Permissions Policies
Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Issue 01 (2020-04-07) Copyright © Huawei Technologies Co., Ltd.
Contents
1 System Permissions
1 System Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
Region: A geographic area for which permissions take effect. Select proper regions when you assign permissions.
● Global service project: Services deployed without specifying physical regions are called global services. Permissions for these services must be assigned in the Global region.
● Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for accessing these services need to be assigned in specific regions and take effect only for these regions. To make the permissions take effect in all regions, assign the permissions in each of these regions.
Type: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.
● For services that provide both policies and roles, preferentially use policies to assign permissions.
● For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions.
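Added example, not part of this document: a small Python check that applies the group-inheritance and region-scoping rules above, together with the "must be used together with" companion-role notes from the table that follows, to report role assignments whose required companion roles are missing or sit in the wrong project. The dependency table is transcribed from this page only; group names and project names ("region-north") are constructed sample data.

```python
"""Report IAM role assignments whose companion roles are missing.

Added example (not Huawei's code). Companion requirements are transcribed
from the "must be used together with" notes in the system-defined role
table on this page. Permissions are scoped to a project: a region-specific
project or the Global service project, so a companion granted in another
region does not satisfy the requirement.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

GLOBAL = "global"  # the Global service project; any other value is a region-specific project
SAME = "same"      # marker: the companion must sit in the same project as the role itself

# role -> list of (companion role, required scope); transcribed from the table on this page
ROLE_DEPENDENCIES: Dict[str, List[Tuple[str, str]]] = {
    "Server Administrator": [("Tenant Guest", SAME)],
    "VPC Administrator": [("Tenant Guest", SAME)],
    "ELB Administrator": [("Tenant Guest", SAME)],
    "CES Administrator": [("Tenant Guest", SAME), ("Server Administrator", SAME)],
    "RDS Administrator": [("Tenant Guest", SAME), ("Server Administrator", SAME)],
    "AutoScaling Administrator": [("ELB Administrator", SAME), ("CES Administrator", SAME)],
    "IMS Administrator": [("Tenant Administrator", GLOBAL)],
    "CCE Administrator": [("OBS Buckets Viewer", GLOBAL), ("Tenant Guest", SAME),
                          ("Server Administrator", SAME), ("ELB Administrator", SAME),
                          ("OBS Administrator", SAME), ("SFS Administrator", SAME),
                          ("SWR Admin", SAME), ("APM FullAccess", SAME)],
}


@dataclass(frozen=True)
class Assignment:
    role: str      # role or policy name as shown in the table
    project: str   # GLOBAL or a region-specific project name


def effective_assignments(user_groups: List[str],
                          group_assignments: Dict[str, Set[Assignment]]) -> Set[Assignment]:
    """A user holds the union of everything attached to the groups they belong to."""
    held: Set[Assignment] = set()
    for group in user_groups:
        held |= group_assignments.get(group, set())
    return held


def missing_dependencies(assignments: Set[Assignment]) -> List[str]:
    """One message per companion role that a held role needs but the user lacks.

    Each held role is checked, so a companion that itself has companions
    (e.g. Server Administrator needing Tenant Guest) is covered as well.
    """
    held = {(a.role, a.project) for a in assignments}
    problems: List[str] = []
    for a in sorted(assignments, key=lambda x: (x.project, x.role)):
        for companion, scope in ROLE_DEPENDENCIES.get(a.role, []):
            project = GLOBAL if scope == GLOBAL else a.project
            if (companion, project) not in held:
                problems.append(f"{a.role} in {a.project} requires {companion} in {project}")
    return problems


# Constructed sample data: two groups, each with a gap against the table.
SAMPLE_GROUPS: Dict[str, Set[Assignment]] = {
    "db-ops-north": {Assignment("RDS Administrator", "region-north"),
                     Assignment("Server Administrator", "region-north")},   # no Tenant Guest
    "image-admins": {Assignment("IMS Administrator", "region-north"),
                     # wrong project: the table requires Tenant Administrator in the Global project
                     Assignment("Tenant Administrator", "region-north")},
}

if __name__ == "__main__":
    user = effective_assignments(["db-ops-north", "image-admins"], SAMPLE_GROUPS)
    for problem in missing_dependencies(user):
        print(problem)
```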
System-Defined Policies
| Service | Region | Role/Policy Name | Type | Description |
|---|---|---|---|---|
| BASE | Global | FullAccess | Policy | Full permissions for cloud services supporting policy-based authorization |
| BASE | Global | IAM ReadOnlyAccess | Policy | Read-only permissions for Identity and Access Management. Users granted these permissions can view only users, user groups, policies, roles, agencies, and account security settings. They cannot view projects or identity providers. |
| BASE | All regions | Tenant Administrator | Role | Full permissions for all services except IAM |
| BASE | All regions | Tenant Guest | Role | Read-only permissions for all services except IAM |
| BASE | Global | Security Administrator | Role | Full permissions for IAM |
| BASE | Global | Agent Operator | Role | Permissions for switching roles to access resources of delegating accounts |
| Object Storage Service (OBS) | Global | OBS OperateAccess | Policy | Basic object operation permissions, such as viewing buckets, uploading, obtaining, and deleting objects, and obtaining object ACLs |
| Object Storage Service (OBS) | Global | OBS ReadOnlyAccess | Policy | Permissions for listing buckets, obtaining bucket metadata, listing objects in a bucket, and querying bucket locations |
| Object Storage Service (OBS) | Global | OBS Buckets Viewer | Role | Permissions for listing buckets, obtaining bucket information, and obtaining bucket metadata |
| Content Delivery Network (CDN) (Global service) | Global | CDN DomainReadOnlyAccess | Policy | Read-only permissions for CDN acceleration domain names |
| Content Delivery Network (CDN) (Global service) | Global | CDN StatisticsReadOnlyAccess | Policy | Read-only permissions for CDN statistics |
| Content Delivery Network (CDN) (Global service) | Global | CDN LogsReadOnlyAccess | Policy | Read-only permissions for CDN logs |
| Content Delivery Network (CDN) (Global service) | Global | CDN DomainConfigurationOperator | Policy | Permissions for configuring CDN acceleration domain names |
| Content Delivery Network (CDN) (Global service) | Global | CDN RefreshAndPreheatAccess | Policy | Permissions for cache refreshing and preheating |
| Content Delivery Network (CDN) (Global service) | Global | CDN Administrator | Role | Full permissions for CDN. This role must be used together with the Tenant Guest role in the same project. |
| SSL Certificate Manager (SCM) (Global service) | Global | SCM Administrator | Role | Full permissions for SCM. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| SSL Certificate Manager (SCM) (Global service) | Global | SCM FullAccess | Policy | Full permissions for SCM |
| SSL Certificate Manager (SCM) (Global service) | Global | SCM ReadOnlyAccess | Policy | Read-only permissions for SCM. Users with these permissions can only query certificates but cannot add, delete, or modify certificates. |
| Business Support System (BSS) (Project-level service) | Specific regions. NOTICE: These are the regions where permissions of the policies supported by this service can be assigned. | BSS Administrator | Role | Full permissions for Billing Center, Resource Center, and My Account |
| Business Support System (BSS) (Project-level service) | Specific regions | BSS Operator | Role | Query permissions for Billing Center and management permissions for Resource Center and My Account |
| Business Support System (BSS) (Project-level service) | Specific regions | BSS Finance | Role | Topping up accounts, withdrawing money, and setting balance alerts; viewing, paying, and exporting orders, and renewing resources; viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills; viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts |
| Business Support System (BSS) (Project-level service) | Specific regions | Enterprise Project BSS FullAccess | Policy | Permissions for accounting management of enterprise projects |
| Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), Image Management Service (IMS) (Project-level service) | Specific regions | Server Administrator | Role | Full permissions for ECS; this role must be used together with the Tenant Guest role in the same project. If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project (for example, a user who needs to create a new VPC when creating an ECS must also be granted the VPC Administrator role). Full permissions for EVS. Permissions for performing operations on EIPs, security groups, and ports; this role must be used together with the Tenant Guest role in the same project. Permissions for creating, deleting, querying, modifying, and uploading images; this role must be used together with the IMS Administrator role in the same project. |
| Elastic Cloud Server (ECS) (Project-level service) | Specific regions | ECS FullAccess | Policy | Full permissions for ECS |
| Elastic Cloud Server (ECS) (Project-level service) | Specific regions | ECS ReadOnlyAccess | Policy | Read-only permissions for ECS |
| Elastic Cloud Server (ECS) (Project-level service) | Specific regions | ECS CommonOperations | Policy | Permissions for starting, stopping, restarting, and querying ECSs |
| Auto Scaling (AS) (Project-level service) | Specific regions | AutoScaling FullAccess | Policy | Full permissions for all AS resources |
| Auto Scaling (AS) (Project-level service) | Specific regions | AutoScaling ReadOnlyAccess | Policy | Read-only permissions for all AS resources |
| Auto Scaling (AS) (Project-level service) | Specific regions | AutoScaling Administrator | Role | Full permissions for all AS resources. This role must be used together with the ELB Administrator and CES Administrator roles in the same project. |
| Image Management Service (IMS) (Project-level service) | Specific regions | IMS FullAccess | Policy | Full permissions for IMS |
| Image Management Service (IMS) (Project-level service) | Specific regions | IMS ReadOnlyAccess | Policy | Read-only permissions for IMS |
| Image Management Service (IMS) (Project-level service) | Specific regions | IMS Administrator | Role | Full permissions for IMS. This role must be used together with the Tenant Administrator role in the global service project. |
| Elastic Volume Service (EVS) (Project-level service) | Specific regions | EVS FullAccess | Policy | Full permissions for EVS |
| Elastic Volume Service (EVS) (Project-level service) | Specific regions | EVS ReadOnlyAccess | Policy | Read-only permissions for EVS |
| Cloud Server Backup Service (CSBS) (Project-level service) | Specific regions | CSBS Administrator | Role | Full permissions for CSBS. This role must be used together with the Server Administrator role in the same project. |
| Volume Backup Service (VBS) (Project-level service) | Specific regions | VBS Administrator | Role | Full permissions for VBS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Dedicated Distributed Storage Service (DSS) (Project-level service) | Specific regions | DSS FullAccess | Policy | Full permissions for DSS |
| Dedicated Distributed Storage Service (DSS) (Project-level service) | Specific regions | DSS ReadOnlyAccess | Policy | Read-only permissions for DSS |
| Virtual Private Cloud (VPC) (Project-level service) | Specific regions | VPC FullAccess | Policy | Full permissions for VPC |
| Virtual Private Cloud (VPC) (Project-level service) | Specific regions | VPC ReadOnlyAccess | Policy | Read-only permissions for VPC |
| Virtual Private Cloud (VPC) (Project-level service) | Specific regions | VPC Administrator | Role | Full permissions for VPC. This role must be used together with the Tenant Guest role in the same project. |
| Cloud Container Engine (CCE) (Project-level service) | Specific regions | CCE FullAccess | Policy | Full permissions for CCE |
| Cloud Container Engine (CCE) (Project-level service) | Specific regions | CCE ReadOnlyAccess | Policy | Read-only permissions for CCE and all operations on Kubernetes resources |
| Cloud Container Engine (CCE) (Project-level service) | Specific regions | CCE Administrator | Role | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. This role depends on the following permissions. Global service: OBS Buckets Viewer. Regional services (select in the same project): Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, SWR Admin, and APM FullAccess. NOTE: Users also granted permissions with NAT Gateway Administrator can use NAT Gateway functions for clusters. |
| CloudTable Service (CloudTable) (Project-level service) | Specific regions | CloudTable Administrator | Role | Full permissions for CloudTable. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Domain Name Service (DNS) (Project-level service) | Specific regions | DNS Administrator | Role | Full permissions for DNS |
| Domain Name Service (DNS) (Project-level service) | Specific regions | DNS FullAccess | Policy | Administrator permissions for DNS. Users granted these permissions can perform all operations on DNS, including creating, deleting, querying, and modifying DNS resources |
| Domain Name Service (DNS) (Project-level service) | Specific regions | DNS ReadOnlyAccess | Policy | Read-only permission for DNS. Users granted these permissions can only view DNS resources |
| Cloud Trace Service (CTS) (Project-level service) | Specific regions | CTS Administrator | Role | Full permissions for CTS. This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project. |
| Simple Message Notification (SMN) (Project-level service) | Specific regions | SMN Administrator | Role | Full permissions for SMN |
| Relational Database Service (RDS) (Project-level service) | Specific regions | RDS FullAccess | Policy | Full permissions for RDS |
| Relational Database Service (RDS) (Project-level service) | Specific regions | RDS ReadOnlyAccess | Policy | Read-only permissions for RDS |
| Relational Database Service (RDS) (Project-level service) | Specific regions | RDS ManageAccess | Policy | Database administrator permissions for all operations except deleting RDS resources |
| Relational Database Service (RDS) (Project-level service) | Specific regions | RDS Administrator | Role | Full permissions for RDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Distributed Message Service (DMS) (Project-level service) | Specific regions | DMS Administrator | Role | Full permissions for DMS |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Specific regions | DMS UseAccess | Policy | Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, scaling up instances and dumping. |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Specific regions | DMS ReadOnlyAccess | Policy | Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data. |
| DMS (DMS Kafka and DMS RabbitMQ) (Project-level service) | Specific regions | DMS FullAccess | Policy | Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS. |
| Document Database Service (DDS) (Project-level service) | Specific regions | DDS FullAccess | Policy | Full permissions for DDS |
| Document Database Service (DDS) (Project-level service) | Specific regions | DDS ReadOnlyAccess | Policy | Read-only permissions for DDS |
| Document Database Service (DDS) (Project-level service) | Specific regions | DDS ManageAccess | Policy | Database administrator permissions for all operations except deleting DDS resources |
| Document Database Service (DDS) (Project-level service) | Specific regions | DDS Administrator | Role | Full permissions for DDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. If a DDS enterprise project is configured, you need to assign the DAS Admin role to users in the same project so that the users can log in to DAS from the DDS console. |
| Data Replication Service (DRS) (Project-level service) | Specific regions | DRS Administrator | Role | Full permissions for DRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Data Admin Service (DAS) (Project-level service) | Specific regions | DAS Administrator | Role | Full permissions for DAS. This role must be used together with the Tenant Guest role in the same project. |
| Application Operations Management (AOM) (Project-level service) | Specific regions | AOM FullAccess | Policy | Full permissions for AOM |
| Application Operations Management (AOM) (Project-level service) | Specific regions | AOM ReadOnlyAccess | Policy | Read-only permissions for AOM |
| Application Performance Management (APM) (Project-level service) | Specific regions | APM FullAccess | Policy | Full permissions for APM |
| Application Performance Management (APM) (Project-level service) | Specific regions | APM ReadOnlyAccess | Policy | Read-only permissions for APM |
| Software Repository for Container (SWR) (Project-level service) | Specific regions | SWR Admin | Role | Full permissions for SWR |
| Cloud Eye (Project-level service) | Specific regions | CES Administrator | Role | Full permissions for Cloud Eye. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Cloud Eye (Project-level service) | Specific regions | CES FullAccess | Policy | Administrator permissions for performing all operations on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. |
| Cloud Eye (Project-level service) | Specific regions | CES ReadOnlyAccess | Policy | Read-only permissions for viewing data on Cloud Eye. The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. |
| Web Application Firewall (WAF) (Project-level service) | Specific regions | WAF Administrator | Role | Full permissions for WAF |
| Host Security Service (HSS) (Project-level service) | Specific regions | HSS Administrator | Role | Full permissions for HSS |
| Vulnerability Scan Service (VSS) (Project-level service) | Specific regions | VSS Administrator | Role | Full permissions for VSS |
| Security Expert Service (SES) (Project-level service) | Specific regions | SES Administrator | Role | Full permissions for SES |
| Database Security Service (DBSS) (Project-level service) | Specific regions | DBSS System Administrator | Role | Full permissions for DBSS |
| Database Security Service (DBSS) (Project-level service) | Specific regions | DBSS Audit Administrator | Role | Security auditing permissions for DBSS |
| Database Security Service (DBSS) (Project-level service) | Specific regions | DBSS Security Administrator | Role | Security protection permissions for DBSS |
| Data Encryption Workshop (DEW) (Project-level service) | Specific regions | KMS Administrator | Role | Full permissions for DEW |
| Anti-DDoS (Project-level service) | Specific regions | Anti-DDoS Administrator | Role | Full permissions for Anti-DDoS. This role must be used together with the Tenant Guest role in the same project. |
| Scalable File Service (SFS) (Project-level service) | Specific regions | SFS FullAccess | Policy | Full permissions for SFS |
| Scalable File Service (SFS) (Project-level service) | Specific regions | SFS ReadOnlyAccess | Policy | Read-only permissions for SFS |
| Scalable File Service (SFS) (Project-level service) | Specific regions | SFS Administrator | Role | Full permissions for SFS. This role must be used together with the Tenant Guest role in the same project. |
| Distributed Cache Service (DCS) (Project-level service) | Specific regions | DCS FullAccess | Policy | Full permissions for DCS |
| Distributed Cache Service (DCS) (Project-level service) | Specific regions | DCS UseAccess | Policy | Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances |
| Distributed Cache Service (DCS) (Project-level service) | Specific regions | DCS ReadOnlyAccess | Policy | Read-only permissions for DCS |
| Distributed Cache Service (DCS) (Project-level service) | Specific regions | DCS Administrator | Role | Full permissions for DCS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| MapReduce Service (MRS) (Project-level service) | Specific regions | MRS FullAccess | Policy | Full permissions for MRS |
| MapReduce Service (MRS) (Project-level service) | Specific regions | MRS CommonOperations | Policy | Common user permissions for MRS operations except creating and deleting resources |
| MapReduce Service (MRS) (Project-level service) | Specific regions | MRS ReadOnlyAccess | Policy | Read-only permissions for MRS |
| MapReduce Service (MRS) (Project-level service) | Specific regions | MRS Administrator | Role | Full permissions for MRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Specific regions | SvcStg Admin | Role | Full permissions for ServiceStage, including service, application, node, stack, and pipeline management; permissions for performing operations on test resources of all users in CPTS, such as adding, deleting, modifying, and querying test resources |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Specific regions | SvcStg Developer | Role | Common user permissions for ServiceStage except node management; permissions for performing operations only on a user's own test resources, such as adding, deleting, modifying, and querying test resources |
| ServiceStage, Cloud Performance Test Service (CPTS) (Project-level service) | Specific regions | SvcStg Operator | Role | Read-only permissions for ServiceStage; read-only permissions only for a user's own test resources |
| Elastic Load Balance (ELB) (Project-level service) | Specific regions | ELB FullAccess | Policy | Full permissions for ELB |
| Elastic Load Balance (ELB) (Project-level service) | Specific regions | ELB ReadOnlyAccess | Policy | Read-only permissions for ELB |
| Elastic Load Balance (ELB) (Project-level service) | Specific regions | ELB Administrator | Role | Full permissions for ELB. This role must be used together with the Tenant Guest role in the same project. |
| NAT Gateway (Project-level service) | Specific regions | NAT FullAccess | Policy | Full permissions for NAT Gateway |
| NAT Gateway (Project-level service) | Specific regions | NAT ReadOnlyAccess | Policy | Read-only permission for NAT Gateway |
| NAT Gateway (Project-level service) | Specific regions | NAT Gateway Administrator | Role | Full permissions for NAT Gateway. This role must be used together with the Tenant Guest role in the same project. |
| Direct Connect (Project-level service) | Specific regions | Direct Connect Administrator | Role | Full permissions for Direct Connect. This role must be used together with the Tenant Guest role in the same project. |
| Cloud Backup and Recovery (CBR) (Project-level service) | Specific regions | CBR FullAccess | Policy | Administrator permissions for using all vaults and policies on CBR |
| Cloud Backup and Recovery (CBR) (Project-level service) | Specific regions | CBR BackupsAndVaultsFullAccess | Policy | Common user permissions for creating, viewing, and deleting vaults on CBR |
| Cloud Backup and Recovery (CBR) (Project-level service) | Specific regions | CBR ReadOnlyAccess | Policy | Read-only permissions for viewing data on CBR |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES Administrator | Role | Full permissions for GES. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES Manager | Role | Advanced user of GES with permissions for performing any operations on GES resources except creating and deleting graphs. This role must be used together with the Tenant Guest role in the same project. |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES Operator | Role | Permissions for viewing and accessing graphs. This role must be used together with the Tenant Guest role in the same project. |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES FullAccess | Policy | Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES Development | Policy | Operator permissions for all operations except creating and deleting graphs |
| Graph Engine Service (GES) (Project-level service) | Specific regions | GES ReadOnlyAccess | Policy | Read-only permissions for viewing resources, such as graphs, metadata, and backup data |
| Data Lake Factory (DLF) (Project-level service) | Specific regions | DLF Administrator | Role | Full permissions for DLF. This role must be used together with the Tenant Administrator role in the same project. |
| Data Lake Factory (DLF) (Project-level service) | Specific regions | DLF FullAccess | Policy | Full permissions for DLF |
| Data Lake Factory (DLF) (Project-level service) | Specific regions | DLF Development | Policy | Developer permissions for DLF. Users granted these permissions can use DLF to develop scripts and orchestrate jobs, but cannot create, delete, or modify workspaces. |
| Data Lake Factory (DLF) (Project-level service) | Specific regions | DLF OperationAndMaintenanceAccess | Policy | O&M permissions for DLF. Users granted these permissions can maintain scripts, jobs, and other resources, but cannot create, delete, or modify any resources. |
| Data Lake Factory (DLF) (Project-level service) | Specific regions | DLF ReadOnlyAccess | Policy | Read-only permissions for DLF. Users granted these permissions can only view DLF resources. |
| ModelArts (Project-level service) | Specific regions | ModelArts FullAccess | Policy | Administrator permissions for performing all operations on ModelArts |
| ModelArts (Project-level service) | Specific regions | ModelArts CommonOperations | Policy | Permissions for performing all operations except managing dedicated resource pools on ModelArts |
| Data Warehouse Service (DWS) (Project-level service) | Specific regions | DWS FullAccess | Policy | Full permissions for DWS |
| Data Warehouse Service (DWS) (Project-level service) | Specific regions | DWS ReadOnlyAccess | Policy | Read-only permissions for DWS |
| Data Warehouse Service (DWS) (Project-level service) | Specific regions | DWS Administrator | Role | Full permissions for DWS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
| Data Warehouse Service (DWS) (Project-level service) | Specific regions | DWS Database Access | Role | Permissions for accessing DWS. Users granted these permissions can generate temporary tokens for connecting to DWS cluster databases. |
| Cloud Stream Service (CS) (Project-level service) | Specific regions | CS FullAccess | Policy | Full permissions for CS |
| Cloud Stream Service (CS) (Project-level service) | Specific regions | CS CommonOperations | Policy | Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates. |
| Cloud Stream Service (CS) (Project-level service) | Specific regions | CS ReadOnlyAccess | Policy | Read-only permissions for CS. Users granted these permissions can only view CS jobs, templates, and exclusive clusters. |
| Cloud Stream Service (CS) (Project-level service) | Specific regions | CS Tenant User | Role | Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates. |
| Cloud Stream Service (CS) (Project-level service) | Specific regions | CS Tenant Admin | Role | Administrator permissions for all operations on CS, including: creating, deleting, and modifying CS jobs, templates, and exclusive clusters; allocating available clusters and quotas to users with permissions of the CS CommonOperations policy; viewing all user jobs in exclusive clusters |
| Data Lake Insight (DLI) (Project-level service) | Specific regions | DLI Service Admin | Role | Full permissions for DLI |
| Data Lake Insight (DLI) (Project-level service) | Specific regions | DLI Service User | Role | Permissions for using DLI, but not for creating resources |
| Data Ingestion Service (DIS) (Project-level service) | Specific regions | DIS Administrator | Role | Full permissions for DIS |
| Data Ingestion Service (DIS) (Project-level service) | Specific regions | DIS Operator | Role | Permissions for managing streams, such as creating and deleting streams, but not for uploading and downloading data |
| Data Ingestion Service (DIS) (Project-level service) | Specific regions | DIS User | Role | Permissions for uploading and downloading data, but not for managing streams |
| Conversational Bot Service | Specific regions | CBS Administrator | Role | Full permissions for CBS |