Using IAM Roles or Policies to Grant Access to DBSS
Role/policy-based permissions provided by Identity and Access Management (IAM) let you control access to DBSS. With IAM, you can:
- Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing DBSS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or cloud service to perform professional and efficient O&M on your DBSS resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes how to assign permissions based on roles and policies. Figure 1 shows the authorization process.
Prerequisites
Before assigning permissions to a user group, you need to understand the DBSS permissions. For details, see Role and Policy Permission Management. For details about the permissions of other services, see System-defined Permissions.
Process Flow
1. On the IAM console, create a user group and grant it permissions (ECS ReadOnlyAccess as an example).
   Create a user group on the IAM console, and assign the DBSS ReadOnlyAccess permission to the group.
2. Create an IAM user and add it to the created user group.
   On the IAM console, create an IAM user and add it to the user group created in step 1.
3. Log in as the IAM user and verify permissions.
   In the authorized region, perform the following operations:
   - Choose Database Security Service in the service list and click Buy DBSS on the DBSS console. If you cannot buy DBSS (assuming that the current permissions include only DBSS ReadOnlyAccess), the DBSS ReadOnlyAccess policy has already taken effect.
   - Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the DBSS ReadOnlyAccess policy is in effect.
Examples of Custom Policies
Custom policies can be created to supplement the system-defined policies of DBSS. You can then add actions to custom policies. For details, see Actions Supported by Identity Policies.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Edit policies from scratch or based on an existing policy in JSON format.
For details, see Creating a Custom Policy. The following are examples of common DBSS custom policies.
- Example 1: Allowing a user to query the database audit list
```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dbss:auditInstance:list"
            ]
        }
    ]
}
```
- Example 2: Denying database audit instance deletion
A policy with only "Deny" permissions must be used together with other policies. If the policies assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the DBSS FullAccess policy to a user but also forbid the user from deleting database audit instances. Create a custom policy to disallow audit instance deletion and assign both policies to the group the user belongs to. Then the user can perform all operations on DBSS except deleting database audit instances. The following is an example of a deny policy:
```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "dbss:auditInstance:delete"
            ],
            "Effect": "Deny"
        }
    ]
}
```
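To make the Deny-over-Allow rule concrete, here is an added Python example (not Huawei Cloud's own policy evaluator) that resolves a requested action against all policies attached to a user's group. It assumes a wildcard `dbss:*:*` stand-in for the DBSS FullAccess system policy and fnmatch-style wildcard matching; both are assumptions, not documented IAM semantics.

```python
import fnmatch

# Constructed stand-in for the system-defined DBSS FullAccess policy.
# Assumption: a wildcard covers every DBSS action; the real system policy
# lists concrete actions and is not reproduced here.
DBSS_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["dbss:*:*"]}],
}

# The deny policy from Example 2, attached to the same group.
DENY_AUDIT_DELETE = {
    "Version": "1.1",
    "Statement": [{"Action": ["dbss:auditInstance:delete"], "Effect": "Deny"}],
}


def _statement_matches(statement, action):
    """True if any action pattern in the statement covers the requested action."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in statement.get("Action", []))


def evaluate(policies, action):
    """Resolve one action against every policy a user holds through their groups.

    Rules modelled on the text: a request is denied unless some Allow statement
    matches it, and any matching Deny statement overrides every Allow.
    """
    explicit_deny = False
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                explicit_deny = True
            elif statement["Effect"] == "Allow":
                allowed = True
    if explicit_deny:
        return "Deny"          # Deny wins even when an Allow also matched
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    group_policies = [DBSS_FULL_ACCESS, DENY_AUDIT_DELETE]
    for act in ["dbss:auditInstance:list", "dbss:auditInstance:delete",
                "hss:commonIPs:set"]:
        print(f"{act:30} -> {evaluate(group_policies, act)}")
```

Running the block shows list allowed, delete denied, and the HSS action implicitly denied because no attached policy mentions it.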
- Example 3: Creating a custom policy containing multiple actions
A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:
```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dbss:defendInstance:eipOperate",
                "dbss:auditInstance:getSpecification"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "hss:accountCracks:unblock",
                "hss:commonIPs:set"
            ]
        }
    ]
}
```