Help Center/ Cloud Service Engine/ User Guide/ Creating a User and Granting CSE Permissions
Updated on 2025-08-29 GMT+08:00

Creating a User and Granting CSE Permissions

This section describes how to use IAM to implement fine-grained permissions control for your CSE resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials for access to CSE resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust a Huawei Cloud account or cloud service to perform professional and efficient O&M on your CSE resources.

If your Huawei Cloud account does not require individual IAM users, skip this section.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

Before assigning permissions to user groups, you should learn about CSE policies and select the policies based on service requirements.

  • For details about system permissions supported by CSE, see Permissions.
  • To grant permissions for other services, learn about all permissions supported by IAM by referring to System-defined Permissions.

Process Flow

Figure 1 Process of granting CSE permissions
  1. Create a user group and grant permissions to it.

    Create a user group on the IAM console, and grant the CSE ReadOnlyAccess policy to the group.

  2. Create a user and add it to the user group.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in to CSE and verify permissions.

    Log in to the CSE console as the created user, and verify that it has the read-only permission for CSE.

    • In Service List, choose Cloud Service Engine. On the console, choose ServiceComb > Buy Exclusive Microservice Engine. If a message is displayed indicating insufficient permissions, the ReadOnlyAccess policy has taken effect.
    • Choose any other service in Service List. If a message is displayed indicating insufficient permissions to access the service, the ReadOnlyAccess policy has taken effect.

CSE Custom Policies

Custom policies can be created as a supplement to the system-defined policies of CSE.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following section contains examples of common CSE custom policies.

Example Custom Policies

This procedure creates a policy that an IAM user is prohibited to create and delete a microservice engine.
{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cse:*:*"
                        ],
                        "Effect": "Allow"
                },
                {
                        "Action": [
                                "cse:engine:create",
                                "cse:engine:delete"
                        ],
                        "Effect": "Deny"
                }
        ]
}

A policy with only "Deny" permissions must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

You can verify your granted permissions using the console or REST APIs.

The following uses the custom policy as an example to describe how to verify that a user is not allowed to create microservice engines on the console.

  1. Log in to Huawei Cloud as an IAM user.
    • Tenant name: Name of the account used to create the IAM user
    • IAM username and IAM user password: Username and password specified during IAM user creation using the Tenant name
  2. Create a microservice engine on the CSE console. If error 403 is returned, the permissions are correct and are in effect.