Updated on 2025-05-07 GMT+08:00

Identity and Permissions Design

Thanks to Huawei Cloud's extensive delivery experience, we provide the following best practices in user and permissions management.

Unified Identity and Permissions Management

Your company's own identity management system is already the authoritative place for granting permissions to employees when they join and revoking them when they transfer to another department or resign. Keep it that way: federate that system with Huawei Cloud IAM Identity Center for authentication, and synchronize users from it to IAM Identity Center using the System for Cross-domain Identity Management (SCIM), so that an account disabled upstream is disabled in the cloud as well. In IAM Identity Center, you then centrally configure the permissions these users have to access resources in multiple accounts. Users log in to the Huawei Cloud console through single sign-on (SSO), see the accounts they can access, and click Access Console to reach the cloud resources in those accounts.
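The joiner, mover and leaver handling that SCIM synchronization has to cover is shown below as an added example; it is not part of this page or of the IAM Identity Center product. The HR roster, the directory snapshot, the group names and every id are constructed, the request bodies follow RFC 7643/7644 without any vendor-specific extension, and nothing is sent over the network: a real client would submit each (method, path, body) to the SCIM endpoint with its bearer token.

```python
"""Derive the SCIM 2.0 requests that bring an IAM Identity Center directory in line
with the corporate identity system (joiners, movers and leavers).

Added example: the roster, the directory snapshot and all ids are constructed, and
the request bodies follow RFC 7643/7644 rather than any vendor-specific extension.
No network calls are made; a real client would send each (method, path, body)
to the SCIM endpoint with its bearer token."""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed: the authoritative roster, keyed by externalId (HR employee number).
HR_ROSTER = {
    "E1001": {"userName": "alice@example.com", "given": "Alice", "family": "Liu",
              "group": "IaaS management group"},
    "E1002": {"userName": "bob@example.com", "given": "Bob", "family": "Chen",
              "group": "PaaS management group"},      # mover: was in the IaaS group
    "E1004": {"userName": "dave@example.com", "given": "Dave", "family": "Wang",
              "group": "Application test group"},     # joiner: not yet provisioned
}

# Constructed: what IAM Identity Center (the SCIM service provider) holds now.
IDC_USERS = {
    "E1001": {"id": "u-01", "active": True, "group": "IaaS management group"},
    "E1002": {"id": "u-02", "active": True, "group": "IaaS management group"},
    "E1003": {"id": "u-03", "active": True, "group": "Network management group"},  # leaver
}
IDC_GROUPS = {"IaaS management group": "g-01", "PaaS management group": "g-02",
              "Network management group": "g-03", "Application test group": "g-04"}


def patch(path, operations):
    """Build a SCIM PatchOp request (RFC 7644 section 3.5.2)."""
    return ("PATCH", path, {"schemas": [SCIM_PATCH], "Operations": operations})


def remove_member(group_id, user_id):
    return patch(f"/Groups/{group_id}",
                 [{"op": "remove", "path": f'members[value eq "{user_id}"]'}])


def add_member(group_id, user_id):
    return patch(f"/Groups/{group_id}",
                 [{"op": "add", "path": "members", "value": [{"value": user_id}]}])


def reconcile(roster, users, groups):
    """Return the ordered list of (method, path, body) requests to apply."""
    ops = []
    # Leavers first: revocation must never wait behind a failing create.
    # Disable (active=false) instead of DELETE so audit logs keep resolving the id.
    for ext_id, cur in users.items():
        if ext_id in roster or not cur["active"]:
            continue
        ops.append(patch(f"/Users/{cur['id']}",
                         [{"op": "replace", "path": "active", "value": False}]))
        ops.append(remove_member(groups[cur["group"]], cur["id"]))
    for ext_id, want in roster.items():
        cur = users.get(ext_id)
        if cur is None:                       # joiner
            ops.append(("POST", "/Users", {
                "schemas": [SCIM_USER],
                "externalId": ext_id,
                "userName": want["userName"],
                "name": {"givenName": want["given"], "familyName": want["family"]},
                "emails": [{"value": want["userName"], "primary": True}],
                "active": True,
            }))
            # The service provider assigns the id in the POST response; the client
            # substitutes it for this placeholder before sending the group add.
            ops.append(add_member(groups[want["group"]], f"{{id-of:{ext_id}}}"))
        elif cur["group"] != want["group"]:   # mover
            ops.append(remove_member(groups[cur["group"]], cur["id"]))
            ops.append(add_member(groups[want["group"]], cur["id"]))
    return ops


def summarize(ops):
    """Compact (method, path) view of a plan, handy for change review."""
    return [(m, p) for m, p, _ in ops]


if __name__ == "__main__":
    for method, path, body in reconcile(HR_ROSTER, IDC_USERS, IDC_GROUPS):
        print(method, path, json.dumps(body))
```

Two design choices matter for security here: leavers are processed before joiners so that a failing create never delays a revocation, and departed users are deactivated rather than deleted so that Cloud Trace Service records can still be attributed to a known identity during an investigation.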

Figure 1 Unified identity and permissions management

User Group and Permissions Plan

You can plan IAM Identity Center user groups based on the role division of cloud center of excellence (CCoE) and add employees to the user groups that match their responsibilities. The following table lists the recommended user groups, along with their responsibilities, accounts, and permissions granted based on the principle of least privilege (PoLP). You can refer to this table to plan user groups and permissions that meet enterprise requirements.

Table 1 IAM Identity Center user groups

Each entry lists the user group, its responsibility, and the permissions recommended across accounts.

Financial management group
  Responsibility: Manage financial elements such as bills, costs, discounts, and invoices of member accounts in a unified manner.
  Permissions: BSS Administrator and BSS Finance permissions for the management account

IT governance group
  Responsibility: Create and manage OUs, member accounts, and SCPs.
  Permissions: Organizations FullAccess permission for the management account

Identity and permissions management group
  Responsibility: Centrally create and manage users and user groups, and configure permissions, agencies, and SSO.
  Permissions:
    • IdentityCenter FullAccess and Security Administrator permissions for the management account
    • Security Administrator for all other accounts

Security management group
  Responsibility: Centrally manage and control security policies, rules, and resources for the entire company, and set security configuration baselines for the company's other accounts.
  Permissions: Management permissions for security resources in all accounts, such as SecMaster, Host Security Service (HSS), Data Security Center (DSC), and Database Security Service (DBSS)

Compliance audit group
  Responsibility: Centrally view audit logs and security-related logs (such as VPC flow logs and OBS access logs) of all accounts.
  Permissions:
    • Tenant Administrator permission for the logging account
    • Tenant Guest for all other accounts

Network management group
  Responsibility: Centrally deploy and manage enterprise network connection resources, such as Enterprise Router, Virtual Private Network (VPN), Direct Connect (DC), and NAT Gateway. Centrally create and manage VPCs, subnets, and network access control lists (ACLs) for each account. Centrally deploy and manage network boundary protection resources, such as Web Application Firewall (WAF) and Cloud Firewall (CFW).
  Permissions:
    • Tenant Administrator permission for the network operations account
    • Management permissions for network resources, such as VPCs, subnets, and network ACLs, in all other accounts
    • Management permissions for network security resources, such as WAF and CFW, in the network operations account

IaaS management group
  Responsibility: Centrally manage the IaaS resources of all accounts as the cloud infrastructure administrator.
  Permissions:
    • Management permissions for IaaS resources in all accounts
    • Management permissions for O&M monitoring services, such as Application Operations Management (AOM), Cloud Eye, and Application Performance Management (APM), in all other accounts

PaaS management group
  Responsibility: Centrally manage the middleware resources of all accounts as the middleware administrator.
  Permissions:
    • Management permissions for middleware resources in all accounts
    • Management permissions for O&M monitoring services, such as AOM, Cloud Eye, and APM, in all other accounts

Automated O&M group
  Responsibility: Centrally monitor and maintain the resources of all accounts.
  Permissions:
    • Tenant Administrator permission for the O&M monitoring account
    • Management permissions for Cloud Operations Center (COC) in all other accounts

Data management group
  Responsibility: Centrally deploy and manage data platforms, and collect service data from other member accounts to store, process, and analyze it on those platforms.
  Permissions: Tenant Administrator permission for the data platform account

Public service management group
  Responsibility: Centrally deploy and manage the enterprise's public resources, services, and application systems, and share them with the company's other member accounts.
  Permissions: Tenant Administrator permission for the public service account

Application development group
  Responsibility: Develop applications and manage the development environment.
  Permissions:
    • Tenant Administrator permission for the development account
    • Developer permissions for the DevOps account

Application test group
  Responsibility: Test applications and manage the test environment.
  Permissions:
    • Tenant Administrator permission for the test account
    • Tester permissions for the DevOps account

Permissions Configuration

The root user and the Admin user of the master account hold the highest permissions. The CIO or IT director of the company should keep their passwords, and neither should be used for routine management and O&M, including creating users and configuring permissions. The one exception is bootstrapping: use the master account's Admin user once to create the identity and permissions management group and its users in IAM Identity Center and to grant that group the required permissions. From then on, the users in that group create all other users and user groups and grant their permissions. The following figure shows the recommended user group and permission configuration.

Figure 2 Recommended permission configuration

Permissions Use

For unified management, IT staff access and manage the cloud resources of other accounts through the multi-account authorization of IAM Identity Center rather than through credentials held in each account. For example, when the IaaS and PaaS administrators need to centrally manage the IaaS and middleware resources of every account in the company, they reach those resources through that multi-account authorization, as shown in the following figure.

Figure 3 Unified multi-account management of IaaS and middleware resources by IaaS and PaaS administrators

Other Best Practices for Identity and Permissions Management

  • Following the PoLP, grant each group only the permissions it needs to perform its specific tasks. If a group's responsibilities change, adjust the granted permissions immediately.
  • To simplify authorization, grant permissions to user groups instead of users.
  • Apply separation of duties: ensure that permission configuration, permission use, and permission audit are performed by different natural persons or teams with no shared interest in the outcome.
  • Require secondary authentication for sensitive operations, such as deleting or updating key resources and making high-value payments.
  • Do not share your password. Instead, create a user for each person who needs to manage or use Huawei Cloud resources, and assign permissions to that user. In this way, all operations performed on Huawei Cloud can be tracked and audited.
  • The enterprise CTO or CIO keeps the password of the root user (with the same name as the account) of the master account. The owner of the business unit to which the member account belongs keeps the password of the member account's root user.
  • The root user (with the same name as the account) holds the highest permissions. Do not use the root user to access Huawei Cloud. Instead, create one or more common users, grant them permissions by following the PoLP, and use those users for routine management.
  • Use service control policies (SCPs) to restrict the permissions of each member account's root user.
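How such an SCP bounds a member account's root user is shown below as an added example; it is not part of this page or of the Organizations service. The policy documents, the action strings, the principal contexts and the condition key g:PrincipalIsRootUser are assumptions written in the service:resource:operation style of Huawei Cloud's policy language, and the is_management_account flag is a constructed context value rather than a condition key; take the real action names and condition keys from the Organizations and service references. The evaluator models the usual guardrail rules: an SCP never grants anything, every SCP on the account's path must allow the action, an explicit Deny wins, and the management account is not constrained by SCPs.

```python
"""Evaluate a service control policy (SCP) as a guardrail over a root user.

Added example: the policy documents, action strings, principal contexts and the
condition key g:PrincipalIsRootUser are assumptions written in the
service:resource:operation style of Huawei Cloud's policy language; take the real
action names and condition keys from the Organizations and service references.
The evaluator models the usual guardrail rules: an SCP never grants anything, every
SCP on the account's path must allow the action, an explicit Deny wins, and the
management account is not constrained by SCPs."""
import fnmatch

# Assumed SCP attached to the OU holding the member accounts: the root user may do
# nothing at all, so all work must go through IAM Identity Center users.
SCP_RESTRICT_ROOT = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"]},
        {"Effect": "Deny", "Action": ["*"],
         "Condition": {"Bool": {"g:PrincipalIsRootUser": ["true"]}}},
    ],
}

# Assumed identity policy behind the IaaS management group's permission set.
IAAS_ADMIN_POLICY = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:*", "evs:*", "vpc:*:list*"]}],
}

# Constructed request contexts; is_management_account is a flag of this model,
# not a condition key.
ROOT_OF_MEMBER = {"g:PrincipalIsRootUser": True, "is_management_account": False}
ROOT_OF_MANAGEMENT = {"g:PrincipalIsRootUser": True, "is_management_account": True}
IDC_USER_IN_MEMBER = {"g:PrincipalIsRootUser": False, "is_management_account": False}


def _action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Only the Bool operator is modelled; that is all the root guardrail needs."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, values in pairs.items():
            if str(ctx.get(key, "")).lower() not in [v.lower() for v in values]:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for st in policy["Statement"]:
        if not _action_matches(st["Action"], action):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny wins over any allow
        decision = "Allow"
    return decision


def is_allowed(action, ctx, scps, identity_policy=None):
    """Combine the SCP guardrail with the principal's own permissions."""
    if not ctx["is_management_account"]:
        # Every SCP in the path must allow; a Deny or a missing Allow blocks.
        if any(evaluate(scp, action, ctx) != "Allow" for scp in scps):
            return False
    if ctx["g:PrincipalIsRootUser"]:
        return True                # root is bounded only by SCPs, not identity policies
    if identity_policy is None:
        return False
    return evaluate(identity_policy, action, ctx) == "Allow"


if __name__ == "__main__":
    cases = [("root of member account", ROOT_OF_MEMBER, None),
             ("IdC user in member account", IDC_USER_IN_MEMBER, IAAS_ADMIN_POLICY),
             ("root of management account", ROOT_OF_MANAGEMENT, None)]
    for label, ctx, policy in cases:
        print(f"{label}: ecs:cloudServers:delete ->",
              is_allowed("ecs:cloudServers:delete", ctx, [SCP_RESTRICT_ROOT], policy))
```

The last case is the caveat to keep in mind: because SCPs do not constrain the management account, its root and Admin credentials are the one thing no policy can fence in, which is why the earlier sections insist they stay in executive custody and out of day-to-day use.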