Permissions Management
If you need to assign different permissions to personnel in your enterprise to access your Cloud Connect resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources. If your HUAWEI IDaccount does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can control access to specific Huawei Cloud resources. For example, if you want some software developers in your enterprise to use Cloud Connect resources but do not want them to delete the resources or perform any other high-risk operations, you can grant permission to use the resources but not permission to delete them.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between the two authorization models.
|
Name |
Authorization Using |
Permissions |
Authorization Method |
Scenario |
|---|---|---|---|---|
|
Role/Policy |
User-permission-authorization scope |
|
Assigning roles or policies to principals |
To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It is hard to provide fine-grained permissions control using authorization by user groups and a limited number of condition keys. This method is suitable for small- and medium-sized enterprises. |
|
Identity policy |
User-policy |
|
|
You can authorize a user by directly attaching an identity policy to it. You can customize policies and attach them to specified users. Identity policies allow you to perform refined access control more efficiently and flexibly. However, this model is more complex and requires higher personnel expertise. It is more suitable for medium- and large-sized enterprises. |
Assume that you want to grant IAM users the permission to create ECSs in CN North-Beijing4 and OBS buckets in CN South-Guangzhou. With role/policy-based authorization, the administrator needs to create two custom policies and assign both to the IAM users. With identity policy-based authorization, the administrator only needs to create one custom policy and configure the condition key g:RequestedRegion for the policy and attach the policy to the users or grant the users the access permissions to the specified regions. Identity policy-based authorization is more flexible than role/policy-based authorization.
The two authorization models require independent policies and permissions. You are advised to use identity policies for authorization. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Permissions Management
Cloud Connect supports authorization with roles and policies. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
Cloud Connect is a global service deployed for all regions. When you set the authorization scope to Global services, users have permission to access Cloud Connect in all regions.
Table 2 lists all the system-defined policies for Cloud Connect in role/policy-based authorization. System-defined policies in role/policy-based authorization and identity policy-based authorization are not interoperable.
|
Role/Policy Name |
Description |
Type |
Dependencies |
|---|---|---|---|
|
Cross Connect Administrator |
Administrator permissions for Cloud Connect. Users with these permissions can perform all operations on Cloud Connect. To have these permissions, users must also have the Tenant Guest and VPC Administrator permissions. |
System-defined role |
Tenant Guest and VPC Administrator
|
|
CC FullAccess |
All permissions on Cloud Connect. |
System-defined policy |
CC Network Depend QueryAccess |
|
CC ReadOnlyAccess |
Read-only permissions for Cloud Connect. Users who have these permissions can only view Cloud Connect resources. |
System-defined policy |
- |
|
CC Network Depend QueryAccess |
Read-only permissions required to access dependency resources when using Cloud Connect. Users who have these permissions can view VPCs or virtual gateways. |
System-defined policy |
- |
Table 3 lists common operations supported by system-defined permissions.
|
Operation |
Cross Connect Administrator |
CC FullAccess |
CC ReadOnlyAccess |
|---|---|---|---|
|
Creating a cloud connection |
√ |
√ |
× |
|
Viewing a cloud connection |
√ |
√ |
√ |
|
Modifying a cloud connection |
√ |
√ |
× |
|
Deleting a cloud connection |
√ |
√ |
× |
|
Binding a bandwidth package to a cloud connection |
√ |
√ |
× |
|
Unbinding a bandwidth package from a cloud connection |
√ |
√ |
× |
|
Loading a network instance |
√ |
√ |
× |
|
Viewing a network instance |
√ |
√ |
√ |
|
Updating a network instance |
√ |
√ |
× |
|
Removing a network instance |
√ |
√ |
× |
|
Buying a bandwidth package |
√ |
√ |
× |
|
Viewing a bandwidth package |
√ |
√ |
√ |
|
Modifying a bandwidth package |
√ |
√ |
× |
|
Unsubscribing from a yearly/monthly bandwidth package |
√ |
√ |
× |
|
Renewing a yearly/monthly bandwidth package |
√ |
√ |
× |
|
Assigning an inter-region bandwidth |
√ |
√ |
× |
|
Viewing an inter-region bandwidth |
√ |
√ |
√ |
|
Modifying an inter-region bandwidth |
√ |
√ |
× |
|
Deleting an inter-region bandwidth |
√ |
√ |
× |
|
Viewing monitoring Data of an inter-region bandwidth |
√ |
√ |
√ |
|
Viewing routes |
√ |
√ |
√ |
|
Asking others to authorize the permission to access their VPCs |
√ |
√ |
× |
|
Viewing authorization |
√ |
√ |
√ |
|
Viewing the other users' VPCs that you are allowed to access |
√ |
√ |
√ |
|
Canceling authorization |
√ |
√ |
× |
|
Creating a central network |
× |
√ |
× |
|
Updating a central network |
× |
√ |
× |
|
Deleting a central network |
× |
√ |
× |
|
Viewing a central network |
× |
√ |
√ |
|
Querying central networks |
× |
√ |
√ |
|
Adding a central network policy |
× |
√ |
× |
|
Applying a central network policy |
× |
√ |
× |
|
Deleting a central network policy |
× |
√ |
× |
|
Querying central network policies |
× |
√ |
√ |
|
Querying policy changes |
× |
√ |
√ |
|
Querying central network connections |
× |
√ |
√ |
|
Updating a central network connection |
× |
√ |
× |
|
Adding a global DC gateway to a central network as an attachment |
× |
√ |
× |
|
Updating a global DC gateway on a central network |
× |
√ |
× |
|
Viewing a global DC gateway on a central network |
× |
√ |
√ |
|
Querying the global DC gateways on a central network |
× |
√ |
√ |
|
Removing an attachment from a central network |
× |
√ |
× |
|
Querying the attachments on a central network |
× |
√ |
√ |
|
Querying quotas |
√ |
√ |
√ |
|
Querying the capabilities |
√ |
√ |
√ |
Identity Policy-based Permissions Management
Cloud Connect supports authorization with identity policies. Table 4 lists all the system-defined policies for Cloud Connect in identity policy-based authorization. System-defined policies in role/policy-based authorization and identity policy-based authorization are not interoperable.
