Learning About RBAC
This section describes how to use IAM to implement fine-grained permissions control for your COC resources. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing COC resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or cloud service to perform efficient O&M on your COC resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes the workflow for granting permissions to users.
Prerequisites
Learn about the permissions supported by COC, see Permissions Management. To grant permissions for other services, learn about all system-defined permissions.
Example Workflow
- Create a user group and assign permissions to it.
Create a user group on the IAM console, and grant the read-only system permission COC ReadOnlyAccess and the administrator system permission COC FullAccess to the user group.
- Create an IAM user and add it to a group.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
- Log in to COC, choose Task Management > To-do Center in the navigation pane on the left. In the upper right corner of the displayed page, click Create Ticket. If a to-do task fails to be created (assume that you have only the COC ReadOnlyAccess permission), the COC ReadOnlyAccess permission has taken effect.
- Log in to COC, choose Task Management > To-do Center in the navigation pane on the left. In the upper right corner of the displayed page, click Create Ticket. If a to-do task can be created (assume that you have only the COC FullAccess permission), the COC FullAccess permission has taken effect.
- Custom policies can be created to supplement the system-defined policies of COC. For the actions supported for custom policies, see Policies and Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common COC custom policies.
Example Custom Policies
- Example 1: Allow users to create O&M tasks.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "coc:task:create" ] } ] }
- Example 2: Grant permissions to deny topic deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Assume that you want to grant the permissions of the COC FullAccess policy to a user but want to prevent them from deleting documents. You can create a custom policy for denying document deletion, and attach both policies to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on COC resources except deleting documents. The following is an example of a deny policy:{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "coc:document:delete" ] } ] }
- Example 3: Create a custom policy containing multiple actions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot