CodeArts Console Permissions
If you need to assign different permissions to employees in your enterprise to access your CodeArts packages purchased on Huawei Cloud, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can assign permissions to users to control their access to specific Huawei Cloud resources. For example, some software developers need to use the CodeArts console but should not be allowed to unsubscribe from CodeArts or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for viewing basic information about purchased CodeArts packages.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
|
Model |
Core Relationship |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Granting roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
Users - Policies |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With RBAC, the administrator needs to create two custom policies and attach both to the IAM users. With ABAC, the administrator only needs to create one custom policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. ABAC is more flexible than RBAC.
Policies and actions in the two authorization models are not interoperable. You are advised to use ABAC. For details about system-defined permissions of the two models, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Permissions Management
The CodeArts console supports role/policy-based authorization. By default, new IAM users do not have any permissions. You need to add them to one or more groups, and then attach policies or roles to these groups. The users inherit permissions from their groups and can then perform specified operations on cloud services.
CodeArts is a project-level service deployed and accessed in specific physical regions. If you set Scope to All resources, users have permissions for CodeArts resources in all region-specific projects. When accessing the CodeArts console, the users need to switch to a region where they have been authorized.
Table 2 lists all system-defined permissions for the CodeArts console. System-defined policies in RBAC and ABAC are not interoperable.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
DevCloud Console FullAccess |
All permissions for the CodeArts console. Users with these permissions can buy CodeArts packages and authorize enterprise accounts. If an IAM user wants to purchase CodeArts, they must also have one of the BSS Administrator, BSS Finance, and BSS Operator permissions in addition to this permission. |
System-defined policy |
|
DevCloud Console ReadOnlyAccess |
Read-only permissions for the CodeArts console. Users with these permissions can only view the usage of CodeArts services. |
System-defined policy |
Table 3 lists the common operations supported by system-defined permissions for the CodeArts console. Select the permissions as required.
|
Operation |
DevCloud Console FullAccess |
DevCloud Console ReadOnlyAccess |
|---|---|---|
|
Check CodeArts Req resource usage |
√ |
√ |
|
Check CodeArts Repo resource usage |
√ |
√ |
|
Check CodeArts Check resource usage |
√ |
√ |
|
Check CodeArts Build resource usage |
√ |
√ |
|
Check CodeArts TestPlan – Test Management resource usage |
√ |
√ |
|
Check CodeArts TestPlan – APITest resource usage |
√ |
√ |
|
Check CodeArts Artifact resource usage |
√ |
√ |
|
Check CodeArts IDE Online resource usage |
√ |
√ |
|
Check Classroom resource usage |
√ |
√ |
|
Buy a CodeArts package |
√ |
× |
|
Change CodeArts package specifications |
√ |
× |
|
Subscribe to CodeArts Req with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Repo with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Check with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Build with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts TestPlan – Test Management with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts TestPlan – APITest with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Artifact with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts IDE Online with pay-per-use billing |
√ |
× |
|
Subscribe to Classroom with pay-per-use billing |
√ |
× |
|
Buy the Agile and DevOps Training service |
√ |
× |
|
Buy a pay-per-use package on the console |
√ |
× |
|
Subscribe to a pay-per-use package |
√ |
× |
|
Unsubscribe from CodeArts Req with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Repo with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Check with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Build with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts TestPlan – Test Management with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts TestPlan – APITest with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Artifact with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts IDE Online with pay-per-use billing |
√ |
× |
|
Unsubscribe from Classroom with pay-per-use billing |
√ |
× |
|
Unsubscribe from a pay-per-use package |
√ |
× |
|
View CodeArts Req resources |
√ |
√ |
|
View CodeArts Check resources |
√ |
√ |
|
View CodeArts Repo resources |
√ |
√ |
|
View CodeArts Build resources |
√ |
√ |
|
View CodeArts TestPlan – Test Management resources |
√ |
√ |
|
View CodeArts TestPlan – APITest resources |
√ |
√ |
|
View CodeArts Artifact resources |
√ |
√ |
|
View CodeArts IDE Online resources |
√ |
√ |
|
View pay-per-use package subscription records |
√ |
√ |
|
View Classroom resources |
√ |
√ |
|
View resources of the Agile and DevOps Training service |
√ |
√ |
|
View CodeArts package resource details |
√ |
√ |
|
View details of a pay-per-use package |
√ |
√ |
|
View CodeArts Req subscription records |
√ |
√ |
|
View CodeArts Repo subscription records |
√ |
√ |
|
View CodeArts Check subscription records |
√ |
√ |
|
View CodeArts Build subscription records |
√ |
√ |
|
View CodeArts TestPlan – Test Management subscription records |
√ |
√ |
|
View CodeArts TestPlan – APITest subscription records |
√ |
√ |
|
View CodeArts Artifact subscription records |
√ |
√ |
|
View CodeArts IDE Online subscription records |
√ |
√ |
|
View Classroom subscription records |
√ |
√ |
|
View the authorization list |
√ |
√ |
|
Authorize an enterprise account |
√ |
× |
|
Cancel the authorization granted to an enterprise account |
√ |
× |
|
Accept or reject authorization to an enterprise account |
√ |
× |
- Pay-per-use billing and viewing enabling records are not supported.
