
Permission Description

Permissions fall into two types: user management permissions and cloud service management permissions. User management covers creating, deleting, and modifying users and granting permissions to them. Cloud service management covers creating, viewing, modifying, and deleting cloud service resources. Permissions are granted to user groups, and every user added to a group inherits the group's permissions, which simplifies permission management.

Permission Relationship

Default Permissions

The system provides two types of permissions by default: user management and cloud service management.

Table 1 User management permissions

Node Name

Permission Name

Permitted Operations

Base

Security Administrator

  • Create, delete, and modify users.
  • Grant permissions to users.

IAM

Agent Operator

Switch roles to a delegated account to access its resources.

NOTE:

Currently, fine-grained authorization policies are supported only for ECS, EVS, VPC, and DSS. The preset fine-grained policies are ECS Admin, ECS User, ECS Viewer, EVS Admin, EVS Viewer, VPC Admin, VPC Viewer, DSS Admin, and DSS Viewer.

Table 2 Cloud service management permissions

Node Name

Permission Name

Managed Cloud Service

Permission Description

Base

Tenant Administrator

All services

  • All operations for My Account, Billing Center, Support Center, and Resource Center
  • All operations on cloud resources owned by an enterprise

Tenant Guest

All services

Users with this permission can query the usage of all cloud resources owned by an enterprise.

Server Administrator

Elastic Volume Service (EVS)

Elastic Cloud Server (ECS)

Virtual Private Cloud (VPC)

  • For the EVS service: creating, deleting, and modifying EVS disks
  • For the ECS service: creating, deleting, and modifying ECSs
  • For the VPC service: Users with this permission and the Tenant Guest permission can perform all operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth.

ECS

ECS Admin

Elastic Cloud Server (ECS)

Users with this permission can perform all operations on ECSs, including creating, deleting, querying ECSs, and modifying ECS specifications.

ECS User

Users with this permission can perform general operations such as querying and restarting ECSs, but cannot create, delete, or reinstall ECSs, switch the OS of an ECS, or modify ECS specifications.

ECS Viewer

Users with this permission have read-only access and can perform query operations only, for example, querying ECS lists.

EVS

EVS Admin

Elastic Volume Service (EVS)

Users with this permission can perform all operations on EVS disks, including creating, deleting, querying, and updating EVS disks.

EVS Viewer

Users with this permission have read-only access and can perform query operations only, for example, querying EVS disk lists and details.

VPC

VPC Administrator

Virtual Private Cloud (VPC)

Users with this permission can perform all operations on VPCs, subnets, ports, VPNs, and Direct Connect connections. To be granted this permission, users must also have the Tenant Guest permission.

VPC Admin

Users with this permission can perform all operations on VPCs, including creating, querying, updating, and deleting VPCs, subnets, and security groups.

VPC Viewer

Users with this permission have read-only access and can perform query operations only, for example, querying VPC lists.

DSS

DSS Admin

Dedicated Distributed Storage Service (DSS)

Users with this permission can perform all operations on DSS and EVS, including creating, deleting, querying, and updating these resources.

DSS Viewer

Users with this permission have read-only access and can perform query operations only, for example, querying lists of DSS storage pools and EVS disks.

Anti-DDoS

Anti-DDoS Administrator

Anti-DDoS

Users with this permission and the Tenant Guest permission can query EIPs in VPCs and perform all operations on Anti-DDoS.

APM

APM Admin

ServiceStage

Users with this permission can manage account monitoring data.

CCS

CCS

Cloud Catalog Service (CCS)

Users with this permission can customize products, product portfolios, and versions, add a product to a product portfolio, add authorization and constraints, perform O&M on product instances, and manage quotas.

CCS User

Users with this permission can view products and manage product instances.

CCI

CCI Administrator

Cloud Container Instance (CCI)

Users with this permission can create, delete, and modify cloud container instances.

CDE

CDE Admin

ServiceStage

Users with this permission can manage application orchestration of accounts.

CDE Developer

ServiceStage

Users with this permission can orchestrate applications.

CDN

CDN Administrator

CDN

Users with this permission can perform all operations on CDN, including creating, viewing, modifying, and deleting acceleration domain names, modifying CDN billing modes, viewing statistics, and refreshing and preheating the cache.

LSA

LSA Administrator

Live Streaming Acceleration (LSA)

Users with this permission can perform all operations on LSA, including creating, viewing, modifying, and deleting acceleration domain names, modifying LSA billing modes, and viewing statistics.

