Assigning Permissions to O&M Personnel Using IAM

Overview

Assume that a company has purchased different resources on Huawei Cloud, and has multiple functional teams that need to use one or more types of resources. The company can use IAM identity policies to set permissions for multiple O&M personnel.

Resource Planning

Based on the different responsibilities of employees in the company, employees are grouped into the following seven teams.

Figure 1 Permissions management model
Click to enlarge

Resource O&M team: manages all resources of the company.
Accounting management team: manages accounting affairs of the company.
Resource monitoring team: views and monitors the resource usage.
Computing O&M team: is responsible for the computing domain O&M.
Network O&M team: is responsible for the network domain O&M.
Database O&M team: is responsible for the database domain O&M.
Security O&M team: is responsible for the security domain O&M.

You can assign different permissions to different functional teams according to Table 1. In this way, the permissions of different teams are isolated and each team performs its own functions. For details about system-defined permissions of all Huawei Cloud services, see System-defined Identity Policies.

**Table 1** Team permissions
Functional team	Required Policy	Description
Resource O&M team	AdministratorAccessPolicy	Full permissions for all services.
Accounting management team	BILLINGFullAccessPolicy	Full permissions for Billing Center, Account Center, Cost Center, Enterprise Center, and Message Center.
Resource monitoring team	ReadOnlyPolicy	Read-only permissions for all services.
Computing O&M team	ECSFullPolicy	Full permissions for Elastic Cloud Server (ECS), including the permission to purchase ECS resources. Users granted only this permission cannot view the overall usage of ECS resources and other resources unless you grant them the BSS Administrator permission.
	CCEFullPolicy	Full permissions for Cloud Container Engine (CCE), including the permission to purchase CCE resources. Users granted only this permission cannot view the overall usage of CCE resources and other resources unless you grant them the BSS Administrator permission.
	ASFullPolicy	Full permissions for Auto Scaling (AS), including the permission to purchase AS resources. Users granted only this permission cannot view the overall usage of AS resources and other resources unless you grant them the BSS Administrator permission.
Network O&M team Database O&M team Security O&M team	VPCFullAccessPolicy ELBFullAccessPolicy RDSFullAccessPolicy DDSFullAccessPolicy DDMFullAccessPolicy Anti-DDoSFullAccessPolicy AADFullAccessPolicy KMSFullAccessPolicy	Full permissions for Virtual Private Cloud (VPC), including the permission to purchase VPC resources. Users granted only this permission cannot view the overall usage of VPC resources and other resources unless you grant them the BSS Administrator permission. Full permissions for Elastic Load Balance (ELB), including the permission to purchase ELB resources. Users granted only this permission cannot view the overall usage of ELB resources and other resources unless you grant them the BSS Administrator permission. Full permissions for Relational Database Service (RDS), including the permission to purchase RDS resources. Users granted only this permission cannot view the overall usage of RDS resources and other resources unless you grant them the BSS Administrator permission. Full permissions for Document Database Service (DDS), including the permission to purchase DDS resources. Users granted only this permission cannot view the overall usage of DDS resources and other resources unless you grant them the BSS Administrator permission. Full permissions for Distributed Database Middleware (DDM). Full permissions for Anti-DDoS. Full permissions for Advanced Anti-DDoS (AAD). Full permissions for Key Management Service (KMS), including the permission to purchase KMS resources. Users granted only this permission cannot view the overall usage of KMS resources and other resources unless you grant them the BSS Administrator permission.

Based on the division of the functional teams, resources are planned as follows.

**Table 2** Resource planning
Resource	Resource Name	Description	Quantity
Administrator account	Company-A	Used to manage resources and permissions of the company.	1
IAM user groups	Network O&M	Functional teams are divided into seven user groups. The network O&M team is used as an example to describe how to create a user group.	1
IAM users	James and Alice	James and Alice are used as an example to describe how to create IAM users.	2
Permissions	VPC FullAccess and ELB FullAccess	According to the preceding table, two types of permissions need to be configured for the network O&M team.	2

IAM is a free service, so the best practices do not involve any expenditures.

Procedure

IAM allows you to assign permissions to users in the user groups. Figure 2 shows how to grant an employee the permissions required as the network O&M owner. If you want to configure employees as other O&M owners, assign the required permissions to them based on Table 1.

Figure 2 Process

Step 1: Create a User Group and Assign Permissions

Log in to the Huawei Cloud management console as the administrator.
On the management console, hover the mouse pointer over the username in the upper right corner and then choose Identity and Access Management.
On the IAM console, choose User Groups in the navigation pane. Then click Create User Group.
Figure 3 Creating a user group
On the Create User Group page, enter the user group name NetworkDomainOperations and click OK. Only letters, digits, spaces, hyphens (-), and underscores (_) are allowed.
Figure 4 Entering a group name
Locate the user group you created and click Authorize in the Operation column.
Figure 5 Authorizing a user group
Search for VPCFullAccessPolicy and ELBFullAccessPolicy, select the two policies, and click Next.
Figure 6 Selecting permissions
Click OK. The created user group will be displayed in the user group list.
You can click the name of the network O&M user group and view the assigned permissions on the Permissions tab.

Step 2: Create an IAM User and Add It to the Group

Log in to the IAM console as the administrator and choose Users from the left navigation pane.
On the Users page, click Create User in the upper right corner.
Figure 7 Creating a user
Configure basic information about users James and Alice.
On the Create User page, enter the username and description, configure the management console access, and set a password.
Figure 8 Setting user details
Click Next and add the IAM users James and Alice to the created network O&M user group.
Figure 9 Adding users to the user group
Click Create User. The IAM users are created. You can download the login password.
Figure 10 Users created

Step 3: Log In as an IAM User and Verify Permissions

An IAM user can log in using different methods. The following describes how to log in through the login page. For more login methods, see Logging In to Huawei Cloud.

On the Huawei Cloud login page, click IAM User.
On the IAM User Login page, enter the company's account name, IAM username, and password.
- Account name: the name of the account that created the IAM user
- Username and password: the username and password specified for the IAM user
Figure 11 Logging in as the IAM user
Log in to the Huawei Cloud management console as the IAM user.
Choose Virtual Private Cloud and then Elastic Load Balance from the service list to go to the homepages of these services. If you can perform management operations on the homepages, the permissions are successfully configured.
Choose a service other than the preceding services from the service list. If the system displays a message indicating insufficient permissions, the permissions are successfully configured.