Permissions Management
If you need to assign different permissions to employees in your enterprise to access your AOM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your AOM resources.
With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific types of resources. For example, some software developers in your enterprise need to use AOM resources but are not allowed to delete them or perform any high-risk operations such as deleting application discovery rules. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using AOM resources.
If your account does not need individual IAM users for permissions management, you can skip this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more information, see IAM Service Overview.
AOM Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on AOM.
AOM is a project-level service deployed and accessed in specific physical regions. To assign AOM permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing AOM, the users need to switch to a region where they have been authorized to use this service.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on users' job responsibilities. This mechanism provides only a limited number of service-level roles for authorization. Huawei Cloud services depend on each other. When you grant permissions using roles, you may also need to attach dependent roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant Elastic Cloud Server (ECS) users only the permissions for managing a certain type of ECSs. Most policies define permissions based on APIs. For the API actions supported by AOM, see Permissions Policies and Supported Actions.
Subservice Name | Policy Name | Description | Type | Dependent System Permissions |
---|---|---|---|---|
Monitoring center/collection management/CMDB | AOM FullAccess | Administrator permissions for AOM 2.0. Users granted these permissions can operate and use AOM. | System-defined policy | CCE FullAccess and DMS ReadOnlyAccess |
Monitoring center/collection management/CMDB | AOM ReadOnlyAccess | Read-only permissions for AOM 2.0. Users granted these permissions can only view AOM data. | System-defined policy | CCE ReadOnlyAccess and DMS ReadOnlyAccess |
Automation | CMS FullAccess | Administrator permissions for Automation. Users granted these permissions can operate and use Automation. | System-defined policy | - |
Automation | CMS ReadOnlyAccess | Read-only permissions for Automation. Users granted these permissions can only view Automation data. | System-defined policy | - |
Common Operations and System-defined Policies of CMDB
Table 2 lists the common operations supported by each system-defined policy of CMDB. Select policies as required.
Operation | AOM FullAccess | AOM ReadOnlyAccess |
---|---|---|
Querying the details of an application | √ | √ |
Querying the details of a sub-application | √ | √ |
Querying the details of a component | √ | √ |
Querying the details of an environment | √ | √ |
Querying environment tags | √ | √ |
Querying the details of a resource | √ | √ |
Creating an application | √ | x |
Updating an application | √ | x |
Deleting an application | √ | x |
Creating a sub-application | √ | x |
Updating a sub-application | √ | x |
Deleting a sub-application | √ | x |
Transferring a sub-application | √ | x |
Creating a component | √ | x |
Updating a component | √ | x |
Deleting a component | √ | x |
Transferring a component | √ | x |
Creating an environment | √ | x |
Updating an environment | √ | x |
Deleting an environment | √ | x |
Creating an environment tag | √ | x |
Updating an environment tag | √ | x |
Deleting an environment tag | √ | x |
Importing a resource | √ | x |
Updating a resource | √ | x |
Deleting a resource | √ | x |
Transferring a resource | √ | x |
Synchronizing a resource | √ | x |
Binding a resource | √ | x |
Unbinding a resource | √ | x |
Enabling resource authorization | √ | x |
Canceling resource authorization | √ | x |
Obtaining the application list | √ | √ |
Obtaining the sub-application list | √ | √ |
Obtaining the component list | √ | √ |
Obtaining the tag list of an application | √ | √ |
Obtaining the resource list | √ | √ |
Querying the node topology | √ | √ |
Querying operation records | √ | √ |
Common Operations and System Permissions for Resource Monitoring
Table 3 lists the common operations supported by each system-defined policy of resource monitoring. Select policies as required.
Operation | AOM FullAccess | AOM ReadOnlyAccess |
---|---|---|
Creating an alarm rule | √ | x |
Modifying an alarm rule | √ | x |
Deleting an alarm rule | √ | x |
Creating an alarm template | √ | x |
Modifying an alarm template | √ | x |
Deleting an alarm template | √ | x |
Creating an alarm action rule | √ | x |
Modifying an alarm action rule | √ | x |
Deleting an alarm action rule | √ | x |
Creating a message template | √ | x |
Modifying a message template | √ | x |
Deleting a message template | √ | x |
Creating a grouping rule | √ | x |
Modifying a grouping rule | √ | x |
Deleting a grouping rule | √ | x |
Creating a suppression rule | √ | x |
Modifying a suppression rule | √ | x |
Deleting a suppression rule | √ | x |
Creating a silence rule | √ | x |
Modifying a silence rule | √ | x |
Deleting a silence rule | √ | x |
Creating a dashboard | √ | x |
Modifying a dashboard | √ | x |
Deleting a dashboard | √ | x |
Creating a Prometheus instance | √ | x |
Modifying a Prometheus instance | √ | x |
Deleting a Prometheus instance | √ | x |
Creating an application discovery rule | √ | x |
Modifying an application discovery rule | √ | x |
Deleting an application discovery rule | √ | x |
Subscribing to threshold alarms | √ | x |
Configuring a VM log collection path | √ | x |
Common Operations and System Permissions of Automation
Table 4 lists the common operations supported by each system-defined policy of Automation. Select policies as required.
Operation | CMS FullAccess | CMS ReadOnlyAccess |
---|---|---|
Creating a script | √ | x |
Editing a script | √ | x |
Copying and creating a script | √ | x |
Editing a version | √ | x |
Viewing a script version | √ | √ |
Creating a package | √ | x |
Viewing a package | √ | √ |
Editing a package | √ | x |
Viewing the package version list | √ | √ |
Modifying a package version | √ | x |
Deleting a package | √ | x |
Creating a task | √ | x |
Editing a task | √ | x |
Deleting a task | √ | x |
Viewing the task list | √ | √ |
Viewing the task details | √ | √ |
Executing a task | √ | x |
Common Operations Supported by Each System-defined Policy of Collection Management
Table 5 lists the common operations supported by each system-defined policy of collection management. Select policies as required.
Operation | AOM FullAccess | AOM ReadOnlyAccess |
---|---|---|
Querying a proxy area | √ | √ |
Editing a proxy area | √ | x |
Deleting a proxy area | √ | x |
Creating a proxy area | √ | x |
Querying all proxies in a proxy area | √ | √ |
Querying all proxy areas | √ | √ |
Querying the Agent installation result | √ | √ |
Obtaining the Agent installation command of a host | √ | √ |
Obtaining the host heartbeat and checking whether the host is connected with the server | √ | √ |
Uninstalling running Agents in batches | √ | x |
Querying the Agent home page | √ | √ |
Testing the connectivity between the installation host and the target host | √ | x |
Installing Agents in batches | √ | x |
Obtaining the latest operation log of the Agent | √ | √ |
Obtaining the list of versions that can be selected during Agent installation | √ | √ |
Obtaining the list of all Agent versions under the current project ID | √ | √ |
Deleting hosts with Agents installed | √ | x |
Querying Agent information based on the ECS ID | √ | √ |
Deleting a host with an Agent installed | √ | x |
Setting an installation host | √ | x |
Resetting installation host parameters | √ | x |
Querying the list of hosts that can be set to installation hosts | √ | √ |
Querying the list of Agent installation hosts | √ | √ |
Deleting an installation host | √ | x |
Upgrading Agents in batches | √ | x |
Querying historical task logs | √ | √ |
Querying historical task details | √ | √ |
Querying all historical tasks | √ | √ |
Querying all execution statuses and task types | √ | √ |
Querying the Agent execution statuses in historical task details | √ | √ |
Modifying a proxy | √ | x |
Deleting a proxy | √ | x |
Setting a proxy | √ | x |
Querying the list of hosts that can be set to proxies | √ | √ |
Updating plug-ins in batches | √ | x |
Uninstalling plug-ins in batches | √ | x |
Installing plug-ins in batches | √ | x |
Querying historical task logs of a plug-in | √ | √ |
Querying all plug-in execution records | √ | √ |
Querying plug-in execution records based on the task ID | √ | √ |
Querying the plug-in execution statuses in historical task details | √ | √ |
Obtaining the plug-in list | √ | √ |
Querying the plug-in version | √ | √ |
Querying the list of supported plug-ins | √ | √ |
Obtaining the CCE cluster list | √ | √ |
Obtaining the Agent list of a CCE cluster | √ | √ |
Installing ICAgent on a CCE cluster | √ | x |
Upgrading ICAgent for a CCE cluster | √ | x |
Uninstalling ICAgent from a CCE cluster | √ | x |
Obtaining the CCE cluster list | √ | √ |
Obtaining the list of hosts where the ICAgent has been installed | √ | √ |
Installing ICAgent on CCE cluster hosts | √ | x |
Upgrading ICAgent on CCE cluster hosts | √ | x |
Uninstalling ICAgent from CCE cluster hosts | √ | x |
Fine-grained Permissions
To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of AOM as required. For details about fine-grained permissions of AOM, see Table 6.
Permission | Description | Permission Dependency | Application Scenario |
---|---|---|---|
cms:workflow:create | Creating a task | N/A | Creating a task |
cms:workflow:update | Modifying a task | N/A | Modifying a task |
cms:workflow:list | Obtaining the task list | N/A | Obtaining the task list |
cms:execution:get | Obtaining the execution details about a task | N/A | Obtaining the execution details about a task |
cms:execution:create | Executing a task | N/A | Executing a task (such as script/job execution and package installation/uninstall) |
cms:template:get | Querying the details of a template | N/A | Querying template details or execution plan details |
cms:template:list | Obtaining the template list | N/A | Obtaining the list of execution plans or the list of templates that can be used to create tasks |
cms:script:get | Querying the details of a script | N/A | Querying the details of a script |
cms:script:list | Querying the script list | N/A | Querying the script list |
cms:job:list | Querying the job list | N/A | Querying the job list |
aom:cmdbApplication:get | Obtaining the details of an application | N/A | Obtaining the details of an application based on the application ID or name |
aom:cmdbApplication:update | Modifying an application | N/A | Modifying an application |
aom:cmdbApplication:delete | Deleting an application | N/A | Deleting an application |
aom:cmdbApplication:get | Obtaining the details of an application | N/A | Obtaining the details of an application |
aom:cmdbComponent:get | Querying the details of a component | N/A | Querying the details of a component based on the component ID or name |
aom:cmdbComponent:create | Adding a component | N/A | Adding a component |
aom:cmdbComponent:update | Updating a component | N/A | Updating a component |
aom:cmdbComponent:delete | Deleting a component | N/A | Deleting a component |
aom:cmdbComponent:move | Transferring a component | N/A | Transferring a component |
aom:cmdbComponent:list | Querying the component list | N/A | Querying the component list |
aom:cmdbEnvironment:create | Creating an environment | N/A | Creating an environment |
aom:cmdbEnvironment:update | Modifying an environment | N/A | Modifying an environment |
aom:cmdbEnvironment:get | Obtaining the details of an environment | N/A | Obtaining the details of an environment based on the environment name+region+component ID, or environment ID |
aom:cmdbEnvironment:delete | Deleting an environment | N/A | Deleting an environment |
aom:cmdbSubApplication:get | Querying the details of a sub-application | N/A | Querying the details of a sub-application |
aom:cmdbSubApplication:update | Modifying a sub-application | N/A | Modifying a sub-application |
aom:cmdbSubApplication:move | Transferring a sub-application | N/A | Transferring a sub-application |
aom:cmdbSubApplication:delete | Deleting a sub-application | N/A | Deleting a sub-application |
aom:cmdbSubApplication:create | Adding a sub-application | N/A | Adding a sub-application |
aom:cmdbSubApplication:list | Querying the sub-application list | N/A | Querying the sub-application list |
aom:cmdbResources:unbind | Unbinding a resource | N/A | Unbinding a resource |
aom:cmdbResources:bind | Binding a resource | N/A | Binding a resource |
aom:cmdbResources:move | Transferring a resource | N/A | Transferring a resource |
aom:cmdbResources:get | Querying the details of a resource | N/A | Querying the details of a resource |
aom:alarm:put | Reporting an alarm | N/A | Reporting a custom alarm |
aom:event2AlarmRule:create | Adding an event alarm rule | N/A | Adding an event alarm rule |
aom:event2AlarmRule:set | Modifying an event alarm rule | N/A | Modifying an event alarm rule |
aom:event2AlarmRule:delete | Deleting an event alarm rule | N/A | Deleting an event alarm rule |
aom:event2AlarmRule:list | Querying all event alarm rules | N/A | Querying all event alarm rules |
aom:actionRule:create | Adding an alarm action rule | N/A | Adding an alarm action rule |
aom:actionRule:delete | Deleting an alarm action rule | N/A | Deleting an alarm action rule |
aom:actionRule:list | Querying the alarm action rule list | N/A | Querying the alarm action rule list |
aom:actionRule:update | Modifying an alarm action rule | N/A | Modifying an alarm action rule |
aom:actionRule:get | Querying an alarm action rule by name | N/A | Querying an alarm action rule by name |
aom:alarm:list | Obtaining the sent alarm content | N/A | Obtaining the sent alarm content |
aom:alarmRule:create | Creating a threshold rule | N/A | Creating a threshold rule |
aom:alarmRule:set | Modifying a threshold rule | N/A | Modifying a threshold rule |
aom:alarmRule:get | Querying threshold rules | N/A | Querying all threshold rules or a single threshold rule by rule ID |
aom:alarmRule:delete | Deleting a threshold rule | N/A | Deleting threshold rules in batches or a single threshold rule by rule ID |
aom:discoveryRule:list | Querying application discovery rules | N/A | Querying existing application discovery rules |
aom:discoveryRule:delete | Deleting an application discovery rule | N/A | Deleting an application discovery rule |
aom:discoveryRule:set | Adding an application discovery rule | N/A | Adding an application discovery rule |
aom:metric:list | Querying time series objects | N/A | Querying time series objects |
aom:metric:list | Querying time series data | N/A | Querying time series data |
aom:metric:get | Querying metrics | N/A | Querying metrics |
aom:metric:get | Querying monitoring data | N/A | Querying monitoring data |
aom:muteRule:delete | Deleting a silence rule | N/A | Deleting a silence rule |
aom:muteRule:create | Adding a silence rule | N/A | Adding a silence rule |
aom:muteRule:update | Modifying a silence rule | N/A | Modifying a silence rule |
aom:muteRule:list | Querying the silence rule list | N/A | Querying the silence rule list |
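To show how the actions in Table 6 combine into a least-privilege custom policy for the developer scenario described at the top of this page (use AOM, but never delete application discovery rules), here is an added Python example that is not part of the AOM documentation. It assumes the custom-policy JSON layout used by Huawei Cloud IAM (Version "1.1", a Statement list with Effect and Action) and the usual evaluation order in which an explicit Deny overrides any Allow; the particular action subset chosen for developers is an assumption, not a recommendation from the page.

```python
"""Build and evaluate a least-privilege custom IAM policy for AOM.

Added example, not from the AOM documentation. Assumes the custom-policy
JSON layout used by Huawei Cloud IAM (Version "1.1", Statement list with
Effect and Action) and that an explicit Deny overrides any Allow.
Action names are taken from Table 6 on this page.
"""
import fnmatch
import json

# Assumed subset of Table 6 actions a developer group needs (not from the page).
DEVELOPER_ACTIONS = [
    "aom:cmdbApplication:get",
    "aom:cmdbComponent:list",
    "aom:cmdbComponent:get",
    "aom:metric:list",
    "aom:metric:get",
    "aom:alarmRule:get",
    "aom:alarmRule:create",
    "aom:alarmRule:set",
    "aom:discoveryRule:list",
    "aom:discoveryRule:set",
]

# High-risk operations the scenario in the text forbids for developers.
DENIED_ACTIONS = [
    "aom:discoveryRule:delete",
    "aom:cmdbApplication:delete",
    "aom:alarmRule:delete",
]


def build_developer_policy() -> dict:
    """Allow only the listed actions and explicitly deny the high-risk ones.

    The Deny statement guards against a broader Allow (for example AOM
    FullAccess attached to another group the user belongs to).
    """
    return {
        "Version": "1.1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(DEVELOPER_ACTIONS)},
            {"Effect": "Deny", "Action": sorted(DENIED_ACTIONS)},
        ],
    }


def is_allowed(policy: dict, action: str) -> bool:
    """Evaluate one action: a matching Deny wins, then Allow, else implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def read_only_subset(actions):
    """Keep only get/list actions, the verbs AOM ReadOnlyAccess is limited to."""
    return sorted(a for a in actions if a.rsplit(":", 1)[1] in ("get", "list"))


if __name__ == "__main__":
    policy = build_developer_policy()
    print(json.dumps(policy, indent=2))
    for action in ("aom:alarmRule:create", "aom:discoveryRule:delete"):
        print(action, "->", "allow" if is_allowed(policy, action) else "deny")
```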
Roles/Policies Required by AOM Dependent Services
If an IAM user needs to view data or use functions on the AOM console, grant the AOM FullAccess or AOM ReadOnlyAccess policy to the user group to which the user belongs and then add the roles or policies required by AOM dependent services by referring to Table 7.
When a user subscribes to AOM for the first time, AOM will automatically create a service agency. In addition to the AOM FullAccess permission, the user must be granted the Security Administrator permission.
Console Function | Dependent Service | Policy/Role Required |
---|---|---|
 | CCE | To use workload and cluster monitoring and Prometheus for CCE, you need to set the CCE FullAccess permission. |
Data subscription | Distributed Message Service (DMS) for Kafka | To use data subscription, you need to set the DMS ReadOnlyAccess permission. |