Permissions Management
If you need to grant your enterprise personnel permission to access your CAE resources, use Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to be able to use CAE resources but do not want them to be able to delete CAE resources or perform any other high-risk operations, you can create IAM users and grant permission to use CAE resources but not permission to delete them.
If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
For more information about IAM, see IAM Service Overview.
CAE Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
CAE is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-east-3) in the specified regions (for example, CN East-Shanghai1), the users only have permissions for CAE in the selected projects. If you set Scope to All resources, the users have permissions for CAE in all region-specific projects. When accessing CAE, the users need to switch to the authorized region.
You can grant permissions by using roles and policies.
- Roles: IAM's coarse-grained authorization that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Different services often depend on other services, so these dependencies must be considered when assigning roles. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization tool that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.
Table 1 lists all the system-defined permissions for CAE.
|
Role/Policy Name |
Description |
Type |
Dependent System Permissions |
Service Dependency and Scenario |
|---|---|---|---|---|
|
CAE FullAccess |
Full permissions for CAE. |
System-defined policy |
Must be used together with these permissions:
|
Full permissions for CAE. |
|
CAE ReadOnlyAccess |
Read-only permissions for CAE. |
System-defined policy |
Must be used together with these permissions:
|
Read-only permissions for CAE. |
Policies are also customizable beyond permissions listed in Table 1 do not meet your requirements, as shown in Table 2.
|
Description |
CAE ReadOnlyAccess |
CAE FullAccess |
|---|---|---|
|
Buy a package |
x |
√ |
|
Create an environment |
x |
√ |
|
Query all environments |
√ |
√ |
|
Query environment information |
√ |
√ |
|
Delete an environment |
x |
√ |
|
Create an application |
x |
√ |
|
Query application information |
√ |
√ |
|
Query all applications |
√ |
√ |
|
Update application information |
x |
√ |
|
Delete an application |
x |
√ |
|
Create a component |
x |
√ |
|
Query component information |
√ |
√ |
|
Query component configurations |
√ |
√ |
|
Query component events |
√ |
√ |
|
Query all components and instances |
√ |
√ |
|
View usage data |
√ |
√ |
|
Modify component configurations |
x |
√ |
|
Scale, upgrade, roll back, stop, start, restart, and edit components |
x |
√ |
|
Delete a component |
x |
√ |
|
Enable certificate configuration |
x |
√ |
|
View certificate configurations |
√ |
√ |
|
Modify certificate configurations |
x |
√ |
|
Disable certificate configuration |
x |
√ |
|
Configure a domain name |
x |
√ |
|
View a domain name |
√ |
√ |
|
Cancel domain name configuration |
x |
√ |
|
Authorize cloud storage |
x |
√ |
|
Unbind cloud storage |
x |
√ |
|
Log in remotely |
x |
√ |
Role/Policy Dependencies of the CAE Console
|
Console Function |
Dependency |
Role/Policy Required |
|---|---|---|
|
Object Storage Service (OBS) |
To use these two functions, an IAM user must be granted: CAE FullAccess and OBS Administrator. |
|
Create an environment |
Application Operations Management (AOM) |
To create an environment, an IAM user must be granted: CAE FullAccess and AOM FullAccess.
NOTE:
If IAM users are granted the V3 system permission CAE FullAccess for an enterprise project, they cannot use the component event and component log functions. Permissions of CAE that depend on AOM do not support enterprise projects, including aom:alarm:list (querying event alarm information), aom:metric:get (querying metrics), and aom:metric:list (querying time series data). For details about AOM permissions policies and supported actions, see Actions Supported by Policy-based Authorization. |
|
Component creation, deployment, upgrade, and rollback |
Software Repository for Container (SWR) |
To perform operations on components, an IAM user must be granted: CAE FullAccess and SWR Admin. |
|
Query and configure public domain names |
Domain Name Service (DNS) |
To query and configure public domain names, an IAM user must be granted: CAE FullAccess and DNS Administrator.
NOTE:
To grant the DNS Administrator permission, the VPC Administrator and Tenant Guest permissions must be granted. After the DNS Administrator permission is granted, the VPC Administrator and Tenant Guest permissions can be deleted. The deletion does not affect domain name configuration. |
|
Buy a package and make payment |
Billing Center (BSS) |
To buy a package and make payment, an IAM user must be granted: CAE FullAccess and BSS Finance. |
|
Data Encryption Workshop (DEW) |
To configure secrets and use them to configure environment variables, an IAM user must be granted: CAE FullAccess, KMS CMKFullAccess (all permissions for KMS CMKs), and CSMS ReadonlyAccess (read-only permissions for CSMS). |
Customizing Fine-grained Policies
To use a custom fine-grained policy, log in to IAM as the administrator and select fine-grained permissions of CAE as required. Table 4 describes fine-grained permission dependencies of CAE.
On the IAM console, choose Permissions > Policies/Roles > Create Custom Policy > Select service > CAE > Policy Content. Only the permissions (cae:environment:* and cae:application:*) listed in the following table apply to Huawei Cloud regions.
|
Permission Name |
Description |
Permission Dependency |
Scenarios (Actions) |
|---|---|---|---|
|
cae:environment:create |
Create an environment |
|
|
|
cae:environment:list |
Query all environments |
|
|
|
cae:environment:get |
Query environment information |
None |
- |
|
cae:environment:delete |
Delete an environment |
|
|
|
cae:application:create |
Create an application |
|
|
|
cae:application:get |
Query application information |
|
|
|
cae:application:list |
Query all applications |
None |
|
|
cae:application:modify |
Update application information |
|
Component operations:
|
|
cae:application:delete |
Delete an application |
|
|
|
cae:application:createConsole |
Log in remotely |
|
Log in remotely |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
