Help Center/ DataArts Studio/ User Guide/ Authorizing Users to Use DataArts Studio/ Creating an IAM User and Assigning DataArts Studio Permissions
Updated on 2024-10-23 GMT+08:00

Creating an IAM User and Assigning DataArts Studio Permissions

Identity and Access Management (IAM) can be used for fine-grained permissions management on your DataArts Studio resources. With IAM, you can:
  • Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DataArts Studio resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei account or cloud service to perform efficient O&M on your DataArts Studio resources.

If you do not require individual IAM users for permissions management, skip this topic.

This section describes the procedure for granting permissions. See Procedure for details.

Context

  • Before assigning permissions to a user group, you need to understand the permission system of DataArts Studio so that you can select the permissions that meet your needs. For details about DataArts Studio permissions, see DataArts Studio Permission Management.
    Figure 1 Permission system
  • For the permissions of other services, see System Permissions.

Notes and Constraints

  • The DAYU User system role provides the permissions related to instances, workspaces, and dependent services. The operation permissions in workspaces are provided by workspace roles.
  • IAM provides the following two authorization mechanisms: Note that DataArts Studio supports only the IAM role-based authorization and does not support the IAM policy-based authorization.
    • IAM Roles: IAM initially provides a coarse-grained authorization mechanism to define permissions based on users' job responsibilities. Only a limited number of service-level roles are available. However, traditional IAM roles are not an ideal choice for fine-grained authorization and secure access control.
    • IAM Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

Procedure

Figure 2 Authorization process
  1. Create a user group and assign a system role to the group.

    Log in to the IAM console using a Huawei account, create a user group and assign a DataArts Studio system role to the group. For example, the system role can be DAYU Administrator or DAYU User.

    For details, see Creating a User Group and Assigning Permissions.

    • When configuring DataArts Studio permissions for a user group, enter DAYU in the search box to search for the permissions and select the permissions to be granted to the user group, for example, DAYU User.
    • DataArts Studio is a project-level service deployed in specific physical regions. If you select All resources for Scope, the permission takes effect in all projects of all regions. If you select Region-specific projects for Scope, the permission takes effect only for a specified project. When accessing DataArts Studio, the IAM user must switch to the region where they have been assigned the required permissions.

  2. Create a user and add the user to the user group.

    Create users on the IAM console and add them to the group created in Step 1.

    For details, see Creating an IAM User and Adding It to a User Group.

    An IAM user can pass the authentication and access DataArts Studio through an API or SDK only if Programmatic access is selected for Access Type during the creation of the IAM user.

  3. Create a custom workspace role for DAYU User, add it as a workspace member, and assign a role to the member.

    DataArts Studio workspace roles determine the permissions of DAYU User in a workspace. There are five preset roles: admin, developer, deployer, operator, and viewer. For details about how to add a workspace member and assign a role, see Adding Workspace Members and Assigning Roles.

    For details about the permissions of the roles, see Permissions.

  4. Log in to the console and verify permissions.

    Log in to the console using the created user and verify permissions of the user.

    • Choose Service List > DataArts Studio. Locate a DataArts Studio instance and click Access. Check whether the workspace list is displayed.
    • Access a service module (for example, Management Center) to which your current user has been added and check whether you can perform the operations allowed for the workspace role assigned to you.

Follow-up Operations

Adjusting permissions of dependent services: If the DAYU User system role has excessive permissions on dependent services, security risks may arise. You can manually adjust the permissions to make them comply with the principle of least privilege (PoLP). For details, see Authorizing Users to Use DataArts Studio by Complying with the Principle of Least Privilege.