Permissions Management
If you need to assign different permissions to employees in your enterprise to access your DEW resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control. If your Huawei account works well for you and you do not need an IAM account to manage user permissions, then you may skip over this chapter.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control the access to Huawei Cloud resources through authorization. For example, some developers in your enterprise need to use DEW but you do not want them to have permissions to perform high-risk operations such as deleting DEW. To achieve such purpose, you can use IAM to grant them only the permissions to use DEW, but not delete DEW. With IAM, you can control their usage of DEW resources.
There are two types of IAM authorization: policy/role authorization and identity policy authorization.
The following table describes the differences between these two authorization models.
| Authorization Model | Authorization Using | Permissions | Authorization Method | Scenario |
|---|---|---|---|---|
| Policies/Roles | Roles |
| Granting roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
| Identity Policies | Policies |
|
| You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |
For example, if you want to grant an IAM user the permissions to create ECSs in CN North-Beijing4 and OBSs in CN South-Guangzhou, you need to use the administrator role to create two custom policies and assign them to the IAM user. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. ABAC is more flexible than RBAC.
Policies and actions in the two authorization models are not interoperable. You are advised to use the ABAC authorization model. For details about system-defined permissions, see Policies/Roles Permission Management and Identity Policy Permission Management.
For more information about IAM, see What Is IAM?
Policies/Roles Permission Management
DEW supports the role-based authorization model. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
DEW is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects (such as ap-southeast-2) for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing DEW.
Table 2 lists all the system policies of DEW. System-defined policies in RBAC and ABAC are not interoperable.
| Role/Policy | Description | Type | Dependency |
|---|---|---|---|
| KMS Administrator | Administrator permissions of KMS in DEW | System-defined role | None |
| KMS CMKFullAccess | All permissions for KMS in DEW Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| KMS CMKReadOnlyAccess | Read-only permissions of KMS in DEW Users with this permission can only view KMS data. | System-defined policy | None |
| CSMS FullAccess | All permissions of CSMS in DEW Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| CSMS ReadOnlyAccess | Read-only permissions of CSMS in DEW Users with this permission can only view CSMS data. | System-defined policy | None |
| DEW KeypairFullAccess | All permissions of KPS in DEW Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
| DEW KeypairReadOnlyAccess | Read-only permissions of KPS in DEW Users with this permission can only view KPS data. | System-defined policy | None |
The following tables list the authorization relationships between DEW typical operations and system permissions. You can select proper system permissions according to the tables.
| Operation | KMS Administrator | KMS CMKFullAccess | KMS CMKReadOnlyAccess |
|---|---|---|---|
| Canceling the scheduled deletion of a key | Supported | Supported | × |
| Creating a key | Supported | Supported | × |
| Schedule key deletion | Supported | Supported | × |
| Disabling a key | Supported | Supported | × |
| Enabling a key | Supported | Supported | × |
| Modifying the key alias | √ | Supported | × |
| Modifying the key description | √ | Supported | × |
| Creating a DEK | Supported | Supported | × |
| Creating a plaintext-free DEK | Supported | Supported | × |
| Creating an EC data key pair | √ | Supported | × |
| Creating a PIN | √ | Supported | × |
| Generating a random number | Supported | Supported | × |
| Creating an RSA data key pair | √ | Supported | × |
| Decrypting a DEK | Supported | Supported | × |
| Encrypting a DEK | Supported | Supported | × |
| Obtaining parameters for importing a key | √ | Supported | √ |
| Deleting key materials | Supported | Supported | × |
| Importing key materials | Supported | Supported | × |
| Revoking a grant | Supported | Supported | × |
| Retiring a grant | Supported | Supported | × |
| Creating a grant | Supported | Supported | × |
| Querying the grant list | Supported | Supported | Supported |
| Querying retirable grants | Supported | Supported | √ |
| Decrypting data | Supported | Supported | × |
| Encrypting data | Supported | Supported | × |
| Signature data | √ | Supported | × |
| Signature verification | √ | Supported | × |
| Disabling key rotation | Supported | Supported | × |
| Enabling key rotation | Supported | Supported | × |
| Querying the key rotation status | Supported | Supported | √ |
| Modifying the key rotation interval | Supported | Supported | × |
| Adding or deleting key tags in batches | Supported | Supported | × |
| Adding key tags | Supported | Supported | × |
