Creating a User and Granting Permissions
This section describes how to use IAM to implement fine-grained permissions control for your Enterprise Router resources. With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
If your account does not need individual IAM users, you may skip this topic. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign policies or roles to these groups.
If the authorization scope is set to IAM projects only, the custom policy will take effect only for user groups in IAM projects.
IAM provides functions such as identity authentication, permissions management, and access control. On the IAM console, you can create IAM users and assign permissions to control their access to specific resources.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management.
User: An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
name "password": "********", // IAM user password "domain": { "name": "domainname" // Name of the account that the IAM user belongs to } } } }, "scope"
Identity and Access Management (IAM)
You can use IAM to assign different permissions to different users to control their access to enterprise router resources.
Quota Management
Permission | API | Action | IAM Project | Enterprise Project
Querying quotas | GET /v3/{project_id}/enterprise-router/quotas | er:quotas:list | √ | √
Parent topic: Permissions Policies and Supported Actions
Other Types of Attachments
Permission | API | Action | IAM Project | Enterprise Project
Updating an attachment | PUT /v3/{project_id}/enterprise-router/{er_id}/attachments/{attachment_id} | er:attachments:update | √ | √
Querying details about an attachment | GET /v3/{project_id}/enterprise-router/{
Associations
Permission | API | Action | IAM Project | Enterprise Project
Creating an association | POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/associate | er:associations:associate | √ | √
Querying the association list | GET /v3/{project_id}/enterprise-router/{er_id
Propagations
Permission | API | Action | IAM Project | Enterprise Project
Creating a propagation | POST /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id}/enable-propagations | er:propagations:enable | √ | √
Querying the propagation list | GET /v3/{project_id}/enterprise-router
Enterprise Routers
Permission | API | Action | IAM Project | Enterprise Project
Creating an enterprise router | POST /v3/{project_id}/enterprise-router/instances | er:instances:create | √ | √
Updating an enterprise router | PUT /v3/{project_id}/enterprise-router/instances/{enterprise_router_id} | er:
Route Tables
Permission | API | Action | IAM Project | Enterprise Project
Creating a route table | POST /v3/{project_id}/enterprise-router/{er_id}/route-tables | er:routeTables:create | √ | √
Updating a route table | PUT /v3/{project_id}/enterprise-router/{er_id}/route-tables/{route_table_id} | er:routeTables
Tags
Permission | API | Action | IAM Project | Enterprise Project
Querying tags by resource type | GET /v3/{project_id}/{resource_type}/tags | er:tags:list | √ | √
Querying resource tags | GET /v3/{project_id}/{resource_type}/{resource_id}/tags | er:tags:get | √ | √
Creating a resource tag | POST /v3/{project_id
Routes
Permission | API | Action | IAM Project | Enterprise Project
Creating a static route | POST /v3/{project_id}/enterprise-router/route-tables/{route_table_id}/static-routes | er:routes:create | √ | √
Updating a static route | PUT /v3/{project_id}/enterprise-router/route-tables/{route_table_id}
Flow Logs
Permission | API | Action | IAM Project | Enterprise Project
Creating a flow log | POST /v3/{project_id}/enterprise-router/{er_id}/flow-logs | er:flowlogs:create | √ | √
Querying the flow log list | GET /v3/{project_id}/enterprise-router/{er_id}/flow-logs | er:flowlogs:list | √ | √
Querying details
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
Key Operations Recorded by CTS Permissions You can use Identity and Access Management (IAM) to set different permissions for employees in your enterprise to control their access to enterprise routers.