Using IAM Roles or Policies to Grant Access to DSC
To manage DSC permissions based on roles and policies, you can use Identity and Access Management (IAM) to implement fine-grained permissions control over your IAM resources. With IAM, you can:
- Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing WAF resources.
- Grant only the permissions required for users to perform a task.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your DSC resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes the role-based authorization method. Process Flow shows the authorization process.
Prerequisites
Before granting permissions, learn about DSC permissions and choose them as required. To grant permissions for other services, learn about all system-defined permissions supported by IAM.
Process Flow
1. Create a user group and assign permissions.
   Create a user group on the IAM console, and assign the DSC ReadOnlyAccess permission to the group.
2. Create an IAM user and add it to the user group.
   Create a user on the IAM console and add the user to the group created in step 1.
3. Log in as an IAM user and verify permissions.
   Log in to the DSC console using the created user and verify that the user has administrator permissions for DSC.
   - Choose Service List > Data Security Center. On the DSC console, click Buy DSC. If the purchase fails (assuming that the current permission contains only DSC ReadOnlyAccess), the DSC ReadOnlyAccess policy has already taken effect.
   - Choose any other service in the Service List. (Assume that the current policy contains only DSC ReadOnlyAccess.) If a message appears indicating insufficient permissions to access the service, the DSC ReadOnlyAccess policy has already taken effect.
Example Custom Policies
Custom policies can be created to supplement the system-defined policies of DSC.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Policy. The following provides examples of custom DSC policies.
- Example 1: Allowing a user to query the big data assets
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dsc:bigdataAsset:list"
      ]
    }
  ]
}
- Example 2: Disallowing a user to query the OBS assets
A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Use the following method if you need to grant a user the DSC FullAccess policy but also forbid that user from querying the OBS asset list (dsc:obsAsset:list). Create a custom policy that denies the same action, and assign both policies to the group the user belongs to. The user can then perform all operations on DSC except querying the OBS asset list. The following is an example policy for denying querying of the OBS asset list:
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dsc:obsAsset:list"
      ]
    }
  ]
}
- Multi-action policy
A custom policy can contain the actions of multiple services that are of the project-level type. The following is an example policy containing actions of multiple services:
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dsc:obsAsset:list",
        "dsc:scanRule:list"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "hss:hosts:switchVersion",
        "hss:hosts:manualDetect",
        "hss:manualDetectStatus:get"
      ]
    }
  ]
}
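The following is an added example, not Huawei Cloud code, that shows how the deny-overrides-allow rule from Example 2 and the multi-action policy above combine when several policies are attached to one user group. It is a toy evaluator for the policy documents on this page: it models only Effect/Action matching and explicit-deny precedence, whereas the real IAM engine also evaluates resources, conditions and project scope. The FullAccess stand-in with the wildcard pattern "dsc:*:*" is a constructed assumption used so there is something broad to combine with the deny policy; the action names themselves are taken from the page.

```python
"""Toy evaluator for IAM-style policy documents (Version "1.1").

Added example, not Huawei Cloud code. It models only Effect/Action matching
and the rule that an explicit Deny overrides any Allow.
"""
import fnmatch
import json

# Constructed stand-in for the DSC FullAccess policy. The wildcard pattern
# "dsc:*:*" is an assumption about action-pattern syntax made for this example.
FULL_ACCESS_STANDIN = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    { "Effect": "Allow", "Action": [ "dsc:*:*" ] }
  ]
}""")

# The deny policy from Example 2 on this page.
DENY_OBS_ASSET_LIST = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    { "Effect": "Deny", "Action": [ "dsc:obsAsset:list" ] }
  ]
}""")

# The multi-action policy from this page.
MULTI_ACTION = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "dsc:obsAsset:list", "dsc:scanRule:list" ] },
    { "Effect": "Allow",
      "Action": [ "hss:hosts:switchVersion", "hss:hosts:manualDetect",
                  "hss:manualDetectStatus:get" ] }
  ]
}""")


def is_valid_policy_text(text):
    """Return True if the text is strict JSON; a dangling comma after the
    last statement (a common copy-paste slip) makes this return False."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def validate_policy(policy):
    """Raise ValueError on structural problems a policy reviewer would catch."""
    if policy.get("Version") != "1.1":
        raise ValueError("unsupported policy Version: %r" % policy.get("Version"))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    for statement in statements:
        if statement.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny: %r" % statement.get("Effect"))
        actions = statement.get("Action")
        if not isinstance(actions, list) or not actions:
            raise ValueError("Action must be a non-empty list")
    return True


def statement_matches(statement, action):
    """Match an action such as 'dsc:obsAsset:list' against the statement's
    action patterns; '*' matches any run of characters, including ':'."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in statement["Action"])


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across all
    policies attached to a group. A matching Deny wins immediately; an Allow
    only counts if no Deny matches anywhere; no match at all is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        validate_policy(policy)
        for statement in policy["Statement"]:
            if not statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Group with FullAccess (stand-in) plus the deny policy from Example 2.
    group_policies = [FULL_ACCESS_STANDIN, DENY_OBS_ASSET_LIST]
    for act in ("dsc:obsAsset:list", "dsc:scanRule:list", "hss:hosts:manualDetect"):
        print(act, "->", evaluate(group_policies, act))
```

Running the block prints Deny for dsc:obsAsset:list, Allow for dsc:scanRule:list, and ImplicitDeny for the HSS action, which is the behaviour Example 2 describes: the user keeps every DSC permission except the one explicitly denied, and gets nothing outside DSC. The order in which the policies are listed does not change the outcome, because a Deny match returns before any later Allow is considered and any earlier Allow is discarded when a Deny matches.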