Creating a User and Granting Permissions
This section describes how to use Identity and Access Management (IAM) to implement fine-grained permissions control for your FunctionGraph resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials for accessing FunctionGraph resources.
- Grant only the permissions required for users to perform a task.
- Entrust an account or a cloud service to perform efficient O&M on your FunctionGraph resources.
If your account does not need individual IAM users, then you may skip over this chapter.
This section describes the procedure for granting permissions. For details, see Figure 1.
Prerequisites
Before assigning permissions to user groups, you should learn about the system permissions listed in Permissions Management. For the system policies of other services, see System Permissions.
Process
- Create a user group and assign permissions.
Create a user group on the IAM console using an IAM account, and assign the FunctionGraph Invoker role to the group.
- Create an IAM user and add it to the user group.
Create a user on the IAM console using an IAM account and add the user to the group created in 1.
- Logging In as an IAM User and Verifying Permissions
Log in to the FunctionGraph console as the created user, and check whether it only has read permissions for FunctionGraph.
- Choose Service List > FunctionGraph to access the FunctionGraph console. In the navigation pane, choose Functions > Function List. Then click Create Function. If a message appears indicating insufficient permissions to perform the operation, the FunctionGraph Invoker role has already taken effect.
- Choose any other service in the Service List. If a message appears indicating insufficient permissions to access the service, the FunctionGraph Invoker role has already taken effect.
Creating a Custom Policy
Custom policies can be created as a supplement to the system policies of FunctionGraph. For details, see Creating a Custom Policy.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
The following contains examples of common FunctionGraph custom policies.
- Example 1: Authorizing a user to query function code and configuration
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "functiongraph:function:list", "functiongraph:function:getConfig", "funcitongraph:function:getCode" ] } ] } - Example 2: Denying function deletion
A policy with only "Deny" permissions must be used together with other policies. If both "Allow" and "Deny" permissions are assigned to a user, the "Deny" permissions take precedence over the "Allow" permissions.
If you need to assign permissions of the FunctionGraph FullAccess policy to a user but prevent the user from deleting functions, create a custom policy for denying function deletion, and attach both policies to the group to which the user belongs. In this way, the user can perform all operations on FunctionGraph except deleting functions. The following is an example of a deny policy:
{ "Version": "1.1", "Statement": [ "Effect": "Deny", "Action": [ "functiongraph:function:delete" ] ] } - Example 3: Configuring permissions for specific resources
You can grant an IAM user permissions for specific resources. For example, to grant a user permissions for the functionname function in the Default application, set functionname to a specified resource path, that is, FUNCTIONGRAPH:*:*:function:Default/functionname.
Format: FUNCTIONGRAPH:*:*:function:application or function name
For function resources, IAM automatically generates the resource path prefix FUNCTIONGRAPH:*:*:function:. The path is specified by the application and function name. The wildcard (*) is supported. For example, FUNCTIONGRAPH:*:*:function:Default/* indicates any function in the Default application.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "functiongraph:function:list" ] }, { "Effect": "Allow", "Action": [ "functiongraph:function:listAlias", "functiongraph:function:listVersion", "functiongraph:function:getConfig", "functiongraph:function:getCode", "functiongraph:function:updateCode", "functiongraph:function:invoke", "functiongraph:function:updateConfig", "functiongraph:function:createVersion", "functiongraph:function:updateAlias", "functiongraph:function:createAlias" ], "Resource": [ "FUNCTIONGRAPH:*:*:function:Default/*" ] } ] }
FunctionGraph Resources
A resource is an object that exists within a service. FunctionGraph resources include functions and triggers. To select these resources when creating a policy, specify their paths.
|
Resource Type |
Resource Name |
Path |
|---|---|---|
|
function |
Functions |
Format: FunctionGraph::::function:group/function name Description: IAM automatically generates the prefix FunctionGraph:*:*:function: for bucket resource paths. By adding Function name to the end of the generated prefix, you can define a specific path. An asterisk * is allowed to indicate any function. For example, FunctionGraph:*:*:function:default/* indicates any function in the default group. |
|
trigger |
Triggers |
Format: FunctionGraph::::trigger:trigger ID Description: IAM automatically generates the prefix FunctionGraph:*:*:trigger: for object resource paths. By adding trigger ID to the end of the generated prefix, you can define a specific path. An asterisk * is allowed to indicate any trigger. For example, FunctionGraph:*:*:trigger:* indicates any trigger. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
