Permissions Management
If you need to assign different permissions to employees in your enterprise to access your Huawei Cloud Astro Canvas resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, if you want your software developers to use Huawei Cloud Astro Canvas resources but not delete them or perform any high-risk operations, you can create IAM users for these software developers and assign them only the permissions required for using Huawei Cloud Astro Canvas resources.
If your Huawei Cloud account does not need individual IAM users for permissions management, skip this chapter.
IAM is free of charge. You pay only for the resources you use. For more information about IAM, see What Is IAM?
Huawei Cloud Astro Canvas Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to user groups and attach policies or roles to these groups. The users then inherit permissions from their user groups and can perform specified operations on cloud services based on those permissions.
Huawei Cloud Astro Canvas is a project-level service deployed in specific physical regions. When granting permissions, set the scope to regional-level projects and set permissions in the project corresponding to the specified region. The permissions take effect only for this project. If you set permissions for All projects, the permissions will take effect for all region-specific projects. When accessing Huawei Cloud Astro Canvas, switch to the region where you are authorized.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.
Table 1 lists all system permissions of Huawei Cloud Astro Canvas.
Policy | Description | Type | Policy Content |
---|---|---|---|
Astro Canvas FullAccess | Administrator permission. Users granted this permission can use all functions. | System policy | |
Astro Canvas InstanceManagement | Permission to manage Huawei Cloud Astro Canvas instances, including creating and managing instances. | System policy | |
Table 2 lists the common operations supported by each Huawei Cloud Astro Canvas system policy. Select the policies as required.
Operation | Astro Canvas FullAccess | Astro Canvas InstanceManagement |
---|---|---|
Querying the product sales period | √ | √ |
Querying order information | √ | √ |
Querying subscription prices | √ | √ |
Querying instance information | √ | √ |
Querying price details for batch change | √ | √ |
Querying cloud service expiration | √ | √ |
Purchasing an instance | √ | √ |
Purchasing an expansion package | √ | √ |
Upgrading an instance | √ | √ |
Freezing an instance | √ | √ |
Unfreezing an instance | √ | √ |
Deleting an instance | √ | √ |