Permission Management
If you need to assign different permissions to employees in your enterprise to access your UGO resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your Huawei Cloud resources.
With IAM, you can use your Huawei Cloud account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, you can grant software developers in your enterprise permissions to use UGO resources but not permissions needed to delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using UGO resources.
If your Huawei Cloud account does not need individual IAM users for permissions management, you may skip over this section.
IAM can be used for free. You pay only for the resources in your account. For more information about IAM, see What Is IAM?
UGO Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups they belong to and can perform specified operations on cloud services based on those permissions.
UGO is a project-level service deployed in specific physical regions. To assign UGO permissions to a user group, select a project (ap-southeast-3) in a specific region (AP-Singapore) to apply the permission changes. If all projects are selected, the permissions will take effect for the user group in all region-specific projects. When accessing UGO, you need to switch to a region where you have been authorized to use this service.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users' responsibilities. This mechanism provides only a limited number of service-level roles for authorization. There may be dependencies between different roles. If these dependencies are not taken into account, you may be unable to assign the permissions as intended. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control.
Table 1 and Table 2 list all the built-in roles and policies of UGO.

| Role | Description | Supported |
|---|---|---|
| Tenant Administrator | Admin permissions of tenants. Tenants with these permissions can access and perform operations on all tenant resources except IAM. | Yes |
| Tenant Guest | Read-only permissions of tenants. Tenants with these permissions can query all objects of all tenants except IAM. | Yes |

| Policy Name | Description | Supported |
|---|---|---|
| UGO FullAccess | All permissions | Yes |
| UGO ReadOnlyAccess | Read-only permissions | Yes |
| UGO CommonOperations | SQL conversion permission | Optional |

Table 3 lists the common operations supported by each system-defined policy or role of UGO. Select the policies or roles as required.

| Operation | UGO FullAccess | UGO ReadOnlyAccess | UGO CommonOperations |
|---|---|---|---|
| Creating a project | √ | x | x |
| Querying a tag | √ | √ | x |
| Querying quota | √ | √ | x |
| Obtaining the project list | √ | √ | x |
| Deleting a project | √ | x | x |
| Starting a migration project | √ | x | x |
| Viewing project details | √ | √ | x |
| Converting SQL statements | √ | x | √ |

Table 4 lists common UGO operations and corresponding actions. You can refer to this table to create custom permission policies.

| Operation | Action | Type |
|---|---|---|
| Evaluation project: obtaining the evaluation project list | ugo:evaluationJob:list | ReadOnly |
| Migration project: obtaining the migration project list | ugo:migrationJob:list | ReadOnly |
| Querying a tag | ugo:tag:getTags | ReadOnly |
| Adding, modifying, or deleting a tag | ugo:tag:operateTags | ReadWrite |
| Querying quota | ugo:jobs:getQuotas | ReadOnly |
| Shared: querying project details | ugo:jobs:getDetails | ReadOnly |
| Evaluation project: testing source database connectivity | ugo:evaluationJob:testConnection | ReadWrite |
| Evaluation project: testing the network stability of the source database | ugo:evaluationJob:testNetworkConnection | ReadWrite |
| Evaluation project: pre-checking | ugo:evaluationJob:preCheck | ReadWrite |
| Evaluation project: creating an evaluation project | ugo:evaluationJob:create | ReadWrite |
| Evaluation project: stopping evaluation | ugo:evaluationJob:stopEvalProject | ReadWrite |
| Evaluation project: resuming evaluation | ugo:evaluationJob:resumeEvalProject | ReadWrite |
| Evaluation project: re-evaluating | ugo:evaluationJob:reanalyze | ReadWrite |
| Evaluation project: running differentiation analysis | ugo:evaluationJob:collectDiffAnalysis | ReadWrite |
| Evaluation project: performing an incremental evaluation | ugo:evaluationJob:startDeltaEvaluation | ReadWrite |
| Evaluation task: confirming the target database | ugo:evaluationJob:updateEvalProject | ReadWrite |
| Evaluation project: reselecting and evaluating objects | ugo:evaluationJob:analyzeType | ReadWrite |
| Evaluation project: editing SQL | ugo:evaluationJob:saveSQL | ReadWrite |
| Evaluation project: deleting an evaluation project | ugo:evaluationJob:delete | ReadWrite |
| Migration task: testing the target database connectivity | ugo:migrationJob:testConnection | ReadWrite |
| Migration project: creating a migration project | ugo:migrationJob:create | ReadWrite |
| Conversion plan of the migration project: skipping conversion or undoing skip | ugo:migrationJob:skipObjects | ReadWrite |
| Conversion plan of the migration project: editing conversion configuration | ugo:migrationJob:updateConfig | ReadWrite |
| Conversion plan of the migration project: editing application configuration | ugo:migrationJob:updateCategory | ReadWrite |
| Conversion plan of the migration project: setting the user password | ugo:migrationJob:setPassword | ReadWrite |
| Conversion plan of the migration project: mapping tablespaces | ugo:migrationJob:updateTableSpaceMapping | ReadWrite |
| Syntax conversion of the migration project: starting or resuming the conversion | ugo:migrationJob:startConvert | ReadWrite |
| Syntax conversion of the migration project: pausing the conversion | ugo:migrationJob:stopConvert | ReadWrite |
| Object correction of the migration project: updating status | ugo:migrationJob:updateFailedStatus | ReadWrite |
| Object correction of the migration project: skipping migration or undoing skip | ugo:migrationJob:skipVerification | ReadWrite |
| Object correction of the migration project: retuning the conversion | ugo:migrationJob:reconvert | ReadWrite |
| Object correction of the migration project: replacing SQL statements in the bulk update | ugo:migrationJob:updateBulk | ReadWrite |
| Object correction of the migration project: comparing, ignoring, or saving the SQL modifications | ugo:migrationJob:updateSQL | ReadWrite |
| Verification of the migration project: starting the migration | ugo:migrationJob:startVerify | ReadWrite |
| Verification of the migration project: stopping the migration | ugo:migrationJob:stopVerify | ReadWrite |
| Migration project: deleting a migration project | ugo:migrationJob:delete | ReadWrite |
| Converting SQL statements | ugo:sqlStatement:convert | ReadWrite |
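
The following added example (not part of the original documentation) audits a custom policy against the Table 4 actions before it is attached to a user group, reporting which actions it grants, which are write actions, and whether project deletion slips through. It assumes the IAM custom-policy JSON shape (`Version`, `Statement`, `Effect`, `Action`), `*` wildcards in action names, and that an explicit Deny overrides Allow; the function names and the sample policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Action names from Table 4, grouped by resource type.
CATALOGUE = {
    "evaluationJob": "list testConnection testNetworkConnection preCheck create "
                     "stopEvalProject resumeEvalProject reanalyze collectDiffAnalysis "
                     "startDeltaEvaluation updateEvalProject analyzeType saveSQL delete",
    "migrationJob": "list testConnection create skipObjects updateConfig updateCategory "
                    "setPassword updateTableSpaceMapping startConvert stopConvert "
                    "updateFailedStatus skipVerification reconvert updateBulk updateSQL "
                    "startVerify stopVerify delete",
    "tag": "getTags operateTags",
    "jobs": "getQuotas getDetails",
    "sqlStatement": "convert",
}
ACTIONS = [f"ugo:{res}:{op}" for res, ops in CATALOGUE.items() for op in ops.split()]
# The five actions Table 4 marks as ReadOnly; everything else is ReadWrite.
READ_ONLY = {"ugo:evaluationJob:list", "ugo:migrationJob:list", "ugo:tag:getTags",
             "ugo:jobs:getQuotas", "ugo:jobs:getDetails"}

def effective_actions(policy):
    """Table 4 actions the policy grants (assumption: Deny overrides Allow)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in stmt["Action"]:
            bucket.update(a for a in ACTIONS if fnmatchcase(a, pattern))
    return allowed - denied

def audit(policy):
    """Summarise what a custom policy grants and flag entries worth reviewing."""
    granted = effective_actions(policy)
    listed = {p for s in policy["Statement"] for p in s["Action"]}
    return {
        "granted": sorted(granted),
        "write": sorted(granted - READ_ONLY),
        "project_deletes": sorted(a for a in granted if a.endswith(":delete")),
        # Patterns matching nothing in Table 4: typos or actions of another service.
        "unknown": sorted(p for p in listed
                          if not any(fnmatchcase(a, p) for a in ACTIONS)),
    }

# Constructed sample: developers may use UGO but not delete projects.
DEVELOPER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ugo:*:*"]},
        {"Effect": "Deny", "Action": ["ugo:*:delete"]},
    ],
}

if __name__ == "__main__":
    print(audit(DEVELOPER_POLICY))
```

Note that `ugo:tag:operateTags` also covers tag deletion, so a policy that must forbid every delete path needs that action denied as well.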