|
Policy Name |
Description |
Policy Type |
|---|---|---|
|
CCFullAccessPolicy |
All permissions on Cloud Connect. |
System-defined identity policy |
|
CCReadOnlyPolicy |
Read-only permissions for Cloud Connect. |
System-defined identity policy |
Table 5 lists common operations supported by system-defined identity policies of Cloud Connect.
|
Operation |
CCFullAccessPolicy |
CCReadOnlyPolicy |
|---|---|---|
|
Creating a cloud connection |
√ |
× |
|
Deleting a cloud connection |
√ |
× |
|
Updating a cloud connection |
√ |
× |
|
Viewing a cloud connection |
√ |
√ |
|
Querying cloud connections |
√ |
√ |
|
Creating a network instance |
√ |
× |
|
Removing a network instance |
√ |
× |
|
Updating a network instance |
√ |
× |
|
Querying network instance details |
√ |
√ |
|
Querying network instances |
√ |
√ |
|
Requesting a bandwidth package |
√ |
× |
|
Deleting a bandwidth package |
√ |
× |
|
Updating a bandwidth package |
√ |
× |
|
Querying bandwidth package details |
√ |
√ |
|
Querying bandwidth packages |
√ |
√ |
|
Binding a bandwidth package |
√ |
× |
|
Unbinding a bandwidth package |
√ |
× |
|
Assigning an inter-region bandwidth |
√ |
× |
|
Deleting an inter-region bandwidth |
√ |
× |
|
Updating an inter-region bandwidth |
√ |
× |
|
Querying inter-region bandwidth details |
√ |
√ |
|
Querying inter-region bandwidths |
√ |
√ |
|
Viewing a cloud connection route |
√ |
√ |
|
Querying cloud connection routes |
√ |
√ |
|
Querying the quotas |
√ |
√ |
|
Querying cloud connection and central network capabilities |
√ |
√ |
|
Creating a central network |
√ |
× |
|
Deleting a central network |
√ |
× |
|
Updating a central network |
√ |
× |
|
Querying details of a central network |
√ |
√ |
|
Querying central networks |
√ |
√ |
|
Adding a central network policy |
√ |
× |
|
Applying a central network policy |
√ |
× |
|
Deleting a central network policy |
√ |
× |
|
Querying central network policies |
√ |
√ |
|
Querying the changes between the current policy and the applied policy |
√ |
√ |
|
Querying central network connections |
√ |
√ |
|
Updating a central network connection |
√ |
× |
|
Adding a global DC gateway to a central network as an attachment |
√ |
× |
|
Updating a global DC gateway on a central network |
√ |
× |
|
Querying details of a global DC gateway on a central network |
√ |
√ |
|
Querying the global DC gateways on a central network |
√ |
√ |
|
Adding an enterprise router route table to a central network as an attachment |
√ |
× |
|
Updating an enterprise router route table added to a central network as an attachment |
√ |
× |
|
Querying details of an enterprise router route table added to a central network as an attachment |
√ |
√ |
|
Querying enterprise router route tables added to a central network as an attachment |
√ |
√ |
|
Removing an attachment from a central network |
√ |
× |
|
Querying the attachments on a central network |
√ |
× |
Roles or Policies that the Cloud Connect Console Depends on
|
Function |
Dependent Cloud Service/Resource |
Roles or Policies Required |
|---|---|---|
|
Assigning cross-site connection bandwidths on a central network |
Global connection bandwidth |
CCFullAccessPolicy and CC ReadOnlyAccess |
|
Modifying cross-site connection bandwidths on a central network |
Global connection bandwidth |
CCFullAccessPolicy and CC ReadOnlyAccess |
|
Viewing cross-site connection bandwidths on a central network |
Global connection bandwidth |
CCFullAccessPolicy and CC ReadOnlyAccess |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
