Permissions

Permission Description

Permissions are user management and cloud service management permissions. User management involves creating, deleting, and modifying users and granting permissions to users. Cloud service management involves creating, viewing, modifying, and deleting resources of cloud services. After granting user management and cloud service management permissions to a user group, the users added to the user group can inherit permissions of the user group. User group-specific permissions simplify permission management.

Permission Relationship

../_images/permissions.png

Default Permissions

The system provides two types of default permissions: user management and cloud service management.

Table 1 User management permissions

Node Name

Permission Name

Description

Base

Security Administrator

Users with this permission can: Create, delete, and modify users. Grant permissions to users.

IAM

Agent Operator

Users with this permission can switch to an entrusted user for processing services.

Note

Currently, policies only support fine-grained authorizationof ECS, EVS, and VPC. ECS Admin, ECS User, ECS Viewer, EVS Admin, EVS Viewer,VPC Admin, and VPC Viewer are preset fine-grained authorization policies.

Table 2 User group for cloud service management

Permission Name

Managed Cloud Resource

Description

Agent Operator

Identity and Access Management

Permissions for switching roles to access resources of delegating accounts.

IAM ReadOnlyAccess

Identity and Access Management

Read-only permissions for IAM.

CBR Administrator

Cloud Backup and Recovery

Administrator permissions for CBR. Users granted these permissions can operate and use all vaults, backups, and policies.

CBR User

Cloud Backup and Recovery

Common user permissions for CBR. Users granted these permissions can create, view, and delete vaults and backups, but cannot create, update, or delete policies.

CBR Viewer

Cloud Backup and Recovery

Read-only permissions for CBR. Users granted these permissions can only view CBR data.

CCE Admin

Cloud Container Engine

Read and write permissions for CCE clusters, including creating, deleting, and updating a cluster.

CCE Administrator

Cloud Container Engine

All permissions related to CCE service resources. Users who use this permission must have Tenant Guest, Server Administrator, OBS Tenant Administrator, and ELB Administrator permissions.

CCE Viewer

Cloud Container Engine

Read-only permissions for CCE clusters.

CES Administrator

Cloud Eye

Permissions to view monitoring metrics as well as add, modify, and delete alarm rules. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

CSBS Administrator

Cloud Server Backup Service

Permissions to create, restore, and delete backups of ECSs, and manage backup policies. The creation, restoration, and management permissions depend on the Server Administrator permission. If the Server Administrator permission is unavailable, ECS information cannot be obtained when users create and restore backups. If the Server Administrator permission is unavailable, ECS information cannot be obtained when users associate ECSs with backup policies..

CSS Administrator

Cloud Search Service

Management permissions on all CSS resources.The permissions depend on the Tenant Guest and Server Administrator permissions. CSS cannot run properly if either of the permissions is unavailable.

CTS Administrator

Cloud Trace Service

Full permissions for CTS. This policy depends on the Tenant Guest policy in the same project and the Tenant Administrator policy in the OBS project.

DCS Administrator

Distributed Cache Service

Permissions to: Create, start, stop, restart, and delete DCS instances. Change passwords of DCS instances. Configure DCS instance parameters.

DDS Administrator

Document Database Service

Users who have this right, plus Tenant Guest and Server Administrator rights, can perform any operations on DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use DDS. Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances.

DIS Administrator

Data Ingestion Service

Permissions to: Create, delete, query, and list DIS streams. Push data to DIS streams or pull data from them. Query stream monitoring metrics.

DMS Administrator

Distributed Message Service

Administrator permissions for DMS. Users granted these permissions can perform all operations on DMS queues.

DNS Administrator

Domain Name Service

Permissions to create, query, and delete zones and record sets.

DWS Administrator

Data Warehouse Service

Management permissions on all DWS resources. The permissions depend on the Tenant Guest and Server Administrator permissions. DWS cannot run properly if either of the permissions is unavailable. If DWS users are to create a VPC or a subnet, the VPC Administrator permission is required. If DWS users are to view monitoring metrics of data warehouse clusters, the CES Administrator permission is required.

DWS Database Access

Data Warehouse Service

DWS Database Access permission. Users with this permission can generate temporary database user credentials based on IAM users to connect to the DWS cluster database.

ECS Admin

Elastic Cloud Server

All ECS operation permissions, including creating, deleting, and viewing ECSs and modifying ECS specifications.

ECS User

Elastic Cloud Server

General operation permissions on ECSs (such as viewing and restarting ECSs), but not advanced operation permissions (such as creating or deleting ECSs, or reinstalling/changing ECS OSs).

ECS Viewer

Elastic Cloud Server

ECS read-only permissions, such as viewing ECSs.

ELB Administrator

Elastic Load Balancing

Permissions on all ELB resources. This permission depends on the VPC Administrator, Server Administrator, CES Administrator, and OBS Administrator permissions. Users who use the ELB Administrator permission cannot use some functions provided by the ELB service if they do not have the preceding permissions. If users who use this permission do not have the VPC Administrator and Server Administrator permissions, they cannot create or delete load balancers and backend servers. If users who use this permission do not have the CES Administrator permission, monitoring data cannot be reported to Cloud Eye. If users who use this permission do not have the OBS Administrator permission, data backups cannot be stored in OBS buckets.

EVS Admin

Elastic Volume Service

All EVS operation permissions, including creating, deleting, and viewing EVS disks and modifying EVS disk specifications.

EVS Viewer

Elastic Volume Service

EVS read-only permission, such as viewing EVS disks and EVS disk details.