CTS

CTS Administrator

Cloud Trace Service (CTS)

Users with this permission and the Tenant Guest and Tenant Administrator permissions for the regions where OBS is deployed can perform the following operations:

  • Enable CTS.
  • Create, modify, disable, or enable a tracker.
  • Receive or view traces.

If a user has this permission but not the Tenant Administrator permission for the regions where OBS is deployed, the user's traces cannot be saved to OBS buckets.

CRS

CRS Administrator

Cloud Report Service (CRS)

Users with this permission can perform the following operations:

  • Connect, delete, modify, and query data sources.
  • Create, delete, modify, query, and preview data sets.
  • Create, delete, modify, query, and analyze data in worksheets.
  • Create, delete, modify, and query dashboards.
  • Query quotas.

CS

CS Tenant Admin

Cloud Stream Service (CS)

Users with this permission can perform the following operations:

  • Create, delete, and modify jobs, templates, and independent clusters.
  • Allocate available clusters and quotas to sub-users with the CS User permission.
  • View all user jobs in independent clusters.

CS User

Users with this permission can create, delete, and modify jobs and templates.

CSBS

CSBS Administrator

Cloud Server Backup Service (CSBS)

Users with this permission can delete cloud server backups. Users with this permission and the Server Administrator permission can create a cloud server backup, restore a cloud server, and manage backup policies.

If a user does not have the Server Administrator permission:

  • When the user creates a backup or restores a cloud server, the user cannot obtain information about the cloud server.
  • When the user associates a cloud server with a backup policy, the user cannot obtain information about the cloud server.

DWS

DWS Administrator

Data Warehouse Service (DWS)

Users with this permission and the Tenant Guest and Server Administrator permissions can perform all operations on DWS resources. DWS cannot run properly if either the Tenant Guest or the Server Administrator permission is missing.
NOTE:
  • Users with this permission and the VPC Administrator permission can create a VPC or subnet.
  • Users with this permission and the CES Administrator permission can view monitoring metrics of data warehouse clusters.

DWS Database Access

Users with this permission can generate temporary database user credentials based on IAM users to connect to the DWS cluster database.

DEW

KMS Administrator

Data Encryption Workshop (DEW)

  • Key Management Service

    Users with this permission can perform the following operations:

    • Create, enable, disable, schedule the deletion of, and cancel the deletion of CMKs.
    • Query the list of CMKs.
    • Query the information about CMKs.
    • Create random numbers and DEKs, including plaintext-free DEKs.
    • Encrypt and decrypt DEKs.
    • Change the aliases and description of CMKs.
    • Create, query, revoke, and retire grants on CMKs.
    • Import and delete CMK material.
    • Add, delete, and query CMK tags.
  • Key Pair Service

    Users with this permission and the Server Administrator permission can perform the following operations:

    • Create, import, and delete key pairs.
    • Query the list of key pairs.
    • Query the information about key pairs.
    • Reset, replace, bind, and unbind key pairs.
    • Import, export, and clear private keys.
    • Query and delete records about failed tasks.
  • Dedicated HSM

    Users with this permission can perform the following operations:

    • Query prices, submit orders, obtain order information, and pay for orders.
    • Query the list of HSM instances.
    • Check the network information.
    • Check in-use IP addresses under a subnet.
    • Check product specifications.
    • Obtain and verify a verification code.

SFS

SFS Administrator

Scalable File Service (SFS)

Users with this permission and the Tenant Guest permission can create, delete, query, expand, and downsize file systems.

SVCSTG

SvcStg Admin

ServiceStage

Users with this permission can manage all modules, such as creating clusters and nodes.

SvcStg Developer

Users with this permission can develop all modules, such as creating cloud projects and pipelines.

SvcStg Operator

Users with this permission can maintain all modules, for example, creating monitoring dashboards.

SWR

SWR Admin

ServiceStage

Users with this permission can manage software repositories of accounts.

MRS

MRS Administrator

MapReduce Service (MRS)

Users with this permission can view MRS overview information, cluster information, job information, HDFS file operation information, operation logs, alarm lists, and the MRS Manager page.

RDS

RDS Administrator

Relational Database Service (RDS)

Document Database Service (DDS)

Users with this permission and the Tenant Guest and Server Administrator permissions can perform all operations on the RDS and DDS services, including the following:

  • Create or delete database instances.
  • Restart database instances, expand capacities of database instances, and set database parameters.
  • Restore database instances.

Users with this permission but without the Tenant Guest or Server Administrator permission cannot properly use the RDS and DDS services.

