
Permission Policy

Updated at: Jun 04, 2019 17:43

Configure permission policies for a user group and add users to the group. The users then obtain the operation permissions defined in those policies.

IAM supports default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If the default policies do not meet your requirements, create custom policies for fine-grained permission control.

Log in to the IAM console and choose Policies to view all default and custom policies. You can click the name of a policy to check its format. For details, see Policy Content.

Default Policy

NOTE:
  • Application scope: Where a policy takes effect. HUAWEI CLOUD services are classified as global-level or project-level according to where they are deployed.
    • Global-level services: Not tied to a physical region. Permissions on these services are granted in the Global project.
    • Project-level services: Deployed per region. Permissions on these services are granted in individual regions and take effect only in those regions. For the permissions to take effect in all regions, grant them in every region.
  • Permission granularity: The smallest unit of authorization IAM provides. Service-level and operation-level granularities are currently supported.
    • Service level: grants users permissions on a service as a whole.
    • Operation level: grants users permissions for individual operations, as defined by the service's APIs.

    Only services with operation-level granularity support custom policies. For details, see Creating Custom Policies. Custom policies let you allow or deny specific operations on services or resources.

Each entry below lists a system policy under its service, followed by the permissions the policy grants, the scope in which it takes effect (see the note above), and the authorization granularity of the policy where the table states one. A granularity of "-" means none is listed.

BASE

Security Administrator

Permissions:

  • Creating, deleting, and modifying users.
  • Granting permissions to users.

Scope: Global services

Granularity: -

Agent Operator

Permissions: Switching roles to delegating accounts to access their resources

Scope: Global services

Tenant Administrator

Permissions:

  • All operations on the My Account, Billing Center, and Resource Center pages
  • All operations on cloud resources owned by an account

Scope: Global and project-level services

Full Access

Permissions: All operations on cloud resources owned by an account

Scope: Global services

Tenant Guest

Permissions: Read-only permissions for cloud resources owned by an account

Scope: Global and project-level services

Elastic Cloud Server (ECS)

Elastic Volume Service (EVS)

Virtual Private Cloud (VPC)

Image Management Service (IMS)

Server Administrator

Permissions:

  • Creating, deleting, and modifying ECSs
  • Creating, deleting, and modifying EVS disks
  • All operations on security groups, security group rules, ports, firewalls, EIPs, and bandwidth, if the Tenant Guest policy is also assigned
  • Creating, deleting, querying, and modifying images

Scope: Project-level services

Granularity: -

Object Storage Service (OBS)

OBS Buckets Viewer

Permissions: Listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects

Scope: OBS

Granularity: Service level

Elastic Cloud Server (ECS)

ECS Admin

Permissions: All operations on ECS

Scope: Project-level services

Granularity: Operation level

ECS Viewer

Permissions: Read-only permissions for ECS

Scope: Project-level services

ECS User

Permissions: Starting, stopping, restarting, and querying ECSs

Scope: Project-level services

Auto Scaling (AS)

AutoScaling Admin

Permissions: All operations on all AS resources

Scope: Project-level services

Granularity: Operation level

AutoScaling Viewer

Permissions: Read-only permissions for all AS resources

Scope: Project-level services

AutoScaling Administrator

Permissions:

  • All operations on AS resources. Users granted permissions of this policy must also be granted permissions of the Server Administrator and Tenant Guest policies.
  • If a user needs to use ELB and CES, the user must also be granted permissions of the ELB Administrator and CES Administrator policies.

Scope: Project-level services

Granularity: Service level

Image Management Service (IMS)

IMS Admin

Permissions: All operations on IMS

Scope: Project-level services

Granularity: Operation level

IMS Viewer

Permissions: Read-only permissions for IMS

Scope: Project-level services

IMS Administrator

Permissions:

  • All operations on IMS
  • Users granted permissions of this policy and the Tenant Guest policy in the OBS project can create images using image files.

Scope: Project-level services

Elastic Volume Service (EVS)

EVS Admin

Permissions: All operations on EVS

Scope: Project-level services

Granularity: Operation level

EVS Viewer

Permissions: Read-only permissions for EVS

Scope: Project-level services

Cloud Server Backup Service (CSBS)

CSBS Administrator

Permissions:

Deleting cloud server backups. Users also granted permissions of the Server Administrator policy can create cloud server backups, restore cloud servers, and manage backup policies.

Users without permissions of the Server Administrator policy cannot obtain cloud server information when:

  • Creating a backup or restoring a cloud server
  • Associating a cloud server with a backup policy

Scope: Project-level services

Granularity: Service level

Volume Backup Service (VBS)

VBS Administrator

Permissions:

Users also granted permissions of the Server Administrator and Tenant Guest policies can perform the following operations:

  • Creating EVS disk backups
  • Deleting EVS disk backups
  • Restoring EVS disks

Scope: Project-level services

Granularity: Service level

Dedicated Distributed Storage Service (DSS)

DSS Admin

Permissions: All operations on DSS

Scope: Project-level services

Granularity: Operation level

DSS Viewer

Permissions: Read-only permissions for DSS

Scope: Project-level services

Virtual Private Cloud (VPC)

VPC Admin

Permissions: All operations on VPC

Scope: Project-level services

Granularity: Operation level

VPC Viewer

Permissions: Read-only permissions for VPC

Scope: Project-level services

VPC Administrator

Permissions: All operations on VPC. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Cloud Container Engine (CCE)

CCE Admin

Permissions: All operations on CCE

Scope: Project-level services

Granularity: Operation level

CCE Viewer

Permissions: Read-only permissions for CCE, but all operations on Kubernetes resources (despite its name, this policy is not read-only inside a cluster)

Scope: Project-level services

CCE Administrator

Permissions:

All operations on CCE. Users granted permissions of this policy must also be granted permissions of the ECS Administrator, VPC Administrator, EVS Administrator, IMS Administrator, SvcStg Admin, and SWR Admin policies as well as the Tenant Administrator policy in the OBS project.

  • Users also granted permissions of the ELB Administrator policy can use ELB functions in clusters.
  • Users also granted permissions of the NAT Gateway Administrator policy can use NAT Gateway functions in clusters.
  • Users also granted permissions of the SFS Administrator policy can perform all operations on SFS.

Scope: Project-level services

Granularity: Service level

Application Operations Management (AOM)

AOM Admin

Permissions: All operations on AOM

Scope: Project-level services

Granularity: Operation level

AOM Viewer

Permissions: Read-only permissions for AOM

Scope: Project-level services

Application Performance Management (APM)

APM Admin

Permissions: All operations on APM

Scope: Project-level services

Granularity: Operation level

APM Viewer

Permissions: Read-only permissions for APM

Scope: Project-level services

Cloud Eye

CES Administrator

Permissions:

  • Viewing metrics
  • Adding, modifying, and deleting alarm rules
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Web Application Firewall (WAF)

WAF Administrator

Permissions:

  • Creating and deleting WAF instances
  • Configuring, enabling, and disabling WAF instances
  • Modifying protection policies of WAF instances
  • Configuring alarm notifications for WAF instances
  • Querying the WAF instance list and details
  • Authenticating domain names of WAF instances

Scope: Project-level services

Granularity: Service level

Host Security Service (HSS)

HSS Administrator

Permissions:

  • Enabling and disabling HSS
  • Performing manual detections
  • Setting alarm information and performing security configurations
  • Viewing security overview on the Dashboard page
  • Viewing the ECS list and risk details
  • Viewing reports of asset management, vulnerability management, intrusion detection, and baseline inspection

Scope: Project-level services

Granularity: Service level

SSL Certificate Manager (SCM)

SC Administrator

Permissions: All operations on SCM

Scope: Global and project-level services

Granularity: Service level

Vulnerability Scan Service (VSS)

VSS Administrator

Permissions:

  • Creating, restarting, and canceling scan tasks
  • Querying task lists and details
  • Querying vulnerability lists and details
  • Putting mis-reporting tags on vulnerabilities
  • Authenticating domain names

Scope: Project-level services

Granularity: Service level

Security Expert Service (SES)

SES Administrator

Permissions:

  • Purchasing SES services
  • Completing and modifying service order information
  • Viewing the service order list and service order details
  • Authenticating the hosts or domains to be assessed, hardened, or monitored
  • Downloading assessment reports
  • Evaluating SES services

Scope: Project-level services

Granularity: Service level

Database Security Service (DBSS)

DBSS System Administrator

Permissions:

  • Buying instances
  • Viewing the instance list
  • Starting, stopping, and restarting instances
  • Upgrading instances
  • Binding or unbinding EIPs
  • Logging in to the DBSS console

NOTE:

To purchase instances, users must also have VPC and BSS permissions.

Scope: Project-level services

Granularity: Service level

DBSS Audit Administrator

Permissions:

  • Viewing the instance list
  • Logging in to the DBSS console

Scope: Project-level services

DBSS Security Administrator

Permissions:

  • Viewing the instance list
  • Logging in to the DBSS console

Scope: Project-level services

Data Encryption Workshop (DEW)

KMS Administrator

Permissions:

  • Key management

    Users with this permission can perform the following operations:

    • Creating, enabling, disabling, scheduling the deletion of, and canceling the deletion of keys
    • Querying the key list
    • Querying key information
    • Creating random numbers and data keys, including data keys created without plaintext
    • Encrypting and decrypting data keys
    • Changing the aliases and descriptions of keys
    • Adding, deleting, and querying key tags
  • Key pair management

    Users granted permissions of this policy and the Server Administrator policy can perform the following operations:

    • Creating, importing, and deleting key pairs
    • Querying the key pair list
    • Querying key pair information
    • Resetting, replacing, binding, and unbinding key pairs
    • Importing, exporting, and clearing private keys
    • Querying and deleting records about failed tasks
  • Dedicated encryption

    Users with this permission can perform the following operations:

    Creating customized business orders

Scope: Project-level services

Granularity: Service level

Anti-DDoS

Anti-DDoS Administrator

Permissions:

Users granted permissions of this policy and the Tenant Guest policy can query EIPs in VPCs and perform all operations on Anti-DDoS.

Scope: Project-level services

Granularity: Service level

Simple Message Notification (SMN)

SMN Administrator

Permissions: All operations on SMN

Scope: Project-level services

Granularity: Service level

Relational Database Service (RDS)

RDS Admin

Permissions: All operations on RDS

Scope: Global and project-level services

Granularity: Operation level

RDS Viewer

Permissions: Read-only permissions for RDS

Scope: Global and project-level services

RDS DBA

Permissions: Database administrator permissions on RDS except permissions for deleting resources

Scope: Global and project-level services

RDS Administrator

Permissions:

  • All operations on RDS. Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can modify or create alarm rules for database instances.
  • Users also granted permissions of the TMS Administrator policy can query predefined tags of TMS and create, modify, and delete predefined tags on TMS.
  • Users also granted permissions of the KMS Administrator policy can buy KMS keys and encrypt RDS DB instances.
  • Users also granted permissions of the Security Administrator policy can buy both RDS and DBSS services.

Scope: Project-level services

Granularity: Service level

Distributed Message Service (DMS)

DMS Administrator

Permissions: All operations on DMS

Scope: Project-level services

Granularity: -

Document Database Service (DDS)

DDS Admin

Permissions: All operations on DDS

Scope: Global and project-level services

Granularity: Operation level

DDS Viewer

Permissions: Read-only permissions for DDS

Scope: Global and project-level services

DDS DBA

Permissions: Database administrator permissions on DDS except permissions for deleting resources

Scope: Global and project-level services

DDS Administrator

Permissions:

  • All operations on DDS. Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can modify or create alarm rules for database instances.
  • Users also granted permissions of the TMS Administrator policy can query predefined tags of TMS and create, modify, and delete predefined tags on TMS.
  • Users also granted permissions of the KMS Administrator policy can buy KMS keys and encrypt DDS instances.

Scope: Project-level services

Granularity: Service level

Data Replication Service (DRS)

DRS Administrator

Permissions:

  • All operations on DRS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.

Scope: Project-level services

Granularity: Service level

Data Admin Service (DAS)

DAS Administrator

Permissions:

  • All operations on DAS
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Content Delivery Network (CDN)

CDN Administrator

Permissions: All operations on CDN

Scope: Global services

Granularity: Operation level

CDN Domain Viewer

Permissions: Read-only permissions for CDN acceleration domain names

Scope: Global services

CDN Statistics Viewer

Permissions: Read-only permissions for CDN statistics

Scope: Global services

CDN Logs Viewer

Permissions: Read-only permissions for CDN logs

Scope: Global services

CDN Domain Configuration Operator

Permissions: Configuring CDN acceleration domain names

Scope: Global services

CDN Refresh And Preheat Operator

Permissions: CDN cache refreshing and preheating

Scope: Global services

Scalable File Service (SFS)

SFS Administrator

Permissions: All operations on SFS. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Software Repository for Container (SWR)

SWR Admin

Permissions: All operations on SWR

Scope: Project-level services

Granularity: Operation level

Workspace

Workspace Administrator

Permissions:

  • All operations on Workspace. Users with permissions of this policy must also be granted permissions of the Tenant Guest, Server Administrator, and VPC Administrator policies.
  • Users also granted permissions of the Tenant Guest policy can query the image used for creating desktops.
  • Users also granted permissions of the Server Administrator policy can manage image authorization, ports, and security group rules.
  • Users also granted permissions of the VPC Administrator policy can query VPC and subnet information, manage security groups, and create, query, and delete IP addresses.

Scope: Project-level services

Granularity: Service level

Domain Name Service (DNS)

DNS Administrator

Permissions: All operations on DNS

Scope: Project-level services

Granularity: Service level

Cloud Trace Service (CTS)

CTS Administrator

Permissions:

All operations on CTS. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy and the Tenant Administrator policy in the OBS project. Users with all these permissions can perform the following operations:

  • Enabling CTS
  • Creating, modifying, disabling, or enabling trackers
  • Receiving or viewing traces
  • Storing user events to OBS buckets

Scope: Project-level services

Granularity: Service level

Business Support System (BSS)

BSS Administrator

Permissions: All operations on all menus of the My Account, Billing Center, and Resource Center

Scope: Project-level services

Granularity: Service level

BSS Operator

Permissions:

  • Accessing all menus in My Account and Resource Center
  • Performing the following operations in Billing Center:
    • Viewing, canceling, and exporting orders, changing the billing mode, and renewing, unsubscribing from, and releasing resources
    • Viewing and exporting the consumption summary and details, and analyzing bills
    • Viewing and activating coupons, applying for online contracts, and viewing commercial discounts

Scope: Project-level services

BSS Finance

Permissions:

  • Topping up accounts, withdrawing money, and setting balance alerts
  • Viewing, paying, and exporting orders, and renewing resources
  • Viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills
  • Viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts

Scope: Project-level services

Distributed Cache Service (DCS)

DCS User

Permissions: Common user permissions for DCS except permissions for creating, modifying, deleting, and scaling instances

Scope: Project-level services

Granularity: Service level

DCS Admin

Permissions: All operations on DCS

Scope: Project-level services

DCS Viewer

Permissions: Read-only permissions for DCS

Scope: Project-level services

DCS Administrator

Permissions: All operations on DCS

Scope: Project-level services

MapReduce Service (MRS)

MRS Administrator

Permissions:

  • All operations on MRS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest, Server Administrator, and BSS Administrator policies.

Scope: Project-level services

Granularity: Service level

ServiceStage

SvcStg Admin

Permissions:

  • Service management
  • Application management
  • Node management
  • Stack management
  • Pipeline management

Scope: Project-level services

Granularity: Service level

SvcStg Developer

Permissions:

  • Service management
  • Application management
  • Stack management
  • Pipeline management

Scope: Project-level services

SvcStg Operator

Permissions:

  • Read-only permissions for services
  • Read-only permissions for applications
  • Read-only permissions for stacks
  • Read-only permissions for pipelines

Scope: Project-level services

Policy Content

On the IAM console, choose Policies and click a policy name, for example, IMS Administrator. Details about the policy are displayed in the Policy Content box. Each policy contains one or more statements, and each statement describes a set of permissions.

The policy content of IMS Administrator is as follows:

{
  "Version": "1.0",
  "Statement": [
    {
      "Action": [
        "ims:*:*",
        "ecs:*:list",
        "ecs:*:get",
        "evs:*:get"
      ],
      "Effect": "Allow"
    }
  ],
  "Depends": [
    {
      "catalog": "OBS",
      "display_name": "Tenant Administrator"
    }
  ]
}
Table 1 Permission information parameters

Version

Description: Policy version.

Value:

  • 1.0: service-level policy
  • 1.1: operation-level policy

Action (within Statement)

Description: The operations the statement covers, in the format Service name:Resource type:Action.

Value: For example, "ims:*:*" covers all operations on IMS: ims is the service name, the first wildcard * matches every resource type, and the second * matches every action. By contrast, "ecs:*:list" covers only list operations, on all ECS resource types.

Effect (within Statement)

Description: Whether the operations matched by Action are allowed.

Value:

  • Allow: the operations are allowed.
  • Deny: the operations are not allowed.

NOTE:

If both Allow and Deny are found in statements, policy evaluation starts with Deny, so an explicit Deny takes precedence over an Allow for the same operation.

Depends

NOTE:

For a service-level policy, the Action field can only contain operations of a single service. If that service depends on permissions of other services, you must list them in the Depends field.

When configuring permissions for a user group, you must select both the policy to be added and the policies it depends on.

catalog (within Depends)

Description: Service of the other policy that users must have in order to be granted this policy.

Value: Service name, for example, Base

display_name (within Depends)

Description: Name of the other policy that users must have in order to be granted this policy.

Value: Permission name, for example, Tenant Administrator
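The following is an added example, written for this page and not HUAWEI CLOUD code, of how the policy format described above is applied when deciding whether a user group may perform an operation. It validates the three-part Action format, matches wildcard actions segment by segment, evaluates Allow and Deny statements with a matching Deny overriding any Allow (the page's note that evaluation starts with Deny), and checks the Depends lists of the policies selected for a group, transitively, against the policies the group already has. The IMS Administrator document is copied from this page; the other two policies, their action and resource-type names (such as ecs:cloudServers:delete), and the catalog mapping are constructed for the example and are not documented HUAWEI CLOUD identifiers.

```python
import fnmatch
import json

# Policy document copied from this page (IMS Administrator).
IMS_ADMINISTRATOR = json.loads("""
{
  "Version": "1.0",
  "Statement": [
    {
      "Action": ["ims:*:*", "ecs:*:list", "ecs:*:get", "evs:*:get"],
      "Effect": "Allow"
    }
  ],
  "Depends": [
    {"catalog": "OBS", "display_name": "Tenant Administrator"}
  ]
}
""")

# Hypothetical operation-level custom policy (constructed for this example;
# the action names are placeholders, not documented HUAWEI CLOUD actions).
# It allows delete in one statement and denies it in another, to show that
# the Deny wins.
ECS_READ_NO_DELETE = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["ecs:*:get", "ecs:*:list", "ecs:*:delete"], "Effect": "Allow"},
        {"Action": ["ecs:*:delete"], "Effect": "Deny"},
    ],
}

# Hypothetical policy that itself depends on IMS Administrator, used to show
# that dependency checking has to follow the chain, not just the first hop.
GOLDEN_IMAGE_BUILDER = {
    "Version": "1.0",
    "Statement": [{"Action": ["ims:*:*"], "Effect": "Allow"}],
    "Depends": [{"catalog": "IMS", "display_name": "IMS Administrator"}],
}

# Constructed catalog: (catalog, display_name) -> policy document.
CATALOG = {
    ("IMS", "IMS Administrator"): IMS_ADMINISTRATOR,
    ("Custom", "Golden Image Builder"): GOLDEN_IMAGE_BUILDER,
    ("Custom", "ECS Read No Delete"): ECS_READ_NO_DELETE,
}


def validate_action(action):
    """An Action must have the three-part form service:resource type:action."""
    parts = action.split(":")
    return len(parts) == 3 and all(parts)


def action_matches(pattern, action):
    """Match segment by segment so a '*' never spans a ':' boundary."""
    if not (validate_action(pattern) and validate_action(action)):
        return False
    return all(fnmatch.fnmatchcase(a, p)
               for p, a in zip(pattern.split(":"), action.split(":")))


def is_allowed(policies, action):
    """Deny is evaluated first: one matching Deny overrides every Allow, and an
    action no statement mentions is denied by default."""
    effects = {
        stmt["Effect"]
        for policy in policies
        for stmt in policy["Statement"]
        if any(action_matches(p, action) for p in stmt["Action"])
    }
    if "Deny" in effects:
        return False
    return "Allow" in effects


def missing_dependencies(selected, assigned, catalog=CATALOG):
    """Return the (catalog, display_name) policies listed under Depends, directly
    or transitively, that are not among the policies assigned to the group."""
    missing, seen, stack = set(), set(), list(selected)
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        for dep in catalog.get(key, {}).get("Depends", []):
            dep_key = (dep["catalog"], dep["display_name"])
            if dep_key not in assigned:
                missing.add(dep_key)
            stack.append(dep_key)
    return sorted(missing)


if __name__ == "__main__":
    group = {("IMS", "IMS Administrator"), ("Custom", "Golden Image Builder")}
    # The group holds IMS Administrator but not the OBS Tenant Administrator
    # policy that IMS Administrator's Depends field requires.
    print(missing_dependencies(group, group))
```

The dependency check is the part worth automating: the console only warns you to select the depended policy by hand, and a policy whose Depends chain is incomplete grants a user an Allow that fails at runtime (for example, IMS Administrator without Tenant Administrator in the OBS project cannot create images from image files), which tends to be "fixed" by granting something far broader than needed.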