- CodeArts IDE Online (previously "CloudIDE"), Classroom, and Agile and DevOps Training will be available soon.
Identity Policy-based Permissions Management
The CodeArts console supports identity policy-based authorization. Table 4 lists all system-defined policies for the CodeArts console with ABAC. System-defined policies in RBAC and ABAC are not interoperable.
|
Identity Policy Name |
Description |
Type |
|---|---|---|
|
CODEARTSFullAccessPolicy |
All permissions for the CodeArts console. Users with these permissions can buy CodeArts packages and authorize enterprise accounts. |
System-defined identity policy |
|
CODEARTSReadOnlyPolicy |
Read-only permissions for the CodeArts console. Users with these permissions can only view the usage of CodeArts services. |
System-defined identity policy |
Table 5 lists the common operations supported by system-defined policies for the CodeArts console.
|
Operation |
CODEARTSFullAccessPolicy |
CODEARTSReadOnlyPolicy |
|---|---|---|
|
Check CodeArts Req resource usage |
√ |
√ |
|
Check CodeArts Repo resource usage |
√ |
√ |
|
Check CodeArts Check resource usage |
√ |
√ |
|
Check CodeArts Build resource usage |
√ |
√ |
|
Check CodeArts TestPlan – Test Management resource usage |
√ |
√ |
|
Check CodeArts TestPlan – APITest resource usage |
√ |
√ |
|
Check CodeArts Artifact resource usage |
√ |
√ |
|
Check CodeArts IDE Online resource usage |
√ |
√ |
|
Check Classroom resource usage |
√ |
√ |
|
Buy a CodeArts package |
√ |
× |
|
Change CodeArts package specifications |
√ |
× |
|
Subscribe to CodeArts Req with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Repo with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Check with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Build with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts TestPlan – Test Management with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts TestPlan – APITest with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts Artifact with pay-per-use billing |
√ |
× |
|
Subscribe to CodeArts IDE Online with pay-per-use billing |
√ |
× |
|
Subscribe to Classroom with pay-per-use billing |
√ |
× |
|
Subscribe to a pay-per-use package |
√ |
× |
|
Unsubscribe from CodeArts Req with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Repo with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Check with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Build with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts TestPlan – Test Management with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts TestPlan – APITest with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts Artifact with pay-per-use billing |
√ |
× |
|
Unsubscribe from CodeArts IDE Online with pay-per-use billing |
√ |
× |
|
Unsubscribe from Classroom with pay-per-use billing |
√ |
× |
|
Unsubscribe from a pay-per-use package |
√ |
× |
|
View CodeArts package resource details |
√ |
√ |
|
View CodeArts Req resources |
√ |
√ |
|
View CodeArts Repo resources |
√ |
√ |
|
View CodeArts Check resources |
√ |
√ |
|
View CodeArts Build resources |
√ |
√ |
|
View CodeArts TestPlan – Test Management resources |
√ |
√ |
|
View CodeArts TestPlan – APITest resources |
√ |
√ |
|
View CodeArts Artifact resources |
√ |
√ |
|
View CodeArts IDE Online resources |
√ |
√ |
|
View Classroom resources |
√ |
√ |
|
View resources of the Agile and DevOps Training service |
√ |
√ |
|
View details of a pay-per-use package |
√ |
√ |
|
View CodeArts Req subscription records |
√ |
√ |
|
View CodeArts Repo subscription records |
√ |
√ |
|
View CodeArts Check subscription records |
√ |
√ |
|
View CodeArts Build subscription records |
√ |
√ |
|
View CodeArts TestPlan – Test Management subscription records |
√ |
√ |
|
View CodeArts TestPlan – APITest subscription records |
√ |
√ |
|
View CodeArts Artifact subscription records |
√ |
√ |
|
View pay-per-use package subscription records |
√ |
√ |
|
View Classroom subscription records |
√ |
√ |
|
View CodeArts IDE Online subscription records |
√ |
√ |
|
View the authorization list |
√ |
√ |
|
Authorize an enterprise account |
√ |
× |
|
Cancel the authorization granted to an enterprise account |
√ |
× |
|
Accept or reject authorization to an enterprise account |
√ |
× |
- Pay-per-use billing and viewing enabling records are not supported.
- CodeArts IDE Online (previously "CloudIDE"), Classroom, and Agile and DevOps Training will be available soon.
Service Name Mapping
The service names in permission policies (Table 3 and Table 5) may differ from those on the console. The mapping relationship between these names is shown in Table 6.
|
Service Name in Permission Policies |
Service Name on the Console |
|---|---|
|
DevCloud |
CodeArts |
|
ProjectMan |
CodeArts Req |
|
CodeHub |
CodeArts Repo |
|
CodeCheck |
CodeArts Check |
|
CloudBuild |
CodeArts Build |
|
CloudDeploy |
CodeArts Deploy |
|
CloudArtifact |
CodeArts Artifact |
|
CloudTest |
CodeArts TestPlan |
|
CloudPipeline |
CodeArts Pipeline |
|
CloudIDE |
CodeArts IDE Online |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
