Permissions Management

If you need to assign different permissions to employees in your enterprise to access your DRS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to have a secure access to cloud resources.

With IAM, you can use your cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use DRS resources but must not delete DRS tasks or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DRS resources.

If your account does not need individual IAM users for permissions management, you may skip over this topic.

IAM can be used free of charge. You pay only for the resources in your cloud account. For more information about IAM, see IAM Service Overview.

DRS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

DRS is a project-level service deployed and accessed in specific physical regions. To assign DRS permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing DRS, users need to switch to a region where they have been authorized to use DRS.

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.

  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant ECS users only the permissions for managing a certain type of ECSs. Most fine-grained policies are API-based.

Table 1 lists all the system policies supported by DRS.

Table 1 System-defined roles and policies supported by DRS

Policy Name/System Role

Description

Type

Dependency

Security Administrator

Security administrator

To improve your experience with DRS, add the Security Administrator permission using IAM in case some functions become unavailable, such as scheduled task startup, automatic ending of full-migration tasks, and automatic retry of failed tasks.

System-defined role

None

DRS Administrator

DRS administrator

Basic permission, which must be added when DRS is used.

System role

Dependent on the Tenant Guest, Server Administrator, and RDS Administrator roles.

  • Tenant Guest: A project-level role, which must be assigned in the same project.

  • Server Administrator: A project-level role, which must be assigned in the same project.

  • RDS Administrator: A project-level role, which must be assigned in the same project.

DRS FullAccess

Full permissions for DRS

System policy

Dependent on the VPC FullAccess, RDS ReadOnlyAccess, and SMN Administrator, OBS Administrator, and EPS ReadOnlyAccess policies.

  • VPC FullAccess: This parameter needs to be configured when the VPC and subnet are selected.

  • RDS ReadOnlyAccess: This parameter needs to be configured when RDS is selected.

  • SMN Administrator: This parameter needs to be configured when SMN is selected.

  • OBS Administrator: This parameter needs to be configured when bucket information is selected for a backup task.

  • EPS ReadOnlyAccess: This parameter needs to be configured when an enterprise project is selected.

DRS ReadOnlyAccess

Read-only permissions for DRS resources.

System policy

Configure the following policies as required:

RDS ReadOnlyAccess: This parameter needs to be configured when RDS is selected.

SMN Administrator: This parameter needs to be configured when SMN is selected.

DRS FullWithOutDeletePermission

All permissions on DRS except the deletion permission

System Policy

Dependent on the VPC FullAccess, RDS ReadOnlyAccess, and SMN Administrator, and OBS Administrator policies.

  • VPC FullAccess: This parameter needs to be configured when the VPC and subnet are selected.

  • RDS ReadOnlyAccess: This parameter needs to be configured when RDS is selected.

  • SMN Administrator: This parameter needs to be configured when SMN is selected.

  • OBS Administrator: This parameter needs to be configured when bucket information is selected for a backup task.

Table 2 lists the common operations supported by the DRS system policy.

Table 2 Common operations supported by the DRS system policy

Procedure

DRS FullAccess

DRS ReadOnlyAccess

DRS Administrator

DRS FullWithOutDeletePermission

Creating a task

Y

x

Y

Y

Editing a task

Y

x

Y

Y

Deleting a task

Y

x

Y

x

Starting a task

Y

x

Y

Y

Retrying a task

Y

x

Y

Y

Stopping a task

Y

x

Y

Y

Table 3 lists common DRS operations and corresponding actions. You can refer to this table to customize permission policies.

Table 3 Common operations and supported actions

Permission

Actions

Remarks

Performing operations on tasks.

drs:migrationJob:action

The VPC FullAccess permission for the project is required.

If the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Stopping a task

drs:migrationJob:terminate

Permissions required for the project:

VPC FullAccess

RDS ReadOnlyAccess

Modifying a migration task

drs:migrationJob:modify

Permission required for selecting VPCs and subnets on the GUI:

VPC FullAccess

Permission required for selecting RDS on the GUI:

RDS ReadOnlyAccess

Creating a migration task

drs:migrationJob:create

Permission required for selecting VPCs and subnets on the GUI:

VPC FullAccess

Permission required for selecting RDS on the GUI:

RDS ReadOnlyAccess

Deleting a migration task

drs:migrationJob:delete

None

Updating the database user information.

drs:migrationJob:modifyUserInfo

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the following permission for the project: RDS ReadOnlyAccess

Controlling the migration speed

drs:migrationJob:setMigrationTransSpeed

None

Modify database parameters

drs:dataBaseParams:modify

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Updating the data processing information

drs:dataTransformation:update

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Adding the data processing information

drs:dataTransformation:add

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Deleting the data processing data

drs:dataTransformation:delete

None

Updating the database object selection information

drs:migrationJob:update

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Updating the task configuration

drs:migrationJob:updateJobConfig

None

Updating the DDL filtering policy.

drs:migrationJob:updateDDLPolicy

None

Modifying the comparison policy

drs:healthCompare:modify

None

Stopping a comparison task

drs:healthCompare:stop

None

Creating an object-level table comparison task

drs:migrationCompareJob:create

None

Canceling a data-level table comparison task

drs:migrationCompareJob:delete

None

Immediately starting a data-level table comparison task

drs:migrationCompareJob:start

None

Cleaning up resources

drs:cleanJob:clean

The VPC FullAccess permission is required.

Verifying the backup task name.

drs:backupMigrationJob:check

None

Verifying data processing

drs:dataTransformation:check

None

Verifying online task names

drs:migrationJob:check

None

Obtaining database parameters

drs:databaseParameters:get

None

Querying operation results

drs:job:getResult

None

Querying the data processing information

drs:migrationTransformationJob:get

None

Obtaining the task pre-check results

drs:precheckJob:get

None

Obtaining the object-level migration comparison overview

drs:compareJob:getOverview

None

Querying data-level table comparison tasks

drs:compareJob:list

None

Querying data-level table comparison results

drs:compareJob:getResult

None

Obtaining object-level migration comparison details

drs:compareJob:getDetails

None

Querying details about a data-level table comparison task

drs:compareJob:getContentsInfo

None

Querying the estimated time of a comparison task

drs:compareJob:getEstimateTime

None

Querying the value comparison overview.

drs:compareJob:getContentOverview

None

Querying the row comparison overview

drs:compareJob:getLineOverview

None

Querying row comparison details

drs:compareJob:getLineDetail

None

Querying value comparison details

drs:compareJob:getContentDetail

None

Querying value comparison differences

drs:compareJob:getContentDiff

None

Obtaining the online migration task list

drs:migrationJob:list

None

Obtaining the online migration task details

drs:migrationJob:get

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Obtaining the object-level migration comparison overview

drs:migrationJob:getCompareStruct

None

Obtaining the data-level stream comparison

drs:migrationJob:getStreamComparison

None

Obtaining the source database user list

drs:migrationJob:getSrcUsers

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Obtaining the migration progress of a specified migration task

drs:migrationJob:getSpecifiedProgress

None

Obtaining the database affected time of a specified task.

drs:migrationJob:getEffectTime

None

Querying the migration progress

drs:migrationJobs:getProgress

None

Processing data

drs:migrationJob:action

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Starting a task

drs:migrationJob:action

The VPC FullAccess permission is required.

Querying task details

drs:migrationJob:get

The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project.

Querying task statuses

drs:migrationJob:get

None

Querying resource tags

drs:tag:get

None

Deleting resource tags

drs:tags:delete

None

Adding a resource tag

drs:tag:add

None

Modifying resource tags

drs:tag:modify

None

Obtaining migration logs

drs:migrationJob:getLog

None