Introduction to IAM Permissions
If you need to grant your enterprise personnel permission to access Huawei Cloud Cost Center, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
With IAM, you can assign permissions to control users' access to specific resources. For example, if you want finance personnel in your enterprise to view cost data but do not want them to create budgets, you can use IAM to grant permission to view cost data but not permission to manage cost data.
IAM supports role/policy-based authorization and identity policy-based authorization.
The following table describes the differences between these two authorization models.

| Authorization Model | Core Relationship | Permissions | Authorization Method | Description |
|---|---|---|---|---|
| Role/Policy-based authorization | User-permission-authorization scope | | Assigning roles or policies to principals | To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises. |
| Identity policy | User-policy | | | You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises. |

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.
For more information about IAM, see IAM Service Overview.
Role/Policy-based Permissions Management
Cost Center supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
Table 2 lists all the system-defined permissions for Cost Center. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| BSS Administrator | Full permissions for Cost Center. This policy is generally granted to the administrator. | System-defined role | None |
| BSS ReadonlyAccess | Read-only permissions for Billing Center, Cost Center, and Message Center. | System-defined policy | None |
| BSS FinanceAccess | Financial administrator of Billing Center, who has full permissions for financial operations. | System-defined policy | None |

Table 3 lists the common operations supported by system-defined permissions for Cost Center.

| Function | BSS Administrator | BSS ReadonlyAccess | BSS FinanceAccess |
|---|---|---|---|
| Viewing budget reports, including the report list and details of each report | Supported | Supported | Supported |
| Viewing cost monitors and anomalies | Supported | Supported | Supported |
| Viewing cost anomaly notifications | Supported | Supported | Supported |
| Viewing cost analyses | Supported | Supported | Supported |
| Exporting cost data, including analysis results, cost details, and budgets | Supported | Not supported | Supported |
| Analyzing utilization and coverage of savings plans | Supported | Supported | Supported |
| Evaluating the cost optimization option of changing pay-per-use to yearly/monthly | Supported | Supported | Supported |
| Viewing cost tags | Supported | Supported | Supported |
| Viewing cost optimization subscriptions | Supported | Supported | Supported |
| Viewing a list of cost reports | Supported | Supported | Supported |
| Viewing the task list for exporting cost details to OBS | Supported | Supported | Supported |
| Viewing the analysis of RI utilization and coverage | Supported | Supported | Supported |
| Viewing cost optimization summary | Supported | Supported | Supported |
| Viewing the percentage of costs that are allocated | Supported | Supported | Supported |
| Viewing maturity scores | Supported | Supported | Supported |
| Viewing savings plans | Supported | Supported | Supported |
| Viewing bills, monthly costs, usage details, cost management, expenditures and revenues, and cost trends | Supported | Supported | Supported |
| Viewing budget information, including the budget list and details of each budget. | Supported | Supported | Supported |
| Viewing parameter settings for Cost Center | Supported | Not supported | Not supported |
| Obtaining recommendations for savings plans | Supported | Not supported | Supported |
| Viewing cost category information, including the cost category list and the details of each cost category | Supported | Supported | Supported |
| Exporting bills, monthly costs, and usage details, and creating, deleting, modifying, exporting cost reports, and exporting income and revenues | Supported | Not supported | Supported |
| Disabling functions | Supported | Not supported | Supported |
| Enabling Cost Center | Supported | Not supported | Supported |
| Setting parameters for Cost Center | Supported | Not supported | Not supported |
| Deleting cost monitors | Supported | Not supported | Supported |
| Enabling functions | Supported | Not supported | Supported |
| Configuring cost categories, including creating and editing cost categories | Supported | Not supported | Supported |
| Managing cost reports, including creating, modifying, and deleting custom reports. | Supported | Not supported | Supported |
| Activating or deactivating cost tags | Supported | Not supported | Supported |
| Creating and modifying cost monitors | Supported | Not supported | Supported |
| Creating cost anomaly notifications | Supported | Not supported | Supported |
| Deleting cost categories | Supported | Not supported | Supported |
| Deleting budget reports | Supported | Not supported | Supported |
| Managing budgets, including creating, modifying, and deleting budgets | Supported | Not supported | Supported |
| Configuring cost optimization subscriptions | Supported | Not supported | Supported |
| Creating and modifying budget reports | Supported | Not supported | Supported |
| Creating, modifying, or deleting the tasks of exporting cost details to OBS | Supported | Not supported | Supported |

