Permissions
Permission Description
Permissions fall into two categories: user management and cloud service management. User management covers creating, deleting, and modifying users and granting permissions to users. Cloud service management covers creating, viewing, modifying, and deleting cloud service resources. When user management or cloud service management permissions are granted to a user group, every user added to that group inherits the group's permissions. Granting permissions at the user group level simplifies permission management.
Permission Relationship
Default Permissions
The system provides two types of default permissions: user management and cloud service management.
Node Name | Permission Name | Description |
---|---|---|
Base | Security Administrator | Users with this permission can: Create, delete, and modify users. Grant permissions to users. |
IAM | Agent Operator | Users with this permission can switch to an entrusted user for processing services. |
Note
Currently, policies only support fine-grained authorization of ECS, EVS, and VPC. ECS Admin, ECS User, ECS Viewer, EVS Admin, EVS Viewer, VPC Admin, and VPC Viewer are preset fine-grained authorization policies.
Permission Name | Managed Cloud Resource | Description |
---|---|---|
Agent Operator | Identity and Access Management | Permissions for switching roles to access resources of delegating accounts. |
IAM ReadOnlyAccess | Identity and Access Management | Read-only permissions for IAM. |
CBR FullAccess | Cloud Backup and Recovery | Administrator permissions for CBR. Users granted these permissions can operate and use all vaults, backups, and policies. |
CBR BackupsAndVaultsFullAccess | Cloud Backup and Recovery | Common user permissions for CBR. Users granted these permissions can create, view, and delete vaults and backups, but cannot create, update, or delete policies. |
CBR ReadOnlyAccess | Cloud Backup and Recovery | Read-only permissions for CBR. Users granted these permissions can only view CBR data. |
CCE Admin | Cloud Container Engine | Read and write permissions for CCE clusters, including creating, deleting, and updating a cluster. |
CCE Administrator | Cloud Container Engine | All permissions related to CCE service resources. Users who use this permission must have Tenant Guest, Server Administrator, OBS Tenant Administrator, and ELB Administrator permissions. |
CCE Viewer | Cloud Container Engine | Read-only permissions for CCE clusters. |
CES Administrator | Cloud Eye | Permissions to view monitoring metrics as well as add, modify, and delete alarm rules. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy. |
CSBS Administrator | Cloud Server Backup Service | Permissions to create, restore, and delete backups of ECSs, and manage backup policies. The creation, restoration, and management permissions depend on the Server Administrator permission. If the Server Administrator permission is unavailable, ECS information cannot be obtained when users create or restore backups, or when they associate ECSs with backup policies. |
CSS Administrator | Cloud Search Service | Management permissions on all CSS resources. The permissions depend on the Tenant Guest and Server Administrator permissions. CSS cannot run properly if either of the permissions is unavailable. |
CTS Administrator | Cloud Trace Service | Full permissions for CTS. This policy depends on the Tenant Guest policy in the same project and the Tenant Administrator policy in the OBS project. |
DCS Administrator | Distributed Cache Service | Permissions to: Create, start, stop, restart, and delete DCS instances. Change passwords of DCS instances. Configure DCS instance parameters. |
DDS Administrator | Document Database Service | Users who have this right, plus Tenant Guest and Server Administrator rights, can perform any operations on DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use DDS. Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances. |
DIS Administrator | Data Ingestion Service | Permissions to: Create, delete, query, and list DIS streams. Push data to DIS streams or pull data from them. Query stream monitoring metrics. |
DMS Administrator | Distributed Message Service | Administrator permissions for DMS. Users granted these permissions can perform all operations on DMS queues. |
DNS Administrator | Domain Name Service | Permissions to create, query, and delete zones and record sets. |
DWS Administrator | Data Warehouse Service | Management permissions on all DWS resources. The permissions depend on the Tenant Guest and Server Administrator permissions. DWS cannot run properly if either of the permissions is unavailable. If DWS users are to create a VPC or a subnet, the VPC Administrator permission is required. If DWS users are to view monitoring metrics of data warehouse clusters, the CES Administrator permission is required. |
DWS Database Access | Data Warehouse Service | DWS Database Access permission. Users with this permission can generate temporary database user credentials based on IAM users to connect to the DWS cluster database. |
ECS Admin | Elastic Cloud Server | All ECS operation permissions, including creating, deleting, and viewing ECSs and modifying ECS specifications. |
ECS User | Elastic Cloud Server | General operation permissions on ECSs (such as viewing and restarting ECSs), but not advanced operation permissions (such as creating or deleting ECSs, or reinstalling/changing ECS OSs). |
ECS Viewer | Elastic Cloud Server | ECS read-only permissions, such as viewing ECSs. |
ELB Administrator | Elastic Load Balancing | Permissions on all ELB resources. This permission depends on the VPC Administrator, Server Administrator, CES Administrator, and OBS Administrator permissions. Users who use the ELB Administrator permission cannot use some functions provided by the ELB service if they do not have the preceding permissions. If users who use this permission do not have the VPC Administrator and Server Administrator permissions, they cannot create or delete load balancers and backend servers. If users who use this permission do not have the CES Administrator permission, monitoring data cannot be reported to Cloud Eye. If users who use this permission do not have the OBS Administrator permission, data backups cannot be stored in OBS buckets. |
EVS Admin | Elastic Volume Service | All EVS operation permissions, including creating, deleting, and viewing EVS disks and modifying EVS disk specifications. |
EVS Viewer | Elastic Volume Service | EVS read-only permission, such as viewing EVS disks and EVS disk details. |
GaussDB FullAccess | GaussDB(for MySQL) | Full permissions for GaussDB. |
GaussDB ReadOnlyAccess | GaussDB(for MySQL) | Read-only permissions for GaussDB. |
IMS Administrator | Image Management Service | Permissions to create, modify, delete, and share images. The permissions depend on the Server Administrator and OBS Tenant Administrator permissions. To create an image using an ECS, users need to configure this permission as well as the Server Administrator permission. To create an image using an image file, users need to configure this permission as well as the OBS Tenant Guest permission. To export an image, users need to configure this permission as well as the OBS Tenant Administrator permission. To query predefined tags when adding a tag to an image or searching for an image by tag, users need to configure this permission as well as the TMS Administrator permission. |
KMS Administrator | Key Management Service | Permissions to: Create, enable, disable, schedule the deletion of, and cancel the scheduled deletion of CMKs. Query the list of CMKs and information about CMKs. Create random numbers. Create DEKs. Create DEKs without plaintext. Encrypt and decrypt DEKs. Change the aliases and description of CMKs. Create, revoke, and query grants on CMKs. Import, delete CMK material. Add, delete, and query CMK tags. |
LTS Administrator | Log Tank Service | Permissions to create log groups, query log groups, delete log groups, create log topics, query log topics, and delete log topics. |
ModelArts CommonOperations | ModelArts | Common user permissions for ModelArts. Users granted these permissions can operate and use ModelArts, but cannot manage dedicated resource pools. |
ModelArts FullAccess | ModelArts | Administrator permissions for ModelArts. Users granted these permissions can operate and use ModelArts. |
MRS Administrator | MapReduce Service | Permissions to view MRS overview information, operation logs, cluster information, job information, HDFS file operation information, alarm list, and MRS Manager portal. |
NAT Gateway Administrator | NAT Gateway | Permissions to create, delete, modify, and query all resources of the NAT Gateway service. The permissions depend on the Tenant Guest permission. If a NAT user needs resources, including VPCs, subnets, and EIPs, to create NAT gateways, the VPC Administrator and Server Administrator permissions are required. |
OBS Buckets Viewer | Object Storage Service | Operation permissions: listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects. |
RDS Administrator | Relational Database Service | Users who have this right, plus Tenant Guest and Server Administrator rights, can perform any operations on RDS and DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use RDS and DDS. Note: Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances. |
RTS Administrator | Resource Template Service | Operation permissions: All operations on RTS. To orchestrate a resource, users with this permission must also have the Administrator permission. For example: Users with this permission and the Server Administrator permission can create stacks for ECS, VPC, EVS, and IMS resources. Users with this permission and the ELB Administrator permission can create an ELB resource stack. |
SDRS Administrator | Storage Disaster Recovery Service | Users with this permission can create, modify, delete, and query SDRS resources. |
Security Administrator | Base | Full permissions for IAM. |
Server Administrator | Base | For the EVS service, users with this permission can create, modify, and delete EVS disks. For the ECS service, users with this permission can create, modify, and delete ECSs. This role must be used together with the Tenant Guest role in the same project. For the VPC service, users with this permission and the Tenant Guest permission can perform all operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth. For the IMS service, users with this permission can create, delete, query, and modify images. This role must be used together with the IMS Administrator role in the same project. |
SFS Administrator | Scalable File Service | Users with both this permission and the Tenant Guest permission can create, delete, query, expand, and downsize the file system. |
SFS Turbo Administrator | Scalable File Service | Users with both this permission and the Tenant Guest permission can create, delete, query, and expand the SFS Turbo file system. |
SFS Turbo Viewer | Scalable File Service | Read-only permissions. Users granted these permissions can only view file system data. |
SMN Administrator | Simple Message Notification | Permissions to: Create, modify, delete, and view topics. Create, delete, and view subscriptions. Create, modify, delete, and view message templates. |
SWR Administrator | Software Repository for Container | All SWR operation permissions, including pushing and pulling images, and granting permissions. |
Tenant Administrator | Base | Administrator permissions for all services except IAM. |
Tenant Guest | Base | Read-only permissions for all services except IAM. |
TMS Administrator | Tag Management Service | Users with this permission can create, modify, and delete predefined tags. |
VBS Administrator | Volume Backup Service | Permissions to create backups, delete backups, and restore data using backups. This permission depends on the Server Administrator and Tenant Guest permissions. The VBS administrator must have permissions to manage EVS disks and read images. |
VPC Admin | Virtual Private Cloud | All VPC operation permissions, including creating, querying, modifying, and deleting VPCs, subnets, and security groups. |
VPC Administrator | Virtual Private Cloud | All operation permissions on VPCs, subnets, ports, VPNs, and Direct Connect resources. A user with the VPC Administrator permission must have the Tenant Guest permission. |
VPC Viewer | Virtual Private Cloud | VPC read-only permission, such as querying VPCs. |
VPCEndpoint Administrator | VPC Endpoint | Full permissions for VPCEP. This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project. |
WAF Administrator | Web Application Firewall | Permissions to: Create and delete WAF instances. Configure, enable, disable WAF instances. Modify the protection policies of WAF instances. Configure alarm notification for WAF instances. Query the WAF instance list and details. Authenticate the domain name of a WAF instance. |
Anti-DDoS Administrator | Anti-DDoS | Permissions to enable, disable, and modify configurations. This permission depends on the Tenant Guest permission and must have permission to query EIPs in VPCs. |
DRS Administrator | Data Replication Service | Basic permission, which must be added when DRS is used. Depends on the Tenant Guest, Server Administrator, and RDS Administrator policies. |
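Many rows above state that a role only works together with other roles (Server Administrator with Tenant Guest, ELB Administrator with four further roles, and so on), and these prerequisites chain. As an added example that is not part of this documentation or the cloud provider's tooling, the following Python script encodes a subset of the dependencies stated in the table and reports which prerequisite roles a user group still lacks, following chains transitively; the dependency map and the sample group names are transcribed and constructed by hand, so check them against the current table before relying on them.

```python
from typing import Dict, FrozenSet, List, Set

# Role -> roles the table above says it depends on or must be used together with.
# Transcribed from a subset of this page's rows; not an official machine-readable source.
ROLE_DEPENDENCIES: Dict[str, FrozenSet[str]] = {
    "Server Administrator": frozenset({"Tenant Guest"}),
    "VPC Administrator": frozenset({"Tenant Guest"}),
    "CES Administrator": frozenset({"Tenant Guest"}),
    "ELB Administrator": frozenset({"VPC Administrator", "Server Administrator",
                                    "CES Administrator", "OBS Administrator"}),
    "CCE Administrator": frozenset({"Tenant Guest", "Server Administrator",
                                    "OBS Tenant Administrator", "ELB Administrator"}),
    "RDS Administrator": frozenset({"Tenant Guest", "Server Administrator"}),
    "DRS Administrator": frozenset({"Tenant Guest", "Server Administrator", "RDS Administrator"}),
    "VPCEndpoint Administrator": frozenset({"Server Administrator", "VPC Administrator",
                                            "DNS Administrator"}),
}

def required_roles(granted: Set[str]) -> Dict[str, Set[str]]:
    """Transitive closure of the granted roles' dependencies.
    Returns {prerequisite: {roles that pull it in}} so a reviewer sees why each is needed."""
    needed: Dict[str, Set[str]] = {}
    stack = list(granted)
    while stack:
        role = stack.pop()
        for dep in ROLE_DEPENDENCIES.get(role, frozenset()):
            if dep not in needed:
                stack.append(dep)  # follow chains such as CCE -> ELB -> CES -> Tenant Guest
            needed.setdefault(dep, set()).add(role)
    return needed

def missing_dependencies(granted: Set[str]) -> List[str]:
    """Prerequisites the group lacks; without them the granted roles do not
    work as the table describes (e.g. RDS Administrator without Server Administrator)."""
    return sorted(dep for dep in required_roles(granted) if dep not in granted)

def review_group(name: str, granted: Set[str]) -> str:
    """Human-readable verdict for one user group."""
    needed, missing = required_roles(granted), missing_dependencies(granted)
    if not missing:
        return f"{name}: OK, all documented prerequisites present"
    report = [f"{name}: missing {len(missing)} prerequisite role(s)"]
    for dep in missing:
        report.append(f"  - {dep} (required by {', '.join(sorted(needed[dep]))})")
    return "\n".join(report)

if __name__ == "__main__":
    # Constructed sample: a group that was granted CCE Administrator on its own.
    print(review_group("k8s-operators", {"CCE Administrator"}))
```

Running the sample shows that a group holding only CCE Administrator needs seven further roles before CCE works as documented, which is the kind of dependency that is easy to miss when assigning roles from the table by hand.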