Help Center/ Customer Operation Capabilities/ API Reference/ API Invoking Methods/ Permissions and Supported Actions/ Introduction
Updated on 2025-11-21 GMT+08:00
View PDF
Share

Introduction

You can use Identity and Access Management (IAM) for fine-grained permissions management of your BSS resources. If your HUAWEI IDaccount does not need individual IAM users, you can skip this section.

With IAM, you can control access to specific Huawei Cloudcloud resources from principals (IAM users, user groups, agencies, or trust agencies). IAM supports role/policy-based authorization and identity policy-based authorization.

The following table lists the differences between these two types of authorization.

Table 1 Differences between the two types of authorization

Authorization Type

Authorization Using

Permissions

Authorization Method

Description

Role/Policy-based authorization

User, permissions, and authorization scope
  • System-defined roles
  • System-defined policies
  • Custom policies

Attaching roles or policies to principals

To authorize a user, you need to add it to a user group first and then assign permissions to the user group so that the added user can inherit permissions from the user group. In this way, you need to maintain numerous user groups and use relatively fewer condition keys. It is difficult to implement fine-grained permissions through user groups. The policies/roles model is more suitable for small- and medium-sized enterprises.

Identity policy-based authorization

Users and policies
  • System-defined policies
  • Custom identity policies
  • Granting principles identity policies
  • Attaching identity policies to principals

You can authorize a user by directly attaching an identity policy to them. You can customize policies and attach them to specified users. Identity policies allow you to perform refined access control more efficiently and flexibly. However, this model is more complex and requires higher personnel expertise. It is more suitable for medium- and large-sized enterprises.

Policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model.

If you use IAM users in your account to call an API, the IAM users must be granted the required permissions. The required permissions are determined by the actions supported by the API. Only users with the policies allowing for those actions can call the API successfully.

Assume that an IAM user wants to call an API to query the price of a pay-per-use product. With policy-based authorization, the IAM user must be granted the permissions allowing for action bss:discount:view. With identity policy-based authorization, the IAM user must be granted the permissions allowing for action billing:contract:viewDiscount.