Permissions Management of CBH Instances
If you need to assign different permissions to employees in your enterprise to manage your CBH instances, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.
With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can create IAM users for the software developers and assign specific permissions to allow them to only use CBH instances but not to create, change specifications of, or upgrade CBH instances.
If your account does not need individual IAM users for permissions management, then you may skip over this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
CBH Instance Permissions
By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.
CBH is a project-level service deployed and accessed in specific physical regions. To assign CBH permissions to a user group, specify the scope as region-specific projects and select the projects in which the permissions take effect. If All projects is selected, the permissions take effect for the user group in all region-specific projects. To access a CBH instance, users must switch to a region where they have been authorized to use the CBH instance.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism that defines permissions related to users' responsibilities. Only a limited number of service-level roles are available for authorization. Some roles depend on other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CBH users only the permissions for managing a certain type of resource. For details about the actions supported by CBH, see Permissions and Supported Actions.
Table 1 lists all the system-defined roles and policies supported by CBH instances.
Role/Policy Name | Description | Type | Dependency |
---|---|---|---|
CBH FullAccess | All permissions (except the payment permission) on CBH instances | System-defined policy | None |
CBH ReadOnlyAccess | Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but not configure services. | System-defined policy | None |
To use all CBH functions on the CBH console, you need to have the CBH FullAccess role assigned at the enterprise project level and the CBH ReadOnlyAccess role assigned at the IAM project level.
Table 2 lists the common operations for each system-defined policy or role of CBH instances. Select the policies or roles as required.
Operation | CBH FullAccess | CBH ReadOnlyAccess |
---|---|---|
Creating a CBH instance | √ | x |
Changing CBH instance specifications (changing specifications) | √ | x |
Querying the CBH instance list | √ | √ |
Upgrading the CBH system version | √ | x |
Querying total ECS quota | √ | x |
Binding or unbinding an EIP | √ | x |
Restarting a CBH instance | √ | x |
Starting a CBH instance | √ | x |
Stopping a CBH instance | √ | x |
Querying the AZ of a CBH instance | √ | x |
Checking whether an IPv6 CBH instance can be created | √ | x |
Checking network connection between the CBH instance and the license center | √ | x |
Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center | √ | x |
Related Topics
CBH FullAccess Policy Content
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cbh:*:*",
        "vpc:subnets:get",
        "vpc:publicIps:list",
        "vpc:vpcs:list",
        "vpc:securityGroups:get",
        "vpc:firewallGroups:get",
        "vpc:firewallPolicies:get",
        "vpc:firewallRules:get",
        "vpc:ports:get",
        "vpc:publicips:update",
        "vpc:securityGroups:create",
        "vpc:firewallRules:create",
        "vpc:firewallPolicies:addRule",
        "ecs:cloudServerFlavors:get",
        "evs:types:get"
      ]
    }
  ]
}
CBH ReadOnlyAccess Policy Content
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cbh:*:list*",
        "vpc:publicIps:list",
        "vpc:vpcs:list",
        "vpc:securityGroups:get",
        "vpc:subnets:get"
      ]
    }
  ]
}
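A least-privilege review of the two system-defined policies listed above, as an added example that is not part of the original documentation: it reports which Allow entries can change resources, what CBH FullAccess grants beyond CBH ReadOnlyAccess, and whether a concrete action matches the wildcard patterns. The glob-style matching, the get/list read-only heuristic, and the action names `cbh:instance:create` and `cbh:instance:list` are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Policy documents as listed on this page.
FULL_ACCESS = json.loads("""{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
  "cbh:*:*", "vpc:subnets:get", "vpc:publicIps:list", "vpc:vpcs:list",
  "vpc:securityGroups:get", "vpc:firewallGroups:get", "vpc:firewallPolicies:get",
  "vpc:firewallRules:get", "vpc:ports:get", "vpc:publicips:update",
  "vpc:securityGroups:create", "vpc:firewallRules:create",
  "vpc:firewallPolicies:addRule", "ecs:cloudServerFlavors:get", "evs:types:get"]}]}""")
READ_ONLY = json.loads("""{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
  "cbh:*:list*", "vpc:publicIps:list", "vpc:vpcs:list",
  "vpc:securityGroups:get", "vpc:subnets:get"]}]}""")

# Assumption: an operation segment starting with get/list is read-only.
READ_PREFIXES = ("get", "list")


def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement, in order."""
    actions = []
    for statement in policy["Statement"]:
        if statement["Effect"] == "Allow":
            actions.extend(statement["Action"])
    return actions


def is_allowed(policy, action):
    """Glob-match a concrete action against the Allow patterns (assumed semantics)."""
    return any(fnmatchcase(action, pattern) for pattern in allowed_actions(policy))


def mutating_actions(policy):
    """Return Allow patterns whose operation segment is not a get/list read."""
    return [p for p in allowed_actions(policy)
            if not p.split(":")[-1].lower().startswith(READ_PREFIXES)]


def extra_grants(broad, narrow):
    """Patterns present in the broad policy but absent from the narrow one."""
    return sorted(set(allowed_actions(broad)) - set(allowed_actions(narrow)))


if __name__ == "__main__":
    print("FullAccess entries that can change resources:", mutating_actions(FULL_ACCESS))
    print("ReadOnlyAccess entries that can change resources:", mutating_actions(READ_ONLY))
    print("Granted only by FullAccess:", extra_grants(FULL_ACCESS, READ_ONLY))
    # Constructed action name, used only to exercise the wildcard patterns.
    print("ReadOnly may create:", is_allowed(READ_ONLY, "cbh:instance:create"))
```

The report makes visible that CBH FullAccess also carries write actions on VPC resources (security groups, firewall rules and policies, public IPs), which is worth weighing before attaching it to a broad user group.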