Permissions
If you need to grant your enterprise personnel permission to access your SMS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources of various types.
For example, you can create IAM users for software developers and assign permissions that allow them to use SMS but not to delete any resources or perform any high-risk operations.
If your Huawei Cloud account does not need individual IAM users for permissions management, you can skip this section.
IAM is a free service. You pay only for the resources in your account. For more information about IAM, see What Is IAM?
SMS Permissions
By default, new IAM users do not have any permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups. Users inherit permissions from the groups they are added to, and then they can perform specified operations on cloud services.
A Huawei Cloud account has all the permissions required for using SMS by default. If you use your Huawei Cloud account to perform a migration, no authorization is required.
SMS is a global service deployed for all physical regions. SMS permissions are assigned to users in the Global project, so the users do not need to switch regions when accessing SMS.
Table 1 lists all the system-defined policies and roles of SMS. Huawei Cloud services interwork with each other, and some SMS policies and roles are dependent on the policies and roles of other services. When assigning SMS permissions to users, you need to also assign dependent roles for the SMS permissions to take effect.
| Operation | SMS FullAccess (Global) | OBS OperateAccess (OBS) | EVS FullAccess | ECS FullAccess | VPC FullAccess |
|---|---|---|---|---|---|
| Creating migration tasks | √ | x | √ | √ | √ |
| Viewing migration progress | √ | x | x | x | x |
IAM supports two types of policies: system-defined policies and custom policies.
- If an IAM user needs all SMS permissions, attach the preceding system-defined policies to the user group to which the IAM user has been added.
- If an IAM user only needs some SMS permissions, you can create custom policies and attach these policies to the user group to which the user has been added.
For details, see Creating a User and Assigning Permissions.
Compared with system-defined policies, custom policies provide more fine-grained and secure permissions control.
Dependent Policy Configuration
To grant an IAM user the permissions to view or use resources of other cloud services on the SMS console, you must first grant the SMS FullAccess or SMS ReadOnlyAccess policy to the user group to which the user belongs and then grant the dependency policies and roles listed in Table 2.
| Console Function | Dependent Services | Roles or Policies Required |
|---|---|---|
| Creating a migration task | ECS, EIP, VPC, Image Management Service (IMS), EVS | An IAM user with the SMS FullAccess permissions assigned can use this function only after the ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess permissions are assigned. |
| Viewing the migration progress | / | No other roles or policies are required. An IAM user with the SMS ReadOnlyAccess permissions can use this function directly. |
| Creating a migration template | / | No other permissions are required. An IAM user with the SMS FullAccess permissions can use this function directly. |
| Creating a server template | VPC, EVS, ECS | An IAM user with the SMS FullAccess permissions assigned can use this function only after the ECS ReadOnlyAccess, VPC ReadOnlyAccess, and EVS ReadOnlyAccess permissions are assigned. |
| Configuring the Agent | ECS, EIP, VPC, IMS, EVS | An IAM user with the SMS FullAccess permissions assigned can use this function only after the ECS FullAccess, VPC FullAccess, IMS FullAccess, EVS FullAccess, and EIP FullAccess permissions are assigned. |
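The dependency rules in Table 2 can be turned into a least-privilege check for a user group. The following is an added example, not Huawei Cloud code: it reports which required policies are missing for the console functions a group needs and which attached policies exceed that need. The `audit` and `full_variant` helpers and the sample group are hypothetical, and the rule that a service's FullAccess policy also covers its ReadOnlyAccess policy is an assumption.

```python
# Added example. REQUIRED transcribes Table 2 of this page; the helper
# functions are hypothetical and do not call any Huawei Cloud API.
REQUIRED = {
    "Creating a migration task": {
        "SMS FullAccess", "ECS FullAccess", "VPC FullAccess",
        "IMS FullAccess", "EVS FullAccess", "EIP FullAccess"},
    "Viewing the migration progress": {"SMS ReadOnlyAccess"},
    "Creating a migration template": {"SMS FullAccess"},
    "Creating a server template": {
        "SMS FullAccess", "ECS ReadOnlyAccess",
        "VPC ReadOnlyAccess", "EVS ReadOnlyAccess"},
    "Configuring the Agent": {
        "SMS FullAccess", "ECS FullAccess", "VPC FullAccess",
        "IMS FullAccess", "EVS FullAccess", "EIP FullAccess"},
}


def full_variant(policy):
    """'ECS ReadOnlyAccess' -> 'ECS FullAccess'; FullAccess names map to themselves."""
    return policy.rsplit(" ", 1)[0] + " FullAccess"


def audit(attached, functions):
    """Compare a group's attached policies with what the chosen functions need."""
    attached = set(attached)
    needed = set().union(*(REQUIRED[f] for f in functions))
    # Assumption: a service's FullAccess policy also covers its ReadOnlyAccess.
    missing = {p for p in needed
               if p not in attached and full_variant(p) not in attached}
    # Smallest policy set: drop ReadOnlyAccess where FullAccess is needed anyway.
    minimal = {p for p in needed
               if p == full_variant(p) or full_variant(p) not in needed}
    # Anything attached beyond the minimal set is broader than required.
    excess = attached - minimal
    return {"missing": sorted(missing), "excess": sorted(excess)}


if __name__ == "__main__":
    # Constructed sample group, not taken from a real account.
    group = {"SMS FullAccess", "ECS FullAccess", "VPC ReadOnlyAccess"}
    print(audit(group, ["Creating a server template"]))
```

An entry under `missing` means the console function will not work for the group; an entry under `excess` is a candidate for replacement with a narrower policy.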