| Deleting key tags | Supported | Supported | × |
| Querying key instances | Supported | Supported | Supported |
| Querying project tags | Supported | Supported | √ |
| Querying key tags | Supported | Supported | √ |
| Querying key details | √ | Supported | √ |
| Querying the key list | Supported | Supported | √ |
| Querying public key information | Supported | Supported | √ |
| Querying the number of instances | √ | Supported | √ |
| Querying quota | √ | Supported | √ |
| Querying a specified version | √ | Supported | √ |
| Querying all versions | √ | Supported | √ |
| Creating a dedicated keystore | √ | Supported | × |
| Deleting a dedicated keystore | √ | Supported | × |
| Disabling a dedicated keystore | √ | Supported | × |
| Enabling a dedicated keystore | √ | Supported | × |
| Obtaining the list of dedicated keystores | Supported | Supported | Supported |
| Obtaining a dedicated keystore | Supported | Supported | √ |
| Querying the regions supported by a cross-region key | √ | Supported | √ |
| Copying a key to a specified region | √ | Supported | × |
| Changing the primary region to which the key belongs | √ | Supported | × |
| Generating a MAC | √ | Supported | × |
| Verifying a MAC | √ | Supported | × |
| Associating an alias with a key | √ | Supported | × |
| Creating a key alias | √ | Supported | × |
| Deleting a key alias | √ | Supported | × |
| Querying the alias associated with a key | √ | Supported | Supported |
| Operation | CSMS FullAccess | CSMS ReadOnlyAccess |
|---|---|---|
| Deleting secrets in batches | √ | × |
| Creating a secret | Supported | × |
| Deleting a secret immediately | Supported | × |
| Creating a scheduled secret deletion task | Supported | × |
| Downloading a secret backup | Supported | Supported |
| Obtaining the secret list | Supported | √ |
| Canceling a scheduled secret deletion task | Supported | × |
| Rotating a secret | Supported | × |
| Querying a secret | Supported | √ |
| Updating a secret | Supported | × |
| Restoring a secret | Supported | × |
| Creating a secret version | Supported | × |
| Obtaining the secret version list | Supported | √ |
| Querying the secret version and value | Supported | √ |
| Updating a secret version | √ | × |
| Creating a secret version status | Supported | × |
| Querying the version status of a secret | Supported | √ |
| Deleting the version status of a secret | Supported | × |
| Updating the version status of a secret | Supported | × |
| Adding or deleting secret tags in batches | Supported | × |
| Adding a secret tag | Supported | × |
| Deleting a secret tag | Supported | × |
| Querying project tags | Supported | √ |
| Querying a secret instance | Supported | √ |
| Querying secret tags | Supported | √ |
| Creating an event | Supported | × |
| Deleting an event immediately | √ | × |
| Querying the record of triggered event notifications | Supported | √ |
| Obtaining the event list | Supported | √ |
| Querying an event | √ | √ |
| Updating an event | √ | × |
| Creating a service agency | √ | × |
| Obtaining the secret rotation function template | √ | √ |
| Checking whether a service agency exists | √ | √ |
| Querying the task list | √ | Supported |
| Operation | DEW KeypairFullAccess | DEW KeypairReadOnlyAccess |
|---|---|---|
| Exporting private keys of key pairs in batches | √ | × |
| Importing SSH key pairs in batches | √ | × |
| Clearing a private key | Supported | × |
| Creating and Importing an SSH Key Pair | Supported | × |
| Deleting an SSH key pair | Supported | × |
| Exporting a private key | Supported | × |
| Importing a private key | Supported | × |
| Obtaining details about an SSH key pair | Supported | Supported |
| Obtaining SSH key pair list | Supported | Supported |
| Updating the description about an SSH key pair | Supported | × |
| Binding an SSH key pair | Supported | × |
| Importing SSH key pairs in batches | √ | × |
| Deleting all failed tasks | Supported | × |
| Deleting a failed task | Supported | × |
| Unbinding an SSH key pair | Supported | × |
| Querying the information about failed tasks | Supported | Supported |
| Obtaining task information | Supported | Supported |
| Querying the information about a task that is being processed | Supported | √ |
Identity Policy Permission Management
DEW supports identity policy authorization. The following table lists all identity policies in DEW. The identity policy for roles/policies and identity policies are different.
| Policy Name | Description | Policy Type |
|---|---|---|
| KMSFullAccessPolicy | All permission policies of KMS | System-defined |
| KMSReadOnlyPolicy | Read-only permission policies of KMS | System-defined |
| CSMSFullAccessPolicy | All permissions of CSMS | System-defined |
| CSMSReadOnlyPolicy | Read-only permissions of CSMS | System-defined |
| CSMSServiceLinkedAgencyPolicy | Agency policies linked with cross-account CSMS | System-defined |
| KPSFullAccessPolicy | All permissions of KPS | System-defined |
| KPSReadOnlyPolicy | Read-only permissions of KPS | System-defined |
Table 7, Table 8, and Table 9 list the authorization relationships between DEW typical operations and system permissions. You can select proper system permissions according to the tables.
