Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: qinweiwei <qinweiwei@huawei.com> Co-committed-by: qinweiwei <qinweiwei@huawei.com>
67 lines
9.3 KiB
HTML
<a name="dew_01_0135"></a>
<h1 class="topictitle1">Creating a User and Authorizing the User the Permission to Access DEW</h1>
<div id="body1557739025604"><p id="dew_01_0135__p42518416717">This section describes IAM's fine-grained permissions management for your DEW resources. With IAM, you can:</p>
<ul id="dew_01_0135__ul85672198415"><li id="dew_01_0135__li356710192413">Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.</li><li id="dew_01_0135__li155677191444">Grant users only the permissions required to perform a task.</li><li id="dew_01_0135__li1228204419810">Entrust an account or cloud service to perform efficient O&M on your KMS resources.</li></ul>
<p id="dew_01_0135__p218629171015">If your account does not need individual IAM users, skip this chapter.</p>
<p id="dew_01_0135__p156801910419">This section describes the procedure for granting permissions (see <a href="#dew_01_0135__fig23111471897">Figure 1</a>).</p>
<div class="section" id="dew_01_0135__section121325115513"><h4 class="sectiontitle">Prerequisites</h4><p id="dew_01_0135__p189502021161412">Before granting permissions to a user group, understand which DEW permissions are available and grant only those that your actual scenario requires. The following table lists the permissions supported in DEW.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="dew_01_0135__table159711515155618" frame="border" border="1" rules="all"><caption><b>Table 1 </b>DEW permissions</caption><thead align="left"><tr id="dew_01_0135__dew_01_0018_row1735318551813"><th align="left" class="cellrowborder" valign="top" width="34.73%" id="mcps1.3.5.3.2.4.1.1"><p id="dew_01_0135__dew_01_0018_p9353175515119">Role/Policy</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="44.31%" id="mcps1.3.5.3.2.4.1.2"><p id="dew_01_0135__dew_01_0018_p135320551113">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="20.96%" id="mcps1.3.5.3.2.4.1.3"><p id="dew_01_0135__dew_01_0018_p23531655713">Type</p>
</th>
</tr>
</thead>
<tbody><tr id="dew_01_0135__dew_01_0018_row1535320551819"><td class="cellrowborder" valign="top" width="34.73%" headers="mcps1.3.5.3.2.4.1.1 "><p id="dew_01_0135__dew_01_0018_p135375510114">KMS Administrator</p>
</td>
<td class="cellrowborder" valign="top" width="44.31%" headers="mcps1.3.5.3.2.4.1.2 "><p id="dew_01_0135__dew_01_0018_p1535318551415">Administrator permissions for the encryption key</p>
</td>
<td class="cellrowborder" valign="top" width="20.96%" headers="mcps1.3.5.3.2.4.1.3 "><p id="dew_01_0135__dew_01_0018_p435319550116">Role</p>
</td>
</tr>
<tr id="dew_01_0135__dew_01_0018_row173535551818"><td class="cellrowborder" valign="top" width="34.73%" headers="mcps1.3.5.3.2.4.1.1 "><p id="dew_01_0135__dew_01_0018_p153532551912">KMS CMKFullAccess</p>
</td>
<td class="cellrowborder" valign="top" width="44.31%" headers="mcps1.3.5.3.2.4.1.2 "><p id="dew_01_0135__dew_01_0018_p535455513112">All permissions for the encryption keys</p>
</td>
<td class="cellrowborder" valign="top" width="20.96%" headers="mcps1.3.5.3.2.4.1.3 "><p id="dew_01_0135__dew_01_0018_p1235415557118">Policy</p>
</td>
</tr>
<tr id="dew_01_0135__dew_01_0018_row74361151122916"><td class="cellrowborder" valign="top" width="34.73%" headers="mcps1.3.5.3.2.4.1.1 "><p id="dew_01_0135__dew_01_0018_p4436135117297">KMS CMK Admin</p>
</td>
<td class="cellrowborder" valign="top" width="44.31%" headers="mcps1.3.5.3.2.4.1.2 "><p id="dew_01_0135__dew_01_0018_p16436195172917">All permissions for the encryption keys</p>
</td>
<td class="cellrowborder" valign="top" width="20.96%" headers="mcps1.3.5.3.2.4.1.3 "><p id="dew_01_0135__dew_01_0018_p4572133510301">Policy</p>
</td>
</tr>
<tr id="dew_01_0135__dew_01_0018_row878163103113"><td class="cellrowborder" valign="top" width="34.73%" headers="mcps1.3.5.3.2.4.1.1 "><p id="dew_01_0135__dew_01_0018_p1781113153118">KMS CMKReadOnlyAccess</p>
</td>
<td class="cellrowborder" valign="top" width="44.31%" headers="mcps1.3.5.3.2.4.1.2 "><p id="dew_01_0135__dew_01_0018_p2781163193120">Read-only permission for encryption keys</p>
</td>
<td class="cellrowborder" valign="top" width="20.96%" headers="mcps1.3.5.3.2.4.1.3 "><p id="dew_01_0135__dew_01_0018_p13597337133111">Policy</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="dew_01_0135__section882111167912"><h4 class="sectiontitle">Authorization Process</h4><div class="fignone" id="dew_01_0135__fig23111471897"><a name="dew_01_0135__fig23111471897"></a><a name="fig23111471897"></a><span class="figcap"><b>Figure 1 </b>Authorizing the DEW access permission to a user</span><br><span><img class="vsd" id="dew_01_0135__image731144710916" src="en-us_image_0220982951.png"></span></div>
<ol id="dew_01_0135__ol4600941100"><li id="dew_01_0135__li960014441019"><a name="dew_01_0135__li960014441019"></a><a name="li960014441019"></a><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.<p id="dew_01_0135__p160013481013">Create a user group on the IAM console and grant the user group the <span class="parmvalue" id="dew_01_0135__parmvalue354961174510"><b>KMS CMKFullAccess</b></span> permission (indicating full permissions for keys).</p>
</li><li id="dew_01_0135__li1360016421015"><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Create a user and add it to a user group.</a><p id="dew_01_0135__p860013441018">Create a user on the IAM console and add the user to the user group created in <a href="#dew_01_0135__li960014441019">1</a>.</p>
</li><li id="dew_01_0135__li86001745102"><a href="https://docs.otc.t-systems.com/usermanual/iam/iam_01_0032.html" target="_blank" rel="noopener noreferrer">Log in as the created user</a> and verify permissions.<p id="dew_01_0135__p1160010415103">Log in to the console as the newly created user and verify that the user has only the assigned permissions.</p>
</li></ol>
</div>
<div class="section" id="dew_01_0135__section722171853810"><h4 class="sectiontitle"><span id="dew_01_0135__text16717173511171">Tenant Guest Roles</span></h4><p id="dew_01_0135__p19707124093513">If you have configured <span id="dew_01_0135__text437764912510">Tenant Guest</span> permissions for the IAM account, apart from the read-only permissions for all cloud services except Identity and Access Management (IAM), you also have the following KMS permissions:</p>
<ul id="dew_01_0135__ul4776455153913"><li id="dew_01_0135__li17776105543912"><span id="dew_01_0135__text142952214146"><strong id="dew_01_0135__b81778262167">kms:cmk:create</strong></span>: <span id="dew_01_0135__text399027202110">Create a key.</span></li><li id="dew_01_0135__li2776125516394"><span id="dew_01_0135__text8931143551416"><strong id="dew_01_0135__b1152119298165">kms:cmk:createDataKey</strong></span>: <span id="dew_01_0135__text570164132717">Create a DEK.</span></li><li id="dew_01_0135__li13776855163919"><span id="dew_01_0135__text13563543161420"><strong id="dew_01_0135__b563113328168">kms:cmk:createDataKeyWithoutPlaintext</strong></span>: <span id="dew_01_0135__text311941442718">Create a plaintext-free DEK.</span></li><li id="dew_01_0135__li8776355123917"><span id="dew_01_0135__text2787251131412"><strong id="dew_01_0135__b97521028152711">kms:cmk:encryptDataKey</strong>: <span id="dew_01_0135__text775332819271">Encrypt the DEK.</span></span></li><li id="dew_01_0135__li1877613553398"><span id="dew_01_0135__text171161133202710"><strong id="dew_01_0135__b78979374168"><span id="dew_01_0135__text142911502156">kms:cmk:decryptDataKey</span></strong>:</span> <span id="dew_01_0135__text9349936152711">Decrypt a DEK.</span></li><li id="dew_01_0135__li1177711552392"><span id="dew_01_0135__text1462040172715"><span id="dew_01_0135__text2023617181510"><strong id="dew_01_0135__b11249841171617">kms:cmk:retireGrant</strong></span></span>: <span id="dew_01_0135__text9179164311274">Retire a grant.</span></li><li id="dew_01_0135__li67771555390"><span id="dew_01_0135__text188081464271"><span id="dew_01_0135__text420211184158"><strong id="dew_01_0135__b156491943141617">kms:cmk:decryptData</strong></span></span>: <span id="dew_01_0135__text582055012712">Decrypt data.</span></li><li id="dew_01_0135__li57774557395"><span id="dew_01_0135__text166415582716"><span id="dew_01_0135__text10186172610154"><strong id="dew_01_0135__b1624917462160">kms:cmk:encryptData</strong></span></span>: 
<span id="dew_01_0135__text19562257182715">Encrypt data.</span></li><li id="dew_01_0135__li127771355143911"><span id="dew_01_0135__text4881116282"><span id="dew_01_0135__text2189111611248"><strong id="dew_01_0135__b928710203243">kms::generateRandom</strong></span></span>: <span id="dew_01_0135__text1657864172813">Generate a random number.</span></li></ul>
<p id="dew_01_0135__p1705171514405">If you want to assign the Tenant Guest role to an IAM user but do not want that user to have the preceding KMS permissions, configure a custom deny policy for the IAM user. For details about how to configure a custom policy, see <a href="dew_01_0161.html">Creating a Custom KMS Policy</a>.</p>
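<p>The following is an added example, not code from the OTC documentation or from the DEW/KMS service. It models how a custom deny policy removes the Tenant Guest KMS permissions listed above: an explicit Deny statement takes precedence over any Allow, and an action matched by no statement is implicitly denied. The policy document shape (<code>"Version": "1.1"</code> with <code>Effect</code>/<code>Action</code> statements) follows the IAM custom-policy format; the Tenant Guest allow statements are constructed to mirror the role's description on this page, not the service's real definition, and the <code>evaluate</code> and <code>effective_kms_actions</code> helpers are assumptions of this example.</p>

```python
"""Simulate IAM policy evaluation for the Tenant Guest KMS actions.

Added illustration, not service code. Rule modelled: explicit Deny beats
Allow, and an action that no statement matches is implicitly denied.
"""
import fnmatch
import json

# The KMS actions the page lists for the Tenant Guest role.
TENANT_GUEST_KMS_ACTIONS = [
    "kms:cmk:create",
    "kms:cmk:createDataKey",
    "kms:cmk:createDataKeyWithoutPlaintext",
    "kms:cmk:encryptDataKey",
    "kms:cmk:decryptDataKey",
    "kms:cmk:retireGrant",
    "kms:cmk:decryptData",
    "kms:cmk:encryptData",
    "kms::generateRandom",
]

# Constructed model of Tenant Guest: read-only on all services except IAM,
# plus the KMS actions above. Not the real role definition.
TENANT_GUEST_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["*:*:get*", "*:*:list*"]},
        {"Effect": "Allow", "Action": TENANT_GUEST_KMS_ACTIONS},
        {"Effect": "Deny", "Action": ["iam:*:*"]},
    ],
}

# Custom deny policy (assumed format) that strips those KMS actions again.
CUSTOM_DENY_POLICY_JSON = json.dumps(
    {
        "Version": "1.1",
        "Statement": [{"Effect": "Deny", "Action": TENANT_GUEST_KMS_ACTIONS}],
    },
    indent=2,
)


def load_policy(text):
    """Parse a policy document from its JSON text."""
    return json.loads(text)


def _statement_matches(stmt, action):
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    # Wildcards such as "*:*:get*" are matched with shell-style globbing.
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in actions)


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Every statement of every attached policy is inspected; the first explicit
    Deny ends evaluation, otherwise any Allow wins over the implicit default.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_kms_actions(policies):
    """Which of the listed KMS actions remain allowed under the policy set."""
    return [a for a in TENANT_GUEST_KMS_ACTIONS if evaluate(policies, a) == "Allow"]


if __name__ == "__main__":
    guest_only = [TENANT_GUEST_POLICY]
    guest_with_deny = [TENANT_GUEST_POLICY, load_policy(CUSTOM_DENY_POLICY_JSON)]
    print("Tenant Guest alone keeps:", effective_kms_actions(guest_only))
    print("With custom deny policy:", effective_kms_actions(guest_with_deny))
    print("kms:cmk:get stays:", evaluate(guest_with_deny, "kms:cmk:get"))
```

<p>Run the module directly to see the two policy sets side by side: with the role alone all nine KMS actions are allowed, with the deny policy attached none of them is, while read actions such as <code>kms:cmk:get</code> remain allowed because the deny statement does not name them. This is the check step 3 of the authorization process asks for, expressed as a table-top evaluation rather than a console login.</p>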
</div>
</div>