Permission Management
If you need to assign different permissions for employees in your organization to access DataArts Fabric resources, IAM is a good choice for fine-grained permission management. IAM provides user authentication, permission assignment, and access control, enabling secure management of access to your cloud resources. If your HUAWEI ID does not require IAM for permission management, you may skip this section.
IAM can be used free of charge. You pay only for the resources in your account.
With IAM, you can control the scope of access to specific Huawei Cloud resources. For example, if certain employees are involved in software development and need access to DataArts Fabric resources, but you want to prevent them from performing high-risk actions such as deleting those resources, you can create IAM users and grant them usage permissions only, while withholding deletion rights.
DataArts Fabric supports role/policy-based authorization.
| Policy | Core Relationship | Permission | Authorization Method | Application Scenario |
|---|---|---|---|---|
| Role/Policy-based authorization | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
For example, if you need to grant an IAM user permission to create ECSs in the CN North-Beijing4 region A and OBS buckets in the CN South-Guangzhou region B, under role/policy-based authorization you must create two custom policies and assign both to the IAM user. With identity policy-based authorization, however, you only need to create one custom identity policy, configure the condition key g:RequestedRegion for it, and then attach the policy to the users or grant the users access to the specified regions. Identity policy-based authorization is therefore more flexible than role/policy-based authorization.
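The following Python model, added here and not part of this documentation or of Huawei Cloud's policy engine, makes the contrast concrete: one statement list carrying a g:RequestedRegion condition replaces the two region-specific custom policies, and an explicit Deny withholds delete actions as described earlier. The action names, the cn-south-1 region ID and the simplified policy JSON shape are assumptions for the example.

```python
"""Simplified model of identity-policy evaluation with g:RequestedRegion.

Constructed example: not Huawei Cloud's evaluation engine. A policy is a
list of statements with Effect, Action patterns and an optional Condition.
"""
from fnmatch import fnmatchcase

# Hypothetical action names used only for this example; real Huawei Cloud
# action identifiers differ.
CREATE_ECS = "ecs:servers:create"
DELETE_ECS = "ecs:servers:delete"
CREATE_BUCKET = "obs:buckets:create"


def statement_matches(stmt, action, ctx):
    """True if the statement's Action patterns and Condition cover the request.

    Only StringEquals is modelled; a key missing from ctx never satisfies a
    condition, so a request that carries no region is not allowed.
    """
    if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, allowed in keys.items():
            if ctx.get(key) not in allowed:
                return False
    return True


def is_allowed(policies, action, ctx):
    """Deny-overrides: any matching Deny wins, otherwise any matching Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# One policy instead of two: ECS actions only in cn-north-4, bucket creation
# only in cn-south-1 (region ID assumed), and every delete action denied.
REGION_SCOPED_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*"],
     "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}}},
    {"Effect": "Allow", "Action": [CREATE_BUCKET],
     "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-south-1"]}}},
    {"Effect": "Deny", "Action": ["*:delete*"]},
]}
```

Calling `is_allowed([REGION_SCOPED_POLICY], CREATE_ECS, {"g:RequestedRegion": "cn-south-1"})` returns False, while the same request with cn-north-4 returns True; DELETE_ECS is refused in every region because the Deny statement matches first.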
For more information about IAM, see IAM Service Overview.
Role/Policy-based Authorization
DataArts Fabric supports role/policy-based authorization. By default, new IAM users do not have any permissions. To grant permissions, you must add them to one or more groups and attach policies or roles to these groups. This process is known as authorization. Once authorized, users can use cloud services based on the granted permissions.
DataArts Fabric is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, cn-north-4) in the specified regions (for example, CN North-Beijing4), the users only have permissions for resources in the selected projects. If you set Scope to All resources, the users have permissions for resources in all region-specific projects. When accessing DataArts Fabric, the users need to switch to a region where they have been authorized to use this service.
The following table lists all system-defined permissions of DataArts Fabric.
| Role/Policy Name | Description | Category | Dependency |
|---|---|---|---|
| DataArtsFabricFullPolicy | Full permissions for DataArts Fabric. | System-defined policy | |
| DataArtsFabricConsoleFullPolicy | All permissions for using DataArts Fabric on the console, including all permissions of DataArtsFabricFullPolicy and certain permissions required on the console. | System-defined policy | |
| DataArtsFabricReadOnlyPolicy | Read-only permissions for DataArts Fabric. | System-defined policy | LakeFormation ReadOnlyAccess |
The following table lists the common operations supported by system-defined permissions for DataArts Fabric. Refer to this table to select the appropriate permissions as needed.
| Operation | DataArtsFabricConsoleFullPolicy | DataArtsFabricFullPolicy | DataArtsFabricReadOnlyPolicy |
|---|---|---|---|
| Listing workspaces | √ | √ | √ |
| Creating a workspace | √ | √ | × |
| Modifying a workspace | √ | √ | × |
| Modifying workspace monitoring configuration | √ | √ | × |
| Deleting a workspace | √ | √ | × |
| Querying compute resources | √ | √ | √ |
| Creating a compute resource | √ | √ | × |
| Modifying a compute resource | √ | √ | × |
| Deleting a compute resource | √ | √ | × |
| Listing the endpoints of a workspace | √ | √ | √ |
| Creating an endpoint for a workspace | √ | √ | × |
| Querying the endpoint details of a workspace | √ | √ | √ |
| Modifying an endpoint of a workspace | √ | √ | × |
| Deleting an endpoint of a workspace | √ | √ | × |
| Listing jobs | √ | √ | √ |
| Creating a job | √ | √ | × |
| Querying jobs | √ | √ | √ |
| Modifying a job | √ | √ | × |
| Deleting a job | √ | √ | × |
| Listing services | √ | √ | √ |
| Creating a service | √ | √ | × |
| Modifying a service | √ | √ | × |
| Querying services | √ | √ | √ |
| Deleting a service | √ | √ | × |
| Creating a model | √ | √ | × |
| Listing models | √ | √ | √ |
| Querying models | √ | √ | √ |
| Deleting a model | √ | √ | × |
| Modifying a model | √ | √ | × |
| Creating a tag | √ | √ | × |
| Deleting a tag | √ | √ | × |
| Listing tags | √ | √ | √ |
| Querying tags of a specific resource | √ | √ | √ |
| Listing resources by tag | √ | √ | √ |
| Creating a notification policy | √ | √ | × |
| Listing notification policies | √ | √ | √ |
| Deleting a notification policy | √ | √ | × |
| Listing running jobs | √ | √ | √ |
| Running a job | √ | √ | × |
| Querying running jobs | √ | √ | √ |
| Deleting a running job | √ | √ | × |
| Canceling a running job | √ | √ | × |
| Invoking an inference service instance | √ | √ | × |
| Listing routes | √ | √ | √ |
| Querying session information | √ | √ | √ |
| Subscribing to a public endpoint | √ | √ | × |
| Querying SQL endpoints | √ | √ | √ |
| Creating a SQL endpoint | √ | √ | × |
| Deleting a SQL endpoint | √ | √ | × |
| SQL editor | √ | √ | √ |
Role/Policy Dependencies of the DataArts Fabric Console
| Console Function | Dependency | Role/Policy Required |
|---|---|---|
| Granting service permissions | IAM | Granting permissions on the authorization page requires the IAM user to have the IAM Agency Management FullAccess policy. |
| Creating a workspace | LakeFormation | Users with the DataArtsFabricFullPolicy policy can create workspaces. Specifying a LakeFormation metastore during workspace creation requires the LakeFormation ReadOnlyAccess policy. |
| Creating a model | OBS | To create a model and specify its OBS file path on the model management page, an IAM user must have the DataArtsFabricFullPolicy and OBS OperateAccess policies. |
| Creating a notification policy | IAM, SMN | Creating a notification policy requires an IAM user to have the DataArtsFabricFullPolicy, IAM Agency Management ReadOnly, and SMN ReadOnlyAccess policies. |