fanqinying
03e77f3e5b
Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com> Co-authored-by: fanqinying <fanqinying@huawei.com> Co-committed-by: fanqinying <fanqinying@huawei.com>
19 KiB
Permissions
If you need to assign different permissions to employees in your enterprise to control their access to your enterprise switches, you can use Identity and Access Management (IAM) for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control.
With IAM, you can create IAM users and assign permissions to the users to control their access to specific resources.
If your account does not need individual IAM users for permissions management, skip this section.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see "Service Overview" in the Identity and Access Management User Guide.
Enterprise Switch Permissions
By default, new IAM users do not have any permissions assigned. You need to add them to one or more groups and attach roles to these groups so that these users can inherit permissions from the groups and perform specified operations on cloud services.
Enterprise Switch is a project-level service deployed and accessed in specific physical regions. You need to select a project for which the permissions will be granted. If you select All projects, the permissions will be granted for all the projects. You need to switch to the authorized region before accessing Enterprise Switch.
Enterprise Switch uses the same system permissions as VPC. Table 1 lists all the system-defined roles and policies supported by VPC. This VPC role is dependent on other roles. When assigning VPC roles to users, you need to also assign dependent roles for the VPC permissions to take effect.
Policy Name |
Description |
Policy Type |
Dependencies |
|---|---|---|---|
VPC FullAccess |
Full permissions for VPC. |
System-defined policy |
To use the VPC flow log function, users must also have the LTS ReadOnlyAccess permission. |
VPC ReadOnlyAccess |
Read-only permissions on VPC. |
System-defined policy |
None |
VPC Administrator |
Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules. To be granted this permission, users must also have the Tenant Guest and Server Administrator permission. |
System-defined role |
Tenant Guest and Server Administrator policies, which must be attached in the same project as VPC Administrator. |
Table 2 lists the common operations supported by system-defined identity policies for Enterprise Switch.
Operation |
VPC ReadOnlyAccess |
VPC Administrator |
VPC FullAccess |
Tenant Guest |
|---|---|---|---|---|
Creating an enterprise switch |
Not supported |
Supported |
Not supported |
Not supported |
Modifying an enterprise switch |
Not supported |
Supported |
Not supported |
Not supported |
Deleting an enterprise switch |
Not supported |
Supported |
Not supported |
Not supported |
Viewing an enterprise switch |
Not supported |
Supported |
Not supported |
Supported |
Creating a Layer 2 connection |
Not supported |
Supported |
Not supported |
Not supported |
Modifying a Layer 2 connection |
Not supported |
Supported |
Not supported |
Not supported |
Deleting a Layer 2 connection |
Not supported |
Supported |
Not supported |
Not supported |
Viewing a Layer 2 connection |
Not supported |
Supported |
Not supported |
Supported |
Viewing specifications |
Not supported |
Supported |
Not supported |
Supported |
Viewing quotas |
Not supported |
Supported |
Not supported |
Supported |
Viewing the AZ |
Not supported |
Supported |
Not supported |
Supported |
Binding a virtual IP address |
Not supported |
Supported |
Not supported |
Not supported |
Unbinding a virtual IP address |
Not supported |
Supported |
Not supported |
Not supported |