Updated on 2025-11-19 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your Huawei Cloud Astro Zero resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.

IAM is free of charge. You pay only for the resources you use.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want your software developers to use Huawei Cloud Astro Zero resources but not delete them or perform any high-risk operations, you can use IAM to grant them only the permissions required for using Huawei Cloud Astro Zero resources.

IAM supports role/policy-based authorization and identity policy-based authorization. The following table describes the differences between these two authorization models.

Table 1 Differences between role/policy-based and identity policy-based authorization

| Name | Core Relationship | Permission | Authorization Method | Scenario |
| --- | --- | --- | --- | --- |
| Role/Policy | User-permission-authorization scope | System-defined role; System policy; Custom policy | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | System-defined identity policy; Custom identity policy | Assigning identity policies to principals; Attaching identity policies to principals | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |

Policies/Identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

Huawei Cloud Astro Zero supports role- and policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the user group and can perform specified operations on cloud services.

Huawei Cloud Astro Zero is a project-level service deployed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, CN North-Beijing4) in the specified regions (for example, CN North-Beijing4), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing Huawei Cloud Astro Zero, switch to the region where you are authorized.

Table 2 lists all system permissions of Huawei Cloud Astro Zero. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

Table 2 System permissions

| Policy Name | Description | Type |
| --- | --- | --- |
| Astro Zero Instance ManageAccess | Subscribe, unsubscribe, view, and upgrade Huawei Cloud Astro Zero instances. | System policy |
| Astro Zero Instance ViewAccess | View Huawei Cloud Astro Zero instances only; cannot unsubscribe or upgrade them. | System policy |
| Astro Zero IAM User QueryAccess | Only a Huawei Cloud account or an IAM user with the Astro Zero IAM User QueryAccess permission can create a Huawei Cloud Astro Zero developer account. | System policy |

Table 3 lists the common operations supported by each Huawei Cloud Astro Zero system-defined permission. Select the permissions as required.

Table 3 Common operations supported by system-defined permissions

Operation

Astro Zero Instance ManageAccess

Astro Zero Instance ViewAccess

Astro Zero IAM User QueryAccess

Checking Huawei Cloud Astro Zero instance list and details

x

Subscribing to Huawei Cloud Astro Zero instances

x

x

Unsubscribing from Huawei Cloud Astro Zero instances

x

x

Changing the specifications of Huawei Cloud Astro Zero instances

x

x

Modifying Huawei Cloud Astro Zero instance details

x

x

Creating a Huawei Cloud Astro Zero developer account

x

x

In addition to this permission, select user management and user permissions in the profile.

Querying Huawei Cloud Astro Zero IAM users

x

x

Role/Policy Dependencies of the Huawei Cloud Astro Zero Console

Table 4 Role/policy dependencies of the Huawei Cloud Astro Zero console

| Console Function | Dependency | Role/Policy Required |
| --- | --- | --- |
| Overview of Huawei Cloud Astro Zero instances | None | An IAM user with the Astro Zero Instance ViewAccess or Astro Zero Instance ManageAccess permission can view Astro Zero instances. |

Identity Policy-based Permissions Management

Huawei Cloud Astro Zero supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for Huawei Cloud Astro Zero. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

Table 5 System-defined identity policies

| Identity Policy Name | Description | Type |
| --- | --- | --- |
| AstroZeroReadOnlyPolicy | View Huawei Cloud Astro Zero instances only; cannot unsubscribe or upgrade them. | System-defined identity policy |
| AstroZeroFullAccessPolicy | Subscribe, unsubscribe, view, and upgrade Huawei Cloud Astro Zero instances. | System-defined identity policy |

Table 6 lists the common operations supported by each Huawei Cloud Astro Zero system-defined identity policy. Select the identity policies as required.

Table 6 Common operations supported by system-defined policies

Operation

AstroZeroReadOnlyPolicy

AstroZeroFullAccessPolicy

Viewing the instance list

Querying subscription prices

x

Ordering instances

x

Querying upgrade prices

x

Upgrading instances

x

Deleting failed instances

x

Identity Policy Dependencies of the Huawei Cloud Astro Zero Console

Table 7 Identity policy dependencies of the Huawei Cloud Astro Zero console

| Console Function | Dependency | Identity Policy Required |
| --- | --- | --- |
| Overview of Huawei Cloud Astro Zero instances | None | IAM users with the AstroZeroReadOnlyPolicy and AstroZeroFullAccessPolicy permissions can view Huawei Cloud Astro Zero instances. |