Help Center/ SecMaster/ User Guide/ Using IAM to Manage SecMaster Permissions/ Using IAM Roles or Policies to Grant Access to SecMaster
Updated on 2025-11-14 GMT+08:00
View PDF
Share

Using IAM Roles or Policies to Grant Access to SecMaster

You can perform role/policy-based authorization using Identity and Access Management (IAM).

  • Create IAM users under your account for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing SecMaster resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust an account or a cloud service to perform professional and efficient O&M on your SecMaster resources.

If your account does not require individual IAM users, then you may skip over this chapter.

This section describes how to assign permissions based on roles and policies. Figure 1 shows the authorization process.

Prerequisites

Before assigning permissions to a user group, you need to understand the SecMaster permissions. For details, see Role and Policy Permission Management. For details about the permissions of other services, see System Permissions.

Permission Granting Process

Figure 1 Process for granting SecMaster permissions
  1. Creating a User Group and Assigning Permissions to It

    Create a user group on the IAM console, and assign the SecMaster ReadOnly permission to the group.

  2. Creating a User and Adding the User to a User Group

    Create a user on the IAM console and add the user to the group created in 1.

  3. Logging In as an IAM User and Verifying the Permissions

    Log in to the SecMaster console as the created user, and verify that the user only has read permissions for SecMaster.

    • Choose Service List > SecMaster. Then click Buy SecMaster. If you cannot buy SecMaster (assuming that the current permissions include only SecMaster ReadOnly), the SecMaster ReadOnly permission has already taken effect.
    • Choose any other service in the Service List. (The current policy contains only SecMaster ReadOnly.) If a message appears indicating insufficient permissions, the SecMaster ReadOnly policy has already taken effect.

Example Custom Policies

Custom policies can be created to supplement the system-defined policies of SecMaster. For the actions supported for custom policies, see Actions Supported by Policy-based Authorization.

Currently, Huawei Cloud allows you to create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following provides examples of common SecMaster custom policies.

  • Example 1: Authorizing a user to create and delete workspaces 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    		 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secmaster:workspace:delete",
                "secmaster:workspace:create"
            ]
        }
    ]
}
  • Example 2: Denying workspace deletion

    A deny policy must be used together with other policies. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    If you grant the SecMaster FullAccess system policy to a user but do not want the user to have the workspace deletion permission defined in the policy, you can create a custom policy that denies workspace deletion and grant both the custom policy and the SecMaster FullAccess policy to the user. According to the "Deny first" principle, users can perform all operations on SecMaster except deleting workspaces. The following is an example of a deny policy:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
    		 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "secmaster:workspace:delete",
                "secmaster:workspace:create",
                "secmaster:dataspace:delete"
            ]
        }
    ]
}
  • Example 3: Defining permissions for multiple services in a policy

    A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
    		 
    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secmaster:playbook:update",
                "secmaster:playbook:updateVersion",
                "secmaster:workspace:delete",
                "secmaster:workspace:create",
                "secmaster:dataspace:delete",
                "secmaster:playbook:approve",
                "secmaster:playbook:createVersion"
            ]
        }
    ]
}

SecMaster Resources

Resources are objects in services. In SecMaster, resources include alerts, playbooks, workflows, and indicators. You can select specific resources by specifying resource paths when creating custom policies.

Table 1 SecMaster resources and their paths

Resource

Path

workspace

secmaster:<region>:<account-id>:workspace:<workspace-id>

playbook

secmaster:<region>:<account-id>:playbook:<workspace-id>/<playbook-id>

workflow

secmaster:<region>:<account-id>:workflow:<workspace-id>/<workflow-id>

connection

secmaster:<region>:<account-id>:connection:<workspace-id>/<connection-id>

task

secmaster:<region>:<account-id>:task:<workspace-id>/<task-id>

indicator

secmaster:<region>:<account-id>:indicator:<workspace-id>/<indicator-id>

alert

secmaster:<region>:<account-id>:alert:<workspace-id>/<alert-id>

incident

secmaster:<region>:<account-id>:incident:<workspace-id>/<incident-id>

dataobject

secmaster:<region>:<account-id>:dataobject:<workspace-id>/<dataobject-id>

metric

secmaster:<region>:<account-id>:metric:<workspace-id>/<metric-id>

resource

secmaster:<region>:<account-id>:resource:<workspace-id>/<resource-id>

report

secmaster:<region>:<account-id>:report:<workspace-id>/<report-id>

emergencyVulnerability

secmaster:<region>:<account-id>:emergencyVulnerability:<workspace-id>/<emergency-vulnerability-id>

dataspace

secmaster:<region>:<account-id>:dataspace:<workspace-id>/<dataspace-id>

pipe

secmaster:<region>:<account-id>:pipe:<workspace-id>/<pipe-id>

alertRule

secmaster:<region>:<account-id>:alertRule:<workspace-id>/<alertRule-id>

vulnerability

secmaster:<region>:<account-id>:vulnerability:<workspace-id>/<vulnerability-id>

alertRuleTemplate

secmaster:<region>:<account-id>:alertRuleTemplate:<workspace-id>/<alertRuleTemplate-id>

searchCondition

secmaster:<region>:<account-id>:searchCondition:<workspace-id>/<searchCondition-id>

dataclass

secmaster:<region>:<account-id>:dataclass:<workspace-id>/<dataclass-id>

mapping

secmaster:<region>:<account-id>:mapping:<workspace-id>/<mapping-id>

layout

secmaster:<region>:<account-id>:layout:<workspace-id>/<layout-id>

catalogue

secmaster:<region>:<account-id>:catalogue:<workspace-id>/<catalogue-id>

table

secmaster:<region>:<account-id>:table:<workspace-id>/<table-id>

policy

secmaster:<region>:<account-id>:policy:<workspace-id>/<policy-id>

baseline

secmaster:<region>:<account-id>:baseline:<workspace-id>/<baseline-id>

shipper

secmaster:<region>:<account-id>:shipper:<workspace-id>/<shipper-id>

analysisScript

secmaster:<region>:<account-id>:analysisScript:<workspace-id>/<analysisScript-id>

collectorChannel

secmaster:<region>:<account-id>:collectorChannel:<workspace-id>/<collectorChannel-id>

collectorChannelGroup

secmaster:<region>:<account-id>:collectorChannelGroup:<workspace-id>/<collectorChannelGroup-id>

collectorConnection

secmaster:<region>:<account-id>:collectorConnection:<workspace-id>/<collectorConnection-id>

collectorParser

secmaster:<region>:<account-id>:collectorParser:<workspace-id>/<collectorParser-id>

component

secmaster:<region>:<account-id>:component:<workspace-id>/<component-id>

node

secmaster:<region>:<account-id>:node:<workspace-id>/<node-id>

accountAgency

secmaster:<region>:<account-id>:accountAgency:<accountAgency-id>

SecMaster Request Conditions

Request conditions are useful in determining when a custom policy is in effect. A request condition consists of condition keys and operators. Condition keys are either global or service-specific and are used in the Condition element of a policy statement. Global condition keys (starting with g:) are available for operations of all services, while service-specific condition keys (starting with a service name such as secmaster:) are available only for operations of specific services. An operator must be used together with a condition key to form a complete condition statement.

secmaster:TargetRegion is a service-level condition key supported by SecMaster.

Table 2 Service-specific condition keys supported by SecMaster

SecMaster Condition Key

Operator

Description

secmaster:TargetRegion

String

Only the action secmaster:workspace:createAgency supports this service-level condition key.

The target region specified by the condition key secmaster:TargetRegion are filtered based on the region attribute of the managed workspace in the request.