Identity Policy-based Permissions Management
Cost Center supports identity policy-based authorization. Table 4 lists all the system-defined identity policies for Cost Center. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

| Identity Policy Name | Description | Type |
|---|---|---|
| BillingFullAccessPolicy | Full permissions for Billing Center, Account Center, Cost Center, and Enterprise Center. This policy is generally granted to the administrator. | System-defined identity policy |
| BillingFinancePolicy | Permissions for financial operations, including payments, expenditures, invoicing, and costs. This policy does not have permissions to modify cloud services. It is generally granted to financial personnel. | System-defined identity policy |
| BillingOperatorPolicy | Permissions to view information in Billing Center, Account Center, Cost Center, and Enterprise Center, for example, to view the change, management, and use of cloud services. This policy does not have financial permissions. It is generally granted to the technical personnel, such as R&D and O&M personnel. | System-defined identity policy |
| CostCenterFullAccessPolicy | Full permissions for Cost Center. Generally, this policy is granted to cost administrators and cost analysis personnel. | System-defined identity policy |
| CostCenterReadOnlyPolicy | Permissions to view data in Cost Center. Generally, this policy is granted to those who want to view cost reports. | System-defined identity policy |

Table 5 lists the common operations supported by system-defined identity policies for Cost Center.

| Operation | BillingFullAccessPolicy | BillingOperatorPolicy | BillingFinancePolicy | CostCenterFullAccessPolicy | CostCenterReadOnlyPolicy |
|---|---|---|---|---|---|
| Viewing cost analyses | Supported | Supported | Supported | Supported | Supported |
| Creating and saving reports | Supported | Not supported | Supported | Supported | Not supported |
| Viewing reports | Supported | Supported | Supported | Supported | Supported |
| Setting budgets | Supported | Not supported | Supported | Supported | Not supported |
| Viewing budget details | Supported | Not supported | Supported | Supported | Supported |
| Analyzing RI utilization and coverage | Supported | Supported | Supported | Supported | Supported |
| Viewing cost tags | Supported | Supported | Supported | Supported | Supported |
| Activating cost tags | Supported | Supported | Supported | Supported | Not supported |
| Configuring budget reports | Supported | Not supported | Supported | Supported | Not supported |
| Deleting budget reports | Supported | Not supported | Supported | Supported | Not supported |
| Viewing budget reports | Supported | Not supported | Supported | Supported | Supported |
| Configuring cost categories | Supported | Supported | Supported | Supported | Not supported |
| Deleting cost categories | Supported | Supported | Supported | Supported | Not supported |
| Viewing cost category details | Supported | Supported | Supported | Supported | Supported |
| Creating cost monitors | Supported | Supported | Supported | Supported | Not supported |
| Deleting cost monitors | Supported | Supported | Supported | Supported | Not supported |
| Viewing cost monitors and anomalies | Supported | Supported | Supported | Supported | Supported |
| Creating cost anomaly notifications | Supported | Not supported | Supported | Supported | Not supported |
| Viewing cost anomaly notifications | Supported | Supported | Supported | Supported | Supported |
| Evaluating the cost optimization option of changing pay-per-use to yearly/monthly | Supported | Supported | Supported | Supported | Supported |
| Defining idle resource identifying rules | Supported | Supported | Supported | Supported | Not supported |
| Viewing resource optimization recommendations | Supported | Supported | Supported | Supported | Supported |
| Enabling functions | Supported | Supported | Supported | Supported | Not supported |
| Disabling functions | Supported | Supported | Supported | Supported | Not supported |
| Viewing savings plans (summary) | Supported | Supported | Supported | Supported | Supported |
| Analyzing utilization and coverage of savings plans | Supported | Supported | Supported | Supported | Supported |
| Viewing savings plans recommendations | Supported | Supported | Supported | Supported | Supported |
| Viewing cost optimization summary | Supported | Supported | Supported | Supported | Supported |
| Viewing cost optimization subscriptions | Supported | Supported | Supported | Supported | Supported |
| Configuring cost optimization subscriptions | Supported | Supported | Supported | Supported | Not supported |
| Exporting cost details | Supported | Not supported | Supported | Supported | Not supported |
| Viewing tasks of exporting cost details to OBS | Supported | Supported | Supported | Supported | Supported |
| Creating, modifying, or deleting the tasks of exporting cost details to OBS | Supported | Supported | Supported | Supported | Not supported |