Updated on 2025-11-25 GMT+08:00

Permissions

If you need to grant your enterprise personnel permission to access your CloudDC resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control, and helps you secure access to your Huawei Cloud resources. If your HUAWEI ID account does not require IAM for permissions management, you can skip this section.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to be able to use CloudDC resources but do not want them to be able to unsubscribe from the resources or perform any other high-risk operations, you can create IAM users and grant permissions to use CloudDC resources but not permissions to unsubscribe from them.

IAM supports policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

Table 1 Differences between policy-based and identity policy-based authorization

| Authorization Model | Core Relationship | Permissions | Authorization Method | Scenario |
| --- | --- | --- | --- | --- |
| Policy | User-permission-authorization scope | System-defined policies; custom policies | Assigning roles or policies to principals | To authorize a user, you first add the user to a user group and then specify the scope of authorization. This model provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. It is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | System-defined identity policies; custom identity policies | Assigning identity policies to principals; attaching identity policies to principals | You authorize a user by attaching an identity policy to it. User-specific authorization and a variety of condition keys allow for more fine-grained permissions control. However, this model can be harder to set up, requires a certain amount of expertise, and is suitable for medium- and large-sized enterprises. |

Assume that you want to grant IAM users permission to create CloudDC resources in CN North-Beijing4 and CloudDC permissions in CN South-Guangzhou. With policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy, configure the condition key g:RequestedRegion in that policy, and then attach the policy to the principals or grant the principals access to the specified regions. Identity policy-based authorization is therefore more flexible than role/policy-based authorization.
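To make the region-scoped scenario concrete, the following is an added example (not Huawei Cloud code or a CloudDC artifact): a small evaluator that applies one constructed identity policy using the g:RequestedRegion condition key to requests in different regions. The policy layout (Version, Statement, Effect, Action, Condition, StringEquals), the action names under clouddc:*, and the region IDs cn-north-4 and cn-south-1 are assumptions made for illustration; only the evaluation semantics a practitioner needs here are modelled: default deny, explicit Deny wins, wildcard action matching, and a StringEquals check that fails closed when the key is missing or the operator is unknown.

```python
"""Added example: evaluating a region-scoped identity policy (not Huawei Cloud code).

Assumptions (not taken from the documentation page):
- the JSON layout mirrors identity policies as the author understands them;
- "clouddc:*" and the specific action strings below are illustrative placeholders;
- cn-north-4 (CN North-Beijing4) and cn-south-1 (CN South-Guangzhou) are used as
  the two regions from the scenario in the text.
"""
import fnmatch
import json

# Constructed policy: one Allow statement for all CloudDC actions, restricted
# to two regions through the g:RequestedRegion condition key.
REGION_SCOPED_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["clouddc:*"],
      "Condition": {
        "StringEquals": {
          "g:RequestedRegion": ["cn-north-4", "cn-south-1"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """Case-insensitive wildcard match of the requested action against Action patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _conditions_hold(condition, context):
    """Evaluate the Condition block against the request context.

    Only StringEquals is modelled. An unknown operator or a missing context
    key makes the statement not apply (fail closed).
    """
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, context):
    """Return "Allow" or "Deny" for one request.

    Default decision is Deny; a matching Allow flips it; a matching explicit
    Deny ends evaluation immediately.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _action_matches(_as_list(stmt["Action"]), action):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decide(action, region, policy=REGION_SCOPED_POLICY):
    """Convenience wrapper: decision for an action requested in a given region."""
    return evaluate(policy, action, {"g:RequestedRegion": region})


if __name__ == "__main__":
    # Illustrative action names; the real CloudDC action set is not shown on the page.
    for action, region in [
        ("clouddc:imetal:create", "cn-north-4"),
        ("clouddc:server:list", "cn-south-1"),
        ("clouddc:imetal:create", "ap-southeast-1"),
        ("ecs:servers:list", "cn-north-4"),
    ]:
        print(f"{action:25s} {region:15s} -> {decide(action, region)}")
```

The single policy grants the same CloudDC actions in both regions and denies them everywhere else, which is what the text contrasts with needing two separate custom policies under the policy-based model. Because the condition check fails closed, a request carrying no region context is also denied.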

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Identity Policy-based Authorization.

For more information about IAM, see IAM Service Overview.

Identity Policy-based Authorization

CloudDC supports identity policy-based authorization. Table 2 lists all the system-defined identity policies for CloudDC. System-defined policies in identity policy-based authorization are not interoperable with those in policy-based authorization.

Table 2 System-defined identity policies for CloudDC

| Policy | Description | Type |
| --- | --- | --- |
| CloudDCFullAccessPolicy | Full permissions for CloudDC | System-defined identity policy |
| CloudDCReadOnlyPolicy | Read-only permissions for CloudDC | System-defined identity policy |
| CloudDCConsoleFullAccessPolicy | Full permissions for the CloudDC console | System-defined identity policy |
| CloudDCConsoleReadOnlyPolicy | Read-only permissions for the CloudDC console | System-defined identity policy |

Table 3 lists the common operations supported by system-defined identity policies for CloudDC.

Table 3 Common operations supported by system-defined identity policies

| Operation | CloudDCFullAccessPolicy | CloudDCReadOnlyPolicy | CloudDCConsoleFullAccessPolicy | CloudDCConsoleReadOnlyPolicy |
| --- | --- | --- | --- | --- |
| Batch querying physical servers | Supported | Supported | Supported | Supported |
| Querying information about physical servers | Supported | Supported | Supported | Supported |
| Querying server hardware details | Supported | Supported | Supported | Supported |
| Querying server firmware details | Supported | Supported | Supported | Supported |
| Modifying the power statuses of physical servers | Supported | Not supported | Supported | Not supported |
| Exporting server logs | Supported | Not supported | Supported | Not supported |
| Querying the export status of logs | Supported | Supported | Supported | Supported |
| Downloading logs | Supported | Not supported | Supported | Not supported |
| Obtaining the console address | Supported | Not supported | Supported | Not supported |
| Batch creating iMetal servers | Supported | Not supported | Supported | Not supported |
| Batch querying iMetal servers | Supported | Supported | Supported | Supported |
| Batch deleting iMetal servers | Supported | Not supported | Supported | Not supported |
| Creating an iMetal server | Supported | Not supported | Supported | Not supported |
| Deleting an iMetal server | Supported | Not supported | Supported | Not supported |
| Changing the password of an iMetal server | Supported | Not supported | Supported | Not supported |
| Reinstalling the OS on an iMetal server | Supported | Not supported | Supported | Not supported |
| Querying the status of an iMetal server | Supported | Supported | Supported | Supported |
| Changing the IP address of an iMetal server | Supported | Not supported | Supported | Not supported |
| Listing resources | Supported | Supported | Supported | Supported |
| Querying tags of a resource | Supported | Supported | Supported | Supported |
| Querying resource tags in a specified project | Supported | Supported | Supported | Supported |
| Querying the number of instances | Supported | Supported | Supported | Supported |
| Batch creating resource tags | Supported | Not supported | Supported | Not supported |
| Batch deleting tags from a resource | Supported | Not supported | Supported | Not supported |
| Obtaining server overview | Supported | Supported | Supported | Supported |
| Obtaining server alarm overview | Supported | Supported | Supported | Supported |
| Obtaining the server alarm trend | Supported | Supported | Supported | Supported |
| Obtaining the server alarm list | Supported | Supported | Supported | Supported |
| Obtaining the server event list | Supported | Supported | Supported | Supported |
| Querying event definitions | Supported | Supported | Supported | Supported |
| Updating or creating server maintenance data | Supported | Not supported | Supported | Not supported |
| Querying server maintenance data | Supported | Supported | Supported | Supported |
| Creating and updating spare parts | Supported | Not supported | Supported | Not supported |
| Querying spare parts | Supported | Supported | Supported | Supported |
| Modifying the intelligent rack description | Supported | Not supported | Supported | Not supported |
| Querying the intelligent rack list | Supported | Supported | Supported | Supported |
| Modifying the IDC description | Supported | Not supported | Supported | Not supported |
| Querying the IDC list | Supported | Supported | Supported | Supported |
| Querying the rack list | Supported | Supported | Supported | Supported |
| Querying rack tags | Supported | Supported | Supported | Supported |
| Querying rack tags in a specified project | Supported | Supported | Supported | Supported |
| Querying the number of racks | Supported | Supported | Supported | Supported |
| Batch creating rack tags | Supported | Not supported | Supported | Not supported |
| Batch deleting rack tags | Supported | Not supported | Supported | Not supported |
| Verifying rack order parameters | Supported | Not supported | Supported | Not supported |

Identity Policy-based Permissions Required for CloudDC Console Operations

Table 4 Identity policy dependencies of the CloudDC console (each entry gives the console function, its dependency in parentheses, and the identity policy required)

Installing an OS (dependency: Image Management Service (IMS))

  • IAM users with CloudDCConsoleFullAccessPolicy or CloudDCConsoleReadOnlyPolicy assigned can directly use or access IMS to install an OS.

CloudDCN (dependency: Virtual Private Cloud (VPC))

  • IAM users with CloudDCConsoleFullAccessPolicy or CloudDCConsoleReadOnlyPolicy assigned can directly use or access CloudDCN.

CloudDC resource tag information (dependency: Tag Management Service (TMS))

  • IAM users with CloudDCConsoleFullAccessPolicy or CloudDCConsoleReadOnlyPolicy assigned can directly use or access TMS.

Querying or obtaining monitoring information (dependency: Cloud Eye)

  • IAM users with CloudDCConsoleFullAccessPolicy or CloudDCConsoleReadOnlyPolicy assigned can directly use Cloud Eye to query monitoring data.

NOTE:

If you want to create alarm rules, view alarm lists, and customize monitoring, you need to switch from the CloudDC console to the Cloud Eye console.

For details about how to use Cloud Eye and configure permissions, see Cloud Eye User Guide.

Paying for, viewing, renewing, and unsubscribing from CloudDC resources (dependency: Billing Center)

  • IAM users with the following permissions can use or access Billing Center to pay for, view, renew, and unsubscribe from CloudDC resources:

    - billing:order:pay: Grants the permission to pay for resources to be purchased.

    - billing:order:view: Grants the permission to view orders.

    - billing:subscription:renew: Grants the permission to renew subscriptions, enable auto-renewal, and set expiration policies.

    - billing:subscription:unsubscribe: Grants the permission to view and unsubscribe from resources.

Creating a private image (dependency: Object Storage Service (OBS))

  • IAM users with the following permissions can use or access OBS to create images for CloudDC resources:

    - obs:object:getObject: Grants the permission to download an object.

    - obs:object:getObjectAcl: Grants the permission to obtain the ACL of an object.

    - obs:bucket:getBucketAcl: Grants the permission to obtain the bucket ACL.

    - obs:bucket:getBucketLocation: Grants the permission to query the location of a bucket.

    - obs:bucket:listBucket: Grants the permission to list the objects in a bucket.

    - obs:bucket:headBucket: Grants the permission to obtain the metadata of a bucket.

    - obs:bucket:listAllMybuckets: Grants the permission to list the created buckets.