Creating a User and Granting DCS Permissions
This section describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your DCS resources. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DCS resources.
- Manage permissions on a principle of least permissions (PoLP) basis.
- Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your DCS resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes the procedure for granting the DCS ReadOnlyAccess permission (see Figure 1) as an example.
Prerequisites
Learn about the permissions (see System-defined roles and policies supported by DCS) supported by DCS and choose policies or roles according to your requirements. For the permissions of other services, see Permissions Policies.
Process Flow
- Create a user group and assign permissions.
Create a user group on the IAM console, and assign the DCS ReadOnlyAccess policy to the group.
- Create an IAM user.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the DCS console using the newly created user, and verify that the user only has read permissions for DCS.
- Choose Distributed Cache Service in Service List. Then click Buy DCS Instance in the upper right corner of the DCS console. If a DCS instance cannot be purchased, the DCS ReadOnlyAccess policy has already taken effect.
- Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service, the DCS ReadOnlyAccess policy has already taken effect.
DCS Custom Policies
You can create custom policies to supplement the system-defined policies of DCS. For the actions that can be added to custom policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following section contains examples of common DCS custom policies.
Due to data caching, a policy involving OBS actions will take effect five minutes after it is attached to a user, user group, or project.
Example Custom Policies
- Example 1: Grant permission to delete and restart DCS instances and clear data of an instance.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ " dcs:instance:delete dcs:instance:modifyStatus " ] } ] }
- Example 2: Grant permission to deny DCS deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Assume that you want to grant the permissions of the DCS FullAccess policy to a user but want to prevent them from deleting DCS instances. You can create a custom policy for denying DCS deletion, and attach this policy together with the DCS FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on DCS instances excepting deleting them. Example policy denying DCS deletion:
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "dcs:instance:delete" ] } ] }
DCS Resources
A resource is an object that exists within a service. DCS resources include instance. To select these resources, specify their paths.
Resource |
Resource Name |
Path |
---|---|---|
instance |
Instance |
[Format] DCS:*:*: instance:instance ID [Note] For instance resources, DCS automatically generates the prefix (DCS:*:*:instance:) of the resource path. For the path of a specific instance, add the instance ID to the end. You can also use an asterisk * to indicate any instance. For example: DCS:*:*:instance:* indicates any DCS instance. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot