Bu sayfa henüz yerel dilinizde mevcut değildir. Daha fazla dil seçeneği eklemek için yoğun bir şekilde çalışıyoruz. Desteğiniz için teşekkür ederiz.
- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Key Pair Service
- Dedicated HSM
- Tag Management
- Auditing Logs
- Sharing
- Permission Control
-
Best Practices
- Key Management Service
- Cloud Secret Management Service
- General
-
API Reference
- Before You Start
- Calling APIs
- API Overview
-
APIs
-
Key Management APIs
- Key Lifecycle Management
- DEK Management
- Small-Size Data Encryption and Decryption
- Signature and Verification
- Key Tag Management
- Key API Version Query
- Querying Key API Versions
- Key Import Management
- Querying Keys
- Key Grant Management
- Key Rotation Management
- Dedicated Keystore Management
- Signature Verification
- Key Pair Management APIs
- Secret Management APIs
-
Key Management APIs
- Historical APIs
- Application Examples
- Permissions Policies and Supported Actions
- Appendix
- SDK Reference
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- How Do I Use an Asymmetric Key to Verify the Signature Result of a Public Key Pair?
- Does an Imported Key Support Rotation?
- Does KMS Support Offline Data Encryption and Decryption?
- How Do I Convert an Original EC Private Key into a Private Key in PKCS8 Format?
- CSMS Related
-
KPS Related
- How Do I Create a Key Pair?
- What Are a Private Key Pair and an Account Key Pair?
- How Do I Handle an Import Failure of a Key Pair Created Using PuTTYgen?
- What Should I Do When I Fail to Import a Key Pair Using Internet Explorer 9?
- How Do I Log In to a Linux ECS with a Private Key?
- How Do I Use a Private Key to Obtain the Password to Log In to a Windows ECS?
- How Do I Handle the Failure in Binding a Key Pair?
- How Do I Handle the Failure in Replacing a Key Pair?
- How Do I Handle the Failure in Resetting a Key Pair?
- How Do I Handle the Failure in Unbinding a Key Pair?
- Do I Need to Restart Servers After Replacing Its Key Pair?
- How Do I Enable the Password Login Mode for an ECS?
- How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
- What Should I Do If My Private Key Is Lost?
- How Do I Convert the Format of a Private Key File?
- Can I Change the Key Pair of a Server?
- Can a Key Pair Be Shared by Multiple Users?
- How Do I Obtain the Public or Private Key File of a Key Pair?
- What Can I Do If an Error Is Reported When an Account Key Is Created or Upgraded for the First Time?
- Will the Account Key Pair Quota Be Occupied After a Private Key Pair Is Upgraded to an Account Key Pair?
- Why Is the Private Key Pair Invisible After It Is Upgraded to an Account Key Pair When Logging in as a Federated User?
-
Dedicated HSM Related
- What Is Dedicated HSM?
- How Does Dedicated HSM Ensure the Security for Key Generation?
- Do Equipment Room Personnel Has the Super Administrator Role to Steal Information by Using a Privileged UKey?
- What HSMs Are Used for Dedicated HSM?
- What APIs Does Dedicated HSM Support?
- How Do I Enable Public Access to a Dedicated HSM Instance?
- Pricing
-
General
- What Functions Does DEW Provide?
- What Cryptography Algorithms Does DEW Use?
- In Which Regions Are DEW Services Available?
- What Is a Quota?
- What Is the Resource Allocation Mechanism of DEW?
- What Are Regions and AZs?
- Can DEW Be Shared Across Accounts?
- How Do I Access the Functions of DEW?
- Why Do DEW Pemissions Fail to Take Effect Immediately?
-
KMS Related
- Videos
-
More Documents
- User Guide (ME-Abu Dhabi Region)
- User Guide (Paris and Amsterdam Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
-
User Guide
- Key Management Service
- Cloud Secret Management Service
- Auditing Logs
- Permission Control
-
FAQs
-
KMS Related
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Types of Keys Can I Import?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key Algorithms Supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
- How Does KMS Protect My Keys?
- Credential Related
-
KMS Related
- Change History
-
API Reference (ME-Abu Dhabi Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Querying CMK Instances
- Querying CMK Tags
- Querying Project Tags
- Adding or Deleting CMK Tags in Batches
- Adding a CMK Tag
- Deleting a CMK Tag
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
API Reference (Paris and Amsterdam Regions)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- Calling APIs
- API Overview
-
APIs
- Creating a CMK
- Enabling a CMK
- Disabling a CMK
- Scheduling the Deletion of a CMK
- Canceling the Scheduled Deletion of a CMK
- Querying the List of CMKs
- Querying the Information About a CMK
- Creating a Random Number
- Creating a DEK
- Creating a Plaintext-Free DEK
- Encrypting a DEK
- Decrypting a DEK
- Querying the Number of Instances
- Querying the Quota of a User
- Changing the Alias of a CMK
- Changing the Description of a CMK
- Creating a Grant
- Revoking a Grant
- Retiring a Grant
- Querying Grants on a CMK
- Querying Grants That Can Be Retired
- Encrypting Data
- Decrypting Data
- Obtaining CMK Import Parameters
- Importing CMK Material
- Deleting CMK Material
- Enabling Rotation for a CMK
- Changing the Rotation Interval for a CMK
- Disabling Rotation for a CMK
- Querying the Rotation Status of a CMK
- Appendix
- Change History
- General Reference
Show all
Copied.
