Policies and groups#
A user must be explicitly granted rights to work with a particular K2 Cloud service. Rights are granted by assigning policies, each of which describes a set of allowed actions. A user is usually assigned several policies, so the user's rights are the union of those policies. Each policy is stored as a JSON document.
Instead of assigning rights to each user separately, K2 Cloud uses groups. Like a user, a group can be assigned policies. When a user is included in a group, the user receives all the rights of that group. A user can be a member of more than one group. Rights obtained through groups are combined with the rights granted to the user by individually assigned policies.
Policies and groups are divided into global and project-specific ones, depending on which services they authorize actions with. Global policies grant rights to global services, while project-specific policies grant rights to project services. Policies of both types cannot be assigned to the same group, i.e. a group is either global or project-specific. When a project policy is assigned to a user, or a user is included in a project group, the project in which the user receives the corresponding rights is specified.
Attention
We recommend managing user privileges through groups rather than through individually assigned policies: you avoid assigning policies to each user separately, and a change to the group's policies applies to all its members at once.
Policies#
Policies describe a set of permissions for actions that a user can perform on cloud resources. For example, a user may be allowed to start and stop instances, but not to delete them.
Policies can be global or project-specific depending on which services they authorize actions with. Permissions for services of different types cannot be combined in a single policy. When assigning a project-specific policy to a user, you must specify the project in which the privileges are granted.
You can use predefined policies provided by K2 Cloud or define your own ones. The following policies are available in K2 Cloud by default:
Global policies:

| Policy | Description |
|---|---|
| BillingFullAccess | Full access to billing information |
| IAMFullAccess | Full set of permissions to administer users, projects, and groups under IAM |

Project policies:

| Policy | Description |
|---|---|
| AutoScalingFullAccess | Full set of permissions to work with instance groups and manage scaling policies |
| BackupFullAccess | Full set of permissions to manage backup operations |
| BackupOperationsPolicy | All actions with recovery points except for deletion |
| CloudTrailFullAccess | Full set of permissions to work with the activity log |
| CloudWatchFullAccess | Full set of permissions to operate the monitoring service |
| CloudWatchReadOnlyAccess | Permissions to view the monitoring service |
| EC2FullAccess | Full set of permissions to manage the infrastructure service |
| EC2ReadOnlyAccess | Permissions to view the infrastructure service |
| EFSFullAccess | Full set of permissions to work with Elastic File System |
| EKSCSIPolicy | Permissions required by the EBS provider's service user to manage volumes |
| EKSFullAccess | Full set of permissions to manage Kubernetes clusters |
| ELBFullAccess | Full set of permissions to manage load balancers |
| PaaSBackupPolicy | Permissions required by a PaaS service to make backup copies |
| PaaSFullAccess | Full set of permissions to manage all PaaS services |
| RCFullAccess | Full set of privileges to access the remote console via web |
| RCReadOnlyAccess | Privileges to view the remote console via web |
| Route53FullAccess | Full set of privileges to manage the DNS service |
| S3FullAccess | Full set of grants to operate with cloud object storage |
Important
The CloudTrailFullAccess policy gives a user access to the activity log events of all projects of the company, regardless of which project the user has been added to. Assign it only to users who should see activity across the whole company.
Create a policy#
Go to the section IAM Policies.
Click Create.
Specify the policy name and select its type (global or project-specific). You can also add a policy description (optional). Click Next to go the next step.
Select the service for which you want to add permissions. To allow all possible actions for that service, select the * (asterisk) entry; note that this grants every action of the service, so prefer listing the specific actions the user needs. Click Select to add the actions to the selection list. To add permissions for another service, repeat this step.
Note
The policy wizard provides the ability to set and edit a policy directly in JSON format. To do so, go to the next step by clicking Edit JSON.
Once you have selected all the allowed actions, click Create.
Edit permissions#
You can edit a policy's permissions at any time. When you add permissions, every user to whom the policy is assigned, directly or through a group, gets the corresponding privileges at once. For example, if you add the permission to delete instances, all of them will be able to delete instances. Removing a permission from a policy does not guarantee that the privilege is revoked, however: a user keeps it if another policy assigned to the user, or a group the user belongs to, still grants it. Before relying on a removal, check which other policies and groups grant the same action.
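The two rules above (rights are the union of direct and group grants; removing a permission from one policy does not revoke it for users who get it elsewhere) are easiest to see with a small resolver. The following Python is an added example, not K2 Cloud code and not its policy JSON format: the "service:Action" naming, the "service:*" wildcard standing for the wizard's * choice, the policy InstanceOps, the users and the project names are assumptions; EC2FullAccess, IAMFullAccess and CloudAdministrators are names from the tables on this page. It answers the two questions to ask before editing or deleting a policy: who can still perform an action after the change, and which assignments must be removed first (the precondition stated under Delete a policy below).

```python
"""Effective-rights resolver for a K2 Cloud-style IAM model.

Added example; not K2 Cloud's code and not its policy JSON format. Assumed model:
- an action is written "service:Action"; a policy may hold "service:*" (the
  wizard's "*" choice), meaning every action of that service;
- a policy is typed "global" or "project" and holds a set of allowed actions;
- a user receives a policy directly or through a group; for project types the
  grant names a project, for global types the scope is the string "global".
"""
from collections import defaultdict
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str            # "global" or "project"
    actions: frozenset   # e.g. {"ec2:StartInstances"} or {"ec2:*"}

    def allows(self, action: str) -> bool:
        # fnmatchcase handles the "*" wildcard without regex escaping concerns
        return any(fnmatchcase(action, pattern) for pattern in self.actions)


@dataclass
class Group:
    name: str
    kind: str
    policies: set = field(default_factory=set)


class Tenant:
    def __init__(self):
        self.policies = {}           # policy name -> Policy
        self.groups = {}             # group name -> Group
        self.user_policies = set()   # (user, policy name, scope)
        self.user_groups = set()     # (user, group name, scope)

    def attach_to_group(self, group: str, policy: str) -> None:
        """A group is either global or project-specific; mixing types is rejected."""
        g, p = self.groups[group], self.policies[policy]
        if g.kind != p.kind:
            raise ValueError(f"policy {p.name} is {p.kind}, group {g.name} is {g.kind}")
        g.policies.add(policy)

    def grants(self, user: str, scope: str):
        """Yield (policy name, path) for every policy that reaches user in scope."""
        for u, p, s in sorted(self.user_policies):
            if (u, s) == (user, scope):
                yield p, "direct"
        for u, g, s in sorted(self.user_groups):
            if (u, s) == (user, scope):
                for p in sorted(self.groups[g].policies):
                    yield p, f"group:{g}"

    def who_can(self, action: str, scope: str, ignore=()) -> dict:
        """Users allowed `action` in `scope`, each mapped to the paths granting it.
        Policies named in `ignore` are treated as if they no longer held the action."""
        users = {u for u, _, _ in self.user_policies} | {u for u, _, _ in self.user_groups}
        result = defaultdict(list)
        for user in sorted(users):
            for policy, path in self.grants(user, scope):
                if policy not in ignore and self.policies[policy].allows(action):
                    result[user].append(f"{path}/{policy}")
        return dict(result)

    def still_allowed_after_removal(self, policy: str, action: str, scope: str) -> set:
        """Users who keep `action` in `scope` after it is removed from `policy`,
        because another policy or a group still grants it."""
        return set(self.who_can(action, scope, ignore=(policy,)))

    def delete_blockers(self, policy: str) -> dict:
        """Assignments that must be removed before `policy` can be deleted."""
        return {
            "users": sorted((u, s) for u, p, s in self.user_policies if p == policy),
            "groups": sorted(g.name for g in self.groups.values() if policy in g.policies),
        }


def sample_tenant() -> Tenant:
    """Constructed sample data. EC2FullAccess, IAMFullAccess and CloudAdministrators
    are names from the page; InstanceOps, alice/bob/carol and prod/dev are made up."""
    t = Tenant()
    t.policies["EC2FullAccess"] = Policy("EC2FullAccess", "project", frozenset({"ec2:*"}))
    t.policies["IAMFullAccess"] = Policy("IAMFullAccess", "global", frozenset({"iam:*"}))
    t.policies["InstanceOps"] = Policy(
        "InstanceOps", "project", frozenset({"ec2:StartInstances", "ec2:StopInstances"}))
    t.groups["CloudAdministrators"] = Group("CloudAdministrators", "project")
    t.attach_to_group("CloudAdministrators", "EC2FullAccess")
    t.user_policies |= {("alice", "InstanceOps", "prod"), ("bob", "InstanceOps", "prod")}
    t.user_groups |= {("alice", "CloudAdministrators", "prod"),
                      ("carol", "CloudAdministrators", "dev")}
    return t


if __name__ == "__main__":
    t = sample_tenant()
    print(t.who_can("ec2:StopInstances", "prod"))
    # Removing StopInstances from InstanceOps only affects bob; alice keeps it via the group.
    print(t.still_allowed_after_removal("InstanceOps", "ec2:StopInstances", "prod"))
    print(t.delete_blockers("InstanceOps"))
```

In the sample, alice can stop instances in prod both through InstanceOps and through CloudAdministrators (EC2FullAccess), so removing the action from InstanceOps leaves her rights unchanged; only bob loses it, and carol, who holds the same group membership in dev, has no rights in prod at all. The type check in attach_to_group mirrors the rule that a group cannot mix global and project policies.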
Important
Predefined policies cannot be modified.
To modify permissions granted by a policy:
Go to the section IAM Policies.
Select a relevant policy in the resource table and click Modify permissions.
In the new window, select the service for which you want to modify permissions. To add permissions, select actions in the Available permissions block and click Add. To remove permissions, select actions in the Selected permissions block and click Delete.
If you want to change permissions for actions with another service, repeat this step.
Note
The policy wizard provides the ability to set and edit a policy directly in JSON format. To do so, go to the next step by clicking Edit JSON.
Once you have selected all the allowed actions, click Create.
You can also modify permissions at the policy page in the Permissions tab.
View a policy in JSON format#
Go to the section IAM Policies.
Select a policy you want to view in the resource table and click Show JSON.
You can modify the policy, if necessary. To do so, click Modify permissions to go to policy edit dialog.
Once you have viewed the policy, click Close.
Delete a policy#
A policy can be deleted only after it has been detached everywhere: remove it from all users to whom it is assigned and from all groups to which it is added first.
Note
Predefined policies cannot be deleted.
Go to the section IAM Policies.
Select a policy you want to delete and click Delete.
In the dialog window, confirm the action.
Alternatively, you can delete a policy on its page in the Information tab.
Groups#
Using groups allows you to grant the same privileges to all members of a group at once, rather than assigning them to each user individually. When a user is included in a group, the user gets all the privileges the group grants. When the group's policies are changed, the privileges of all users in the group change automatically.
A group's privileges are determined by the policies assigned to it. Depending on its type (global or project-specific), a group can only be assigned policies of the same type. When you include users in a project group, you specify the project in which they are granted the group's privileges.
You can use predefined groups provided by K2 Cloud or create your own ones. The following groups are available in K2 Cloud by default:
| Group | Type | Description | Applicable policies |
|---|---|---|---|
| ActivityLogAdministrators | Project | Full set of privileges to work with the Activity log service | CloudTrailFullAccess |
| AutoScalingAdministrators | Project | Full set of privileges to work with the Auto Scaling service | AutoScalingFullAccess |
| BackupAdministrators | Project | Full set of privileges to manage backup operations | BackupFullAccess |
| BackupOperators | Project | All actions with recovery points except for deletion | BackupOperationsPolicy |
| BillingAdministrators | Global | Full access to billing information | BillingFullAccess |
| CloudAdministrators | Project | Full set of privileges to work with all project resources, except for accessing the Activity log service and deleting recovery points | AutoScalingFullAccess |
| ELBAdministrators | Project | Full set of privileges to work with load balancers | ELBFullAccess |
| IAMAdministrators | Global | Full set of privileges to administer users and projects under IAM | IAMFullAccess |
| InstanceAdministrators | Project | Full set of privileges to work with instances | CloudWatchFullAccess |
| InstanceViewers | Project | Required privileges to view instances | CloudWatchReadOnlyAccess |
| ObjectStorageAdministrators (object storage administrators) | Project | Full set of grants to operate with cloud object storage | S3FullAccess |
| Route53Administrators (DNS service administrators) | Project | Full set of privileges to work with the DNS service | Route53FullAccess |
Create a group#
Go to the section IAM Groups.
Click Create.
In the window that opens, specify the group name and select its type (global or project-specific). Click Next to go to the next step.
In the policies list, check the policies to assign to the group and click Select. To revert the selection, check the policies in the Selected policies block and click Remove.
Click Create to create the group.
Modify assigned policies#
You can change the set of policies assigned to a group after it has been created. Doing so immediately changes the privileges of every user who is a member of the group.
Important
You cannot change the set of policies assigned to the predefined group.
Add policies to a group#
Go to the section IAM Groups.
Find the group in the resource table and click the group name to go to its page.
Open the Policies tab and click Add.
In the window that opens, check the policies to be added and click Select.
Click Add to save the changes.
Delete policies from a group#
Go to the section IAM Groups.
Find the group in the resource table and click the group name to go to its page.
Open the Policies tab.
In the resource list, select the policies to be deleted and click Delete.
In the dialog window, confirm the action.
Change the group members#
Add users to a group#
When adding users to a project group, you must specify the project in which they will be granted the privileges of the group.
Go to the section IAM Groups.
Find the group in the resource table and click the group name to go to its page.
Open the Users tab and click Create.
For a project group, select the project to which users will be added and click Next. This step is not available for a global group.
Check the users to be granted privileges and click Select.
Click Add to add the users to the group.
Delete users from a group#
In a project group, one user can have privileges in several projects. To remove a user from the group entirely, delete the user in every project where the group grants them privileges.
Go to the section IAM Groups.
Find the group in the resource table and click the group name to go to its page.
Open the Users tab.
Select users you want to delete from the group in the resource table and click Delete.
In the dialog window, confirm the action.
Revoke group privileges in a project#
To revoke group privileges in a particular project in a project group:
Go to the section IAM Groups.
Find the group in the resource table and click the group name to go to its page.
Open the Users tab and select the desired project in the project selector.
Select a user or users to be deprived of group privileges and click Delete.
In the dialog window, confirm the action.
Delete a group#
Note
To delete a group, first delete all users from it.
Go to the section IAM Groups.
In the resource table, select the group to be deleted and click Delete.
In the dialog window, confirm the action.
You can also delete a specific group on its page in the Information tab.