Huawei Cloud Stack 8.3.1 Solution Description 04

User Roles and Permissions

ManageOne Operation Portal (ManageOne Operation Portal for Admins in B2B scenarios) provides role management and access control for cloud services. Role management refers to management of users and user groups. Access control refers to management of their permissions.

ManageOne Operation Portal (ManageOne Operation Portal for Admins in B2B scenarios) allows users to control access to RDS resources. One or more of the permissions listed in Table 15-9 can be assigned to a user who needs to use RDS.

RDS Permissions

Table 15-9 lists all the system-defined roles and policies supported by RDS.

Table 15-9 RDS system permissions

| Policy Name/System Role | Description | Category |
|---|---|---|
| RDS FullAccess | Full permissions for RDS | System-defined policy |
| RDS ReadOnlyAccess | Read-only permissions for RDS | System-defined policy |

  • Some RDS functions also require permissions of other services. For example, when creating an RDS instance, you also need read-only permissions of the VPC and security group. You can obtain such read-only permissions using the default role Tenant Guest assigned to you.
  • To perform resource-related operations, such as creating an RDS instance, changing a single instance to a primary/standby instance, and changing the instance class, you need the Tenant Administrator permission.

Table 15-10 lists the common operations supported by each RDS system policy.

Table 15-10 Common operations supported by RDS system policies

| Operation | RDS FullAccess | RDS ReadOnlyAccess |
|---|---|---|
| Creating an RDS instance | √ | × |
| Deleting an RDS instance | √ | × |
| Querying RDS instances | √ | √ |

Table 15-11 lists common RDS operations and corresponding actions. You can refer to this table to customize permission policies.

Table 15-11 Common operations and supported actions

| Operation | Actions | Remarks |
|---|---|---|
| Creating a DB instance | rds:instance:create, rds:param:list | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. To create an encrypted instance, configure the KMS Administrator permission for the project. |
| Changing DB instance specifications | rds:instance:modifySpec | N/A |
| Scaling up storage space | rds:instance:extendSpace | N/A |
| Changing a DB instance type from single to primary/standby | rds:instance:singleToHa | If the original single DB instance is encrypted, you need to configure the KMS Administrator permission in the project. |
| Rebooting a DB instance | rds:instance:restart | N/A |
| Deleting a DB instance | rds:instance:delete | N/A |
| Querying a DB instance list | rds:instance:list | N/A |
| Querying DB instance details | rds:instance:list | If the VPC, subnet, and security group are displayed in the DB instance list, you need to configure vpc:*:get and vpc:*:list. |
| Changing a DB instance password | rds:password:update | N/A |
| Changing a database port | rds:instance:modifyPort | N/A |
| Changing a floating IP address | rds:instance:modifyIp | To query the list of unused IP addresses, also configure vpc:subnets:get and vpc:ports:get. |
| Changing a DB instance name | rds:instance:modify | N/A |
| Changing a maintenance window | rds:instance:modify | N/A |
| Performing a manual switchover | rds:instance:switchover | N/A |
| Changing the replication mode | rds:instance:modifySynchronizeModel | N/A |
| Changing the failover priority | rds:instance:modifyStrategy | N/A |
| Changing a security group | rds:instance:modifySecurityGroup | N/A |
| Binding or unbinding an EIP | rds:instance:modifyPublicAccess | To query public IP addresses, also configure vpc:publicIps:get and vpc:publicIps:list. |
| Modifying the recycling policy | rds:instance:setRecycleBin | Users who have enabled the enterprise project function cannot modify the recycling policy based on enterprise project authorization. To modify the recycling policy, the project-based rds:instance:setRecycleBin permission is required. |
| Querying the recycling policy | rds:instance:list | N/A |
| Enabling or disabling SSL | rds:instance:modifySSL | N/A |
| Enabling or disabling event scheduler | rds:instance:modifyEvent | N/A |
| Configuring read/write splitting | rds:instance:modifyProxy | N/A |
| Applying for a private domain name | rds:instance:createDns | N/A |
| Migrating a standby DB instance to another AZ | rds:instance:create | Standby DB instance migration involves operations on the IP address in the subnet. For encrypted DB instances, you need to configure the KMS Administrator permission in the project. |
| Restoring tables to a specified point in time | rds:instance:tableRestore | N/A |
| Configuring TDE permission | rds:instance:tde | N/A |
| Changing host permission | rds:instance:modifyHost | N/A |
| Querying hosts of the corresponding database account | rds:instance:list | N/A |
| Obtaining a parameter template list | rds:param:list | N/A |
| Creating a parameter template | rds:param:create | N/A |
| Modifying parameters in a parameter template | rds:param:modify | N/A |
| Applying a parameter template | rds:param:apply | N/A |
| Modifying parameters of a specified DB instance | rds:param:modify | N/A |
| Obtaining the parameter template of a specified DB instance | rds:param:list | N/A |
| Obtaining parameters of a specified parameter template | rds:param:list | N/A |
| Deleting a parameter template | rds:param:delete | N/A |
| Resetting a parameter template | rds:param:reset | N/A |
| Comparing parameter templates | rds:param:list | N/A |
| Saving parameters in a parameter template | rds:param:save | N/A |
| Querying a parameter template type | rds:param:list | N/A |
| Setting an automated backup policy | rds:instance:modifyBackupPolicy | N/A |
| Querying an automated backup policy | rds:instance:list | N/A |
| Creating a manual backup | rds:backup:create | N/A |
| Obtaining a backup list | rds:backup:list | N/A |
| Obtaining the link for downloading a backup file | rds:backup:download | N/A |
| Deleting a manual backup | rds:backup:delete | N/A |
| Replicating a backup | rds:backup:create | N/A |
| Querying the restoration time range | rds:instance:list | N/A |
| Restoring data to a new DB instance | rds:instance:create | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. |
| Restoring data to an existing or original DB instance | rds:instance:restoreInPlace | N/A |
| Obtaining the binlog clearing policy | rds:binlog:get | N/A |
| Merging binlog files | rds:binlog:merge | N/A |
| Downloading a binlog file | rds:binlog:download | N/A |
| Deleting a binlog file | rds:binlog:delete | N/A |
| Configuring a binlog clearing policy | rds:binlog:setPolicy | N/A |
| Querying a database error log | rds:log:list | N/A |
| Querying a database slow log | rds:log:list | N/A |
| Downloading a database error log | rds:log:download | N/A |
| Downloading a database slow log | rds:log:download | N/A |
| Enabling or disabling the audit log function | rds:auditlog:operate | N/A |
| Obtaining an audit log list | rds:auditlog:list | N/A |
| Querying the audit log policy | rds:auditlog:list | N/A |
| Obtaining the link for downloading an audit log | rds:auditlog:download | N/A |
| Obtaining a switchover log | rds:log:list | N/A |
| Creating a database | rds:database:create | N/A |
| Querying details about databases | rds:database:list | N/A |
| Querying authorized databases of a specified user | rds:database:list | N/A |
| Dropping a database | rds:database:drop | N/A |
| Creating a database account | rds:databaseUser:create | N/A |
| Querying details about database accounts | rds:databaseUser:list | N/A |
| Querying authorized accounts of a specified database | rds:databaseUser:list | N/A |
| Deleting a database account | rds:databaseUser:drop | N/A |
| Authorizing a database account | rds:databasePrivilege:grant | N/A |
| Revoking permissions of a database account | rds:databasePrivilege:revoke | N/A |
| Viewing a task center list | rds:task:list | N/A |
| Deleting a task from the task center | rds:task:delete | N/A |
| Managing a tag | rds:instance:modify | N/A |
| Configuring autoscaling | rds:instance:extendSpace | To enable autoscaling, configure the following for the IAM users instead of your Huawei account: (1) create a custom policy containing iam:agencies:listAgencies, iam:agencies:createAgency, iam:permissions:listRolesForAgencyOnProject, iam:permissions:grantRoleToGroupOnProject, and iam:roles:listRoles; (2) add the system role Security Administrator: select a user group to which the user belongs, click Authorize in the Operation column, and add the Security Administrator role. |
| Querying the storage autoscaling policy | rds:instance:list | N/A |
| Stopping or starting a DB instance | rds:instance:operateServer | N/A |
| Stopping an instance | rds:instance:stop | N/A |
| Starting an instance | rds:instance:start | N/A |
| Modifying the remarks of a database account | rds:databaseUser:update | Only available to RDS for MySQL 8.0.25 and later versions. |
| Querying tags | rds:tag:list | N/A |
| Enabling or disabling anomaly collection | rds:exceptionSnapshotConfig:modify | N/A |
| Obtaining anomaly snapshots | rds:exceptionSnapshot:get | N/A |
| Querying the status of the anomaly snapshot switch | rds:exceptionSnapshotConfig:get | N/A |
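When Table 15-11 is used to draft a custom policy, the practical question is whether the actions actually granted to a user group match what its operations require: nothing missing (the operation fails), nothing unused, and no wildcard that silently covers actions the group does not need. The following script is an added example and not part of the Huawei documentation or product; it transcribes a subset of Table 15-11 into a mapping, assumes action names keep the service:resource:verb form shown in the table and that a `*` segment matches one segment (as in the vpc:*:get remark), and records the KMS Administrator note as a required system role. The operation names, the mapping subset, and the sample policy are constructed for illustration.

```python
# Added example (not Huawei code): least-privilege check of an RDS custom
# policy against the operation-to-action mapping from Table 15-11.
from fnmatch import fnmatchcase

# Subset of Table 15-11 transcribed for the example: operation -> actions it
# needs, including the cross-service VPC actions named in the Remarks column.
OPERATION_ACTIONS = {
    "Creating a DB instance": [
        "rds:instance:create", "rds:param:list",
        "vpc:vpcs:list", "vpc:vpcs:get", "vpc:subnets:get", "vpc:securityGroups:get",
    ],
    "Deleting a DB instance": ["rds:instance:delete"],
    "Querying a DB instance list": ["rds:instance:list"],
    "Querying DB instance details": ["rds:instance:list"],
    "Creating a manual backup": ["rds:backup:create"],
    "Obtaining a backup list": ["rds:backup:list"],
    "Querying a database slow log": ["rds:log:list"],
    "Downloading a database slow log": ["rds:log:download"],
}

# Remarks that call for a project-level system role rather than an action.
OPERATION_ROLES = {
    "Creating a DB instance": "KMS Administrator (only for encrypted instances)",
}

# Every action the transcribed subset knows about; used to judge wildcard grants.
KNOWN_ACTIONS = {a for acts in OPERATION_ACTIONS.values() for a in acts}


def action_matches(pattern: str, action: str) -> bool:
    """Does a granted pattern cover an action?  Matching is per colon-separated
    segment (assumption), so vpc:*:get covers vpc:subnets:get but neither
    vpc:subnets:list nor rds:instance:list, and rds:* covers nothing with
    three segments."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    return len(p_parts) == len(a_parts) and all(
        fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def required_actions(operations):
    """Union of the actions the listed operations need, per the mapping."""
    needed = set()
    for op in operations:
        if op not in OPERATION_ACTIONS:
            raise KeyError(f"operation not in the mapping: {op!r}")
        needed.update(OPERATION_ACTIONS[op])
    return needed


def check_policy(granted, operations):
    """Compare granted action patterns with what the operations require.

    Returns a dict with:
      missing   - required actions that no granted pattern covers
      unused    - granted patterns that cover no required action
      overbroad - granted patterns that cover a required action but also a
                  known action the operations do not need (pattern -> extras)
      roles     - system roles the Remarks column additionally requires
    """
    needed = required_actions(operations)

    def covers(pattern):
        return {a for a in needed if action_matches(pattern, a)}

    missing = sorted(a for a in needed
                     if not any(action_matches(g, a) for g in granted))
    unused = sorted(g for g in granted if not covers(g))
    overbroad = {}
    for g in granted:
        if not covers(g):
            continue
        extras = sorted(a for a in KNOWN_ACTIONS - needed if action_matches(g, a))
        if extras:
            overbroad[g] = extras
    roles = sorted(OPERATION_ROLES[op] for op in operations if op in OPERATION_ROLES)
    return {"missing": missing, "unused": unused, "overbroad": overbroad, "roles": roles}


if __name__ == "__main__":
    # Constructed scenario: a backup-operator group that should only list
    # instances and manage manual backups, given a policy drafted with wildcards.
    ops = ["Querying a DB instance list", "Creating a manual backup", "Obtaining a backup list"]
    granted = ["rds:backup:*", "rds:instance:*", "rds:log:download"]
    for key, value in check_policy(granted, ops).items():
        print(f"{key}: {value}")
```

In the constructed scenario the report flags rds:instance:* as overbroad (it also covers rds:instance:create and rds:instance:delete) and rds:log:download as unused, while rds:backup:* is accepted because every action it covers is required. Extending OPERATION_ACTIONS with the remaining rows of Table 15-11 makes the overbroad check correspondingly stricter, since KNOWN_ACTIONS grows with it.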

Creating a User Group and Assigning Permissions

  1. Log in to ManageOne as an operation administrator using a browser.

    URL in non-B2B scenarios: https://Domain name of ManageOne Operation Portal, for example, https://console.demo.com

    URL in B2B scenarios: https://Domain name of ManageOne Operation Portal for Admins, for example, https://admin.demo.com

    URL of the unified portal: https://Domain name of the ManageOne unified portal, for example, https://console.demo.com/moserviceaccesswebsite/unifyportal#/home. On the homepage, choose Cloud Service Management Center to go to ManageOne Operation Portal.
    • Login using a password: Enter the username and password.
      • Default username of the operation administrator: bss_admin
      • Default password: See the default password of the account for logging in to ManageOne Operation Portal, ManageOne Operation Portal for Admins, or ManageOne Unified Portal on the "Type A (Portal)" sheet in Huawei Cloud Stack 8.3.1 Account List.

  2. Choose Organization > VDCs. On the displayed page, select the target VDC user and click the VDC name.
  3. In the navigation pane, click User Groups. Then, click Create.

  4. In the displayed dialog box, configure the required parameters and click OK.

    • Type: Select Custom.
    • User Group Name: The name consists of 1 to 64 characters and cannot start with a digit. It can contain only letters, digits, hyphens (-), and underscores (_), and cannot be admin, power_user, or guest.
    • Description: The description can contain 0 to 255 characters.

  5. After the creation is complete, click Assign Permissions in the Operation column.

  6. On the displayed page, select the object to be authorized and click Next.
  7. Select the required policies (system-defined policies or user-defined policies created in Creating a Custom Policy) and click OK.

    After selecting the required policies:

    • To obtain read-only permissions of IaaS services, select Tenant Guest.
    • To perform resource-related operations (such as creating an RDS instance, changing a single instance to a primary/standby instance, and changing the instance class), select Tenant Administrator.

Creating a Custom Policy

The service has multiple built-in operation controls. You can allow or deny some operations and apply policies to user groups.

  1. Log in to ManageOne as an operation administrator using a browser.

    URL in non-B2B scenarios: https://Domain name of ManageOne Operation Portal, for example, https://console.demo.com

    URL in B2B scenarios: https://Domain name of ManageOne Operation Portal for Admins, for example, https://admin.demo.com

    URL of the unified portal: https://Domain name of the ManageOne unified portal, for example, https://console.demo.com/moserviceaccesswebsite/unifyportal#/home. On the homepage, choose Cloud Service Management Center to go to ManageOne Operation Portal.
    • Login using a password: Enter the username and password.
      • Default username of the operation administrator: bss_admin
      • Default password: See the default password of the account for logging in to ManageOne Operation Portal, ManageOne Operation Portal for Admins, or ManageOne Unified Portal on the "Type A (Portal)" sheet in Huawei Cloud Stack 8.3.1 Account List.

  2. Choose Organization > Roles.
  3. Click Create in the upper left corner of the page.

    Figure 15-2 Roles

  4. On the displayed page, configure related parameters.

    Figure 15-3 Creating a custom policy
    Table 15-12 Parameters for creating a custom policy

    | Parameter | Description |
    |---|---|
    | Name | The system provides a default policy name, for example, policy-RDS. You can change it. |
    | Tenant | Select a tenant. |
    | Scope | Global services: global services that can be accessed in any region. Resource space services: services that are deployed in regions and provide resources. |
    | Description | (Optional) Enter a description for the custom policy. |
    | Permission Configuration | Domain: Cloud services. Platform: choose Huawei Cloud Stack > Relational Database Service (RDS). Scope: select All or Read-only as required. Action: select Permit or Reject as required. You can click Add Permission Configuration to add more permission configurations for the role. |

  5. Click Confirm.

Update Date: 2025-08-11
Document ID: EDOC1100372275