Updated on 2025-11-14 GMT+08:00

Using IAM Identity Policies to Grant Access to SecMaster

You can perform identity policy-based authorization for SecMaster using Identity and Access Management (IAM). With IAM, you can:

  • Create IAM users under your account for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing SecMaster resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust an account or a cloud service to perform professional and efficient O&M on your SecMaster resources.

If your account meets your access control needs, you can skip over this topic.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before authorization, learn about the SecMaster permissions you can authorize and select the permissions based on the site requirements. For details about the system policies supported by SecMaster, see Identity Policy Permissions Management. For details about the permissions of other services, see System Permissions.

Permission Granting Process

Figure 1 Process for granting SecMaster permissions
  1. On the IAM console, create a user or user group.

    Log in to the IAM console to create a user or user group.

  2. Attach a system-defined policy to the user or user group.

    Attach the SecMasterReadOnly system-defined policy to the user or user group so that it is granted only the SecMaster read-only permissions.

  3. Log in as the IAM user and verify permissions.

    Log in to the console as an authorized user and test the permissions.

    • Choose Service List > SecMaster. Then click Buy SecMaster. If you cannot buy SecMaster (assuming that the current permissions include only SecMasterReadOnly), the SecMasterReadOnly permission has already taken effect.
    • Choose any other service in the Service List. (The current policy contains only SecMasterReadOnly.) If a message appears indicating insufficient permissions, the SecMasterReadOnly policy has already taken effect.

Example Custom Identity Policies for SecMaster

If the system-defined policies of SecMaster do not meet your needs, you can create custom identity policies that contain only the actions you require. For details about the supported actions, see Actions Supported by Identity Policies.

You can create custom identity policies in either of the following ways on Huawei Cloud:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about the resource types and condition keys, see Actions Supported by Identity Policy-based Authorization. The following are examples of custom identity policies for SecMaster.

  • Example 1: Granting the permissions to create and delete workspaces
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secmaster:workspace:create",
                    "secmaster:workspace:delete"
                ]
            }
        ]
    }
    
  • Example 2: Defining permissions for multiple services in a policy

    A custom policy can contain the actions of multiple services. The following is an example policy containing actions of multiple services:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secmaster:workspace:create",
                    "secmaster:task:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:volumes:create",
                    "evs:volumes:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:createServers",
                    "ecs:cloudServers:listServersDetails"
                ]
            }
        ]
    }
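Before attaching a custom identity policy, it is worth checking it offline for the structural mistakes that are easy to make in hand-written JSON (wrong Version, an Effect that is neither Allow nor Deny, malformed or wildcard action names) and for allow statements that carry neither a Resource nor a Condition element and are therefore not scoped as the paragraph above describes. The following Python lint is an added example; it is not part of the SecMaster documentation or of any Huawei Cloud tool. It runs over the two example policies from this page plus one constructed, deliberately faulty policy. The action-name pattern (service:resourceType:operation) is an assumption inferred from the examples on the page, not a published schema.

```python
"""Offline lint for identity policies (Version "5.0") before they are attached.

Added example; not from the SecMaster documentation or any Huawei Cloud tool.
Assumptions (inferred from the examples on the page, not from a schema):
  - a policy is {"Version": "5.0", "Statement": [ ... ]}
  - each statement has Effect (Allow/Deny) and Action; Resource and Condition
    are optional and, when absent, the statement is not scoped
  - action names look like service:resourceType:operation
"""
import json
import re

# Pattern for action names such as "secmaster:workspace:create" (assumption).
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9-]+:[A-Za-z0-9-]+$")

# Example 1 and Example 2 from the page, written compactly.
EXAMPLE_1 = '''{"Version": "5.0", "Statement": [{"Effect": "Allow",
  "Action": ["secmaster:workspace:create", "secmaster:workspace:delete"]}]}'''

EXAMPLE_2 = '''{"Version": "5.0", "Statement": [
  {"Effect": "Allow", "Action": ["secmaster:workspace:create", "secmaster:task:create"]},
  {"Effect": "Allow", "Action": ["evs:volumes:create", "evs:volumes:list"]},
  {"Effect": "Allow", "Action": ["ecs:cloudServers:createServers",
                                 "ecs:cloudServers:listServersDetails"]}]}'''

# Constructed faulty policy: wrong Version, invalid Effect, a wildcard and a
# malformed action. Not a real policy from the page.
BAD_POLICY = '''{"Version": "1.1", "Statement": [{"Effect": "Permit",
  "Action": ["secmaster:*", "not-an-action"]}]}'''


def lint_policy(policy_text):
    """Check one policy document.

    Returns (findings, services): findings is a list of strings prefixed with
    ERROR, WARN or INFO; services is the set of service prefixes the actions
    touch, which shows at a glance whether a "SecMaster" policy also reaches
    into other services (as Example 2 intentionally does).
    """
    policy = json.loads(policy_text)
    findings = []
    services = set()

    if policy.get("Version") != "5.0":
        findings.append('ERROR: Version must be "5.0" for identity policies')

    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("ERROR: Statement must be a non-empty list")
        return findings, services

    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"ERROR: {where}: Effect must be Allow or Deny, got {effect!r}")

        actions = st.get("Action", [])
        if isinstance(actions, str):      # a single action may be given as a string
            actions = [actions]
        if not actions:
            findings.append(f"ERROR: {where}: statement has no Action")

        for action in actions:
            if "*" in action:
                # A wildcard grants every matching operation, not one action.
                findings.append(f"WARN: {where}: wildcard action {action!r}")
                services.add(action.split(":")[0])
                continue
            if not ACTION_RE.match(action):
                findings.append(f"ERROR: {where}: malformed action {action!r}")
                continue
            services.add(action.split(":", 1)[0])

        # An Allow without Resource or Condition applies to all resources at all times.
        if effect == "Allow" and "Resource" not in st and "Condition" not in st:
            findings.append(f"INFO: {where}: Allow has no Resource or Condition, so it is not scoped")

    return findings, services


if __name__ == "__main__":
    for name, text in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Bad", BAD_POLICY)):
        findings, services = lint_policy(text)
        print(f"{name}: services={sorted(services)}")
        for line in findings:
            print("  " + line)
```

The INFO finding on both page examples is expected: they grant actions without a Resource or Condition element, which is fine for a demonstration but is the first thing to tighten when the policy moves to production.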