Introduction

Permission System

You can use Identity and Access Management (IAM) for fine-grained permissions management of your DataArts Studio resources. If your HUAWEI IDaccount does not need individual IAM users, you can skip this section.

With IAM, you can control access to specific Huawei Cloudcloud resources from principals (IAM users, user groups, agencies, or trust agencies). IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes their differences.

**Table 1** Differences between role/policy-based and identity policy-based authorization
Authorization Model	Core Relationship	Permissions	Authorization Method	Scenario
Role/Policy	User-permission-authorization scope	System-defined roles System-defined policies Custom policies NOTE: DataArts Studio supports system-defined roles (DAYU Administrator, DAYU User, and DataArts Studio User) but does not support system-defined policies and custom policies.	Assigning roles or policies to principals	To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.
Identity policy	User-policy	System-defined policies Custom identity policies	Assigning identity policies to principals Attaching identity policies to principals	You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Assume that you want to grant IAM users permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom identity policy and configure the condition key g:RequestedRegion for the policy, and then attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.

Figure 1 shows the permission system of DataArts Studio. Role/Policy-based authorization and Identity policy-based authorization are supported. However, system-defined policies and custom policies in role/policy-based authorization are not supported. Policies, identity policies, and actions in the two authorization models are not interoperable. Figure 2 compares the two models. You are advised to use attribute-based access control (ABAC) for fine-grained authorization to ensure that minimum permissions are assigned. For details about how to assign permissions, see Creating an IAM User and Assigning DataArts Studio Permissions.

If you assign both a role/policy-based permission (DAYU Administrator, DAYU User, or DataArts Studio User) and an identity policy-based permission (DataArtsStudioFullAccessPolicy, DataArtsStudioOperatorPolicy, DataArtsStudioReadOnlyPolicy, or custom identity policies) to an IAM user, the IAM user will have the following permissions:

If both permissions contain the deny action, the deny policy prevails.
The allow actions in the two permissions both take effect.

Figure 1 Permission system

Figure 2 Two authorization models

API Calling Permissions

If you use IAM users in your account to call an API, the IAM users must be granted the required permissions.

**Table 2** API calling permissions
Authorization Method	Required Permissions	Authorization Content	Example
Role/Policy-based authorization	To call an API, you must have the required role permissions. (DataArts Studio does not support system-defined policies or custom policies in role/policy-based authorization.)	You can configure any of the following roles to grant permissions: DAYU Administrator: instance administrator, who has all management permissions on DataArts Studio instances and workspaces, permissions on dependent services, and all service operation permissions in all workspaces. DAYU User + workspace role: common user, who has the permissions to view DataArts Studio instances and workspaces, and the permissions on dependent services. After assigned a role, the common user has permissions of the role to perform service operations. Workspace roles include the preset admin, developer, deployer, operator, and viewer. For details about the permissions of each role, see Permissions. DataArts Studio User + workspace role + dependent service permissions: common user, who has the permissions to view DataArts Studio instances and workspaces, but does not have the permissions on dependent services. After assigned a workspace role and the permissions of dependent services, the common user has permissions of the role to perform service operations. Workspace roles include the preset admin, developer, deployer, operator, and viewer. For details about the permissions of each role, see Permissions.	For example, an IAM user can call the API for querying the DataArts Studio instance list only if the user has been assigned one of the following roles: DAYU Administrator, DAYU User, and DataArts Studio User.
Identity policy-based authorization	To call an API, you must have the required system-defined policy permissions, or have the policy corresponding to the action.	You can configure any of the following system-defined policies to grant permissions: DataArtsStudioFullAccessPolicy + workspace role + permissions of dependent services: permissions for managing DataArts Studio instances and workspaces. After assigned any workspace role and permissions of dependent services, the user has the service operation permissions of the corresponding role and can perform service operations. For details about the operation permissions of the roles, see Permissions. DataArtsStudioOperatorPolicy + workspace role + permissions of dependent services: permissions for performing common operations on DataArts Studio instances and workspaces. After assigned any workspace role and permissions of dependent services, the user has the service operation permissions of the corresponding role and can perform service operations. For details about the operation permissions of the roles, see Permissions. DataArtsStudioReadOnlyPolicy + workspace role + permissions of dependent services: permissions for viewing DataArts Studio instances and workspaces. After assigned any workspace role and permissions of dependent services, the user has the service operation permissions of the corresponding role and can perform service operations. For details about the operation permissions of the roles, see Permissions.	For example, an IAM user can call the API for querying the DataArts Studio instance list only if the user has been assigned the DataArtsStudioFullAccessPolicy system policy or a custom policy that contains the DataArtsStudio:instance:list action.
Identity policy-based authorization		The permissions for calling the following APIs can be assigned based on the corresponding actions. For details, see Table 2. Buying a DataArts Studio Instance: DataArtsStudio:instance:create Obtaining the Workspace List: DataArtsStudio:workspace:list Creating a Workspace: DataArtsStudio:workspace:create Obtaining Information About a Workspace: DataArtsStudio:workspace:get Obtaining the Instance List: DataArtsStudio:instance:list Changing Specifications: DataArtsStudio:instance:resize