Updated on 2025-11-20 GMT+08:00

Permissions Management

If you need to assign different permissions to personnel in your enterprise to access your Content Delivery Network (CDN) resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use CDN resources but do not want them to delete CDN resources or perform any other high-risk operations, you can grant permission to use CDN resources but not permission to delete them.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

Table 1 Differences between RBAC and ABAC

Authorization model: Role/Policy
Authorization using: User-permission-authorization scope
Permissions:
  • System-defined roles
  • System-defined policies
  • Custom policies
Authorization method: Assigning roles or policies to principals
Scenario: To authorize a user, you first add it to a user group and then specify the scope of authorization. Because authorization is applied per user group and only a limited number of condition keys are available, fine-grained permissions control is hard to achieve. This method is suitable for small- and medium-sized enterprises.

Authorization model: Identity policy
Authorization using: User-policy
Permissions:
  • System-defined identity policies
  • Custom identity policies
Authorization method:
  • Assigning identity policies to principals
  • Attaching identity policies to principals
Scenario: You authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be hard to set up: it requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users the permissions needed to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
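The region-scoped scenario above, as an added example that is not Huawei Cloud's own code or its exact policy grammar: a deny-by-default evaluator over identity-policy-style statements. The statement layout, the version string, the region IDs and the ECS/OBS action names are assumptions; only the g:RequestedRegion condition key comes from the text.

```python
"""Deny-by-default evaluation of an identity-policy-style document.

Added example, not Huawei Cloud code. The JSON shape, "Version" value,
region IDs and action names are assumptions for illustration only; the
page itself only names the g:RequestedRegion condition key.
"""
from fnmatch import fnmatchcase

# Constructed policy: ONE document that grants ECS creation in one region
# and OBS bucket creation in another, instead of two separate policies.
REGION_SCOPED_POLICY = {
    "Version": "5.0",  # assumed version string
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:cloudServers:create"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}},
        {"Effect": "Allow", "Action": ["obs:bucket:CreateBucket"],
         "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}}},
        # An explicit Deny wins over any matching Allow.
        {"Effect": "Deny", "Action": ["obs:bucket:DeleteBucket"]},
    ],
}


def _condition_matches(condition, context):
    """Every operator/key pair must hold; only StringEquals is modeled.

    Unknown operators and missing context keys fail closed.
    """
    for operator, keys in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed_values in keys.items():
            if context.get(key) not in allowed_values:
                return False
    return True


def is_allowed(policy, action, context):
    """True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A request that carries no g:RequestedRegion context value matches neither regional Allow statement and is therefore denied.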

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Authorization

CDN supports authorization with roles and policies. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CDN is a global service deployed and accessed without specifying any physical region. When you set the authorization scope to Global services, users have permission to access CDNs in all regions.

Table 2 lists all the system-defined permissions for CDN. System-defined policies in the two authorization models are not interoperable.

Table 2 System-defined permissions for CDN

| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| CDN LogsReadOnlyAccess | Read-only permissions for the CDN log service | System-defined policy | None |
| CDN RefreshAndPreheatAccess | Cache purge and prefetch permissions | System-defined policy | None |
| CDN Administrator | Full permissions for CDN | System-defined role | None |
| CDN ReadOnlyAccess | Read-only permissions for all CDN services | System-defined policy | None |
| CDN FullAccess | Full permissions for CDN | System-defined policy | None |
| CDN StatisticsReadOnlyAccess | Read-only permissions for the CDN statistics service | System-defined policy | None |
| CDN DomainConfiguration | Permissions for configuring domain names | System-defined policy | None |
| CDN DomainReadOnlyAccess | Read-only permissions on domain names | System-defined policy | None |

Table 3 lists the common operations supported by system-defined permissions for CDN.

Table 3 Common operations supported by system-defined permissions

| Operation | CDN Administrator | CDN ReadOnlyAccess | CDN StatisticsReadOnlyAccess | CDN LogsReadOnlyAccess | CDN DomainConfiguration | CDN RefreshAndPreheatAccess | CDN FullAccess | CDN DomainReadOnlyAccess |
|---|---|---|---|---|---|---|---|---|
| Querying the billing option | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| Creating or modifying the billing option | Supported | Not supported | Not supported | Not supported | Not supported | Not supported | Supported | Not supported |
| Querying domain name statistics | Supported | Supported | Supported | Not supported | Not supported | Not supported | Supported | Not supported |
| Querying logs | Supported | Supported | Not supported | Supported | Not supported | Not supported | Supported | Not supported |
| Querying full configuration of a domain name | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported |
| Modifying full configuration of a domain name | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Not supported |
| Creating a domain name | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Not supported |
| Querying account information | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported |
| Modifying account information | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Supported |

When you grant the CDN DomainConfiguration or CDN RefreshAndPreheatAccess policy, also grant the CDN DomainReadOnlyAccess policy. Without it, the user cannot view domain names, and therefore cannot configure them or purge or prefetch cache for them.

Roles or Policies That the CDN Console Depends On

Some CDN permissions depend on the policies of other cloud services. To view or use other cloud resources on the CDN console, enable the system policy access control feature of IAM and assign dependency policies for other cloud services.

  • Dependency policies are assigned based on the CDN FullAccess or CDN ReadOnlyAccess policy you configured.

    To grant an IAM user permissions to view or use resources of other cloud services on the CDN console, you must first grant the CDN Administrator, CDN FullAccess, or CDN ReadOnlyAccess policy to the user group to which the user belongs and then grant the dependency policies listed in Table 4.

Table 4 Dependency policies and roles

Console function:
  • OBS authorization
  • SCM authorization
Dependent service: Identity and Access Management (IAM)
Roles or policies required:
  • Creating an agency: iam:agencies:createAgency
  • Listing agencies: iam:agencies:listAgencies
  • Querying agency details: iam:agencies:getAgency
  • Granting permissions to an agency for a region-specific project: iam:permissions:grantRoleToAgencyOnProject
  • Checking whether an agency has specified permissions for a region-specific project: iam:permissions:checkRoleForAgencyOnProject
  • Listing projects: iam:projects:listProjects
  • Listing permissions: iam:roles:listRoles
  • Creating a custom policy: iam:roles:createRole

Console function: Origin server settings
  • Setting the domain name of an OBS bucket as the origin server
Dependent service: Object Storage Service (OBS)
Roles or policies required:
  • Listing buckets: obs:bucket:ListAllMyBuckets
  • Listing objects in a bucket: obs:bucket:ListBucket
  • Checking whether a bucket exists and obtaining its metadata: obs:bucket:HeadBucket

Console function: SCM certificates
Dependent service: Cloud Certificate Manager (CCM)
Roles or policies required:
  • Listing certificates: scm:cert:list
  • Exporting a certificate: scm:cert:download

Console function: Filtering domain names by tag
Dependent service: Tag Management Service (TMS)
Roles or policies required:
  • Querying predefined tags: tms:predefineTags:list

Console function: Enterprise projects
Dependent service: Enterprise Management
Roles or policies required:
  • Querying details about an enterprise project: eps:enterpriseProjects:get
  • Listing enterprise projects: eps:enterpriseProjects:list

Identity Policy-based Authorization

CDN supports authorization with identity policies. Table 5 lists all the system-defined policies for CDN in identity policy-based authorization. System-defined identity policies and system-defined policies in the two authorization models are not interoperable.

Table 5 System-defined policies for CDN

| Policy Name | Description | Type |
|---|---|---|
| CDNAdministratorPolicy | Full permissions for CDN | System-defined identity policy |
| CDNReadOnlyPolicy | Read-only permissions for all CDN services | System-defined identity policy |
| CDNStatisticsReadOnlyPolicy | Read-only permissions for the CDN statistics service | System-defined identity policy |
| CDNLogsReadOnlyPolicy | Read-only permissions for the CDN log service | System-defined identity policy |
| CDNDomainConfigurationPolicy | Permissions for configuring domain names | System-defined identity policy |
| CDNRefreshAndPreheatPolicy | Cache purge and prefetch permissions | System-defined identity policy |
| CDNFullPolicy | Full permissions for CDN | System-defined identity policy |
| CDNDomainReadOnlyPolicy | Read-only permissions on domain names | System-defined identity policy |
| CDNChargeConfigurationPolicy | Permission for enabling CDN billing and modifying and querying the billing option | System-defined identity policy |

Table 6 lists the common operations supported by system-defined identity policies for CDN.

Table 6 Common operations supported by each system-defined identity policy of CDN

| Operation | CDNAdministratorPolicy | CDNReadOnlyPolicy | CDNStatisticsReadOnlyPolicy | CDNLogsReadOnlyPolicy | CDNDomainConfigurationPolicy | CDNRefreshAndPreheatPolicy | CDNFullPolicy | CDNDomainReadOnlyPolicy | CDNChargeConfigurationPolicy |
|---|---|---|---|---|---|---|---|---|---|
| Querying the billing option | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| Creating or modifying the billing option | Supported | Not supported | Not supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported |
| Querying domain name statistics | Supported | Supported | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported |
| Querying logs | Supported | Supported | Not supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported |
| Querying full configuration of a domain name | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported | Supported |
| Modifying full configuration of a domain name | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Not supported | Not supported |
| Creating a domain name | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Not supported | Not supported |
| Querying account information | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported | Not supported |
| Modifying account information | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Supported | Supported | Not supported |

When you attach CDNDomainConfigurationPolicy or CDNRefreshAndPreheatPolicy, also attach CDNDomainReadOnlyPolicy. Without it, the user cannot view domain names, and therefore cannot configure them or purge or prefetch cache for them.

Identity Policies That the CDN Console Depends On

Some CDN permissions depend on the policies of other cloud services. To view or use other cloud resources on the CDN console, enable the access control feature based on system-defined identity policies of IAM and assign dependency policies for other cloud services.

  • Dependency policies are assigned based on the CDN FullAccess policy you configured.

    To grant an IAM user permissions to view or use resources of other cloud services on the CDN console, you must first grant the CDN Administrator or CDN FullAccess policy to the user group to which the user belongs and then grant the dependency policies listed in Table 7.

Table 7 Roles and policies of other services that the CDN console depends on

Console function: OBS authorization
Dependent service: IAM
Roles or policies required:
  • Creating an agency: iam:agencies:create
  • Querying agency details: iam:agencies:list
  • Granting permissions to an agency for a region-specific project: iam:agencies:grantRoleOnProject
  • Checking whether an agency has specified permissions for a region-specific project: iam:agencies:checkRoleOnProject
  • Listing permissions: iam:roles:list
  • Creating a custom policy: iam:roles:create

Console function: Origin server settings
  • Setting the domain name of an OBS bucket as the origin server
Dependent service: OBS
Roles or policies required:
  • Listing buckets: obs:bucket:ListAllMyBuckets
  • Obtaining the object content and metadata (required when the origin server is a custom OBS bucket): obs:object:GetObject