| Operation | KMSFullAccessPolicy | KMSReadOnlyPolicy |
|---|---|---|
| Querying the key list | Supported | Supported |
| Enabling a key | Supported | × |
| Disabling a key | Supported | × |
| Querying details about a key | Supported | Supported |
| Creating a DEK | Supported | × |
| Creating a plaintext-free DEK | Supported | × |
| Encrypting a DEK | Supported | × |
| Decrypting a DEK | Supported | × |
| Encrypting data | Supported | × |
| Decrypting data | Supported | × |
| Generating a random number | Supported | × |
| Signature data | Supported | × |
| Signature verification | Supported | × |
| Querying public key information | Supported | Supported |
| Querying versions | Supported | Supported |
| Querying the API version of a key | Supported | Supported |
| Schedule key deletion | Supported | × |
| Canceling the scheduled deletion of a key | Supported | × |
| Querying the number of tenant key instances | Supported | Supported |
| Querying the tenant quota | Supported | Supported |
| Modifying key information - Updating a key alias | Supported | × |
| Modifying key information - Updating key description | Supported | × |
| Creating a grant | Supported | × |
| Querying the grant list | Supported | Supported |
| Querying retirable grants | Supported | Supported |
| Retiring a grant | Supported | × |
| Revoking a grant | Supported | × |
| Obtaining parameters for importing a key | Supported | Supported |
| Importing key materials | Supported | × |
| Deleting key materials | Supported | × |
| Enabling key rotation | Supported | × |
| Modifying the key rotation interval | Supported | × |
| Disabling key rotation | Supported | × |
| Querying the key rotation status | Supported | Supported |
| Deleting a dedicated keystore | Supported | × |
| Enabling a dedicated keystore | Supported | × |
| Disabling a dedicated keystore | Supported | × |
| Obtaining the list of dedicated keystores | Supported | Supported |
| Obtaining a dedicated keystore | Supported | Supported |
| Adding key tags | Supported | × |
| Adding or deleting key tags in batches | Supported | × |
| Querying key instances | Supported | Supported |
| Deleting key tags | Supported | × |
| Querying key tags | Supported | Supported |
| Querying project tags | Supported | Supported |
| Operation | CSMSFullAccessPolicy | CSMSReadOnlyPolicy |
|---|---|---|
| Creating a secret | Supported | × |
| Downloading a secret backup | Supported | Supported |
| Restoring a secret | Supported | × |
| Deleting a secret immediately | Supported | × |
| Updating a secret | Supported | × |
| Querying a secret | Supported | Supported |
| Obtaining the secret list | Supported | Supported |
| Creating a secret version | Supported | × |
| Querying the secret version and value | Supported | Supported |
| Obtaining the secret version list | Supported | Supported |
| Creating a secret version status | Supported | × |
| Querying the version status of a secret | Supported | Supported |
| Updating the version status of a secret | Supported | × |
| Deleting the version status of a secret | Supported | × |
| Querying the secret quota | Supported | Supported |
| Creating a scheduled secret deletion task | Supported | × |
| Canceling a scheduled secret deletion task | Supported | × |
| Rotating a secret | Supported | × |
| Querying a secret instance | Supported | Supported |
| Adding or deleting secret tags in batches | Supported | × |
| Adding a secret tag | Supported | × |
| Deleting a secret tag | Supported | × |
| Querying secret tags | Supported | Supported |
| Querying project tags | Supported | Supported |
| Updating the validity period of a secret version | Supported | × |
| Creating an event | Supported | × |
| Obtaining the event list | Supported | Supported |
| Querying event notifications | Supported | Supported |
| Updating an event notification | Supported | × |
| Deleting an event notification immediately | Supported | × |
| Querying the record of triggered event notifications | Supported | Supported |
| Operation | KPSFullAccessPolicy | KPSReadOnlyPolicy |
|---|---|---|
| Creating and Importing an SSH Key Pair | Supported | × |
| Deleting an SSH key pair | Supported | × |
| Obtaining details about an SSH key pair | Supported | Supported |
| Obtaining SSH key pair list | Supported | Supported |
| Updating the description about an SSH key pair | Supported | × |
| Binding an SSH key pair | Supported | × |
| Deleting all failed tasks | Supported | × |
| Deleting a failed task | Supported | × |
| Unbinding an SSH key pair | Supported | × |
| Querying the information about failed tasks | Supported | Supported |
| Obtaining task information | Supported | Supported |
| Querying the information about a task that is being processed | Supported | Supported |
| Importing a private key | Supported | × |
| Exporting a private key | Supported | × |
| Binding key pairs to VMs in batches | Supported | × |
| Clearing a private key | Supported | × |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot