Permissions Management
You can use IAM to manage EG permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.
With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can create IAM users for software developers and assign permissions to allow them to use EG resources but prevent them from deleting resources or performing any high-risk operations.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.
IAM can be used free of charge. You pay only for the resources in your account. For details, see IAM Service Overview.
EG Permissions
By default, new IAM users do not have any permissions. You need to add them to one or more groups, and then add permissions policies or roles to these groups. The users inherit permissions from their groups and can then perform specified operations on cloud services.
EG is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, set the scope to Region-specific projects and select projects for the permissions to take effect. If All resources is selected, the permissions will take effect for the user group in all region-specific projects. Switch to a region where you have been authorized to access EG.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism enables more flexible policy-based authorization and meets secure access control requirements. For example, you can grant IAM users only the permissions for performing specific operations on event sources. Most policies define permissions based on APIs.
Table 1 lists all the system-defined roles and policies supported by EG.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
EG FullAccess |
Full permissions for EG |
System-defined policy |
N/A |
|
EG Publisher |
Permissions for publishing events |
System-defined policy |
N/A |
|
EG ReadOnlyAccess |
Read-only permissions for EG |
System-defined policy |
N/A |
Table 2 lists the common operations supported by each system-defined policy of EG. Please choose proper policies according to this table.
|
Operation |
EG FullAccess |
EG Publisher |
EG ReadOnlyAccess |
|---|---|---|---|
|
Create event subscription
NOTE:
To create event targets with FunctionGraph, EG, or SMN, you must be granted the required permissions. For details, see Table 3. |
√ |
× |
× |
|
Enable/Disable event subscription |
√ |
× |
× |
|
Update event subscription |
√ |
× |
× |
|
Delete event subscription |
√ |
× |
× |
|
View event subscription |
√ |
× |
√ |
|
Create event source |
√ |
× |
× |
|
Update event source |
√ |
× |
× |
|
Delete event source |
√ |
× |
× |
|
View event source |
√ |
× |
√ |
|
Create event channel |
√ |
× |
× |
|
Update event channel |
√ |
× |
× |
|
Delete event channel |
√ |
× |
× |
|
View event channel |
√ |
√ |
√ |
|
Create connection |
√ |
× |
× |
|
Update connection |
√ |
× |
× |
|
Delete connection |
√ |
× |
× |
|
View connection |
√ |
× |
√ |
|
Create endpoint |
√ |
× |
× |
|
Update endpoint |
√ |
× |
× |
|
Delete endpoint |
√ |
× |
× |
|
View endpoint |
√ |
× |
√ |
|
Publish event to event channel |
√ |
√ |
× |
|
Configuration |
Permission |
|---|---|
|
Configure event targets with EG, SMN, or FunctionGraph |
iam:permissions:grantRoleToAgencyOnProject |
|
iam:agencies:listAgencies |
|
|
iam:roles:listRoles |
|
|
iam:agencies:getAgency |
|
|
iam:agencies:createAgency |
|
|
iam:permissions:listRolesForAgency |
|
|
iam:permissions:listRolesForAgencyOnProject |
|
|
iam:permissions:listRolesForAgencyOnDomain |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
