Permissions Management
If you need to assign different permissions to personnel in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to control access to CBR resources. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use CBR resources but do not want them to delete CBR resources or perform any other high-risk operations, you can grant permission to use CBR resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.
|
Authorization Model |
Authorization Using |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy-based authorization |
User-permissions-authorization scope |
|
Granting roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using user group-based authorization and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy-based authorization |
Policies |
|
|
You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and attach both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy with the condition key g:RequestedRegion, and then apply the policy to the users. It is more flexible than role/policy-based authorization.
Policies and actions in the two authorization models are not interoperable. Identity policy-based authorization is recommended. For details about system-defined permissions, see Role/Policy-based Authorization and Identity Policy-based Authorization.
Role/Policy-based Authorization
CBR supports authorization with roles and policies. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
CBR is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified project (for example, ap-southeast-2) in the specific region (for example, AP-Bangkok), the users only have permissions for CBR resources in the selected project. If you set Scope to All resources, the users have permissions for CBR resources in all region-specific projects. When accessing CBR resources, the users need to switch to the authorized region.
Table 2 lists all the system-defined permissions for CBR. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.
|
Role/Policy Name |
Description |
Type |
|---|---|---|
|
CBR FullAccess |
Administrator permissions for CBR. Users with these permissions can operate and use all vaults, backups, and policies. |
System-defined policy |
|
CBR BackupsAndVaultsFullAccess |
Common user permissions for CBR. Users with these permissions can create, view, and delete vaults and backups, but cannot create, update, or delete policies. |
System-defined policy |
|
CBR ReadOnlyAccess |
Read-only permissions for CBR. Users with these permissions can only view CBR data. |
System-defined policy |
Table 3 lists the common operations supported by system-defined permissions of CBR.
|
Operation |
CBR FullAccess |
CBR BackupsAndVaultsFullAccess |
CBR ReadOnlyAccess |
|---|---|---|---|
|
Querying vaults |
Supported |
Supported |
Supported |
|
Creating vaults |
Supported |
Supported |
Not supported |
|
Listing vaults |
Supported |
Supported |
Supported |
|
Updating vaults |
Supported |
Supported |
Not supported |
|
Deleting vaults |
Supported |
Supported |
Not supported |
|
Associating with resources |
Supported |
Supported |
Not supported |
|
Dissociating from resources |
Supported |
Supported |
Not supported |
|
Creating policies |
Supported |
Not supported |
Not supported |
|
Updating policies |
Supported |
Not supported |
Not supported |
|
Applying policies to vaults |
Supported |
Supported |
Not supported |
|
Removing policies from vaults |
Supported |
Supported |
Not supported |
|
Deleting policies |
Supported |
Not supported |
Not supported |
|
Synchronizing backups |
Supported |
Supported |
Not supported |
|
Replicating vaults |
Supported |
Supported |
Not supported |
|
Performing backups |
Supported |
Supported |
Not supported |
|
Updating subscriptions |
Supported |
Supported |
Not supported |
|
Querying the Agent status |
Supported |
Supported |
Not supported |
|
Deleting backups |
Supported |
Supported |
Not supported |
|
Restoring data from backups |
Supported |
Supported |
Not supported |
|
Replicating backups |
Supported |
Supported |
Not supported |
|
Batch adding tags to or removing tags from vaults |
Supported |
Supported |
Not supported |
|
Adding tags to vaults |
Supported |
Supported |
Not supported |
|
Editing tags |
Supported |
Supported |
Not supported |
Identity Policy-based Authorization
CBR supports authorization with identity policies. Table 4 lists all the system-defined identity policies for CBR. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.
