Permissions Management¶
If you need to assign different permissions to employees in your enterprise to access your DRS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you to have a secure access to cloud resources.
With IAM, you can use your cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use DRS resources but must not delete DRS tasks or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DRS resources.
If your account does not need individual IAM users for permissions management, you may skip over this topic.
IAM can be used free of charge. You pay only for the resources in your cloud account. For more information about IAM, see IAM Service Overview.
DRS Permissions¶
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
DRS is a project-level service deployed and accessed in specific physical regions. To assign DRS permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing DRS, users need to switch to a region where they have been authorized to use DRS.
You can grant users permissions by using roles and policies.
Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant ECS users only the permissions for managing a certain type of ECSs. Most fine-grained policies are API-based.
Table 1 lists all the system policies supported by DRS.
Policy Name/System Role | Description | Type | Dependency |
---|---|---|---|
Security Administrator | Security administrator To improve your experience with DRS, add the Security Administrator permission using IAM in case some functions become unavailable, such as scheduled task startup, automatic ending of full-migration tasks, and automatic retry of failed tasks. | System-defined role | None |
DRS Administrator | DRS administrator Basic permission, which must be added when DRS is used. | System role | Dependent on the Tenant Guest, Server Administrator, and RDS Administrator roles.
|
DRS FullAccess | Full permissions for DRS | System policy | Dependent on the VPC FullAccess, RDS ReadOnlyAccess, and SMN Administrator, OBS Administrator, and EPS ReadOnlyAccess policies.
|
DRS ReadOnlyAccess | Read-only permissions for DRS resources. | System policy | Configure the following policies as required: RDS ReadOnlyAccess: This parameter needs to be configured when RDS is selected. SMN Administrator: This parameter needs to be configured when SMN is selected. |
DRS FullWithOutDeletePermission | All permissions on DRS except the deletion permission | System Policy | Dependent on the VPC FullAccess, RDS ReadOnlyAccess, and SMN Administrator, and OBS Administrator policies.
|
Table 2 lists the common operations supported by the DRS system policy.
Procedure | DRS FullAccess | DRS ReadOnlyAccess | DRS Administrator | DRS FullWithOutDeletePermission |
---|---|---|---|---|
Creating a task | Y | x | Y | Y |
Editing a task | Y | x | Y | Y |
Deleting a task | Y | x | Y | x |
Starting a task | Y | x | Y | Y |
Retrying a task | Y | x | Y | Y |
Stopping a task | Y | x | Y | Y |
Table 3 lists common DRS operations and corresponding actions. You can refer to this table to customize permission policies.
Permission | Actions | Remarks |
---|---|---|
Performing operations on tasks. | drs:migrationJob:action | The VPC FullAccess permission for the project is required. If the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Stopping a task | drs:migrationJob:terminate | Permissions required for the project: VPC FullAccess RDS ReadOnlyAccess |
Modifying a migration task | drs:migrationJob:modify | Permission required for selecting VPCs and subnets on the GUI: VPC FullAccess Permission required for selecting RDS on the GUI: RDS ReadOnlyAccess |
Creating a migration task | drs:migrationJob:create | Permission required for selecting VPCs and subnets on the GUI: VPC FullAccess Permission required for selecting RDS on the GUI: RDS ReadOnlyAccess |
Deleting a migration task | drs:migrationJob:delete | None |
Updating the database user information. | drs:migrationJob:modifyUserInfo | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the following permission for the project: RDS ReadOnlyAccess |
Controlling the migration speed | drs:migrationJob:setMigrationTransSpeed | None |
Modify database parameters | drs:dataBaseParams:modify | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Updating the data processing information | drs:dataTransformation:update | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Adding the data processing information | drs:dataTransformation:add | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Deleting the data processing data | drs:dataTransformation:delete | None |
Updating the database object selection information | drs:migrationJob:update | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Updating the task configuration | drs:migrationJob:updateJobConfig | None |
Updating the DDL filtering policy. | drs:migrationJob:updateDDLPolicy | None |
Modifying the comparison policy | drs:healthCompare:modify | None |
Stopping a comparison task | drs:healthCompare:stop | None |
Creating an object-level table comparison task | drs:migrationCompareJob:create | None |
Canceling a data-level table comparison task | drs:migrationCompareJob:delete | None |
Immediately starting a data-level table comparison task | drs:migrationCompareJob:start | None |
Cleaning up resources | drs:cleanJob:clean | The VPC FullAccess permission is required. |
Verifying the backup task name. | drs:backupMigrationJob:check | None |
Verifying data processing | drs:dataTransformation:check | None |
Verifying online task names | drs:migrationJob:check | None |
Obtaining database parameters | drs:databaseParameters:get | None |
Querying operation results | drs:job:getResult | None |
Querying the data processing information | drs:migrationTransformationJob:get | None |
Obtaining the task pre-check results | drs:precheckJob:get | None |
Obtaining the object-level migration comparison overview | drs:compareJob:getOverview | None |
Querying data-level table comparison tasks | drs:compareJob:list | None |
Querying data-level table comparison results | drs:compareJob:getResult | None |
Obtaining object-level migration comparison details | drs:compareJob:getDetails | None |
Querying details about a data-level table comparison task | drs:compareJob:getContentsInfo | None |
Querying the estimated time of a comparison task | drs:compareJob:getEstimateTime | None |
Querying the value comparison overview. | drs:compareJob:getContentOverview | None |
Querying the row comparison overview | drs:compareJob:getLineOverview | None |
Querying row comparison details | drs:compareJob:getLineDetail | None |
Querying value comparison details | drs:compareJob:getContentDetail | None |
Querying value comparison differences | drs:compareJob:getContentDiff | None |
Obtaining the online migration task list | drs:migrationJob:list | None |
Obtaining the online migration task details | drs:migrationJob:get | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Obtaining the object-level migration comparison overview | drs:migrationJob:getCompareStruct | None |
Obtaining the data-level stream comparison | drs:migrationJob:getStreamComparison | None |
Obtaining the source database user list | drs:migrationJob:getSrcUsers | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Obtaining the migration progress of a specified migration task | drs:migrationJob:getSpecifiedProgress | None |
Obtaining the database affected time of a specified task. | drs:migrationJob:getEffectTime | None |
Querying the migration progress | drs:migrationJobs:getProgress | None |
Processing data | drs:migrationJob:action | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Starting a task | drs:migrationJob:action | The VPC FullAccess permission is required. |
Querying task details | drs:migrationJob:get | The read permission for the corresponding instance is required. For example, if the RDS database is used, you need to configure the RDS ReadOnlyAccess permission for the project. |
Querying task statuses | drs:migrationJob:get | None |
Querying resource tags | drs:tag:get | None |
Deleting resource tags | drs:tags:delete | None |
Adding a resource tag | drs:tag:add | None |
Modifying resource tags | drs:tag:modify | None |
Obtaining migration logs | drs:migrationJob:getLog | None |