Updated on 2024-10-15 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to access your CSE resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.

With IAM, you can use your public cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you want the software developers in your enterprise to have the permission to use CSE, but do not want them to have the permission to perform high-risk operations such as deletion. Then, you can use IAM to create users for developers and grant them only the permissions required for using CSE resources.

If your public cloud account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.

CSE Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more user groups, and assign permission policies to the user groups. The user then inherits permissions from the user groups. This process is known as authorization. After authorization, the user can perform specified operations on CSE based on the permissions.

CSE is a project-level service deployed and accessed in specific physical regions. To assign CSE permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing CSE, the users need to switch to a region where they have been authorized to use this service.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on users' job responsibilities. There are only a limited number of roles for granting permissions to users. When you grant permissions using roles, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control.

Table 1 lists all the system policies supported by CSE.

Table 1 CSE system permissions

Role/Policy Name

Description

Type

Dependency

CSE FullAccess

Administrator permissions for Cloud Service Engine.

Policy

None

CSE ReadOnlyAccess

View permissions for Cloud Service Engine.

Policy

None

If the listed permissions in Table 1 do not meet actual requirements, you can Creating a Custom Policy for a Microservice Engine.

For details about the service permissions required by CSE functions, see Table 2.

Table 2 Roles/Policies dependencies of the CSE console

Console Function

Dependency

Role/Policy Required

Engine deletion and creation

Virtual Private Cloud (VPC)

To create or delete an engine, an IAM user must be granted the VPC ReadOnlyAccess permission.

Dashboard

Application Operations Management (AOM)

To view chart data such as dashboard data, an IAM user must be granted the AOM ReadOnlyAccess permission.

Tag management

Tag Management Service (TMS)

To use TMS to add tags to the ServiceComb engine or Nacos engine, an IAM user must be granted the TMS ReadOnlyAccess permission to identify and manage ServiceComb engines or Nacos engines.

IAM user import

Identity and Access Management (IAM)

To import IAM users, the IAM ReadOnlyAccess permission is required.

Table 3 lists the common operations for each system-defined policy or role of CSE. Select policies or roles as needed.

Table 3 Common operations supported by each system policy

Operation

CSE ReadOnlyAccess

CSE FullAccess

Create a microservice engine

x

Maintain a microservice engine

x

Query a microservice engine

Delete a microservice engine

x

Create a microservice

x

Query a microservice

Maintain a microservice

x

Delete a microservice

x

Create microservice configurations

x

Query microservice configurations

Edit microservice configurations

x

Delete microservice configurations

x

Create a microservice governance policy

x

Query a microservice governance policy

Edit a microservice governance policy

x

Delete a microservice governance policy

x

To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CSE as required. Table 4 describes fine-grained permission dependencies of CSE.

Table 4 Fine-grained permission dependencies of CSE

Permission

Description

Permission Dependency

Application Scenario

cse:engine:list

List all microservice engines

None

  • View ServiceComb engine list
  • View Nacos engine list

cse:engine:get

View engine information

  • cse:engine:list
  • View ServiceComb engine details
  • View Nacos engine details

cse:engine:modify

Modify an engine

  • cse:engine:list
  • cse:engine:get
  • Enable/Disable public network access to ServiceComb engines
  • Enable/Manage security authentication for ServiceComb engines
  • Retry a ServiceComb engine task
  • Enable/Disable security authentication for Nacos engines
  • Manage a Nacos user and role
  • Manage relationship between namespaces and enterprise projects

cse:engine:upgrade

Upgrade an engine

  • cse:engine:list
  • cse:engine:get
  • Upgrade a ServiceComb engine
  • Upgrade a Nacos engine

Upgrades include version upgrade and specification change.

cse:engine:delete

Delete an engine

  • cse:engine:list
  • cse:engine:get
  • vpc:ports:get
  • vpc:ports:delete
  • Delete a ServiceComb engine
  • Delete a Nacos engine

cse:engine:create

Create an engine

  • cse:engine:get
  • cse:engine:list
  • ecs:cloudServerFlavors:get
  • vpc:vpcs:get
  • vpc:vpcs:list
  • vpc:subnets:get
  • vpc:ports:get
  • vpc:ports:create
  • Create a ServiceComb engine
  • Back up a ServiceComb engine/Restore task creation
  • Create a Nacos engine

cse:config:modify

Modify ServiceComb engine configuration management

  • cse:engine:list
  • cse:engine:get
  • cse:config:get

Modify global and governance configurations of a ServiceComb engine

cse:config:get

View ServiceComb engine configuration management

  • cse:engine:list
  • cse:engine:get

View service configurations for a ServiceComb engine

cse:governance:modify

Modify the governance center of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:config:get
  • cse:config:modify
  • cse:registry:get
  • cse:registry:modify
  • cse:governance:get

Create and modify service governance of a ServiceComb engine

cse:governance:get

View the governance center of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:config:get
  • cse:registry:get

View service governance on a ServiceComb engine

cse:registry:modify

Modify service registry and management of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get
  • cse:registry:get

Modify a ServiceComb engine

cse:registry:get

View service registry and management of a ServiceComb engine

  • cse:engine:list
  • cse:engine:get

View service catalog on a ServiceComb engine

cse:namespace:read

View namespace resources of a Nacos engine

cse:engine:get

View Nacos service list and configuration list

cse:namespace:write

Modify namespace resources of a Nacos engine

  • cse:engine:get
  • cse:namespace:read

Modify Nacos service list and configuration list resources