Introduction

This chapter describes fine-grained permissions management for your Data Lake Factory (DLF). If your HUAWEI CLOUD account does not need individual IAM users, then you may skip over this chapter.

By default, new IAM users do not have permissions assigned. You need to add them to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

You can grant users permissions by using roles and policies. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.

Policy-based authorization is useful if you want to allow or deny the access to an API.

An account has all of the permissions required to call all APIs, but IAM users must have the required permissions specifically assigned. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions allowing the actions can call the API successfully. For example, if an IAM user queries jobs using an API, the user must have been granted permissions that allow the dlf:job:list action.

Supported Actions

VBS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

Permission: A statement in a policy that allows or denies certain operations.
Actions: Added to a custom policy to control permissions for specific operations.
Authorization Scope: A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect for IAM. Such policies will not take effect if they are assigned to user groups in Enterprise Project.
APIs: REST APIs that can be called in a custom policy.

**Table 1** Actions
Permissions	Actions	Authorization Scope	APIs
Creating Data Connections	dlf:connection:create	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/connections
Querying a Connection List	dlf:connection:list	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/connections?offset={offset}&limit={limit}&connectionName={connectionName}
Querying Connection Details	dlf:connection:get	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/connections/{connection_name}
Editing a Data Connection	dlf:connection:update	Supported: IAM projects Enterprise projects Not supported: none	PUT /v1/{project_id}/connections/{connection_name}
Deleting a Data Connection	dlf:connection:delete	Supported: IAM projects Enterprise projects Not supported: none	DELETE /v1/{project_id}/connections/{connection_name}
Exporting a Data Connection	dlf:connection:export	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/connections/export
Importing a Data Connection	dlf:connection:import	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/connections/import
Creating a Script	dlf:script:create	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/scripts
Querying a Script	dlf:script:get	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/scripts/{script_name}
Querying a Script List	dlf:script:list	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/scripts?offset={offset}&limit={limit}&scriptName={scriptName}
Modifying a Script	dlf:script:update	Supported: IAM projects Enterprise projects Not supported: none	PUT /v1/{project_id}/scripts/{script_name}
Deleting a Script	dlf:script:delete	Supported: IAM projects Enterprise projects Not supported: none	DELETE /v1/{project_id}/scripts/{script_name}
Executing a Script	dlf:script:execute	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/scripts/{script_name}/execute
Querying the Execution Result of a Script Instance	dlf:script:get	Supported: IAM projects Not supported: Enterprise projects	GET /v1/{project_id}/scripts/{script_name}/instances/{instance_id}
Stopping Executing a Script Instance	dlf:script:cancel	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/scripts/{script_name}/instances/{instance_id}/stop
Creating a Resource	dlf:resource:create	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/resources
Querying a Resource	dlf:resource:get	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/resources/{resource_id}
Querying a Resource List	dlf:resource:list	Supported: IAM projects Not supported: Enterprise projects	GET /v1/{project_id}/resources?offset={offset}&limit={limit}&resourceName={resourceName}
Modifying a Resource	dlf:resource:update	Supported: IAM projects Enterprise projects Not supported: none	PUT /v1/{project_id}/resources/{resource_id}
Deleting a Resource	dlf:resource:delete	Supported: IAM projects Enterprise projects Not supported: none	DELETE /v1/{project_id}/resources/{resource_id}
Creating a Job	dlf:job:create	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs
Editing a Job	dlf:job:update	Supported: IAM projects Not supported: Enterprise projects	PUT /v1/{project_id}/jobs/{name}
Viewing a Job List	dlf:job:list	Supported: IAM projects Enterprise projects Not supported: none	GET /v1/{project_id}/jobs?jobType={jobType}&offset={offset}&limit={limit}&jobName={jobName}
Viewing Job Details	dlf:job:get	Supported: IAM projects Not supported: Enterprise projects	GET /v1/{project_id}/jobs/{name}
Exporting a Job	dlf:job:export	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs/{name}/export
Batch Exporting Jobs	dlf:job:export	Supported: IAM projects Not supported: Enterprise projects	POST /v1/{project_id}/jobs/batch-export
Viewing a Job File	dlf:job:get	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs/check-file
Importing a Job	dlf:job:import	Supported: IAM projects Not supported: Enterprise projects	POST /v1/{project_id}/jobs/import
Starting a Job	dlf:job:startJob	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs/{name}/start
Stopping a Job	dlf:job:stopJob	Supported: IAM projects Not supported: Enterprise projects	POST /v1/{project_id}/jobs/{name}/stop
Deleting a Job	dlf:job:delete	Supported: IAM projects Not supported: Enterprise projects	DELETE /v1/{project_id}/jobs/{name}
Executing a Job Immediately	dlf:job:testRun	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs/{name}/run-immediate
Viewing a Job Instance List	dlf:jobInstance:list	Supported: IAM projects Not supported: Enterprise projects	GET /v1/{project_id}/jobs/instances/detail?jobName={jobName}&minPlanTime={minPlanTime}&maxPlanTime={maxPlanTime}&limit={limit}&offset={offset}&status={status}
Stopping a Job Instance	dlf:jobInstance:stopInstance	Supported: IAM projects Not supported: Enterprise projects	POST /v1/{project_id}/jobs/{jobName}/instances/{instanceId}/stop
Retry a Job Instance	dlf:jobInstance:retryInstance	Supported: IAM projects Enterprise projects Not supported: none	POST /v1/{project_id}/jobs/{jobName}/instances/{instanceId}/restart