Updated on 2025-03-21 GMT+08:00

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your Huawei Cloud Astro Canvas resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, if you want your software developers to use Huawei Cloud Astro Canvas resources but not delete them or perform any high-risk operations, you can create IAM users for these software developers and assign them only the permissions required for using Huawei Cloud Astro Canvas resources.

If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.

IAM is free of charge. You pay only for the resources you use. For more information about IAM, see What Is IAM?

Huawei Cloud Astro Canvas Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to user groups and attach policies or roles to these groups. The users then inherit permissions from their user groups and can perform specified operations on cloud services based on those permissions.

Huawei Cloud Astro Canvas is a project-level service deployed in specific physical regions. When granting permissions, set the scope to regional-level projects and set permissions in the project corresponding to the specified region. The permissions take effect only for this project. If you set permissions for All projects, the permissions will take effect for all region-specific projects. When accessing Huawei Cloud Astro Canvas, switch to the region where you are authorized.

You can grant permissions by using roles and policies.

  • Roles: A coarse-grained authorization that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.

Table 1 lists all system permissions of Huawei Cloud Astro Canvas.

Table 1 System permissions

| Policy | Description | Type | Policy Content |
| --- | --- | --- | --- |
| Astro Canvas FullAccess | Administrator permission. Users granted this permission can use all functions. | System policy | Astro Canvas FullAccess Policy Content |
| Astro Canvas InstanceManagement | Permission to manage Huawei Cloud Astro Canvas instances, including creating and managing instances. | System policy | Astro Canvas InstanceManagement Policy Content |

Table 2 lists the common operations supported by each Huawei Cloud Astro Canvas system policy. Select the policies as required.

Table 2 Common operations supported by each system policy

| Operation | Astro Canvas FullAccess | Astro Canvas InstanceManagement |
| --- | --- | --- |
| Querying the product sales period | | |
| Querying order information | | |
| Querying subscription prices | | |
| Querying instance information | | |
| Querying price details for batch change | | |
| Querying cloud service expiration | | |
| Purchasing an instance | | |
| Purchasing an expansion package | | |
| Upgrading an instance | | |
| Freezing an instance | | |
| Unfreezing an instance | | |
| Deleting an instance | | |

Astro Canvas FullAccess Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "astrocanvas:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

Astro Canvas InstanceManagement Policy Content

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "astrocanvas:instances:*"
            ],
            "Effect": "Allow"
        }
    ]
}
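
The following added example (not part of the original page or of Huawei Cloud's own tooling) evaluates the two system policies above against individual actions and shows how an explicit Deny in a custom policy narrows the `astrocanvas:instances:*` wildcard, as in the "use but not delete" scenario described earlier. The action names `astrocanvas:instances:get`, `astrocanvas:instances:delete` and `astrocanvas:projects:list` are hypothetical placeholders, and the evaluator is a simplified model that reads only `Action` and `Effect`.

```python
import json
from fnmatch import fnmatchcase

# The two system policies exactly as shown on this page.
FULL_ACCESS = json.loads(
    '{"Version": "1.1", "Statement": [{"Action": ["astrocanvas:*:*"], "Effect": "Allow"}]}')
INSTANCE_MGMT = json.loads(
    '{"Version": "1.1", "Statement": [{"Action": ["astrocanvas:instances:*"], "Effect": "Allow"}]}')

# Constructed custom policy: the action name is a hypothetical placeholder,
# take the real one from the service's action list before using it.
DENY_DELETE = {
    "Version": "1.1",
    "Statement": [{"Action": ["astrocanvas:instances:delete"], "Effect": "Deny"}],
}


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action string.

    Simplified model: only Action and Effect are read (no Resource or
    Condition), '*' is the only wildcard, and an explicit Deny wins.
    """
    effects = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
                effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def wildcard_grants(policy):
    """List Allow patterns that contain '*', i.e. grants worth reviewing."""
    return [pattern
            for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for pattern in stmt["Action"] if "*" in pattern]


if __name__ == "__main__":
    cases = [("InstanceManagement", [INSTANCE_MGMT]),
             ("InstanceManagement + deny", [INSTANCE_MGMT, DENY_DELETE])]
    for name, attached in cases:
        for action in ("astrocanvas:instances:get", "astrocanvas:instances:delete"):
            print(f"{name:28} {action:32} {evaluate(attached, action)}")
```

Both system policies appear in `wildcard_grants`, so a group that should not perform high-risk instance operations needs an additional custom policy rather than a system policy alone.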