# Permissions

## Permission Description

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform the specified operations on cloud services based on those permissions.

- Scope: The projects to which the permissions granted to a user group will apply. Services fall into two categories:
  - Global services: Services deployed without specifying physical regions, such as Object Storage Service (OBS), are called global services. Permissions for these services must be assigned globally.
  - Region-specific projects: Services deployed in specific regions, such as Elastic Cloud Server (ECS) and Bare Metal Server (BMS), are called project-level services. Permissions for these services must be assigned in region-specific projects and will apply only to those regions.

  The scope of a group's permissions is one of the following:
  - All resources: Permissions will apply to both global services and region-specific projects, including projects created later.
  - Region-specific projects: Permissions will apply only to the region-specific projects you select.
- Type: You can grant users permissions by using roles and policies. Policies are a fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions. For details, see Permission.
  - For services that provide both policies and roles, preferentially use policies to assign permissions.
  - For services that support policy-based access control, you can create custom policies to supplement system-defined policies, allowing or denying access to specific types of resources under certain conditions.
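The following is an added illustration of the model just described; it is a constructed example, not code from the cloud provider or from this documentation. A user holds the union of the grants attached to the groups they belong to, a grant scoped to one region-specific project is invisible in every other project, and a grant scoped to global services or to all resources applies everywhere. The co-requirement map copies a few of the "must be used together with ... in the same project" notes from the tables on this page; the `Grant` and `Group` types, the group names and the project names `project-a` and `project-b` are assumptions made for the example.

```python
"""Toy model of the permission model described above: grants are attached to
user groups with a scope, users inherit the union of their groups' grants, and
some roles only take effect together with other roles in the same project.
Constructed example; not code from the cloud provider or this documentation."""
from dataclasses import dataclass, field

GLOBAL = "global"        # scope for global services such as OBS
ALL_RESOURCES = "all"    # global services plus every project, including later ones


@dataclass(frozen=True)
class Grant:
    name: str    # policy/role name as listed in the tables, e.g. "ECS FullAccess"
    kind: str    # "Policy" or "Role"
    scope: str   # GLOBAL, ALL_RESOURCES, or a region-specific project name


@dataclass
class Group:
    name: str
    grants: list = field(default_factory=list)


# "Must be used together with ... in the same project" notes copied from the
# tables on this page; only a few roles are modelled here.
CO_REQUIREMENTS = {
    "Server Administrator": {"Tenant Guest"},
    "ELB Administrator": {"Tenant Guest"},
    "VPC Administrator": {"Tenant Guest"},
    "AutoScaling Administrator": {"ELB Administrator", "CES Administrator",
                                  "Server Administrator", "Tenant Administrator"},
}

# Grants the BASE table describes as full permissions for (almost) all services.
BROAD_GRANTS = {"FullAccess", "Tenant Administrator"}


def effective_grants(user_groups, project):
    """Grants a user effectively holds in `project`, inherited from every group.
    A region-specific grant applies only in its own project; GLOBAL and
    ALL_RESOURCES grants apply everywhere."""
    return {g for grp in user_groups for g in grp.grants
            if g.scope in (GLOBAL, ALL_RESOURCES) or g.scope == project}


def required_companions(role, seen=None):
    """Transitive closure of the co-requirement notes: every role that has to be
    assigned in the same project before `role` takes effect."""
    seen = set() if seen is None else seen
    for dep in CO_REQUIREMENTS.get(role, ()):
        if dep not in seen:
            seen.add(dep)
            required_companions(dep, seen)
    return seen


def unmet_co_requirements(user_groups, project):
    """Roles held in `project` whose companion roles are not all held there."""
    held = {g.name for g in effective_grants(user_groups, project) if g.kind == "Role"}
    problems = {}
    for role in sorted(held):
        missing = required_companions(role) - held
        if missing:
            problems[role] = sorted(missing)
    return problems


def broad_grants(user_groups, project):
    """Names of broad (all-service) grants the user would hold in `project`."""
    return sorted(g.name for g in effective_grants(user_groups, project)
                  if g.name in BROAD_GRANTS)


# Constructed sample groups; "project-a"/"project-b" stand in for region-specific projects.
OPS = Group("ops", [Grant("ECS FullAccess", "Policy", "project-a"),
                    Grant("Server Administrator", "Role", "project-a")])
READERS = Group("readers", [Grant("OBS ReadOnlyAccess", "Policy", GLOBAL),
                            Grant("Tenant Guest", "Role", ALL_RESOURCES)])
AUTOSCALERS = Group("autoscalers", [Grant("AutoScaling Administrator", "Role", "project-b")])


if __name__ == "__main__":
    for project in ("project-a", "project-b"):
        print(project, sorted(g.name for g in effective_grants([OPS, READERS], project)))
    print("unmet for autoscalers:", unmet_co_requirements([AUTOSCALERS, READERS], "project-b"))
    print("broad grants needed by AutoScaling Administrator:",
          sorted(required_companions("AutoScaling Administrator") & BROAD_GRANTS))
```

Running it shows that the ECS grants from the `ops` group exist only in `project-a`, while the OBS and Tenant Guest grants follow the user into every project. It also shows that the AutoScaling Administrator role cannot take effect on its own, and that satisfying its dependencies means granting Tenant Administrator, which the BASE table describes as full permissions for all services except IAM. That is the practical reason for the page's advice to prefer policies such as AutoScaling FullAccess where a service offers both.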
## Permission Relationship

### BASE

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
BASE | Global services | FullAccess | Policy | Full permissions for all services that support policy-based authorization. |
BASE | All resources | Tenant Guest | Role | Read-only permissions for all services except IAM. |
BASE | All resources | Tenant Administrator | Role | Full permissions for all services except IAM. |
BASE | Global services | Agent Operator | Role | Permissions for switching roles to access resources of delegating accounts. |
### Compute

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS FullAccess | Policy | Full permissions for ECS. |
Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS ReadOnlyAccess | Policy | Read-only permissions for ECS. |
Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | ECS CommonOperations | Policy | Permissions for starting, stopping, restarting, and querying ECSs. |
Elastic Cloud Server (ECS) (Project-level service) | Region-specific projects | Server Administrator | Role | Full permissions for ECS. This role must be used together with the Tenant Guest role in the same project. If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project. For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted permissions with the VPC Administrator role. |
Bare Metal Server (BMS) (Project-level service) | Region-specific projects | BMS FullAccess | Policy | Full permissions for BMS. |
Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling FullAccess | Policy | Full permissions for the Auto Scaling service. |
Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling ReadOnlyAccess | Policy | Read-only permissions for AS. |
Auto Scaling (AS) (Project-level service) | Region-specific projects | AutoScaling Administrator | Role | Full permissions for all AS resources. This role must be used together with the ELB Administrator, CES Administrator, Server Administrator, and Tenant Administrator roles in the same project. |
Image Management Service (IMS) (Project-level service) | Region-specific projects | IMS FullAccess | Policy | Full permissions for IMS. |
FunctionGraph (Project-level service) | Region-specific projects | FunctionGraph FullAccess | Policy | Full permissions for FunctionGraph. |
FunctionGraph (Project-level service) | Region-specific projects | FunctionGraph ReadOnlyAccess | Policy | Read-only permissions for FunctionGraph. |
FunctionGraph (Project-level service) | Region-specific projects | FunctionGraph CommonOperations | Policy | Common operation permissions for FunctionGraph, including permissions for querying functions and triggers and invoking functions. |
FunctionGraph (Project-level service) | Region-specific projects | FunctionGraph Administrator | Role | Permissions for managing FunctionGraph functions and triggers. This role must be used together with the Tenant Guest role in the same project. |
FunctionGraph (Project-level service) | Region-specific projects | FunctionGraph Invoker | Role | Permissions for querying FunctionGraph functions and triggers. |
Dedicated Host (DeH) (Project-level service) | Region-specific projects | DeH FullAccess | Policy | Full permissions for DeH. |
Dedicated Host (DeH) (Project-level service) | Region-specific projects | DeH CommonOperations | Policy | Basic operation permissions for DeH. |
Dedicated Host (DeH) (Project-level service) | Region-specific projects | DeH ReadOnlyAccess | Policy | Read-only permissions for DeH. Users with these permissions can only query DeHs. |
### Storage

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Object Storage Service (OBS) (Global service) | Global services | OBS OperateAccess | Policy | Users with this permission can perform all operations specified by OBS ReadOnlyAccess and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs. |
Object Storage Service (OBS) (Global service) | Global services | OBS Administrator | Policy | Allows you to perform any operation on all OBS resources under the account. |
Object Storage Service (OBS) (Global service) | Global services | OBS ReadOnlyAccess | Policy | Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects. |
Object Storage Service (OBS) (Global service) | Global services | OBS Buckets Viewer | Role | Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata. |
Elastic Volume Service (EVS) (Project-level service) | Region-specific projects | EVS Admin | Role | All EVS operation permissions, including creating, deleting, and viewing EVS disks and modifying EVS disk specifications. |
Elastic Volume Service (EVS) (Project-level service) | Region-specific projects | EVS Viewer | Role | EVS read-only permissions, such as viewing EVS disks and EVS disk details. |
Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR FullAccess | Policy | Administrator permissions for using all vaults and policies on CBR. |
Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR BackupsAndVaultsFullAccess | Policy | Common user permissions for creating, viewing, and deleting vaults on CBR. |
Cloud Backup and Recovery (CBR) (Project-level service) | Region-specific projects | CBR ReadOnlyAccess | Policy | Read-only permissions for viewing data on CBR. |
Storage Disaster Recovery Service (SDRS) (Project-level service) | Region-specific projects | SDRS Administrator | Role | Full permissions for SDRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS Turbo FullAccess | Policy | All permissions of Scalable File Service (SFS Turbo). |
Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS Turbo ReadOnlyAccess | Policy | Read-only permissions for all Scalable File Service (SFS Turbo) resources. |
Scalable File Service (SFS) (Project-level service) | Region-specific projects | SFS Administrator | Role | Scalable File Service administrator. |
Cloud Server Backup Service (CSBS) (Project-level service) | Region-specific projects | CSBS Administrator | Role | Full permissions for CSBS. This role must be used together with the Server Administrator role in the same project. |
Volume Backup Service (VBS) (Project-level service) | Region-specific projects | VBS Administrator | Role | Full permissions for VBS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
### Network

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC FullAccess | Policy | Full permissions for VPC. |
Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC ReadOnlyAccess | Policy | Read-only permissions for VPC. |
Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | VPC Administrator | Role | Permissions for VPC, excluding permissions for creating, modifying, deleting, and viewing security groups and security group rules. This role must be used together with the Tenant Guest role in the same project. |
Virtual Private Cloud (VPC) (Project-level service) | Region-specific projects | Server Administrator | Role | Permissions for performing operations on EIPs, security groups, and ports. This role must be used together with the Tenant Guest role in the same project. |
Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB FullAccess | Policy | Full permissions for ELB. |
Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB ReadOnlyAccess | Policy | Read-only permissions for ELB. |
Elastic Load Balance (ELB) (Project-level service) | Region-specific projects | ELB Administrator | Role | Full permissions for ELB. This role must be used together with the Tenant Guest role in the same project. |
NAT Gateway (Project-level service) | Region-specific projects | NAT FullAccess | Policy | Full permissions for NAT Gateway. |
NAT Gateway (Project-level service) | Region-specific projects | NAT ReadOnlyAccess | Policy | Read-only permissions for NAT Gateway. |
NAT Gateway (Project-level service) | Region-specific projects | NAT GatewayAdministrator | Role | Full permissions for NAT Gateway. This role must be used together with the Tenant Guest role in the same project. |
Direct Connect (Project-level service) | Region-specific projects | Direct Connect Administrator | Role | All permissions for Direct Connect resources. For the permissions of this role to take effect, users must also have the Tenant Guest and VPC Administrator permissions. |
Direct Connect (Project-level service) | Region-specific projects | DCAAS FullAccess | Policy | Full permissions for Direct Connect. |
Direct Connect (Project-level service) | Region-specific projects | DCAAS ReadOnlyAccess | Policy | Read-only permissions for Direct Connect. |
Virtual Private Network (VPN) (Project-level service) | Region-specific projects | VPN Administrator | Role | Administrator permissions for VPN. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project. |
Virtual Private Network (VPN) (Project-level service) | Region-specific projects | VPN FullAccess | Policy | Full permissions for VPN. |
Virtual Private Network (VPN) (Project-level service) | Region-specific projects | VPN ReadOnlyAccess | Policy | Read-only permissions for VPN. |
Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS Administrator | Role | Full permissions for DNS. This role must be used together with the Tenant Guest and VPC Administrator roles in the same project. |
Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS FullAccess | Policy | Full permissions for DNS. |
Domain Name Service (DNS) (Project-level service) | Region-specific projects | DNS ReadOnlyAccess | Policy | Read-only permissions for DNS. Users granted these permissions can only view DNS resources. |
VPC Endpoint (VPCEP) (Project-level service) | Region-specific projects | VPCEndpoint Administrator | Role | Full permissions for VPCEP. This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project. |
Enterprise Router (Project-level service) | Region-specific projects | ER FullAccess | Policy | Full permissions for ER. |
Enterprise Router (Project-level service) | Region-specific projects | ER ReadOnlyAccess | Policy | Read-only permissions for ER. |
### Containers

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE FullAccess | Policy | Full permissions for CCE. |
Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE ReadOnlyAccess | Policy | Permissions to view CCE cluster resources, excluding namespace-level permissions for clusters that have Kubernetes RBAC enabled. |
Cloud Container Engine (CCE) (Project-level service) | Region-specific projects | CCE Administrator | Role | Read and write permissions for CCE clusters and all resources (including workloads and services) in the clusters. This role depends on the following permissions: for global services, OBS Buckets Viewer; for region-specific projects (the same projects), Tenant Guest, Server Administrator, ELB Administrator, SFS Administrator, SWR Admin, and APM FullAccess. Users also granted the NAT Gateway Administrator role can use NAT Gateway functions for clusters. |
Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI FullAccess | Policy | Full permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI ReadOnlyAccess | Policy | Read-only permissions for CCI. Users granted these permissions can only view CCI resources. |
Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI CommonOperations | Policy | Common user permissions for CCI. Users granted these permissions can perform all operations except creating, deleting, and modifying role-based access control (RBAC) policies, networks, and namespaced resources. |
Cloud Container Instance (CCI) (Project-level service) | Region-specific projects | CCI Administrator | Role | Administrator permissions for CCI. Users granted these permissions can create, delete, query, and update all CCI resources. |
Software Repository for Container (SWR) (Project-level service) | Region-specific projects | SWR Administrator | Role | All SWR operation permissions, including pushing and pulling images, and granting permissions. |
### Security & Compliance

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Anti-DDoS (Project-level service) | Region-specific projects | Anti-DDoS Administrator | Role | Full permissions for Anti-DDoS. This role must be used together with the Tenant Guest role in the same project. |
Anti-DDoS (Project-level service) | Region-specific projects | Anti-DDoS FullAccess | Policy | All permissions for Anti-DDoS. |
Anti-DDoS (Project-level service) | Region-specific projects | Anti-DDoS ReadOnlyAccess | Policy | Read-only permissions for Anti-DDoS. |
Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS Administrator | Role | Full permissions for HSS. |
Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS FullAccess | Policy | Full permissions for HSS. |
Host Security Service (HSS) (Project-level service) | Region-specific projects | HSS ReadOnlyAccess | Policy | Read-only permissions for HSS. |
Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS System Administrator | Role | Full permissions for DBSS. |
Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS Audit Administrator | Role | Security auditing permissions for DBSS. |
Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS Security Administrator | Role | Security protection permissions for DBSS. |
Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS FullAccess | Policy | Full permissions for DBSS. |
Database Security Service (DBSS) (Project-level service) | Region-specific projects | DBSS ReadOnlyAccess | Policy | Read-only permissions for DBSS. Users granted these permissions can only view this service and cannot configure resources in it. |
Web Application Firewall (WAF) (Project-level service) | Region-specific projects | WAF Administrator | Role | Permissions to: create and delete WAF instances; configure, enable, and disable WAF instances; modify the protection policies of WAF instances; configure alarm notification for WAF instances; query the WAF instance list and details; and authenticate the domain name of a WAF instance. |
Cloud Firewall (CFW) (Project-level service) | Region-specific projects | CFW FullAccess | Policy | Full permissions for CFW. |
### Management & Governance

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Identity and Access Management (IAM) (Global service) | Global services | IAM ReadOnlyAccess | Policy | Read-only permissions for IAM. |
Identity and Access Management (IAM) (Global service) | Global services | Agent Operator | Role | Permissions for switching roles to access services of a delegating account. |
Cloud Eye (Project-level service) | Region-specific projects | CES Administrator | Role | Administrator permissions for Cloud Eye. |
Cloud Eye (Project-level service) | Region-specific projects | CES FullAccess | Policy | Administrator permissions for Cloud Eye. Users granted these permissions can perform all operations on Cloud Eye. |
Cloud Eye (Project-level service) | Region-specific projects | CES ReadOnlyAccess | Policy | Read-only permissions for Cloud Eye. Users granted these permissions can only view Cloud Eye data. |
Application Operations Management (AOM) (Project-level service) | Region-specific projects | AOM Admin | Policy | Administrator permissions for AOM. Users granted these permissions can operate and use AOM. |
Application Operations Management (AOM) (Project-level service) | Region-specific projects | AOM Viewer | Policy | Read-only permissions for AOM. Users granted these permissions can only view AOM data. |
Application Performance Management (APM) (Project-level service) | Region-specific projects | APM FullAccess | Policy | All permissions for APM. |
Application Performance Management (APM) (Project-level service) | Region-specific projects | APM ReadOnlyAccess | Policy | Read-only permissions for APM. |
Application Performance Management (APM) (Project-level service) | Region-specific projects | APM Administrator | Role | Administrator for APM. All permissions of APM. |
Cloud Trace Service (CTS) (Project-level service) | Region-specific projects | CTS FullAccess | Policy | Full permissions for CTS. |
Cloud Trace Service (CTS) (Project-level service) | Region-specific projects | CTS ReadOnlyAccess | Policy | Read-only permissions for CTS. |
Log Tank Service (LTS) (Project-level service) | Region-specific projects | LTS Administrator | Role | Permissions to create log groups, query log groups, delete log groups, create log topics, query log topics, and delete log topics. |
Tag Management Service (TMS) (Global service) | Global services | TMS Administrator | Role | Users with this permission can create, modify, and delete predefined tags. |
Resource Template Service (RTS) (Project-level service) | Region-specific projects | RTS Administrator | Role | Operation permissions: all operations on RTS. To orchestrate a resource, users with this permission must also have the Administrator permission of the service that owns the resource. For example, users with this permission and the Server Administrator permission can create stacks for ECS, VPC, EVS, and IMS resources, and users with this permission and the ELB Administrator permission can create an ELB resource stack. |
Config (Global service) | Global services | Config FullAccess | Policy | Full permissions for Config. |
Config (Global service) | Global services | Config ReadOnlyAccess | Policy | Read-only permissions for Config. |
### Application

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Cloud Service Engine (CSE) | Region-specific projects | CES Administrator | Role | Permissions to view monitoring metrics as well as add, modify, and delete alarm rules. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy. |
Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS FullAccess | Policy | Full permissions for DCS. |
Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS UserAccess | Policy | Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances. |
Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS ReadOnlyAccess | Policy | Read-only permissions for DCS. |
Distributed Cache Service (DCS) (Project-level service) | Region-specific projects | DCS Administrator | Role | Full permissions for DCS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS UserAccess | Policy | Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, and scaling up instances and for dumping. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS ReadOnlyAccess | Policy | Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS FullAccess | Policy | Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS VPCAccess | Policy | VPC operation permissions to assign to DMS agencies. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS KMSAccess | Policy | KMS operation permissions to assign to DMS agencies. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMS ELBAccess | Policy | ELB operation permissions to assign to DMS agencies. |
Distributed Message Service (DMS) (Project-level service) | Region-specific projects | DMSAgencyCheckAccessPolicy | Policy | IAM operation permissions to assign to DMS agencies. |
Simple Message Notification (SMN) (Project-level service) | Region-specific projects | SMN Administrator | Role | Full permissions for SMN. This role must be used together with the Tenant Guest role in the same project. |
Simple Message Notification (SMN) (Project-level service) | Region-specific projects | SMN FullAccess | Policy | Full permissions for SMN. |
Simple Message Notification (SMN) (Project-level service) | Region-specific projects | SMN ReadOnlyAccess | Policy | Read-only permissions for SMN. |
API Gateway (APIG) (Project-level service) | Region-specific projects | APIG Administrator | Role | Administrator permissions for API Gateway. Users granted these permissions can use all functions of the shared and dedicated gateways. To use VPC channels, the user must also be assigned the VPC Administrator role. To use custom authentication, the user must also be assigned the FunctionGraph Administrator role. |
API Gateway (APIG) (Project-level service) | Region-specific projects | APIG FullAccess | Policy | Full permissions for API Gateway. Users granted these permissions can use all functions of dedicated API gateways. |
API Gateway (APIG) (Project-level service) | Region-specific projects | APIG ReadOnlyAccess | Policy | Read-only permissions for API Gateway. Users granted these permissions can only view dedicated API gateways. |
### Database

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS FullAccess | Policy | Full permissions for RDS. |
Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS ReadOnlyAccess | Policy | Read-only permissions for RDS. |
Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS ManageAccess | Policy | Database administrator permissions for all operations except deleting RDS resources. |
Relational Database Service (RDS) (Project-level service) | Region-specific projects | RDS Administrator | Role | Full permissions for RDS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
Document Database Service (DDS) (Project-level service) | Region-specific projects | DDS Administrator | Role | Users who have this right, plus the Tenant Guest and Server Administrator rights, can perform any operations on DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use DDS. Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances. |
Data Replication Service (DRS) (Project-level service) | Region-specific projects | DRS FullAccess | Policy | Full permissions for DRS. |
Data Replication Service (DRS) (Project-level service) | Region-specific projects | DRS ReadOnlyAccess | Policy | Read-only permissions for DRS. |
Data Replication Service (DRS) (Project-level service) | Region-specific projects | DRS Administrator | Role | Full permissions for DRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
Data Admin Service (DAS) (Project-level service) | Region-specific projects | DAS Administrator | Role | DAS administrator with full permissions. This role must be used together with the Tenant Guest role in the same project. |
Data Admin Service (DAS) (Project-level service) | Region-specific projects | DAS FullAccess | Policy | Full permissions for DAS. |
Distributed Database Middleware (DDM) (Project-level service) | Region-specific projects | DDM FullAccess | Policy | Full permissions for DDM. |
Distributed Database Middleware (DDM) (Project-level service) | Region-specific projects | DDM CommonOperations | Policy | Common permissions for DDM. Users with common permissions cannot perform the following operations: |
Distributed Database Middleware (DDM) (Project-level service) | Region-specific projects | DDM ReadOnlyAccess | Policy | Read-only permissions for DDM. |
GeminiDB (Project-level service) | Region-specific projects | GeminiDB FullAccess | Policy | Full permissions for multi-model NoSQL databases. |
GeminiDB (Project-level service) | Region-specific projects | GeminiDB ReadOnlyAccess | Policy | Read-only permissions for multi-model NoSQL databases. |
GaussDB (Project-level service) | Region-specific projects | GaussDB FullAccess | Policy | Full permissions for GaussDB. |
GaussDB (Project-level service) | Region-specific projects | GaussDB ReadOnlyAccess | Policy | Read-only permissions for GaussDB. |
### Enterprise Intelligence

Service | Scope | Policy/Role Name | Type | Description |
---|---|---|---|---|
ModelArts (Project-level service) | Region-specific projects | ModelArts FullAccess | Policy | Administrator permissions for performing all operations on ModelArts. |
ModelArts (Project-level service) | Region-specific projects | ModelArts CommonOperations | Policy | Permissions for performing all operations except managing dedicated resource pools on ModelArts. |
DataArts Studio (Project-level service) | Region-specific projects | DARTS Administrator | Role | Instance administrator who has all management permissions on a DataArts Studio instance and its workspaces, permissions of dependent services, and service operation permissions in all workspaces. |
DataArts Studio (Project-level service) | Region-specific projects | DARTS User | Role | Common user who has permissions to view a DataArts Studio instance and its workspaces, and the permissions of dependent services. After being assigned a role, a common user has the permissions of that role to perform service operations. |
MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS FullAccess | Policy | Full permissions for MRS. |
MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS CommonOperations | Policy | Common user permissions for MRS operations except creating and deleting resources. |
MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS ReadOnlyAccess | Policy | Read-only permissions for MRS. |
MapReduce Service (MRS) (Project-level service) | Region-specific projects | MRS Administrator | Role | Full permissions for MRS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |
GaussDB(DWS) (Project-level service) | Region-specific projects | DWS FullAccess | Policy | Database administrator permissions for GaussDB(DWS). Users granted these permissions can perform all operations on GaussDB(DWS). |
GaussDB(DWS) (Project-level service) | Region-specific projects | DWS ReadOnlyAccess | Policy | Read-only permissions for GaussDB(DWS). Users granted these permissions can only view GaussDB(DWS) data. |
GaussDB(DWS) (Project-level service) | Region-specific projects | DWS Administrator | Role | Database administrator permissions for GaussDB(DWS). Users granted these permissions can perform operations on all GaussDB(DWS) resources. Users granted permissions of the VPC Administrator policy can create VPCs and subnets. Users granted permissions of the Cloud Eye Administrator policy can view monitoring information of data warehouse clusters. If you need to create an agency, you also need to configure the Security Administrator permission. |
GaussDB(DWS) (Project-level service) | Region-specific projects | DWS Database Access | Role | GaussDB(DWS) database access permission. Users with this permission can generate temporary database user credentials based on IAM users to connect to the database in the GaussDB(DWS) cluster. |
Data Lake Insight (DLI) (Project-level service) | Region-specific projects | DLI Service Admin | Role | Full permissions for DLI. |
Data Lake Insight (DLI) (Project-level service) | Region-specific projects | DLI FullAccess | Policy | Full permissions for DLI. Users granted these permissions can perform all operations on DLI. |
Data Lake Insight (DLI) (Project-level service) | Region-specific projects | DLI ReadOnlyAccess | Policy | Users granted these permissions can only view the queue list, job list, job details, database list, table list, table creation statements, table fields, and job metadata such as job creation, update, and deletion. |
Cloud Search Service (CSS) (Project-level service) | Region-specific projects | CSS Administrator | Role | Full permissions for CSS. This role must be used together with the Tenant Guest and Server Administrator roles in the same project. |