Permissions Management
If you need to assign different permissions to employees in your enterprise to access your CNAD Basic resources, IAM is an ideal choice for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control. If your Huawei Cloud account does not require IAM for permissions management, you can skip this section.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control the access to Huawei Cloud resources through authorization. For example, if you want certain software developers in your enterprise to use CNAD Basic without the ability to delete resources or perform high-risk operations, you can grant them only the necessary permissions for using CNAD Basic resources.
IAM supports two authorization models: role/policy-based authorization and identity policy-based authorization. Their differences and relationships are as follows:
| Authorization Model | Core Relationship | Permission | Authorization Method | Scenario |
|---|---|---|---|---|
| Role/policy-based authorization | User - permission - authorization scope | Role or policy | Granting a role or policy to a subject (a user group) | To authorize a user, you first add the user to a user group and then specify the authorization scope. Because authorization is by user group and only a limited number of condition keys are available, fine-grained permissions control is hard to achieve. This model is suitable for small- and medium-sized enterprises. |
| Identity policy-based authorization | User - policy | Identity policy | Attaching an identity policy to a user | You authorize a user by attaching an identity policy directly to it. Per-user authorization and a wide range of condition keys allow more fine-grained permissions control. However, this model is harder to set up and requires more expertise; it is suitable for medium- and large-sized enterprises. |
Role/Policy-based Permissions Management
CNAD Basic supports role/policy-based authorization. By default, a new IAM user has no permissions at all. To authorize a user, add it to one or more user groups and attach permission policies or roles to those groups. A user inherits the permissions of every group it belongs to and can then perform only the operations those permissions allow.
CNAD Basic is a project-level service that is deployed and accessed in specific physical regions, so the authorization scope matters. If you set Scope to Region-specific projects and select particular projects (for example, ap-southeast-2) in particular regions (for example, AP-Bangkok), the users have permissions only for CNAD Basic resources in the selected projects. If you set Scope to All resources, the users have permissions for CNAD Basic resources in every region-specific project. In either case, when accessing CNAD Basic the users must switch to a region in which they have been authorized; in other regions their requests are denied.
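The evaluation rules above (default deny for new users, inheritance through user groups, and region-specific versus all-resources scope) as a small constructed model. This is an example added for this page, not Huawei Cloud IAM code and not its real policy engine: the policy names are those listed in Table 1, while the read/mutating split of operations, the ALL_RESOURCES marker, and the group, user and project names in the sample directory (cnad-readers, cnad-admins, alice, bob, carol, ap-southeast-3) are assumptions.

```python
"""Constructed model of CNAD Basic authorization under role/policy-based IAM.

Illustrative only: not Huawei Cloud IAM code or its policy engine. The
policy names come from the page's Table 1; the operation classification,
the ALL_RESOURCES marker and the sample directory contents are assumptions.
"""
from dataclasses import dataclass, field

ALL_RESOURCES = "*"  # assumed marker for Scope = "All resources"

# Assumed: ReadOnlyAccess covers only read operations; FullAccess and the
# Administrator role cover every CNAD Basic operation.
READ_OPS = frozenset({"list", "get", "describe"})
POLICY_ALLOWS = {
    "Anti-DDoS ReadOnlyAccess": lambda op: op in READ_OPS,
    "Anti-DDoS FullAccess": lambda op: True,
    "Anti-DDoS Administrator": lambda op: True,
}


@dataclass(frozen=True)
class Grant:
    """A system role/policy attached to a user group, with its scope."""
    policy: str
    scope: frozenset  # region-specific project names, or {ALL_RESOURCES}


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)      # group -> list[Grant]
    membership: dict = field(default_factory=dict)  # user -> set[group]

    def attach(self, group: str, policy: str, scope) -> None:
        """Attach a policy to a group; scope is ALL_RESOURCES or a project list."""
        if policy not in POLICY_ALLOWS:
            raise ValueError(f"unknown CNAD Basic policy: {policy}")
        if scope == ALL_RESOURCES:
            projects = frozenset([ALL_RESOURCES])
        else:
            projects = frozenset(scope)
        self.groups.setdefault(group, []).append(Grant(policy, projects))

    def add_user_to_group(self, user: str, group: str) -> None:
        self.membership.setdefault(user, set()).add(group)

    def is_allowed(self, user: str, op: str, project: str) -> bool:
        """Default deny: allow only if an inherited grant covers op in project."""
        for group in self.membership.get(user, ()):
            for grant in self.groups.get(group, ()):
                in_scope = ALL_RESOURCES in grant.scope or project in grant.scope
                if in_scope and POLICY_ALLOWS[grant.policy](op):
                    return True
        return False

    def authorized_projects(self, user: str, op: str, all_projects) -> list:
        """Projects the user must switch to before op can succeed."""
        return sorted(p for p in all_projects if self.is_allowed(user, op, p))


def build_sample() -> Directory:
    """Constructed sample: a read-only group scoped to one project and an
    admin group scoped to all resources. All names are assumptions."""
    d = Directory()
    d.attach("cnad-readers", "Anti-DDoS ReadOnlyAccess", ["ap-southeast-2"])
    d.attach("cnad-admins", "Anti-DDoS FullAccess", ALL_RESOURCES)
    d.add_user_to_group("alice", "cnad-readers")
    d.add_user_to_group("bob", "cnad-admins")
    # carol is a freshly created IAM user in no group: she can do nothing.
    return d


if __name__ == "__main__":
    d = build_sample()
    projects = ["ap-southeast-2", "ap-southeast-3"]
    for user in ("alice", "bob", "carol"):
        for op in ("list", "delete"):
            print(user, op, d.authorized_projects(user, op, projects))
```

Running the block shows the three outcomes a practitioner should verify after granting access: a read-only user scoped to ap-southeast-2 can list resources there but cannot delete anything and sees nothing in other projects, a FullAccess user scoped to all resources can operate everywhere, and a user who was never added to a group is denied everything.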
Table 1 lists all CNAD Basic system-defined permissions. Note that a system-defined policy from role/policy-based authorization cannot be used in identity policy-based authorization, and vice versa; choose one model and grant permissions within it.
| Role/Policy Name | Description | Type |
|---|---|---|
| Anti-DDoS Administrator | Administrator permissions for CNAD Basic. | System-defined role |
| Anti-DDoS FullAccess | All permissions for CNAD Basic. | System-defined policy |
| Anti-DDoS ReadOnlyAccess | Read-only permissions for CNAD Basic. | System-defined policy |