Permissions Management
If you need to assign different permissions to employees in your enterprise to access your CCM resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access CCM but not to delete CCM or its resources, then you can create an IAM policy to assign the developers the permission to access CCM but prevent them from deleting CCM related data.
If your Huawei Cloud account does not need individual IAM users for permissions management, you may skip over this topic.
IAM is free. You pay only for the resources in your account. For more information about IAM, see What Is IAM.
CCM Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
CCM is a global service deployed for all physical regions. Therefore, CCM permissions are assigned to users in the Global project, and the users do not need to switch regions when accessing CCM.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. This mechanism provides a limited number of service-level roles for authorization. If one role has a dependency role required for accessing CCM, assign both roles to the users. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CCM users the permissions to manage only a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by CCM, see Permissions Policies and Supported Actions.
Table 1 lists the system-defined roles of CCM.
Role/Policy |
Description |
Type |
Dependency |
---|---|---|---|
SCM Administrator |
SCM administrator permissions. Users with SCM administrator permissions have all the permissions for the SCM service. |
System-defined policy |
The Server Administrator and Tenant Guest roles need to be assigned in the same project. BSS Administrator role is required for purchasing a certificate. BSS Administrator: a system role, which is the administrator of the billing center (BSS) and has all permissions for the service. WAF FullAccess: system policy, which is the Web Application Firewall (WAF) administrator. ELB FullAccess: a system policy that has all permissions for Elastic Load Balance (ELB). CDN FullAccess: a system policy that has the permission to operate all fine-grained authentication interfaces of the Content Delivery Network (CDN). EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator. DNS FullAccess: a system policy that has all permissions for Domain Name Service (DNS), including creating, deleting, querying, and modifying DNS resources. |
SCM FullAccess |
All permissions for SCM |
System-defined policy |
BSS Administrator role is required for purchasing a certificate. BSS Administrator: a system role, which is the administrator of the billing center (BSS) and has all permissions for the service. WAF FullAccess: system policy, which is the WAF administrator. ELB FullAccess: a system policy that has all permissions for Elastic Load Balance (ELB). CDN FullAccess: a system policy that has the permission to operate all fine-grained authentication interfaces of the Content Delivery Network (CDN). EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator. DNS FullAccess: a system policy that has all permissions for Domain Name Service (DNS), including creating, deleting, querying, and modifying DNS resources. |
SCM ReadOnlyAccess |
Read-only permission for SCM. Users with the read-only permission can only query certificate information but cannot add, delete, or modify certificates. |
System-defined policy |
None. |
PCA FullAccess |
All permissions for PCA |
System policy |
BSS Administrator role is required for creating a private CA or private certificate. EPS FullAccess: a system-defined policy that has all Enterprise Project Management Service (EPS) permissions. OBS Administrator: a system policy, which is the Object Storage Service (OBS) administrator. |
Table 2 lists the common operations supported by each system-defined policy of SCM. Select the proper system-defined policies as required.
To purchase a certificate, your account must have the BSS Administrator permission in addition to the SCM Administrator or SCM FullAccess permission.
BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.
Operation |
SCM Administrator |
SCM FullAccess |
SCM ReadOnlyAccess |
---|---|---|---|
Querying the SSL certificate list |
√ |
√ |
√ |
Querying the details of an SSL certificate |
√ |
√ |
√ |
Querying the SSL certificate type |
√ |
√ |
√ |
Querying details about SSL certificates of CAs |
√ |
√ |
√ |
Withdrawing an SSL certificate application |
√ |
√ |
x |
Purchasing an SSL certificate |
√ |
√ |
x |
Applying for an SSL certificate |
√ |
√ |
x |
Restoring the information provided when applying for an SSL certificate |
√ |
√ |
x |
Obtaining the information provided when applying for an SSL certificates |
√ |
√ |
√ |
Modifying an SSL certificate |
√ |
√ |
x |
Deleting an SSL certificate |
√ |
√ |
x |
Downloading an SSL certificate |
√ |
√ |
x |
Uploading authentication information |
√ |
√ |
x |
Revoking an SSL certificate |
√ |
√ |
x |
Pushing an SSL certificate to other services |
√ |
√ |
x |
Querying the record of SSL certificates pushed to other services |
√ |
√ |
√ |
Uploading an SSL certificate |
√ |
√ |
x |
Verifying a CSR |
√ |
√ |
x |
Adding an additional domain name |
√ |
√ |
x |
Canceling privacy authorization |
√ |
√ |
x |
Reissuing an SSL certificate |
√ |
√ |
x |
Unsubscribing from an SSL certificate |
√ |
√ |
x |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot