Updated on 2025-08-15 GMT+08:00

Creating a Service Permission Credential

A service permission credential controls API access permissions. On the service permission credential page, you can create, view, and manage service permission credentials.

Why Do I Need to Add a Service Permission Credential?

A service permission credential controls which Huawei Cloud Astro Zero users can access customized public APIs. If a user's permissions include a service permission credential, the user can call the customized public APIs configured with that credential.

What Is a Service Permission Credential?

Service permission credentials are used to control API access permissions. Huawei Cloud Astro Zero provides two methods to control API access permissions: configuring permission scripts and configuring APIs. Profile scripts should be preferentially used for verification. You can decide on the next operation based on the return value of the script.

  • If an API has a service permission credential, a user's profile must have access to that service permission credential for the user to call the API.
    • If a user has no service permission credential, the system verifies the data permissions in the profile (for example, running flows and scripts, adding, deleting, modifying, and querying objects, and API read and write permissions).
    • If a portal user has no service permission credential, an error is reported when the API is called, and the data permissions in the profile are not verified.
  • If no service permission credential is configured for an API, check the value of the built-in system parameter bingo.permission.customapi.check. This parameter controls the logic when no service permission credential is bound to a public API.
    • If this parameter is set to true and no service permission credential is bound to a public API, portal users cannot access the API. For users, the system verifies the data permissions in the profile.
    • If this parameter is set to false and no service permission credential is bound to a public API, portal users can access the API without verification. For users, the system verifies the data permissions in the profile.

    For example, if the built-in parameter bingo.permission.customapi.check is set to true and no service permission credential is bound to an API, portal users cannot perform operations on object data even if they have API read and write permissions. To allow portal users to perform operations on object data, set this parameter to false. Because the parameter applies to every public API that has no credential bound, setting it to false lets portal users access all such APIs without verification.

    To view and configure this parameter, choose System Settings > System Parameters on the Huawei Cloud Astro Zero environment configuration page, and then click the Built-in System Parameters tab.

    Figure 1 Built-in system parameters
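
The access rules listed above can be modeled as a small decision function and used to audit an inventory of public APIs. This is an added example, not Huawei Cloud Astro Zero code; the function names, the Decision values, and the SAMPLE_APIS inventory are constructed for illustration.

```python
from enum import Enum

PARAM = "bingo.permission.customapi.check"  # built-in parameter named on this page


class Decision(Enum):
    ALLOW = "call allowed"
    DENY = "error reported, data permissions not verified"
    PROFILE_CHECK = "system verifies data permissions in the profile"


def decide(api_creds, caller_creds, is_portal_user, customapi_check):
    """Model (an assumption, not platform code) of the rules listed above."""
    if api_creds:
        # A credential is bound to the API: the caller's profile must hold it.
        if set(api_creds) & set(caller_creds):
            return Decision.ALLOW
        # Without it, users fall back to profile checks; portal users get an error.
        return Decision.DENY if is_portal_user else Decision.PROFILE_CHECK
    # No credential bound: users are always checked against their profile.
    if not is_portal_user:
        return Decision.PROFILE_CHECK
    # Portal users: the built-in parameter decides between deny and open access.
    return Decision.DENY if customapi_check else Decision.ALLOW


def unverified_portal_apis(apis, customapi_check):
    """Public APIs a portal user holding no credential can call unchecked."""
    return sorted(name for name, creds in apis.items()
                  if decide(creds, set(), True, customapi_check) is Decision.ALLOW)


# Constructed inventory: API name -> bound service permission credentials.
SAMPLE_APIS = {"getOrders": {"cs"}, "listCatalog": set(), "ping": set()}

if __name__ == "__main__":
    for value in (True, False):
        print(f"{PARAM}={value}: {unverified_portal_apis(SAMPLE_APIS, value)}")
```

Run against a real export of your public APIs, the second function lists the APIs that become reachable by any portal user once the parameter is set to false.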

Adding a Service Permission Credential to a Portal User

  1. Create a service permission credential.

    1. Log in to the Huawei Cloud Astro Zero console and click Access Homepage. The application development page is displayed.
    2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
    3. Choose Maintenance from the main menu.
    4. In the navigation pane, choose Global Elements > Service Permissions Credentials.
    5. Click Create.
    6. Set Label and Name to cs and click Save and New.

  2. Create a profile.

    The permissions of portal users are configured and extended based on Portal User Profile. A new profile inherits all permissions from the profile based on which it is created. When new portal users are registered, assign them the corresponding profile. The portal users then obtain the permissions in the profile.

    The following describes how to create a portal user profile csProfile in application A.

    1. Choose Configuration from the main menu.
    2. In the navigation pane, choose User Security > Profiles. Then click New.
    3. Set Existing Profile to Portal User Profile, Clone Mode to Normal, and Profile Name to csProfile. Click Save.
      Figure 2 Creating a profile based on Portal User Profile
      • When Clone Mode is set to Inherited, the edit button is hidden for permissions except basic information and service permission credentials.
      • If you select Normal, all information about the new profile can be edited.
    4. In the profile list, click csProfile to go to its details page.
    5. On the Basic Information tab page, click to configure permissions.
      For details about the functions of each permission item, see Table 1.

      In this example, the new profile inherits permissions from Portal User Profile. You can also configure other permissions that meet your service requirements.

    6. On the Service Permissions Credentials tab page, click , select cs, and click to save the settings.
      Figure 3 Configuring service credential permissions

  3. Configure portal user permissions.

    After a portal user is added, the portal user does not have any permission to use the services provided by Huawei Cloud Astro Zero. To enable the portal user to use Huawei Cloud Astro Zero, you need to configure necessary profiles for this portal user. The following describes how to assign csProfile to the portal user test_cs in application A.

    1. Choose Maintenance from the main menu.
    2. In the navigation pane, choose Global Elements > Portal Users.
    3. In the portal user list, click the portal user test_cs.
    4. On the details page, click Edit.
    5. In the displayed dialog box, select csProfile in the list on the left, click to add the selected profile to the list on the right, and click Save.
      • csProfile is a permission set created based on Portal User Profile. Except for csProfile, the other profiles are preset in the system. You are advised not to modify the preset profiles. A profile (such as csProfile) created based on a preset profile inherits all the preset permissions.
      • If Overwrite Profile is selected, the portal user only has the permissions configured in the permission set. If you do not select this option, the portal user has both permissions in Portal User Profile and the permissions configured in the permission set.

Adding a Service Permission Credential to an API

To grant a user or portal user API access via permissions, you must assign service permission credentials to the API. The following uses application A as an example to describe how to add service permission credentials to an API.

  1. Log in to the Huawei Cloud Astro Zero console and click Access Homepage. The application development page is displayed.
  2. On the Homepage > All Apps page, click Edit next to an application to access the application designer.
  3. In the navigation pane, choose Settings.
  4. On the Application Settings page, choose Permissions. The Service Permissions Credential page is displayed.
  5. Click Import, select the service permission credential to be imported, and click Import.

    The service permission credential can be imported to the application because the required cs service permission credential was created in step 1 of Adding a Service Permission Credential to a Portal User. If the required service permission credential has not been created, click Create to create one.

  6. In the navigation pane of the application designer, choose Integrations.
  7. In the Open API area, click the name of the API for which you want to configure a service credential. The API details page is displayed.
  8. Click the edit button in the service permission credential area. In the service permission credential list area, select the service permission credentials to be added, click to add the selected service permission credentials to the list on the right, and click Save.

    Figure 4 Editing a service permission credential