Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Permissions/ Example: Designing and Configuring Permissions for Users in a Company
Updated on 2024-10-25 GMT+08:00

Example: Designing and Configuring Permissions for Users in a Company

A company uses Huawei Cloud UCS to manage multiple clusters. The company has multiple functional teams responsible for permission granting, resource management, application creation, traffic distribution, and O&M, respectively. Using the permissions management of IAM and UCS can achieve refined permission granting.

Figure 1 Organizational structure
  • Management team: manages all resources of the company.
  • Development team: develops services.
  • O&M team: views and monitors the usage of all resources.
  • Guest: a reserved read-only team that has only the permission for viewing resources.

Grant required permissions to different functional teams in the company according to Table 1.

Table 1 Permissions

Functional Team

Policy to Be Granted

Permission Description

Management team

UCS FullAccess

UCS administrator with full permissions, including creating permission policies and security policies

Development team

UCS CommonOperations

Common UCS user with permissions for creating workloads, distributing traffic, and other operations

O&M team

UCS CIAOperations

CIA administrator with full permissions in UCS

Guest

UCS ReadOnlyAccess

Read-only permissions on UCS (except for CIA)

Permission Design

The following figure shows the operations that can be performed by different functional teams on UCS resources.

Figure 2 Operations that can be performed on UCS resources
  • : Tenant Administrator grants permissions to each functional team.
  • to : The management team with the UCS FullAccess permission is responsible for creating a fleet, registering a cluster, adding a cluster to the fleet, enabling cluster federation, and building the multi-cluster federation infrastructure. In addition, the management team creates permissions and associates them with the fleet or clusters that are not added to the fleet so that the development team has the corresponding operation permissions on specific Kubernetes resources.
  • and : The development team with the UCS CommonOperations permission performs operations such as creating workloads and distributing traffic.
  • : The O&M team with the UCS CIAOperations permission performs monitoring and O&M.
  • : Guests with the UCS ReadOnlyAccess permission can view resources such as clusters, fleets, and workloads.

Administrator: IAM Authorization

Tenant Administrator performs IAM authorization for each functional team by creating four user groups, granting the UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess permissions to these user groups, and adding users to each user group, as shown in Figure 3.

Figure 3 IAM authorization

For example, create the dev user group for the development team, grant the UCS CommonOperations permission to the user group, and add the devuser1 and devuser2 users.

Figure 4 Granting permissions
Figure 5 Managing users

For details, see UCS Resource Permissions (IAM Authorization). To use some UCS functions that depend on other cloud services, grant permissions to related cloud services. For example, the IAM user list is required for creating a permission policy, so both the UCS FullAccess and VDC ReadOnlyAccess permissions need to be granted to the management team.

Management Team: Building Infrastructure and Configuring Permission Policies

  1. Create a permission policy.

    Create a development permission policy for developers.

    Figure 6 Creating a development permission policy

  2. Create a fleet and associate the permission policy with the fleet.

    A fleet contains multiple clusters and can implement unified permission management for these clusters. The management team associates the development permission created in the previous step with the fleet, so that clusters subsequently added to the fleet will have the permission. In this way, developers are allowed to perform operations on cluster resources (such as creating workloads) in the fleet. For details, see Managing Fleets.

  3. Register clusters and add them to the fleet.

    UCS supports the registration of Huawei Cloud clusters, on-premises clusters, multi-cloud clusters, and attached clusters. The management team can select a cluster type as required. For details, see Huawei Cloud Clusters, Overview, Overview, or Overview.

  4. Enable cluster federation.

    Enable it to enjoy unified orchestration of multiple clusters, cross-cluster auto scaling & service discovery, auto failover, etc. Enabling cluster federation for the fleet will federate the registered clusters in the fleet.

Development Team: Creating Workloads and Distributing Traffic

After the management team builds the multi-cluster federation infrastructure, developers can use the infrastructure resources. For details, see Workload Management and Traffic Distribution.

O&M Team: Viewing and Monitoring Resource Usage

The O&M team can use the functions provided by CIA, such as intelligent analysis, dashboard, notification configuration, and 24/7 daemon, to monitor workload resources in real time, analyze application health, and complete other routine O&M tasks. For details, see Container Intelligent Analysis.

Guest: Viewing Resources

Guests (persons who have only the permission for viewing resources) can view resources such as clusters, fleets, and workloads.