Help Center/ Migration Center/ User Guide/ New Edition/ Permissions Management/ Using IAM to Grant Access to MgC/ Using IAM Identity Policies to Grant Access to MgC
Updated on 2025-11-13 GMT+08:00
View PDF
Share

Using IAM Identity Policies to Grant Access to MgC

System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to MgC. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing MgC resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or cloud service to perform professional and efficient O&M on your MgC resources.

If your account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about system-defined permissions in identity policy-based authorization for MgC. To grant permissions for other services, learn about all system-defined permissions.

Process Flow

Figure 1 Process for granting MgC permissions
  1. Create a user or create a user group.

    On the IAM console, create an IAM user or user group.

  2. Apply a system-defined policy to the user or user group.

    Apply the MGCReadOnlyPolicy to the IAM user or user group.

  3. Sign in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Migration Center. On the MgC console, perform operations based on the granted permissions. If you can, the granted permissions have taken effect.
    • Choose a service other than MgC in the Service List. If a message appears indicating that you have insufficient permissions to access the service, the permissions have taken effect.

Example Custom Identity Policies

You can create custom policies to supplement predefined identity policies for MgC.

You can create custom identity policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom Identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (service-specific condition keys) to control when the policy is in effect. The following lists example custom identity policies for MgC. For details about the permissions required for IAM users to access different MgC functions, see Assigning Permissions to IAM Users Using Custom Policies.

  • Example 1: Grant permission to create or delete a migration project. 
    {
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "mgc:project:create",
          "mgc:project:delete"
      ]
    }
  ]
}
  • Example 2: Grant permission to create or delete a workflow. 
    {
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "mgc:workflow:create",
          "mgc:workflow:delete"
      ]
    }
  ]
}
Parent Topic: Using IAM to Grant Access to MgC