DEW Permission Management
If you want to assign different access permissions to employees in an enterprise for the DEW resources purchased on Huawei Cloud, you can use Identity and Access Management (IAM) to perform refined permission management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can use your Huawei account to create IAM users for your employees, and grant permissions to the users to control their access to specific resource types. For example, if you have software developers and you want to assign them the permission to access DEW but not to delete DEW or its resources, then you can create an IAM policy to assign the developers the permission to access DEW but prevent them from deleting DEW related data.
If the Huawei account has met your requirements and you do not need to create an independent IAM user for permission control, skip this section. This will not affect other functions of DEW.
IAM is free. You pay only for the resources in your account. For details about IAM, see IAM Service Overview.
DEW Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services based on the permissions.
DEW is a project-level service deployed and accessed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. Users need to switch to the authorized region when accessing DEW.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you must also assign other roles that the permissions depend on to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant DEW users only the permissions for managing a certain type of cloud servers. Most policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by DEW, see Permissions Policies and Supported Actions.
KMS system policies, KPS system policies, and CSMS system policies list all DEW system permissions.
|
Role/Policy |
Description |
Type |
Dependency |
|---|---|---|---|
|
KMS Administrator |
All permissions of KMS |
Role |
None |
|
KMS CMKFullAccess |
All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
|
KMS CMKReadOnlyAccess |
Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
|
Role/Policy |
Description |
Type |
Dependency |
|---|---|---|---|
|
DEW KeypairFullAccess |
All permissions for KPS. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
|
DEW KeypairReadOnlyAccess |
Read-only permissions for KPS in DEW. Users with this permission can only view KPS data. |
Policy |
None |
|
Role/Policy |
Description |
Type |
Dependency |
|---|---|---|---|
|
CSMS FullAccess |
All permissions for CSMS in DEW. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
|
CSMS ReadOnlyAccess |
Read-only permissions for CSMS in DEW. Users with these permissions can perform all the operations allowed by policies. |
Policy |
None |
NOTE:
Key pairs do not support enterprise project authorization. The DEW KeypairFullAccess and DEW KeypairReadOnlyAccess policies cannot be used for enterprise project authorization.
Table 4 lists the common operations supported by each system-defined permission of DEW. Select the permissions as needed.
|
Operation |
KMS Administrator |
KMS CMKFullAccess |
|---|---|---|
|
Create a key |
√ |
√ |
|
Enable a key |
√ |
√ |
|
Disable a key |
√ |
√ |
|
Schedule key deletion |
√ |
√ |
|
Cancel scheduled key deletion |
√ |
√ |
|
Modify a key alias |
√ |
√ |
|
Modify key description |
√ |
√ |
|
Generate a random number |
√ |
√ |
|
Create a DEK |
√ |
√ |
|
Create a plaintext-free DEK |
√ |
√ |
|
Encrypt a DEK |
√ |
√ |
|
Decrypt a DEK |
√ |
√ |
|
Obtain parameters for importing a key |
√ |
√ |
|
Import key materials |
√ |
√ |
|
Delete key materials |
√ |
√ |
|
Create a grant |
√ |
√ |
|
Revoke a grant |
√ |
√ |
|
Retire a grant |
√ |
√ |
|
Query the grant list |
√ |
√ |
|
Query retirable grants |
√ |
√ |
|
Encrypt data |
√ |
√ |
|
Decrypt data |
√ |
√ |
|
Send signature messages |
√ |
√ |
|
Authenticate signature |
√ |
√ |
|
Enable key rotation |
√ |
√ |
|
Modify key rotation interval |
√ |
√ |
|
Disable key rotation |
√ |
√ |
|
Query key rotation status |
√ |
√ |
|
Query CMK instances |
√ |
√ |
|
Query key tags |
√ |
√ |
|
Query project tags |
√ |
√ |
|
Batch add or delete key tags |
√ |
√ |
|
Add tags to a key |
√ |
√ |
|
Delete key tags |
√ |
√ |
|
Query the key list |
√ |
√ |
|
Query key details |
√ |
√ |
|
Query a public key |
√ |
√ |
|
Query instance quantity |
√ |
√ |
|
Query quotas |
√ |
√ |
|
Query the key pair list |
x |
x |
|
Create or import a key pair |
x |
x |
|
Query key pairs |
x |
x |
|
Delete a key pair |
x |
x |
|
Update key pair description |
x |
x |
|
Bind a key pair |
x |
x |
|
Unbind a key pair |
x |
x |
|
Query a binding task |
x |
x |
|
Query failed tasks |
x |
x |
|
Delete all failed tasks |
x |
x |
|
Delete the failed task |
x |
x |
|
Query running tasks |
x |
x |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
