How to set the permission of VPC
How do you set IAM permissions to meet the customer's requirement?
The customer needs a sub-user that has all permissions except those for VPC (the sub-user can't change the security group).
This is the best practice on Huawei Cloud; you can follow this guide to implement it.
1. Log in > console > IAM > create a sub-user:
2. Create a user group
3. Add the new sub-user to this group
4. Click Permissions to create the custom policy. (Apply for the permission first.)
After you have the permission, you will see some default permissions and can also create new ones yourself.
5. Create a new policy > set the name > choose project-level services > choose Deny
6. Search “VPC”
7. Choose the actions you want to deny:
For this requirement, choose “readwrite”; the sub-user then can't read or write the VPC configuration.
All permissions are listed here:
8. Go back to the user group and click “more” > “manage permissions”
9. Ensure that you already added the user:
10. Add the permissions for sub-user
11. Assign the 1st permission: Scope (Bangkok region) > search “Tenant” > choose “Tenant administrator”
12. Assign the 2nd permission (the most important one, which forbids the sub-user from changing the VPC configuration): choose the custom policy we just created.
13. Now we can test the permissions we set:
Use the link to log in as a sub-user:
14. Log in as a sub-user and choose some services to test the permissions:
15. Click “VPC” and try to create a new VPC
16. It will show that you don’t have the permission:
17. Try to change the existing VPC; it will show that you don't have the permission:
You can't even change the name of the VPC:
Now that you have set the permission you need, let's try more:
1) How do you set a permission that grants only the VPC permissions?
2) How do you set a permission that grants all permissions?
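Steps 11 and 12 work together because an explicit Deny takes precedence over an Allow when the group's policies are evaluated. The Python sketch below is an added example, not code from the original post or from Huawei Cloud: it models that rule with two constructed policy documents, and the action names and the treatment of Tenant Administrator as a single broad Allow are assumptions for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed documents in the custom-policy JSON shape (service:resource:operation).
# Assumption: the Tenant Administrator system role is modelled as one broad Allow.
TENANT_ADMIN = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}]}')
DENY_VPC = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Deny", "Action": ["vpc:*:*"]}]}')

# Illustrative action names used as test probes (assumed, not taken from the post).
MUST_DENY = ["vpc:vpcs:create", "vpc:vpcs:update", "vpc:securityGroups:create"]
MUST_ALLOW = ["ecs:servers:list", "evs:volumes:list"]

def matches(action, pattern):
    """Compare segment by segment; '*' is a wildcard inside one segment."""
    a, p = action.split(":"), pattern.split(":")
    return len(a) == len(p) and all(fnmatchcase(x, y) for x, y in zip(a, p))

def evaluate(action, policies):
    """Simplified model: any matching Deny wins, else Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(matches(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def audit(policies, must_deny, must_allow):
    """Return the actions whose result contradicts the intended access."""
    wrong = [a for a in must_deny if evaluate(a, policies) == "Allow"]
    wrong += [a for a in must_allow if evaluate(a, policies) != "Allow"]
    return wrong

if __name__ == "__main__":
    # Group with both policies attached (steps 11 and 12): nothing to report.
    print("both policies:", audit([TENANT_ADMIN, DENY_VPC], MUST_DENY, MUST_ALLOW))
    # Group where step 12 was skipped: every VPC action is still allowed.
    print("step 12 skipped:", audit([TENANT_ADMIN], MUST_DENY, MUST_ALLOW))
```

An empty list from `audit` means the group behaves as intended; any action it returns is either a VPC operation that slipped through or another service that was blocked by mistake.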