Permissions
If you need to assign different permissions to employees in your enterprise to access your Direct Connect resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You pay only for the resources in your account.
With IAM, you can control access to specific cloud resources. For example, some software developers in your enterprise need to use Direct Connect but should not be allowed to delete other Direct Connect resources or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the required permissions.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between the two authorization models.
|
Name |
Authorization Using |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
Policies |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and attach both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the principals or grant the principals the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
Policies and actions in the two authorization models are not interoperable. You are advised to use the role/policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
Direct Connect supports role/policy-based authorization. By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
Direct Connect is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for VPCEP resources in the selected projects. If you set Scope to All resources, the users have permissions for VPCEP resources in all region-specific projects. When accessing Direct Connect, the users need to switch to a region where they have been authorized to use this service.
Table 2 lists all the system-defined policies for Direct Connect in role/policy-based authorization. System-defined policies in the two authorization models are not interoperable.
|
Role/Policy |
Description |
Type |
Dependency |
|---|---|---|---|
|
Direct Connect Administrator |
Administrator permissions for Direct Connect. Users with these permissions can perform all operations on Direct Connect. To have these permissions, users must also have the Tenant Guest and VPC Administrator permissions. |
System-defined role |
Tenant Guest and VPC Administrator
|
|
DCaaS Partner |
Direct Connect partner permissions. Users who have these permissions can create hosted operations for others. To have these permissions, users must also have the Tenant Guest and VPC Administrator permissions. |
System-defined role |
Tenant Guest and VPC Administrator
|
|
DCAAS FullAccess |
Permissions: all permissions for Direct Connect Scope: project-level service |
System-defined policy |
None |
|
DCAAS ReadOnlyAccess |
Permissions: read-only permissions for Direct Connect Scope: project-level service |
System-defined policy |
None |
Table 3 lists common operations supported by each system-defined policy for Direct Connect.
|
Operation |
Direct Connect Administrator |
DCaaS Partner |
DCAAS FullAccess |
DCAAS ReadOnlyAccess |
|---|---|---|---|---|
|
Creating a connection |
√ |
√ |
√ |
× |
|
Viewing a connection |
√ |
√ |
√ |
√ |
|
Modifying a connection |
√ |
√ |
√ |
× |
|
Deleting a connection |
√ |
√ |
√ |
× |
|
Creating a virtual gateway |
√ |
√ |
√ |
× |
|
Viewing a virtual gateway |
√ |
√ |
√ |
√ |
|
Modifying a virtual gateway |
√ |
√ |
√ |
× |
|
Deleting a virtual gateway |
√ |
√ |
√ |
× |
|
Creating a global DC gateway |
√ |
√ |
√ |
× |
|
Viewing a global DC gateway |
√ |
√ |
√ |
√ |
|
Modifying a global DC gateway |
√ |
√ |
√ |
× |
|
Deleting a global DC gateway |
√ |
√ |
√ |
× |
|
Creating a virtual interface |
√ |
√ |
√ |
× |
|
Viewing a virtual interface |
√ |
√ |
√ |
√ |
|
Modifying a virtual interface |
√ |
√ |
√ |
× |
|
Deleting a virtual interface |
√ |
√ |
√ |
× |
|
Creating an operations connection |
√ |
√ |
√ |
× |
|
Viewing an operations connection |
√ |
√ |
√ |
√ |
|
Modifying an operations connection |
√ |
√ |
√ |
× |
|
Deleting an operations connection |
√ |
√ |
√ |
× |
|
Creating a hosted connection |
√ |
√ |
√ |
× |
|
Viewing a hosted connection |
√ |
√ |
√ |
√ |
|
Modifying a hosted connection |
√ |
√ |
√ |
× |
|
Deleting a hosted connection |
√ |
√ |
√ |
× |
Roles or Policies that the Direct Connect Console Depends on
|
Function |
Dependent Cloud Service/Resource |
Roles or Policies Required |
|---|---|---|
|
Connect gateways |
Elastic IP |
You need to configure the EIP ReadOnlyAccess permission when you perform the following operations on connect gateways on the Direct Connect console:
|
|
Virtual interfaces |
When deleting a virtual interface on the Direct Connect console, you need the EIP ReadOnlyAccess permission. |
Identity Policy-based Authorization
Direct Connect supports identity policy-based authorization. Table 5 lists all the system-defined policies for Direct Connect with identity policy-based authorization. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Policy Name |
Description |
Policy Type |
|---|---|---|
|
DCAASFullAccessPolicy |
Full permissions for Direct Connect |
System-defined identity policy |
|
DCAASReadOnlyPolicy |
Read-only permissions for Direct Connect |
System-defined identity policy |
Table 6 lists common operations supported by system-defined identity policies for Direct Connect.
|
Operation |
DCAASFullAccessPolicy |
DCAASReadOnlyPolicy |
|---|---|---|
|
Creating a connection |
√ |
× |
|
Viewing a connection |
√ |
√ |
|
Modifying a connection |
√ |
× |
|
Deleting a connection |
√ |
× |
|
Creating a virtual gateway |
√ |
× |
|
Viewing a virtual gateway |
√ |
√ |
|
Modifying a virtual gateway |
√ |
× |
|
Deleting a virtual gateway |
√ |
× |
|
Creating a global DC gateway |
√ |
× |
|
Viewing a global DC gateway |
√ |
√ |
|
Modifying a global DC gateway |
√ |
× |
|
Deleting a global DC gateway |
√ |
× |
|
Creating a virtual interface |
√ |
× |
|
Viewing a virtual interface |
√ |
√ |
|
Modifying a virtual interface |
√ |
× |
|
Deleting a virtual interface |
√ |
× |
|
Creating an operations connection |
√ |
× |
|
Viewing an operations connection |
√ |
√ |
|
Modifying an operations connection |
√ |
× |
|
Deleting an operations connection |
√ |
× |
|
Creating a hosted connection |
√ |
× |
|
Viewing a hosted connection |
√ |
√ |
|
Modifying a hosted connection |
√ |
× |
|
Deleting a hosted connection |
√ |
× |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
