Using IAM Identity Policies to Grant Access to DBSS
With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DBSS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or cloud service to perform professional and efficient O&M on your DBSS resources.
If your account meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
Before granting permissions, learn about the DBSS permissions and select them as required. For details about the system-defined identity policies supported by DBSS, see Role/Policy-based Permissions Management. For details about the permissions of other services, see System-defined Permissions.
Process Flow
- Create an IAM user or user group on the IAM console.
- Attach a system-defined identity policy (DBSSReadOnlyPolicy is used as the example here) to the user or user group: grant the DBSS system-defined identity policy DBSSReadOnlyPolicy to the user or user group, or add the policy to it.
- Log in as the IAM user and verify permissions. In the authorized region, perform the following operations:
  - Choose Database Security Service in the service list and click Buy DBSS on the DBSS console. If you cannot buy DBSS (assuming that the current permissions include only DBSSReadOnlyPolicy), the DBSSReadOnlyPolicy policy has taken effect.
  - Choose another service from Service List (the current permissions still include only DBSSReadOnlyPolicy). If a message is displayed indicating insufficient permissions to access that service, the DBSSReadOnlyPolicy policy has taken effect.
DBSS Example Custom Identity Policies
If the system-defined policies of DBSS cannot meet your needs, you can create custom identity policies and add the required actions to them. For details, see Actions Supported by Identity Policies.
You can create custom identity policies on Huawei Cloud in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Edit policies from scratch or based on an existing policy in JSON format.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about the supported resource types and condition keys, see Actions Supported by Identity Policy-based Authorization. The following provides examples of custom identity policies.
- Example 1: Allowing a user to query the database audit list
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dbss:auditInstance:list"
      ]
    }
  ]
}
```
- Example 2: Denying database audit instance deletion
A policy with only "Deny" permissions must be used together with other policies. If the policies assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the DBSS FullAccess policy to a user but also forbid the user from deleting database audit instances. Create a custom policy to disallow audit instance deletion and assign both policies to the group the user belongs to. Then the user can perform all operations on DBSS except deleting database audit instances. The following is an example of a deny policy:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "dbss:auditInstance:delete"
      ],
      "Effect": "Deny"
    }
  ]
}
```
- Example 3: Creating a custom policy containing multiple actions
A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dbss:defendInstance:eipOperate",
        "dbss:auditInstance:getSpecification"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "hss:accountCracks:unblock",
        "hss:commonIPs:set"
      ]
    }
  ]
}
```
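The precedence rule behind Example 2 (an explicit Deny wins over any Allow, and a request matched by no statement is implicitly denied) can be checked offline before a policy is attached. The following evaluator is an added example, not code from DBSS or Huawei Cloud IAM; it reuses the page's Example 1 and Example 2 policies, and `FULL_ACCESS_LIKE` is a constructed stand-in for a broad policy that assumes wildcard actions such as `dbss:*:*` are accepted (the page itself shows only literal actions).

```python
import fnmatch

# Policies copied from the page's Example 1 and Example 2.
ALLOW_LIST = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["dbss:auditInstance:list"]}]}
DENY_DELETE = {"Version": "1.1", "Statement": [
    {"Action": ["dbss:auditInstance:delete"], "Effect": "Deny"}]}
# Constructed stand-in for a broad "FullAccess"-style policy.
# Assumption: wildcard actions are supported (not shown on the page).
FULL_ACCESS_LIKE = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["dbss:*:*"]}]}

def _matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action.

    Order follows the page: an explicit Deny in any attached policy beats
    every Allow, regardless of policy order; with no matching statement
    the request is implicitly denied (least privilege by default).
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not _matches(actions, action):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny short-circuits
            decision = "Allow"
    return decision

def lint(policy):
    """Flag statements that can never take effect: unknown Effect, empty
    Action list, or a Version other than the "1.1" used by the page."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append('Version should be "1.1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if not stmt.get("Action"):
            problems.append(f"statement {i}: no Action listed")
    return problems

if __name__ == "__main__":
    attached = [FULL_ACCESS_LIKE, DENY_DELETE]   # the Example 2 setup
    for act in ("dbss:auditInstance:list", "dbss:auditInstance:delete"):
        print(act, "->", evaluate(attached, act))
```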