Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ FAQs/ Permissions Management/ How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
Updated on 2025-11-06 GMT+08:00
View PDF
Share

How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?

Symptom

You want to grant an IAM user permissions to place orders but disallow the user to pay for the orders.

Solution

However, the system-defined permissions of Billing Center registered with IAM cannot meet your requirements. You need to create a custom identity policy containing the required permissions and use the identity policy to grant permissions to the IAM user.

Prerequisites

You have already created an IAM user. For details, see Creating an IAM User.

Procedure

  1. Log in to the Huawei Cloud management console.
  2. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. In the navigation pane on the left, choose Identity Policies. In the upper right corner, click Create Identity Policy.

    Figure 1 Creating a custom identity policy

  4. Enter a policy name: billing_order.
  5. Select Visual editor for Policy View.
  6. In the Policy Content area, configure permissions that allow the user to place orders but disallow the user to pay for the orders.

    • Configuring permissions to disallow order payment
      1. Select Deny.
      2. Select billing.
      3. In the Actions pane, expand the Write area, and select action billing:order:pay.
        Figure 2 Configuring permissions to disallow order payment
      4. Select All resources for Resources.
    • Configuring permissions to allow order placement
      1. Select Allow.
      2. Select billing.
      3. In the Actions pane, expand the Write area, select action billing:bill:update, and select all the actions in the Read area.
        Figure 3 Configuring permissions to allow order placement
      4. Select All resources for Resources.

  7. Set a description for the identity policy, for example, Permissions to place orders but disallow order payment.
  8. Click OK.
  9. Attach the custom identity policy to the created IAM user.

    You can attach custom identity policies to a user in the same way you attach system-defined identity policies. For details, see Assigning Permissions to an IAM User.

    When the IAM user logs in and goes to the Unpaid Orders page of the Billing Center, the Pay button is grayed out in the Operation column.

    Figure 4 Setting successful (Pay button grayed out)
    Figure 5 Setting failed (Pay button available)

Parent topic: Permissions Management