Key IAM Operations Supported by CTS
Scenarios
Cloud Trace Service (CTS) records operations performed on cloud resources in your account. The operation logs can be used to perform security analysis, track resource changes, perform compliance audits, and locate faults.
It is recommended that you enable the CTS service to record key IAM operations, such as creating and deleting users.
Procedure
1. Log in to the management console.
2. If you log in to Huawei Cloud using an account, go to Step 3. If you log in as an IAM user, request the administrator to grant you the following permissions:
   - Security Administrator
   - CTS FullAccess
   For details, see Assigning Permissions to an IAM User.
3. Choose Service List > Management & Governance > Cloud Trace Service.
4. On the displayed authorization page, click Enable and Authorize.
   - When using CTS, you must have the required permissions for relevant operations, but you do not need to be granted the Security Administrator role again.
   - After you enable CTS, the system automatically creates two trackers to record management traces, that is, operations (such as creation, login, and deletion) performed on all cloud resources:
     - In the current region, a tracker is created to record management traces of all project-level services deployed in this region.
     - In the CN-Hong Kong region, a tracker is created to record management traces of all global services, such as IAM.
| Operation | Resource Type | Trace Name |
|---|---|---|
| User login | user | login |
| User login failed (account login failures not included) | user | loginFailed |
| User logout | user | logout |
| Login using a QR code | user | scanQRCodeLogin |
| Login using a QR code failed | user | scanQRCodeLoginFailed |
| Login via OpenID Connect succeeded | user | oidcLoginSuccess |
| Login via OpenID Connect failed | user | oidcLoginFailed |
| Login via SSO succeeded | user | iamUserSsoLoginSuccess |
| Login via SSO failed | user | iamUserSsoLoginFailed |
| Resetting the password | user | fpwdResetSuccess |
| Creating an IAM user | user | createUser |
| Changing the email address or mobile number | user | updateUser |
| Deleting a user | user | deleteUser |
| Changing the password | user | updateUserPwd |
| Setting a password for a user (by the administrator) | user | updateUserPwd |
| Modifying login protection of an IAM user | user | modifyLoginProtect |
| Changing the mobile number using an email | user | changeMobileByEmail |
| Changing the password using an email | user | updateUserPwdByEmail |
| Initial federated login succeeded | user | tenantLoginBySamlSuccess |
| Federated login using a custom identity broker succeeded | user | federationLoginNoPwdSuccess |
| Federated login using a custom identity broker failed | user | federationLoginNoPwdFailed |
| Downloading user passwords | user | generateRandomPassword |
| Querying users in a group | user | listUsers |
| Querying login user information | user | showUser |
| Querying IAM user details | user | showUser |
| Administrator querying the IAM users in a group | user | listUsersForGroup |
| Querying the login protection configurations of IAM users | user | listLoginProtects |
| Querying the login protection configuration of an IAM user | user | showLoginProtect |
| Listing IAM users | users | listUsers |
| Checking whether an IAM user belongs to a user group | users | checkUserInGroup |
| Listing users associated with an enterprise project | users | listUsersOnEnterpriseProject |
| Creating a user group | userGroup | createGroup |
| Modifying a user group | userGroup | updateGroup |
| Deleting a user group | userGroup | deleteGroup |
| Adding users to a user group | userGroup | addUserToGroup |
| Removing users from a user group | userGroup | removeUserFromGroup |
| Unbinding a virtual MFA device | MFA | UnBindMFA |
| Binding a virtual MFA device | MFA | BindMFA |
| Querying MFA device information of IAM users | MFA | listMFA |
| Querying the MFA device information of an IAM user | MFA | showMFA |
| Creating a security key | mfa | createWebauthnMfaDevice |
| Enabling a security key | mfa | enableWebauthnMfaDevice |
| Creating a project | project | createProject |
| Modifying a project | project | updateProject |
| Deleting a project | project | deleteProject |
| Querying basic sub-project information | project | showProject |
| Creating an agency | agency | createAgency |
| Modifying an agency | agency | updateAgency |
| Deleting an agency | agency | deleteAgency |
| Switching an agency | agency | switchRole |
| Assigning all project permissions to an agency | agency | updateAgencyInheritedGrants |
| Revoking all project permissions from an agency | agency | deleteAgencyInheritedGrants |
| Assigning global service permissions to an agency | agency | updateAgencyAssignsByRole |
| Querying the agency list of a specified tenant delegating this tenant | agency | listAgencies |
| Querying the cloud service agency list | agency | listServiceAgency |
| Accessing an agency | agency | switchAgency |
| Querying agency switching information | agency | assumeAgency |
| Assigning global service permissions to an agency (API) | roleAgencyDomain | assignRoleToAgencyOnDomain |
| Updating agency permissions | agency | updateAgencyAssignsByRole |
| Querying agency details | agency | showAgency |
| Querying the agency list | agency | listAgencies |
| Listing agencies meeting specified conditions | agencies | listAgencies |
| Registering an identity provider | identityProvider | createIdentityProvider |
| Modifying an identity provider | identityProvider | updateIdentityProvider |
| Deleting an identity provider | identityProvider | deleteIdentityProvider |
| Updating an identity conversion rule | identityProvider | updateMapping |
| Updating the identity provider metadata | identityProvider | metadataConfiguration |
| Manually editing metadata of a preset IdP | identityProvider | metadataConfiguration |
| Registering a mapping | mapping | createMapping |
| Updating a mapping | mapping | updateMapping |
| Deleting a mapping | mapping | deleteMapping |
| Registering a protocol | identityProvider | createProtocol |
| Updating a protocol | identityProvider | updateProtocol |
| Deleting a protocol | identityProvider | deleteProtocol |
| Revoking global service permissions from an agency | roleAgencyDomain | unassignRoleToAgencyOnDomain |
| Assigning project permissions to an agency | roleAgencyProject | assignRoleToAgencyOnProject |
| Revoking project permissions from an agency | roleAgencyProject | unassignRoleToAgencyOnProject |
| Modifying the login authentication policy | SecurityPolicy | modifySecurityPolicy |
| Modifying the password policy | SecurityPolicy | modifySecurityPolicy |
| Modifying the ACL | SecurityPolicy | modifySecurityPolicy |
| Creating an account | domain | createDomain |
| Updating an account | domain | updateDomain |
| Deleting an account | domain | deleteDomain |
| Login via OpenID Connect failed | domain | oidcLoginFailed |
| Creating a custom policy | Policy | createRole |
| Modifying a custom policy | Policy | updateRole |
| Deleting a custom policy | Policy | deleteRole |
| Assigning global service permissions to a user group (API) | assignment | createAssignment |
| Assigning global service permissions to a user group | group | updateGroupAssignsByRole |
| Revoking global service permissions from a user group | assignment | deleteAssignment |
| Querying authorization records | assignment | showAssignment |
| Querying the authorization list | assignment | showAssignment |
| Creating a permanent AK/SK | credential | createCredential |
| Updating a permanent access key (AK/SK) | credential | updateCredential |
| Deleting a permanent access key (AK/SK) | credential | deleteCredential |
| Disabling or enabling an access key (AK/SK) | credential | updateCredential |
| Querying a permanent access key | credential | showCredential |
| Listing all permanent access keys | credentials | listCredentials |
| Creating temporary access keys on the console as a federated user | credential | CreateTemporaryAccessKeyFromConsole |
| Assigning permissions to users or enterprise projects | assignment | grantRoleToUserOnEnterpriseProject |
| Revoking permissions from users or enterprise projects | enterpriseProject | revokeRoleFromUserOnEnterpriseProject |
| Updating user group permissions for enterprise projects | enterpriseProject | updateRoleFromGroupOnEnterpriseProject |
| Obtaining user groups associated with a specified enterprise project | group | showGroupAssignedOnEp |
| Querying user group details | group | showGroup |
| Querying the user groups to which an IAM user belongs | group | listGroupsForUser |
| Querying the user group to which an IAM user belongs | groups | listGroupsForUser |
| Querying user groups | group | listGroups |
| Querying the user groups associated with an enterprise project | groups | listGroupsOnEnterpriseProject |
| Querying actions | action | listActions |
| Querying the system policy list | policy | listRoles |
| Querying the permission list of a user in a project | policy | showAssignment |
| Obtaining the permissions associated with a user group in a specified enterprise project | policy | showRolesAssignedOnEpGroup |
| Creating a custom policy | policy | CheckCustomPolicy |
| Querying permission details | policy | showRole |
| Querying permissions | policy | listRoles |
| Querying permissions of a user group for the global service project | policies | listDomainPermissionsForGroup |
| Querying permissions of a user group for a region-specific project | policies | listProjectPermissionsForGroup |
| Checking whether a user group has specified permissions for a global service project | policies | checkDomainPermissionForGroup |
| Checking whether a user group has specified permissions for a region-specific project | policies | checkProjectPermissionForGroup |
| Querying all permissions of a user group | policies | listAllProjectPermissionsForGroup |
| Checking whether a user group has specified permissions for all projects | policies | checkroleForGroup |
| Querying permissions of an agency for a global service project | policies | listDomainPermissionsForAgency |
| Querying permissions of an agency for a region-specific project | policies | listProjectPermissionsForAgency |
| Querying the permissions of a user group associated with an enterprise project | policies | listRolesForGroupOnEnterpriseProject |
| Querying permissions of a user directly associated with an enterprise project | policies | listRolesForUserOnEnterpriseProject |
| Querying project details | project | showProject |
| Querying the project list | project | listProjects |
| Changing project status | project | showProjectDetailsAndStatus |
| Querying a project list based on specified conditions | projects | listProjects |
| Listing the projects accessible to a user | projects | listProjectsForUser |
| Querying the quotas of a project | project | showProjectQuota |
| Querying the quotas of an account | quota | showDomainQuota |
| Querying region details | region | showRegion |
| Listing regions | regions | listRegions |
| Querying the password strength policy | securityPolicy | showSecurityCompliance |
| Querying the password strength policy with conditions | securityPolicy | showSecurityComplianceByOption |
| Querying the operation protection policy | securityPolicy | showSecurityPolicy |
| Querying the password policy | securityPolicy | showSecurityPolicy |
| Querying the login authentication policy | securityPolicy | showSecurityPolicy |
| Querying the ACL for console access | securityPolicy | showSecurityPolicy |
| Querying the ACL for API access | securityPolicy | showSecurityPolicy |
| Querying service details | service | showService |
| Listing services | services | listServices |
| Querying the cloud service list | service | listCloudServices |
| Obtaining a user token through password authentication | token | createTokenByPwd |
| Obtaining a user token through password authentication and virtual MFA | token | createTokenByMfa |
| Obtaining an agency token | token | createTokenByAssumeRole |
| Verifying a token | token | verifyToken |
| Obtaining a federated token using an OpenID Connect ID token | token | createTokenWithIdToken |
| Obtaining an unscoped token with an OpenID Connect ID token | token | showUnscopeTokenBySPinitiated |
| Obtaining an unscoped token (IdP initiated) | token | createUnscopeTokenByIdpInitiated |
| Obtaining an unscoped token (SP initiated) | token | showUnscopeTokenBySPinitiated |
| Obtaining a login token through a custom identity broker | loginToken | createLoginToken |
| Obtaining temporary access keys and security tokens of an agency | securityToken | createV3SecurityTokenByAssumeRole |
| Obtaining temporary access keys and security tokens of an IAM user | securityToken | createV3SecurityTokenByToken |
| Querying endpoints | endpoint | showEndpoint |
| Querying the service catalog | endpoints | listEndpoints |
| Querying enterprise projects associated with a user group | enterpriseProjects | listEnterpriseProjectsForGroup |
| Querying enterprise projects directly associated with a user | enterpriseProjects | listEnterpriseProjectsForUser |
| Listing identity providers | identityProvider | listIdentityProviders |
| Querying identity provider details | identityProvider | showIdentityProvider |
| Querying metadata configurations | identityProvider | showMetadataConfiguration |
| Querying an OpenID Connect identity provider | identityProvider | showOIDCConfiguration |
| Listing protocols | identityProvider | listProtocols |
| Querying protocol details | identityProvider | showProtocol |
| Querying metadata files | identityProvider | showMetadataConfiguration |
| Listing mappings | mapping | listMappings |
| Querying mapping details | mapping | showMapping |
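The table above lists trace names, but it does not show how to use them for the security analysis mentioned at the top of the page. The following is an added example, not Huawei Cloud code: it reads a newline-delimited JSON export of CTS traces and flags two things a defender watches for, namely high-impact IAM changes (user, access key, MFA, security policy, agency and custom-policy operations, using the trace names from the table) and repeated login failures per user. The record layout (`trace_name`, `resource_type`, `user`, `source_ip`, `time` as plain string fields), the threshold value and the sample export are all assumptions constructed for the example; a real CTS export may nest the user object or name fields differently, so map the keys to your own data before using it.

```python
"""Flag key IAM operations in CTS trace records (added example).

Illustrative code, not Huawei Cloud's. It assumes a CTS export with one JSON
object per line carrying "trace_name", "resource_type", "user", "source_ip"
and "time" as plain strings; the real export may differ, so adjust the keys.
The trace names are taken from the table on this page.
"""
import json
from collections import Counter

# Trace names from the page that change who can authenticate or what they can do.
HIGH_RISK_TRACES = {
    "createUser", "deleteUser", "updateUserPwd",            # user lifecycle
    "createCredential", "deleteCredential",                 # permanent AK/SK
    "BindMFA", "UnBindMFA",                                 # MFA changes
    "modifySecurityPolicy",                                 # login/password/ACL policy
    "createAgency", "updateAgency", "assignRoleToAgencyOnDomain",
    "createRole", "updateRole", "deleteRole",               # custom policies
}

# Failed-authentication traces from the page; repeated failures warrant a look.
AUTH_FAILURE_TRACES = {
    "loginFailed", "scanQRCodeLoginFailed", "oidcLoginFailed",
    "iamUserSsoLoginFailed", "federationLoginNoPwdFailed",
}

FAILURE_THRESHOLD = 3  # assumed: failed logins per user in one batch before alerting


def parse_traces(text):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_high_risk(records):
    """Return (trace_name, user, source_ip) for every high-risk trace, in order."""
    return [
        (r.get("trace_name"), r.get("user"), r.get("source_ip"))
        for r in records
        if r.get("trace_name") in HIGH_RISK_TRACES
    ]


def find_repeated_failures(records, threshold=FAILURE_THRESHOLD):
    """Map user -> failure count for users at or above the threshold."""
    counts = Counter(
        r.get("user") for r in records if r.get("trace_name") in AUTH_FAILURE_TRACES
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def review(text, threshold=FAILURE_THRESHOLD):
    """Run both checks over a raw export and return the findings."""
    records = parse_traces(text)
    return {
        "records": len(records),
        "high_risk": find_high_risk(records),
        "repeated_failures": find_repeated_failures(records, threshold),
    }


# Constructed sample export: three failures for alice, one for bob, and carol
# creating a permanent access key and then deleting a user. The last line is
# deliberately malformed to show the parser tolerating it.
SAMPLE_EXPORT = """\
{"time": "2024-01-01T08:00:01Z", "trace_name": "loginFailed", "resource_type": "user", "user": "alice", "source_ip": "203.0.113.10"}
{"time": "2024-01-01T08:00:05Z", "trace_name": "loginFailed", "resource_type": "user", "user": "alice", "source_ip": "203.0.113.10"}
{"time": "2024-01-01T08:00:09Z", "trace_name": "loginFailed", "resource_type": "user", "user": "alice", "source_ip": "203.0.113.10"}
{"time": "2024-01-01T08:01:00Z", "trace_name": "loginFailed", "resource_type": "user", "user": "bob", "source_ip": "198.51.100.7"}
{"time": "2024-01-01T08:02:00Z", "trace_name": "createCredential", "resource_type": "credential", "user": "carol", "source_ip": "192.0.2.44"}
{"time": "2024-01-01T08:02:30Z", "trace_name": "deleteUser", "resource_type": "user", "user": "carol", "source_ip": "192.0.2.44"}
{"time": "2024-01-01T08:03:00Z", "trace_name": "listUsers", "resource_type": "users", "user": "carol", "source_ip": "192.0.2.44"}
{"time": "2024-01-01T08:04:00Z", "trace_name": "logout", "user": "carol"
"""

if __name__ == "__main__":
    for key, value in review(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Read-only traces such as listUsers are deliberately left out of the high-risk set so the output stays focused on changes to identities, credentials and policies; extend the sets from the table to match what your organisation treats as sensitive, and note that several distinct operations (for example all three security policy changes) share one trace name, so the trace name alone does not tell you which setting was touched.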