Using IAM Roles or Policies to Grant Access to MgC
System-defined permissions in role/policy-based authorization provided by Identity and Access Management (IAM) let you control access to MgC. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials for accessing MgC resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or cloud service to perform professional and efficient O&M on your MgC resources.
If your account does not need individual IAM users for permissions management, you can skip this section.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
Before granting permissions to user groups, learn about Role/Policy-based Authorization for MgC. To grant permissions for other services, learn about all system-defined permissions.
Process Flow
- Create a user group and assign permissions.
You can assign system-defined policies and custom policies to the user group. Custom policies extend and supplement system-defined policies, providing more refined access control. Select proper authorization policies based on your service requirements.
Select All resources for the authorization scope when using both policy types.
- System-defined policies: For details about the system-defined policies supported by MgC, see Table 1. Assign proper system-defined policies to the user group based on your permission requirements.
Table 1 MgC system-defined policies Policy Name
Description
Policy Type
MgC FullAccess
Administrator permissions for MgC. Users with these permissions can perform all operations on MgC.
System-defined policies
MgC ReadOnlyAccess
Read-only permissions for MgC. Users with these permissions can only view MgC resources.
System-defined policies
MgC DiscoveryAccess
Permissions for resource discovery with MgC. Users with these permissions can use the resource discovery function of MgC and view MgC resources.
System-defined policies
MgC AssessAccess
Permissions for application assessment with MgC. Users with these permissions can use the resource discovery and application assessment functions of MgC and view MgC resources.
System-defined policies
MgC MigrateAccess
Permissions for application migration with MgC. Users with these permissions can use the resource discovery, assessment, and migration functions of MgC and view MgC resources.
System-defined policies
MgC AppDiscoveryAccess
Permissions for resource discovery with MgC. Users with these permissions can use the resource discovery and collection functions of MgC and view MgC resources.
System-defined policies
- Custom policies: For the actions required for each function of MgC, see Using Roles or Policies to Assign Custom Permissions to IAM Users. For details about how to create a custom policy, see Creating a Custom Policy.
- System-defined policies: For details about the system-defined policies supported by MgC, see Table 1. Assign proper system-defined policies to the user group based on your permission requirements.
- Create an IAM user and add it to the user group.
Create a user on the IAM console and add the user to the group created in 1.
- When the IAM user accesses certain MgC functions for the first time, the IAM user needs to complete authorization through agencies in either of the following ways:
- Method 1 (recommended): Sign in to the MgC console using the HUAWEI ID, access the corresponding functions, and agree to the agency-based authorization.
- Method 2 (alternative):
- Sign in to the IAM console using the HUAWEI ID.
- Create a custom policy for agency authorization. For details, see Creating a Custom Policy. The following lists the required actions:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "iam:quotas:listQuotas", "iam:permissions:listRolesForAgency", "iam:roles:listRoles", "iam:agencies:listAgencies", "iam:roles:createRole", "iam:agencies:createAgency", "iam:roles:updateRole", "iam:permissions:grantRoleToAgency", "iam:permissions:revokeRoleFromAgency" ] } ] } - Assign the custom policy to the user group that the IAM user belongs to. This ensures that the IAM user has the required permissions.
- Sign in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- Choose Service List > Migration Center. On the MgC console, perform operations based on the granted permissions. If you can, the granted permissions have taken effect.
- Choose a service other than MgC in the Service List. If a message appears indicating that you have insufficient permissions to access the service, the permissions have taken effect.
Example Custom Policies
You can create custom policies to supplement the system-defined policies of MgC.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy from scratch or based on an existing policy.
For details, see Creating a Custom Policy. The following lists examples of common MgC custom policies.
- Example 1: Grant permission to collect resource details.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "mgc:*:query*", "mgc:*:discovery", "iam:agencies:listAgencies", "iam:roles:listRoles", "iam:quotas:listQuotas", "iam:permissions:listRolesForAgency" ] } ] } - Example 2: Grant permission to get target recommendations.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "mgc:*:query*", "mgc:*:discovery", "mgc:*:assess*", "iam:agencies:listAgencies", "iam:roles:listRoles", "iam:quotas:listQuotas", "iam:permissions:listRolesForAgency" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