|
Identity Policy Name |
Description |
Type |
|---|---|---|
|
CBRFullAccessPolicy |
Administrator permissions for CBR. Users with these permissions can operate and use all vaults, backups, and policies. |
System-defined identity policy |
|
CBRBackupsAndVaultsFullAccessPolicy |
Common user permissions for CBR. Users with these permissions can create, view, and delete vaults and backups, but cannot create, update, or delete policies. |
System-defined identity policy |
|
CBRReadOnlyAccessPolicy |
Read-only permissions for CBR. Users with these permissions can only view CBR data. |
System-defined identity policy |
Table 5 lists the common operations supported by system-defined identity policies for CBR.
|
Operation |
CBRFullAccessPolicy |
CBRBackupsAndVaultsFullAccessPolicy |
CBRReadOnlyAccessPolicy |
|---|---|---|---|
|
Querying vaults |
Supported |
Supported |
Supported |
|
Creating vaults |
Supported |
Supported |
Not supported |
|
Listing vaults |
Supported |
Supported |
Supported |
|
Updating vaults |
Supported |
Supported |
Not supported |
|
Deleting vaults |
Supported |
Supported |
Not supported |
|
Associating with resources |
Supported |
Supported |
Not supported |
|
Dissociating from resources |
Supported |
Supported |
Not supported |
|
Creating policies |
Supported |
Not supported |
Not supported |
|
Updating policies |
Supported |
Not supported |
Not supported |
|
Applying policies to vaults |
Supported |
Supported |
Not supported |
|
Removing policies from vaults |
Supported |
Supported |
Not supported |
|
Deleting policies |
Supported |
Not supported |
Not supported |
|
Synchronizing backups |
Supported |
Supported |
Not supported |
|
Replicating vaults |
Supported |
Supported |
Not supported |
|
Performing backups |
Supported |
Supported |
Not supported |
|
Updating subscriptions |
Supported |
Supported |
Not supported |
|
Querying the Agent status |
Supported |
Supported |
Not supported |
|
Deleting backups |
Supported |
Supported |
Not supported |
|
Restoring data from backups |
Supported |
Supported |
Not supported |
|
Replicating backups |
Supported |
Supported |
Not supported |
|
Batch adding tags to or removing tags from vaults |
Supported |
Supported |
Not supported |
|
Adding tags to vaults |
Supported |
Supported |
Not supported |
|
Editing tags |
Supported |
Supported |
Not supported |
Roles or Policies that the CBR Console Depends on
|
Console Function |
Dependent Services |
Roles or Policies Required |
|---|---|---|
|
Associating ECSs with a vault |
ECS |
When an IAM user associates ECSs with a vault on the CBR console, the permissions of querying the ECS list and details are required. The user can either use the CBRFullAccessPolicy policy or add the required actions to a custom policy. Required actions: ecs:cloudServers:listServerVolumeAttachments ecs:cloudServers:list ecs:cloudServers:showServer |
|
Associating EVS disks with a vault |
EVS |
When an IAM user associates EVS disks with a vault on the CBR console, the permissions of querying the EVS disk list and details are required. The user can either use the CBRFullAccessPolicy policy or add the required actions to a custom policy. Required actions: evs:volumes:list |
|
Associating SFS Turbo file systems with a vault |
SFS Turbo |
When an IAM user associates SFS Turbo file systems with a vault on the CBR console, the permissions of querying the SFS Turbo file system list and details are required. The user can either use the CBRFullAccessPolicy policy or add the required actions to a custom policy. Required actions: sfsturbo:shares:getAllShares |
|
Associating Workspace desktops with a vault |
WorkSpace |
When an IAM user associates Workspace desktops with a vault on the CBR console, the permissions of querying the Workspace desktop list and details are required. The user can either use the CBR FullAccess policy or add the following actions to a custom policy: workspace:desktops:listDetail vpc:securityGroups:get vpc:publicIps:list vpc:ports:get |
|
Querying a backup and registering an image |
IMS |
When an IAM user uses a cloud server backup to create a private image on the CBR console, the permission of querying the IMS image list is required. The user can either use the CBRFullAccessPolicy policy or add the required actions to a custom policy. Required actions: ims:images:list |
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
