
Permission Policy

Configure permission policies for a user group and add users to the group so that these users can obtain operation permissions defined in the policies.

IAM supports default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If default policies do not meet your requirements, you can create custom policies for fine-grained permission control.

Log in to the IAM console and choose Policies to view all default and custom policies. You can click the name of a policy to check its format. For details, see Policy Content.

Default Policy

NOTE:
  • Application scope: The scope in which a policy takes effect. HUAWEI CLOUD services are classified into global-level and project-level services based on where they are deployed.
    • Global-level services: These services are not differentiated by physical region. Permissions on these services are granted through the Global project.
    • Project-level services: These services are differentiated by physical region. Permissions on these services are granted in the required regions and take effect only in those regions. To make the permissions take effect in all regions, grant them in every region.
  • Permission granularity: The minimum unit of authorization that IAM provides. Currently, service-level and operation-level granularities are supported.
    • Service level: grants users permissions for a whole service.
    • Operation level: grants users permissions for individual operations defined by the service's APIs.

    Only services that support operation-level granularity support custom policies, which let you allow or deny specific operations on services or resources. For details, see Creating Custom Policies.

Columns: Service, System Policy, Permissions (with Scope), Granularity. The granularity is listed once for each group of consecutive policies that share it; "-" means no granularity is listed.

BASE

Security Administrator

Permissions: All operations on IAM

  • Creating, modifying, and deleting IAM users
  • Creating, modifying, and deleting user groups, and granting them permissions
  • Creating, modifying, and deleting custom policies
  • Creating and modifying projects
  • Creating, modifying, and deleting agencies
  • Creating, modifying, and deleting identity providers
  • Setting the account security policy

Scope: Global services

Granularity: -

Agent Operator

Permissions: Switching roles to delegating accounts to access their resources

Scope: Global services

Tenant Administrator

Permissions:

  • All operations on the My Account, Billing Center, and Resource Center pages
  • All operations on cloud resources owned by an account

Scope: Global and project-level services

Full Access

Permissions: All operations on cloud resources owned by an account

Scope: Global services

Tenant Guest

Permissions: Read-only permissions for cloud resources owned by an account

Scope: Global and project-level services

Elastic Cloud Server (ECS)

Elastic Volume Service (EVS)

Virtual Private Cloud (VPC)

Image Management Service (IMS)

Server Administrator

Permissions:

  • Creating, deleting, and modifying ECSs
  • Creating, deleting, and modifying EVS disks
  • All operations on security groups, security group rules, ports, firewalls, EIPs, and bandwidth, if the Tenant Guest policy is also assigned
  • Creating, deleting, querying, and modifying images

Scope: Project-level services

Granularity: -

Object Storage Service (OBS)

OBS Buckets Viewer

Permissions: Listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects

Scope: OBS

Granularity: Service level

OBS Viewer

Permissions: Listing buckets, obtaining basic bucket information, obtaining bucket metadata, and listing objects

Scope: OBS

Granularity: Operation level

Elastic Cloud Server (ECS)

ECS Admin

Permissions: All operations on ECS

Scope: Project-level services

Granularity: Operation level

ECS Viewer

Permissions: Read-only permissions for ECS

Scope: Project-level services

ECS User

Permissions: Starting, stopping, restarting, and querying ECSs

Scope: Project-level services

Bare Metal Server (BMS)

BMS Admin

Permissions: All operations on BMS

Scope: Project-level services

Granularity: Operation level

BMS Viewer

Permissions: Read-only permissions for BMS

Scope: Project-level services

BMS User

Permissions: Starting, stopping, restarting, and querying BMSs

Scope: Project-level services

Auto Scaling (AS)

AutoScaling Admin

Permissions: All operations on all AS resources

Scope: Project-level services

Granularity: Operation level

AutoScaling Viewer

Permissions: Read-only permissions for all AS resources

Scope: Project-level services

AutoScaling Administrator

Permissions:

  • All operations on AS resources. Users granted permissions of this policy must also be granted permissions of the Server Administrator and Tenant Guest policies.
  • If a user needs to use ELB and CES, the user must also be granted permissions of the ELB Administrator and CES Administrator policies.

Scope: Project-level services

Granularity: Service level

Image Management Service (IMS)

IMS Admin

Permissions: All operations on IMS

Scope: Project-level services

Granularity: Operation level

IMS Viewer

Permissions: Read-only permissions for IMS

Scope: Project-level services

IMS Administrator

Permissions:

  • All operations on IMS
  • Users granted permissions of this policy and the Tenant Guest policy in the OBS project can create images using image files.

Scope: Project-level services

Elastic Volume Service (EVS)

EVS Admin

Permissions: All operations on EVS

Scope: Project-level services

Granularity: Operation level

EVS Viewer

Permissions: Read-only permissions for EVS

Scope: Project-level services

Storage Disaster Recovery Service (SDRS)

SDRS Administrator

Permissions:

  • All operations on SDRS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.

Scope: Project-level services

Granularity: Service level

Cloud Server Backup Service (CSBS)

CSBS Administrator

Permissions:

Users with permissions of this policy can delete cloud server backups. Users also granted permissions of the Server Administrator policy can create cloud server backups, restore cloud servers, and manage backup policies.

Users without permissions of the Server Administrator policy cannot obtain cloud server information when:

  • Creating a backup or restoring a cloud server
  • Associating a cloud server with a backup policy

Scope: Project-level services

Granularity: Service level

Volume Backup Service (VBS)

VBS Administrator

Permissions:

Users also granted permissions of the Server Administrator and Guest policies can perform the following operations:

  • Creating EVS disk backups
  • Deleting EVS disk backups
  • Restoring EVS disks

Scope: Project-level services

Granularity: Service level

Dedicated Distributed Storage Service (DSS)

DSS Admin

Permissions: All operations on DSS

Scope: Project-level services

Granularity: Operation level

DSS Viewer

Permissions: Read-only permissions for DSS

Scope: Project-level services

Virtual Private Cloud (VPC)

VPC Admin

Permissions: All operations on VPC

Scope: Project-level services

Granularity: Operation level

VPC Viewer

Permissions: Read-only permissions for VPC

Scope: Project-level services

VPC Administrator

Permissions: All operations on VPC. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Cloud Container Engine (CCE)

CCE Admin

Permissions: All operations on CCE

Scope: Project-level services

Granularity: Operation level

CCE Viewer

Permissions: Read-only permissions for CCE and all operations on Kubernetes resources

Scope: Project-level services

CCE Administrator

Permissions:

All operations on CCE. Users granted permissions of this policy must also be granted permissions of the ECS Administrator, VPC Administrator, EVS Administrator, IMS Administrator, SvcStg Admin, and SWR Admin policies as well as the Tenant Administrator policy in the OBS project.

  • Users also granted permissions of the ELB Administrator policy can use ELB functions in clusters.
  • Users also granted permissions of the NAT Gateway Administrator policy can use NAT Gateway functions in clusters.
  • Users also granted permissions of the SFS Administrator policy can perform all operations on SFS.

Scope: Project-level services

Granularity: Service level

Cloud Container Instance (CCI)

CCI Admin

Permissions: Administrator permissions for CCI

Scope: Project-level services

Granularity: Service level

Data Ingestion Service (DIS)

DIS Administrator

Permissions: All operations on DIS

Scope: Project-level services

Granularity: Service level

DIS Operator

Permissions: Stream management permissions for DIS. Users granted these permissions can manage streams, such as creating or deleting streams, but cannot upload or download data.

Scope: Project-level services

Granularity: Service level

DIS User

Permissions: Permissions for using DIS streams. Users granted these permissions can upload and download data but cannot manage streams.

Scope: Project-level services

Granularity: Service level

Data Warehouse Service (DWS)

DWS Admin

Permissions: All operations on DWS

Scope: Project-level services

Granularity: Operation level

DWS Viewer

Permissions: Read-only permissions for DWS

Scope: Project-level services

DWS Administrator

Permissions:

  • Administrator permissions for all operations on DWS resources. Users granted these permissions must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can view monitoring information of data warehouse clusters.

Scope: Project-level services

Granularity: Service level

DWS Database Access

Permissions: DWS database access permissions. Users with these permissions can generate temporary credentials based on IAM users to connect to DWS cluster databases.

Scope: Project-level services

Granularity: Service level

CloudTable Service (CloudTable)

CloudTable Administrator

Permissions:

Administrator permissions for all operations on CloudTable resources. Users granted these permissions must also be granted permissions of the Tenant Guest and Server Administrator policies.

Users with permissions of this policy can perform the following operations:

  • Creating, restarting, and deleting CloudTable clusters
  • Enabling OpenTSDB and GeoMesa
  • Viewing and configuring CloudTable cluster parameters
  • Viewing the overview page, cluster list, and cluster details
  • Viewing service monitoring information and the alarm list
  • Querying service operation logs

Scope: Project-level services

Granularity: Service level

Data Lake Factory (DLF)

DLF Administrator

Permissions:

  • All operations on DLF
  • Users granted permissions of this policy must also be granted permissions of the Tenant Administrator policy.

Scope: Project-level services

Granularity: Service level

Deep Learning Service (DLS)

DLS Service User

Permissions: All operations on DLS

Scope: Project-level services

Granularity: Service level

Machine Learning Service (MLS)

MLS Administrator

Permissions:

  • All operations on MLS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.

Scope: Project-level services

Granularity: Service level

Data Lake Insight (DLI)

DLI Service Admin

Permissions: All operations on DLI

Scope: Project-level services

Granularity: Service level

DLI Service User

Permissions: Permissions for using DLI, but not for creating resources

Scope: Project-level services

Graph Engine Service (GES)

GES Administrator

Permissions:

  • All operations on GES
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.

Scope: Project-level services

Granularity: Service level

GES Operator

Permissions:

  • Read-only and access permissions for graphs
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Cloud Data Migration (CDM)

CDM Administrator

Permissions:

  • Administrator permissions for all operations on CDM resources. Users granted these permissions must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can view monitoring information of data warehouse clusters.

Scope: Project-level services

Granularity: Service level

Cloud Search Service (CSS)

Elasticsearch Administrator

Permissions:

  • All operations on CSS
  • Users granted permissions of this policy must also be granted permissions of the Server Administrator and Tenant Guest policies.

Scope: Project-level services

Granularity: Service level

Log Tank Service (LTS)

LTS Viewer

Permissions: Read-only permissions for LTS

Scope: Project-level services

Granularity: Operation level

LTS Admin

Permissions: All operations on LTS

Scope: Project-level services

LTS Administrator

Permissions: All operations on LTS

Scope: Project-level services

Granularity: Service level

Domain Name Service (DNS)

DNS Administrator

Permissions: All operations on DNS

Scope: Project-level services

Granularity: Service level

Cloud Trace Service (CTS)

CTS Administrator

Permissions:

All operations on CTS. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy and the Tenant Administrator policy in the OBS project. Users with all these permissions can perform the following operations:

  • Enabling CTS
  • Creating, modifying, disabling, or enabling trackers
  • Receiving or viewing traces
  • Storing user events to OBS buckets

Scope: Project-level services

Granularity: Service level

Tag Management Service (TMS)

TMS Administrator

Permissions: Creating, modifying, and deleting predefined tags

Scope: Global services

Granularity: Service level

Simple Message Notification (SMN)

SMN Administrator

Permissions: All operations on SMN

Scope: Project-level services

Granularity: Service level

Cloud Phone (CPH)

CPH Administrator

Permissions: All operations on CPH. Users granted permissions of this policy must also be granted purchasing permissions.

Scope: Project-level services

Granularity: Service level

CPH User

Permissions: Read-only permissions for CPH

Scope: Project-level services

Granularity: Service level

Resource Template Service (RTS)

RTS Administrator

Permissions:

All operations on RTS. To orchestrate a resource, users with permissions of this policy must also be granted administrator permissions for the resource. For example:

  • Users also granted permissions of the Server Administrator policy can create stacks for ECS, VPC, EVS, and IMS resources.
  • Users also granted permissions of the ELB Administrator policy can create ELB resource stacks.

Scope: Project-level services

Granularity: Service level

Relational Database Service (RDS)

RDS Admin

Permissions: All operations on RDS

Scope: Global and project-level services

Granularity: Operation level

RDS Viewer

Permissions: Read-only permissions for RDS

Scope: Global and project-level services

RDS DBA

Permissions: Database administrator permissions on RDS except permissions for deleting resources

Scope: Global and project-level services

RDS Administrator

Permissions:

  • All operations on RDS. Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can modify or create alarm rules for database instances.
  • Users also granted permissions of the TMS Administrator policy can query predefined tags of TMS and create, modify, and delete predefined tags on TMS.
  • Users also granted permissions of the KMS Administrator policy can buy KMS keys and encrypt RDS DB instances.
  • Users also granted permissions of the Security Administrator policy can buy both RDS and DBSS services.

Scope: Project-level services

Granularity: Service level

Distributed Message Service (DMS)

DMS Administrator

Permissions: All operations on DMS

Scope: Project-level services

Granularity: -

Document Database Service (DDS)

DDS Admin

Permissions: All operations on DDS

Scope: Global and project-level services

Granularity: Operation level

DDS Viewer

Permissions: Read-only permissions for DDS

Scope: Global and project-level services

DDS DBA

Permissions: Database administrator permissions on DDS except permissions for deleting resources

Scope: Global and project-level services

DDS Administrator

Permissions:

  • All operations on DDS. Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.
  • Users also granted permissions of the VPC Administrator policy can create VPCs or subnets.
  • Users also granted permissions of the CES Administrator policy can modify or create alarm rules for database instances.
  • Users also granted permissions of the TMS Administrator policy can query predefined tags of TMS and create, modify, and delete predefined tags on TMS.
  • Users also granted permissions of the KMS Administrator policy can buy KMS keys and encrypt DDS instances.

Scope: Project-level services

Granularity: Service level

Data Replication Service (DRS)

DRS Administrator

Permissions:

  • All operations on DRS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest and Server Administrator policies.

Scope: Project-level services

Granularity: Service level

Data Admin Service (DAS)

DAS Administrator

Permissions:

  • All operations on DAS
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Distributed Database Middleware (DDM)

DDM Admin

Permissions: Administrator permissions for all operations on DDM

Scope: Project-level services

Granularity: Operation level

DDM User

Permissions: Common permissions for DDM

Users with common permissions cannot perform the following operations:

  • Buying DDM instances
  • Deleting DDM instances
  • Scaling up instances
  • Rolling back instances or clearing data when scale-up fails

Scope: Project-level services

DDM Viewer

Permissions: Viewing DDM resources

Scope: Project-level services

Application Operations Management (AOM)

AOM Admin

Permissions: All operations on AOM

Scope: Project-level services

Granularity: Operation level

AOM Viewer

Permissions: Read-only permissions for AOM

Scope: Project-level services

Application Performance Management (APM)

APM Admin

Permissions: All operations on APM

Scope: Project-level services

Granularity: Operation level

APM Viewer

Permissions: Read-only permissions for APM

Scope: Project-level services

API Gateway

APIG Administrator

Permissions: All operations on API Gateway

Scope: Project-level services

Granularity: Service level

Software Repository for Container (SWR)

SWR Admin

Permissions: All operations on SWR

Scope: Project-level services

Granularity: Operation level

Cloud Eye

CES Administrator

Permissions:

  • Viewing metrics
  • Adding, modifying, and deleting alarm rules
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Service level

Web Application Firewall (WAF)

WAF Administrator

Permissions:

  • Creating and deleting WAF instances
  • Configuring, enabling, and disabling WAF instances
  • Modifying protection policies of WAF instances
  • Configuring alarm notifications for WAF instances
  • Querying the WAF instance list and details
  • Authenticating domain names of WAF instances

Scope: Project-level services

Granularity: Service level

Host Security Service (HSS)

HSS Administrator

Permissions:

  • Enabling and disabling HSS
  • Performing manual detections
  • Setting alarm information and performing security configurations
  • Viewing security overview on the Dashboard page
  • Viewing the ECS list and risk details
  • Viewing reports of asset management, vulnerability management, intrusion detection, and baseline inspection

Scope: Project-level services

Granularity: Service level

SSL Certificate Manager (SCM)

SC Administrator

Permissions: All operations on SCM

Scope: Global and project-level services

Granularity: Service level

Vulnerability Scan Service (VSS)

VSS Administrator

Permissions:

  • Creating, restarting, and canceling scan tasks
  • Querying task lists and details
  • Querying vulnerability lists and details
  • Marking vulnerabilities as mis-reported (false positives)
  • Authenticating domain names

Scope: Project-level services

Granularity: Service level

Container Guard Service (CGS)

CGS Administrator

Permissions:

  • Installing and uninstalling the container security Shield
  • Enabling and disabling node protection
  • Adding, editing, deleting, and applying policies
  • Ignoring vulnerabilities on images
  • Canceling ignored vulnerabilities on images
  • Viewing the cluster and node lists
  • Viewing the policy list and the policies applied to images
  • Viewing vulnerability information
  • Checking the exception information about running containers

Scope: Project-level services

Granularity: Service level

Security Expert Service (SES)

SES Administrator

Permissions:

  • Purchasing SES services
  • Completing and modifying service order information
  • Viewing the service order list and service order details
  • Authenticating the hosts or domains to be assessed, hardened, or monitored
  • Downloading assessment reports
  • Evaluating SES services

Scope: Project-level services

Granularity: Service level

Database Security Service (DBSS)

DBSS System Administrator

Permissions:

  • Permissions for database security defence operations:
    • Buying instances
    • Viewing the instance list
    • Starting, stopping, and restarting instances
    • Upgrading instances
    • Binding or unbinding EIPs
    • Logging in to the DBSS console
  • Permissions for database security audit operations:
    • Buying instances
    • Starting, stopping, and restarting instances
    • Viewing the instance list
    • Viewing basic instance information
    • Viewing audit information
    • Viewing monitoring information
    • Querying operation logs
    • Managing databases
    • Managing agents
    • Configuring email notifications
    • Backing up and restoring audit logs

NOTE:

To purchase instances, users must also have permissions of both the VPC Admin and BSS Administrator policies.

Scope: Project-level services

Granularity: Service level

DBSS Audit Administrator

Permissions:

  • Permissions for database security defence operations:
    • Viewing the instance list
    • Logging in to the DBSS console
  • Permissions for database security audit operations:
    • Viewing the instance list
    • Viewing basic instance information
    • Viewing audit information
    • Viewing reporting results
    • Viewing audit rules
    • Viewing SQL statement information
    • Viewing session information
    • Viewing monitoring information
    • Querying operation logs
    • Viewing the database list
    • Managing reports

Scope: Project-level services

DBSS Security Administrator

Permissions:

  • Permissions for database security defence operations:
    • Viewing the instance list
    • Logging in to the DBSS console
  • Permissions for database security audit operations:
    • Viewing the instance list
    • Viewing basic instance information
    • Viewing audit information
    • Viewing reporting results
    • Viewing audit rules
    • Viewing SQL statement information
    • Viewing session information
    • Viewing monitoring information
    • Querying operation logs
    • Viewing the database list
    • Configuring audit rules
    • Configuring alarm notifications
    • Managing reports

Scope: Project-level services

Data Encryption Workshop (DEW)

KMS Administrator

Permissions:

  • Key management

    Users with this permission can perform the following operations:

    • Creating, enabling, disabling, scheduling the deletion of, and canceling the deletion of keys
    • Querying the key list
    • Querying key information
    • Creating random numbers and data keys, including plaintext-free keys
    • Encrypting and decrypting data keys
    • Changing the aliases and descriptions of keys
    • Creating, querying, revoking, and retiring grants on keys
    • Importing and deleting key materials
    • Adding, deleting, and querying key tags
  • Key pair management

    Users granted permissions of this policy and the Server Administrator policy can perform the following operations:

    • Creating, importing, and deleting key pairs
    • Querying the key pair list
    • Querying key pair information
    • Resetting, replacing, binding, and unbinding key pairs
    • Importing, exporting, and clearing private keys
    • Querying and deleting records about failed tasks
  • Dedicated encryption

    Users with this permission can perform the following operations:

    • Querying prices, submitting orders, obtaining order information, and paying for orders
    • Querying the HSM instance list
    • Checking the network information
    • Checking in-use IP addresses under a subnet
    • Checking product specifications
    • Obtaining and verifying verification codes

Scope: Project-level services

Granularity: Service level

Intelligent CAPTCHA Service (ICS)

ICS Administrator

Permissions:

  • Buying ICS traffic resources
  • Adding, deleting, and viewing CAPTCHA IDs and keys
  • Viewing ICS statistics
  • Configuring ICS alarm notifications

Scope: Project-level services

Granularity: Service level

Anti-DDoS

Anti-DDoS Administrator

Permissions: Users granted permissions of this policy and the Tenant Guest policy can query EIPs in VPCs and perform all operations on Anti-DDoS.

Scope: Project-level services

Granularity: Service level

Advanced Anti-DDoS (AAD)

CAD Administrator

Permissions: Users granted permissions of this policy can perform all operations on AAD, but cannot purchase new instances. To purchase new instances, users must also have permissions of the Tenant Administrator policy.

Scope: Project-level services

Granularity: Service level

Video on Demand (VOD)

VOD Administrator

Permissions: All operations on VOD content

Scope: Project-level services

Granularity: Service level

VOD Group Administrator

Permissions: All VOD operations except global configuration. These operations apply only to VOD content created by users in the current user group.

Scope: Project-level services

VOD Group Operator

Permissions: All VOD operations except content release, cancellation of content release, content deletion, and global configuration. These operations apply only to VOD content created by users in the current user group.

Scope: Project-level services

VOD Group Guest

Permissions: Querying VOD content created by users in the current user group

Scope: Project-level services

Content Delivery Network (CDN)

CDN Administrator

Permissions: All operations on CDN

Scope: Global services

Granularity: Operation level

CDN Domain Viewer

Permissions: Read-only permissions for CDN acceleration domain names

Scope: Global services

CDN Statistics Viewer

Permissions: Read-only permissions for CDN statistics

Scope: Global services

CDN Logs Viewer

Permissions: Read-only permissions for CDN logs

Scope: Global services

CDN Domain Configuration Operator

Permissions: Configuring CDN acceleration domain names

Scope: Global services

CDN Refresh And Preheat Operator

Permissions: CDN cache refreshing and preheating

Scope: Global services

Scalable File Service (SFS)

SFS Administrator

Permissions:

  • All operations on SFS
  • Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Granularity: Operation level

SFS Admin

Permissions: All operations on SFS

Scope: Project-level services

SFS Viewer

Permissions: Read-only permissions for SFS

Scope: Project-level services

Cloud Stream Service (CS)

CS Tenant Admin

Permissions:

  • Creating, deleting, and modifying jobs, templates, and independent clusters
  • Allocating available clusters and quotas to sub-users with permissions of the CS User policy
  • Viewing all user jobs in exclusive clusters

Scope: Project-level services

Granularity: Operation level

CS User

Permissions: Creating, deleting, and modifying jobs and templates

Scope: Project-level services

Distributed Cache Service (DCS)

DCS User

Permissions: Common user permissions for DCS except permissions for creating, modifying, deleting, and scaling instances

Scope: Project-level services

Granularity: Service level

DCS Admin

Permissions: All operations on DCS

Scope: Project-level services

DCS Viewer

Permissions: Read-only permissions for DCS

Scope: Project-level services

DCS Administrator

Permissions: All operations on DCS

Scope: Project-level services

MapReduce Service (MRS)

MRS Administrator

Permissions:

  • All operations on MRS
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest, Server Administrator, and BSS Administrator policies.

Scope: Project-level services

Granularity: Service level

MRS Admin

Permissions: All operations on MRS

Scope: Project-level services

Granularity: Operation level

MRS User

Permissions: Permissions for using MRS, but not for adding or deleting resources

Scope: Project-level services

MRS Viewer

Permissions: Read-only permissions for MRS

Scope: Project-level services

FunctionGraph

FunctionGraph Administrator

Permissions:

  • Managing FunctionGraph functions, workflows, and triggers
  • Invoking FunctionGraph functions

Scope: Project-level services

Granularity: Service level

FunctionGraph Invoker

Permissions:

  • Querying FunctionGraph functions, workflows, and triggers
  • Invoking FunctionGraph functions

Scope: Project-level services

Cloud Service Engine (CSE)

CSE Admin

Permissions: All operations on CSE

Scope: Project-level services

Granularity: Service level

CSE Viewer

Permissions: Read-only permissions for CSE

Scope: Project-level services

ServiceStage

SvcStg Admin

Permissions:

  • Service management
  • Application management
  • Node management
  • Stack management
  • Pipeline management

Scope: Project-level services

Granularity: Service level

SvcStg Developer

Permissions:

  • Service management
  • Application management
  • Stack management
  • Pipeline management

Scope: Project-level services

SvcStg Operator

Permissions:

  • Read-only permissions for services
  • Read-only permissions for applications
  • Read-only permissions for stacks
  • Read-only permissions for pipelines

Scope: Project-level services

Workspace

Workspace Administrator

Permissions:

  • All operations on Workspace. Users with permissions of this policy must also be granted permissions of the Tenant Guest, Server Administrator, and VPC Administrator policies.
  • Users also granted permissions of the Tenant Guest policy can query the image used for creating desktops.
  • Users also granted permissions of the Server Administrator policy can manage image authorization, ports, and security group rules.
  • Users also granted permissions of the VPC Administrator policy can query VPC and subnet information, manage security groups, and create, query, and delete IP addresses.

Scope: Project-level services

Granularity: Service level

Business Support System (BSS)

BSS Administrator

Permissions: All operations on all menus of the My Account, Billing Center, and Resource Center

Scope: Project-level services

Granularity: Service level

BSS Operator

Permissions:

  • Accessing all menus in My Account and Resource Center
  • Performing the following operations in Billing Center:
    • Viewing, canceling, and exporting orders, changing the billing mode, and renewing, unsubscribing from, and releasing resources
    • Viewing and exporting the consumption summary and details, and analyzing bills
    • Viewing and activating coupons, applying for online contracts, and viewing commercial discounts

Scope: Project-level services

BSS Finance

Permissions:

  • Topping up accounts, withdrawing money, and setting balance alerts
  • Viewing, paying, and exporting orders, and renewing resources
  • Viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills
  • Viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts

Scope: Project-level services

EnterpriseProject_BSS_Administrator

Permissions:

  • Viewing fund quota settings of enterprise projects
  • Viewing fund quota adjustment records of enterprise projects
  • Viewing renewals of enterprise projects
  • Renewing resources manually or automatically, changing to yearly/monthly subscription, and releasing resources
  • Ordering resources in yearly/monthly mode and viewing order information
  • Unsubscribing from resources and viewing resource unsubscription records
  • Viewing and exporting expenditure summary of enterprise projects
  • Viewing and exporting expenditure details of enterprise projects
  • Viewing and exporting cost breakdowns of enterprise projects

Scope: Project-level services

Operation level

Enterprise Project Management Service (EPS)

EPS Admin

Permissions: All operations on EPS

Scope: Global services

Operation level

EPS Viewer

Permissions: Read-only permissions for EPS

Scope: Global services

Voice Call

Message & SMS

Private Number

RTC Administrator

Permissions: All operations on Voice Call, Message & SMS, and Private Number

Scope: Project-level services

Service level

Service Ticket

Ticket Administrator

Permissions: Submitting service tickets

Scope: Global services

Service level

Elastic Load Balance (ELB)

ELB Admin

Permissions: All operations on ELB

Scope: Project-level services

Operation level

ELB Viewer

Permissions: Read-only permissions for ELB

Scope: Project-level services

ELB Administrator

Permissions: All operations on ELB. Users granted permissions of this policy must also be granted permissions of the Tenant Guest policy.

Scope: Project-level services

Service level

Recommender System (RES)

RES Admin

Permissions: Fine-grained administrator permissions for all operations on RES

Scope: Project-level services

Operation level

RES Viewer

Permissions: Read-only permissions for RES

Scope: Project-level services

RES Service Admin

Permissions: RBAC-based administrator permissions for all operations on RES

Scope: Project-level services

Service level

Policy Content

On the IAM console, choose Policies and click a policy name, for example, IMS Administrator. Details about the policy are displayed in the Policy Content box. Each policy contains one or more statements, and each statement describes a set of permissions.

The policy content of IMS Administrator is as follows:

{
        "Version": "1.0",
        "Statement": [
                {
                        "Action": [
                                "ims:*:*",
                                "ecs:*:list",
                                "ecs:*:get",
                                "evs:*:get"
                        ],
                        "Effect": "Allow"
                }
        ],
        "Depends": [
                {
                        "catalog": "OBS",
                        "display_name": "Tenant Administrator"
                }
        ]
}
Table 1 Permission information parameters

Version

  Description: Indicates the policy version.

  Value:
    • 1.0: service-level policy
    • 1.1: operation-level policy

Statement > Action

  Description: Indicates the operations that the statement applies to. Whether they are allowed or denied is determined by Effect.

  Value: Format: Service name:Resource type:Action.

  For example, "ims:*:*" indicates all operations on IMS. In the example, ims is the service name, the first wildcard character * matches all resource types, and the second * matches all actions. A wildcard covers only its own segment, so "ims:*:*" grants nothing on other services; operations on other services, such as "ecs:*:list" in the example above, must be listed explicitly.

Statement > Effect

  Description: Indicates whether the operations matched by Action are allowed or denied.

  Values:
    • Allow: The operations are allowed.
    • Deny: The operations are denied.

  NOTE:

  If both Allow and Deny statements match an operation, the policy evaluation starts with Deny, so the operation is denied regardless of the matching Allow statements.

Depends

  NOTE:

  For a service-level policy, the Action field can only specify operations of a single service. If that service depends on permissions of other services, you must define them in the Depends field.

  When granting permissions to a user group, you must select both the policy to be added and every policy it depends on.

Depends > catalog

  Description: Indicates the service that provides the other permissions users must have in order to be granted this permission.

  Value: Service name. For example: Base (in the IMS Administrator example above, OBS)

Depends > display_name

  Description: Indicates the name of the other permission that users must have in order to be granted this permission.

  Value: Permission name. For example: Tenant Administrator
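The Action matching, deny-first Effect evaluation and Depends rules described in Table 1, as an added example written for this page rather than IAM's own implementation: a small Python evaluator that loads the IMS Administrator policy shown above plus a constructed operation-level custom policy, decides individual "Service:Resource type:Action" strings against them, and checks that every policy a policy depends on is attached to the group, which is the same requirement the default-policy table states for policies such as Workspace Administrator and ELB Administrator. The function names, the READ_MOSTLY_IMS policy and action strings such as "ims:images:delete" are assumptions made for illustration, not names taken from the page.

```python
"""Toy evaluator for the IAM policy JSON format described on this page.

Added example, not IAM's own implementation: the matching and evaluation
rules follow the page's description of Action, Effect and Depends, while
the function names, the READ_MOSTLY_IMS policy and action strings such as
"ims:images:delete" are assumptions made for illustration.
"""
import json
from fnmatch import fnmatchcase

# The IMS Administrator policy exactly as shown on this page.
IMS_ADMINISTRATOR = json.loads("""
{
  "Version": "1.0",
  "Statement": [
    {"Action": ["ims:*:*", "ecs:*:list", "ecs:*:get", "evs:*:get"],
     "Effect": "Allow"}
  ],
  "Depends": [
    {"catalog": "OBS", "display_name": "Tenant Administrator"}
  ]
}
""")

# Constructed operation-level custom policy (Version 1.1): allows every IMS
# operation but explicitly denies image deletion (hypothetical action name).
READ_MOSTLY_IMS = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Action": ["ims:*:*"], "Effect": "Allow"},
    {"Action": ["ims:images:delete"], "Effect": "Deny"}
  ]
}
""")


def action_matches(pattern: str, action: str) -> bool:
    """Match a 'Service:Resource type:Action' string against a policy pattern.

    The three segments are matched one by one, so a * wildcard never spans a
    ':' separator: 'ims:*:*' matches any IMS operation and nothing on ECS.
    """
    pparts, aparts = pattern.split(":"), action.split(":")
    if len(pparts) != 3 or len(aparts) != 3:
        raise ValueError(f"expected service:resource:action, got {pattern!r}, {action!r}")
    return all(fnmatchcase(a, p) for p, a in zip(pparts, aparts))


def evaluate(policies: list, action: str) -> str:
    """Decide one action against all policies attached to a user group.

    Returns 'Deny', 'Allow' or 'NoMatch'. Evaluation starts with Deny: a
    single matching Deny statement wins no matter how many Allow statements
    also match, and an action matched by no statement is not granted.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "NoMatch"


def missing_dependencies(policy: dict, attached: set) -> list:
    """Display names in the policy's Depends list that are not attached.

    The console requires the depended-on policies to be selected together
    with the policy itself; this check makes that requirement testable offline.
    """
    return [d["display_name"] for d in policy.get("Depends", [])
            if d["display_name"] not in attached]


if __name__ == "__main__":
    group = [IMS_ADMINISTRATOR, READ_MOSTLY_IMS]
    for act in ("ims:images:create", "ims:images:delete",
                "ecs:servers:list", "ecs:servers:create"):
        print(f"{act:20} -> {evaluate(group, act)}")
    print("missing:", missing_dependencies(IMS_ADMINISTRATOR, {"IMS Administrator"}))
```

Running the block shows the two rules a practitioner most often gets wrong: the IMS Administrator Allow on "ims:*:*" does not rescue "ims:images:delete" once the custom policy denies it, and "ecs:servers:create" is neither allowed nor denied but simply not granted, because no statement matches it.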