Querying details of a storage backend

Supported

Supported

Querying details about an import or export task

Supported

Supported

Listing NICs of an SFS Turbo file system

Supported

Supported

Querying SFS Turbo quotas

Supported

Supported

Querying the LDAP configuration

Supported

Supported

Querying details of all file systems

Supported

Supported

Querying the resource usage of a directory

Supported

Supported

Querying quota limits of a directory

Supported

Supported

Checking whether a directory exists

Supported

Supported

Querying tags of a file system

Supported

Supported

Obtaining the AZ information

Supported

Supported

Modifying the LDAP configuration

Supported

Not supported

Joining an AD domain

Supported

Not supported

Deleting a directory from a file system

Supported

Not supported

Deleting tags from a file system

Supported

Not supported

Changing the billing mode of a file system from pay-per-use to yearly/monthly

Supported

Not supported

Deleting a permissions rule

Supported

Not supported

Deleting file systems

Supported

Not supported

Creating file systems

Supported

Not supported

Canceling and deleting an interworking task

Supported

Not supported

Modifying a permissions rule

Supported

Not supported

Configuring auto synchronization for an OBS backend

Supported

Not supported

Canceling or deleting an asynchronous task of a file system

Supported

Not supported

Removing quota limits from a directory

Supported

Not supported

Updating quota limits of a directory

Supported

Not supported

Creating quota limits for a directory

Supported

Not supported

Adding a storage backend

Supported

Not supported

Creating a permissions rule

Supported

Not supported

Adding a tag to a file system

Supported

Not supported

Adding NICs

Supported

Not supported

Updating a file system

Supported

Not supported

Creating directories

Supported

Not supported

Expanding the capacity or changing the security group of a file system

Supported

Not supported

Creating an asynchronous task for a file system

Supported

Not supported

Checking the name of a file system

Supported

Not supported

Batch adding tags to a file system

Supported

Not supported

Removing a storage backend

Supported

Not supported

Creating an import or export task

Supported

Not supported

Modifying the AD domain configuration

Supported

Not supported

Creating and binding the LDAP configuration

Supported

Not supported

Deleting the LDAP configuration

Supported

Not supported

Leaving an AD domain

Supported

Not supported

Removing NICs

Supported

Not supported

Querying the permissions rules of a file system

Supported

Supported

Listing storage backends

Supported

Supported

Listing the asynchronous tasks of a file system

Supported

Supported

Listing import and export tasks

Supported

Supported

Querying tags of all file systems of a tenant

Supported

Supported

Role/Policy Dependencies of the SFS Turbo Console

Table 3 Role/Policy dependencies of the SFS Turbo console

Console Function

Dependent Services

Role/Policy Required

Creating a file system

VPC

Billing Center

DSS

ECS

  • The permissions of the SFS Turbo FullAccess policy already include the permissions of VPC FullAccess, which are required for creating file systems. An IAM user assigned the SFS Turbo Full Access policy does not need to have the VPC FullAccess policy assigned explicitly.
  • To create yearly/monthly file systems, the BSS Administrator policy is required.
  • To create file systems in dedicated projects, the DSS FullAccess and ECS FullAccess policies are required.

Querying file system details

VPC

  • The permissions of the SFS Turbo ReadOnlyAccess policy already include the permissions of VPC ReadOnlyAccess, which are required for querying file system details. An IAM user assigned the SFS Turbo ReadOnlyAccess policy does not need to have the VPC ReadOnlyAccess policy assigned explicitly.

Adding an OBS backend

OBS

  • To add OBS buckets as storage backends, the OBS Administrator policy is required.