Permissions Management
If you want to assign different permissions to employees in your enterprise to access your SA resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.
With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can use policies to grant different permissions to software developers in your enterprise so that they can only use SA and cannot perform certain high-risk operations, such as deleting SA data.
If your account does not need individual IAM users for permissions management, then you may skip over this chapter.
IAM is free. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
SA Permissions
By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.
You can create IAM users in any region. SA is a global service for all geographic regions. SA permissions are assigned to IAM users in the global project, so IAM users can access SA in any region without having to switch over among regions.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users' responsibilities. Only a limited number of service-level roles for authorization are available. If one role has a dependency role required for accessing SA, assign both roles to the users. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant SA users only the permissions for managing a certain type of resources. For the API actions supported by SA, see Permissions Policies and Supported Actions.
Table 1 lists all the system-defined roles and policies supported by SA.

Policy Name | Description | Type | Dependency
---|---|---|---
SA FullAccess | All permissions for SA | System-defined policy | None
SA ReadOnlyAccess | Read-only permission for SA. Users with the read-only permission can only query SA information but cannot perform configuration in SA. | System-defined policy | None
Currently, the SA FullAccess or SA ReadOnlyAccess permission can be used only when you also have the Tenant Guest permission. The details are as follows:
- Configure all SA permissions: SA FullAccess and Tenant Guest.
  To use SA Resource Manager and Baseline Inspection, configure the following permissions:
  - Resource Manager: SA FullAccess and Tenant Administrator. For details, see How Do I Assign Operation Permissions to an Account?
  - Baseline Inspection: SA FullAccess, Tenant Administrator, and IAM permissions. For details, see How Do I Assign Operation Permissions to an Account?
- Configure SA read-only permissions: SA ReadOnlyAccess and Tenant Guest.
Related Topics
SA FullAccess Policy Content

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "sa:*:*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

SA ReadOnlyAccess Policy Content

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "sa:cssb:get",
        "sa:service:get",
        "sa:subscribe:get",
        "sa:subscribe:getList",
        "sa:threatevent:getAnalyze",
        "sa:threatevent:getAsset",
        "sa:threatevent:getDashboard",
        "sa:threatevent:getHostscreen",
        "sa:threatevent:getList",
        "sa:threatevent:getOverview",
        "sa:threatevent:getSafety"
      ],
      "Effect": "Allow"
    }
  ]
}
```
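The following added example (not part of the Huawei Cloud documentation) evaluates the two system-defined policies above against individual SA actions, so you can see why SA ReadOnlyAccess satisfies the least-privilege goal described earlier while `sa:*:*` does not. The action name `sa:subscribe:delete` is a constructed, hypothetical placeholder for a write operation; the Deny-overrides-Allow rule is the assumed evaluation order.

```python
import fnmatch
import json

# The two system-defined SA policies exactly as the page lists them.
SA_FULL_ACCESS = json.loads('''{"Version": "1.1", "Statement": [
  {"Action": ["sa:*:*"], "Effect": "Allow"}]}''')

SA_READ_ONLY_ACCESS = json.loads('''{"Version": "1.1", "Statement": [
  {"Action": ["sa:cssb:get", "sa:service:get", "sa:subscribe:get",
              "sa:subscribe:getList", "sa:threatevent:getAnalyze",
              "sa:threatevent:getAsset", "sa:threatevent:getDashboard",
              "sa:threatevent:getHostscreen", "sa:threatevent:getList",
              "sa:threatevent:getOverview", "sa:threatevent:getSafety"],
   "Effect": "Allow"}]}''')


def action_matches(pattern: str, action: str) -> bool:
    """Match 'service:resource:verb' strings segment by segment.
    A '*' wildcard is matched within its own segment (so 'sa:*:*' covers
    every SA action), and the number of segments must agree."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def is_allowed(policy: dict, action: str) -> bool:
    """Evaluate one policy for one action: an explicit Deny wins over any
    Allow (assumed rule), and an unmatched action is implicitly denied."""
    decision = False
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def compare_policies(actions):
    """Return {action: (FullAccess allows, ReadOnlyAccess allows)} so the
    privilege gap between the two system policies is visible per action."""
    return {a: (is_allowed(SA_FULL_ACCESS, a), is_allowed(SA_READ_ONLY_ACCESS, a))
            for a in actions}


if __name__ == "__main__":
    # "sa:subscribe:delete" is a constructed, hypothetical action name that
    # stands in for a high-risk write operation; it is not from the page.
    for action, (full, ro) in compare_policies(
            ["sa:threatevent:getList", "sa:subscribe:delete"]).items():
        print(f"{action:26} FullAccess={full!s:5} ReadOnlyAccess={ro}")
```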