Help Center/ Cloud Data Migration/ Service Overview/ Security/ Identity Authentication and Access Control

Updated on 2022-12-16 GMT+08:00

View PDF

Identity Authentication and Access Control

Identity Authentication

You can access CDM through the CDM console or open APIs. In either way, access requests are sent through the RESTful APIs provided by CDM.

CDM APIs can be accessed upon successful authentication. Requests sent through the CDM console and requests for calling APIs can both be authenticated using tokens.

Access Control

You can use Identity and Access Management (IAM) to implement fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources. For more information about IAM, see IAM Service Overview.

You can grant users permissions by using roles and policies.

Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, a specific user group is not allowed to delete a cluster. Only basic CDM operations (such as creating and querying jobs) are allowed.

Table 1 lists all the system-defined roles and policies supported by CDM.

**Table 1** System-defined roles and policies supported by CDM
Role/Policy Name	Description	Type
CDM Administrator	Permissions: Administrator permissions for all operations on CDM resources. Users granted these permissions must also be granted permissions of the Tenant Guest and Server Administrator policies. Users granted permissions of the VPC Administrator policy can create VPCs and subnets. Users granted permissions of the Cloud Eye Administrator policy can view monitoring information of CDM clusters.	System role
CDM FullAccess	Administrator permissions for CDM. Users granted these permissions can perform all operations on CDM resources.	System-defined policy
CDM FullAccessExceptEIPUpdating	Users granted these permissions can perform all operations on CDM resources except binding and unbinding EIPs.	System-defined policy
CDM CommonOperations	Users granted these permissions can operate CDM jobs and links.	System-defined policy
CDM ReadOnlyAccess	Read-only permissions for CDM. Users granted these permissions can only view CDM clusters, links, and jobs.	System-defined policy