Refined Permission Control
As security rules get stricter, enterprises give users only the permissions they need for their jobs. Refined permission control allows enterprises to precisely set five access control elements: Who, What, How, Where, and When. "Who" identifies which users can access cloud resources. "What" lists the resources that can be accessed. "How" defines the actions users can perform on these resources. "Where" specifies the locations from which users can access the resources. "When" sets the time period during which users can access the resources. Refined permission control is implemented in the following aspects:
- Refined resources: Authorize users to access only a specific resource, resources with a specific tag, or the resources under an enterprise project. To allow user access to multiple resources, put them under the same enterprise project or add the same tag to them. Then, configure permissions for the project or tag.
- Refined operations: Configure permissions for read, write, and list operations performed on specific objects. For example, the read permissions for cloud server specifications, tags, server details, mounted disks, and NICs are separately configured. In this way, you can grant users the minimum permissions they need.
- Refined attributes: Attribute-based access control (ABAC) is more flexible and refined than role-based access control (RBAC). You can add attribute-based conditions to permission settings to allow only access requests that meet the conditions. Attributes include: identity details like username, MFA status, and root user status; network details like source IP address and VPC ID; resource details like tags and names; time details like access and token issuance time; and environment details like requesting and target accounts.
For details about the global and service-specific condition keys supported by Huawei Cloud, see SCP Syntax. ABAC allows for more granular access control than role-based permissions alone. For example, O&M engineer Shane can shut down and restart only a specified ECS, only after MFA authentication has been completed, and only between midnight and 4:00 AM.
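The following is an added example, not Huawei Cloud's policy engine: a small evaluator that checks a request against the Who/What/How/Where/When elements of the Shane scenario. The policy layout, the action names (ecs:cloudServers:stop/reboot), the resource string, and the condition key names (g:MFAPresent, g:SourceIp, g:CurrentTime) are assumptions modeled on Huawei Cloud naming; consult SCP Syntax for the authoritative keys and operators.

```python
"""Toy ABAC evaluator for the Who/What/How/Where/When model.
Added example; key and action names are assumptions, not verified identifiers."""
import fnmatch
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy: stop/reboot one specific ECS (What/How), only with MFA (Who),
# only from the office network (Where), only between 00:00 and 04:00 (When).
POLICY = {
    "Effect": "Allow",
    "Action": ["ecs:cloudServers:stop", "ecs:cloudServers:reboot"],
    "Resource": ["ecs:*:*:instance:ecs-0001"],  # wildcard region and account
    "Condition": {
        "Bool": {"g:MFAPresent": "true"},
        "IpAddress": {"g:SourceIp": "10.0.0.0/8"},
        "TimeOfDayBetween": {"g:CurrentTime": ["00:00", "04:00"]},
    },
}

# Constructed request context: MFA done, office IP, 02:30 local time.
AT_NIGHT_WITH_MFA = {"g:MFAPresent": True, "g:SourceIp": "10.1.2.3",
                     "g:CurrentTime": datetime(2024, 1, 1, 2, 30)}

def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(op, key, expected, ctx):
    actual = ctx.get(key)
    if actual is None:  # a missing attribute never satisfies a condition (fail closed)
        return False
    if op == "Bool":
        return str(actual).lower() == expected
    if op == "IpAddress":
        return ip_address(actual) in ip_network(expected)
    if op == "TimeOfDayBetween":
        start, end = expected
        return start <= actual.strftime("%H:%M") < end
    raise ValueError(f"unsupported operator {op}")

def is_allowed(policy, action, resource, ctx):
    """Allow only if action and resource match and every condition holds."""
    if not _match_any(policy["Action"], action) or not _match_any(policy["Resource"], resource):
        return False
    for op, pairs in policy.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(op, key, expected, ctx):
                return False
    return policy["Effect"] == "Allow"
```

Because each condition block must hold independently, removing any single attribute (MFA, source network, or time window) denies the request even though the action and resource still match.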