GaussDB FullAccess

GaussDB(for MySQL)

Full permissions for GaussDB

GaussDB ReadOnlyAccess

GaussDB(for MySQL)

Read-only permissions for GaussDB

IAM ReadOnlyAccess

Identity and Access Management

Read-only permissions for IAM.

IMS Administrator

Image Management Service

Permissions to create, modify, delete, and share images. The permissions depend on the Server Administrator and OBS Tenant Administrator permissions. To create an image using an ECS, users need to configure this permission as well as the Server Administrator permission. To create an image using an image file, users need to configure this permission as well as the OBS Tenant Guest permission. To export an image, users need to configure this permission as well as the OBS Tenant Administrator permission. To query predefined tags when adding a tag to an image or searching for an image by tag, users need to configure this permission as well as the TMS Administrator permission.

KMS Administrator

Key Management Service

Permissions to: Create, enable, disable, schedule the deletion of, and cancel the scheduled deletion of CMKs. Query the list of CMKs and information about CMKs. Create random numbers. Create DEKs. Create DEKs without plaintext. Encrypt and decrypt DEKs. Change the aliases and description of CMKs. Create, revoke, and query grants on CMKs. Import, delete CMK material. Add, delete, and query CMK tags.

LTS Administrator

Log Tank Service

Permissions to create log groups, query log groups, delete log groups, create log topics, query log topics, and delete log topics.

ModelArts CommonOperations

ModelArts

Common user permissions for ModelArts. Users granted these permissions can operate and use ModelArts, but cannot manage dedicated resource pools.

ModelArts FullAccess

ModelArts

Administrator permissions for ModelArts. Users granted these permissions can operate and use ModelArts.

MRS Administrator

MapReduce Service

Permissions to view MRS overview information, operation logs, cluster information, job information, HDFS file operation information, alarm list, and MRS Manager portal.

NAT Gateway Administrator

NAT Gateway

Permissions to create, delete, modify, and query all resources of the NAT Gateway service. The permissions depend on the Tenant Guest permission. If a NAT user needs resources, including VPCs, subnets, and EIPs, to create NAT gateways, the VPC Administrator and Server Administrator permissions are required.

OBS Buckets Viewer

Object Storage Service

Operation permissions: listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects.

RDS Administrator

Relational Database Service

Users who have this right, plus Tenant Guest and Server Administrator rights, can perform any operations on RDS and DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use RDS and DDS. NOTE Users who have the VPC Administratorright can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances.

RTS Administrator

Resource Template Service

Operation permissions: All operations on RTS. To orchestrate a resource, users with this permission must also have the Administrator permission. For example: Users with this permission and the Server Administrator permission can create stacks for ECS, VPC, EVS, and IMS resources. Users with this permission and the ELB Administrator permission can create an ELB resource stack.

SDRS Administrator

Storage Disaster Recovery Service

Users with this permission can create, modify, delete, and query SDRS resources.

Security Administrator

Base

Full permissions for IAM.

Server Administrator

Base

For the EVS service, users with this permission can create, modify, and delete EVS disks. For the ECS service, users with this permission can create, modify, and delete ECSs.This role must be used together with the Tenant Guest role in the same project. For the VPC service, users with this permission and the Tenant Guest permission can perform all operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth. For the IMS service, users with this permission can create, delete, query, and modify images.This role must be used together with the IMS Administrator role in the same project.

SFS Administrator

Scalable File Service

Users with both this permission and the Tenant Guest permission can create, delete, query, expand, and downsize the file system.

SFS Turbo Administrator

Scalable File Service

Users with both this permission and the Tenant Guest permission can create, delete, query, and expand the SFS Turbo file system.

SFS Turbo Viewer

Scalable File Service

Read-only permissions. Users granted these permissions can only view file system data.

SMN Administrator

Simple Message Notification

Permissions to: Create, modify, delete, and view topics. Create, delete, and view subscriptions. Create, modify, delete, and view message templates.

SWR Administrator

Software Repository for Container

All SWR operation permissions, including pushing and pulling images, and granting permissions.

Tenant Administrator

Base

Administrator permissions for all services except IAM.

Tenant Guest

Base

Read-only permissions for all services except IAM.

TMS Administrator

Tag Management Service

Users with this permission can create, modify, and delete predefined tags.

VBS Administrator

Volume Backup Service

Permissions to create backups, delete backups, and restore data using backups. This permission depends on the ServerAdministrator and Tenant Guest permissions. The VBS administrator must have permissions to manage EVS disks and read images.

VPC Admin

Virtual Private Cloud

All VPC operation permissions, including creating, querying, modifying, and deleting VPCs, subnets, and security groups.

VPC Administrator

Virtual Private Cloud

All operation permissions on VPCs, subnets, ports, VPNs, and Direct Connect resources. A user with the VPC Administrator permission must have the Tenant Guest permission.

VPC Viewer

Virtual Private Cloud

VPC real-only permission, such as querying VPCs.

VPCEndpoint Administrator

VPC Endpoint

Full permissions for VPCEP. This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project.

WAF Administrator

Web Application Firewall

Permissions to: Create and delete WAF instances. Configure, enable, disable WAF instances. Modify the protection policies of WAF instances. Configure alarm notification for WAF instances. Query the WAF instance list and details. Authenticate the domain name of a WAF instance.

Anti-DDoS Administrator

Anti-DDoS

Permissions to enable, disable, and modify configurations. This permission depends on the Tenant Guest permission and must have permission to query EIPs in VPCs.

DRS Administrator

Data Replication Service

Basic permission, which must be added when DRS is used.Dependent on the Tenant Guest, Server Administrator, and RDS Administrator policies.