NOTE:
  • Users with this permission and the VPC Administrator permission can create a VPC or subnet.
  • Users with this permission and the CES Administrator permission can modify or create alarm rules for database instances.
  • Users with this permission and the TMS Administrator permission can query predefined tags of Tag Management Service (TMS) and create, modify, and delete predefined tags.
  • Users with this permission and the KMS Administrator permission can buy KMS keys and encrypt RDS and DDS DB instances.
  • Users with this permission and the Security Administrator permission can buy the RDS and DBSS services together.

DIS

DIS Administrator

Data Ingestion Service (DIS)

Users with this permission can perform the following operations:

  • Create, delete, query, and list DIS streams.
  • Upload data to or download data from DIS streams.
  • Query stream monitoring metrics.

DNS

DNS Administrator

Domain Name Service (DNS)

Users with this permission can perform the following operations:

  • Create, query, and delete zones.
  • Create, query, and delete record sets.
  • Create, query, and delete PTR records.

WAF

WAF Administrator

Web Application Firewall (WAF)

Users with this permission can perform the following operations:

  • Create and delete WAF instances.
  • Configure, enable, and disable WAF instances.
  • Modify the protection policies of WAF instances.
  • Configure alarm notification for WAF instances.
  • Query the WAF instance list and details.
  • Authenticate the domain name of a WAF instance.

HSS

HSS Administrator

Host Security Service (HSS)

Users with this permission can perform the following operations:

  • Enable and disable HSS.
  • Perform manual detections.
  • Set alarm information and perform security configurations.
  • View security overview on the Dashboard page.
  • View the ECS list and risk details.
  • View reports of asset management, vulnerability management, intrusion detection, and baseline inspection.

VulnScan

VSS Administrator

Vulnerability Scan Service (VSS)

Users with this permission can perform the following operations:

  • Create, restart, and cancel scan tasks.
  • Query task lists and details.
  • Query vulnerability lists and details.
  • Mark vulnerabilities as false positives.
  • Authenticate domain names.

VBS

VBS Administrator

Volume Backup Service (VBS)

Users with this permission and the Server Administrator and Tenant Guest permissions can perform the following operations:

  • Create an EVS disk backup.
  • Delete an EVS disk backup.
  • Restore an EVS disk.

WKS

Workspace Administrator

Workspace

  • Users with this permission and the Tenant Guest, Server Administrator, and VPC Administrator permissions can perform all operations on Workspace.
  • Users with this permission and the Tenant Guest permission can query the image used for creating desktops.
  • Users with this permission and the Server Administrator permission can manage image authorization, ports, and security group rules.
  • Users with this permission and the VPC Administrator permission can query VPC and subnet information as well as manage security groups and IP address creation, query, and deletion.

IMS

IMS Administrator

Image Management Service (IMS)

  • Users with this permission can create, modify, delete, and share images, and copy images across regions.
  • Users with this permission and the Server Administrator permission can create an image using an ECS.
  • Users with this permission and the Tenant Guest permission for the regions where OBS is deployed can create an image using an image file.
  • Users with this permission and the Tenant Administrator permission for the regions where OBS is deployed can export images.
  • Users with this permission and the TMS Administrator permission can query predefined tags when adding a tag to an image or searching for an image by tag.
  • Users with this permission and the CSBS Administrator permission can create a full-ECS image.

RTS

RTS Administrator

Resource Template Service (RTS)

Users with this permission can create, modify, and delete cloud applications.

DLI

DLI Service User

Data Lake Insight Service (DLI)

Users with this permission can perform all operations on DLI, including:

  • Create and delete databases or tables.
  • Import and export data.
  • Query data.

TMS

TMS Administrator

Tag Management Service (TMS)

Users with this permission can create, modify, and delete predefined tags.

MLS

MLS Administrator

Machine Learning Service (MLS)

  • Users with this permission and the Tenant Guest and Server Administrator permissions can perform all operations on MLS resources. MLS cannot run properly if either the Tenant Guest or the Server Administrator permission is missing.
  • Users with this permission and the VPC Administrator permission can create a VPC or subnet.

OBS

OBS Bucket Viewer

Object Storage Service (OBS)

Users with this permission can obtain the list, metadata, and location information of buckets.

BSS

BSS Administrator

My Account

Billing Center

Support Center

Users with this permission can perform operations on all menus in My Account, Billing Center, and Support Center.

BSS Operator

My Account

Billing Center

Support Center

Users with this permission can:

  • Access all menus in My Account and Support Center.
  • Perform the following operations in Billing Center:
    • View, cancel, and export orders, renew and change the tariff, and unsubscribe and release resources.
    • View and export the consumption summary and details, and analyze bills.
    • View and activate coupons, apply for online contracts, and view commercial discounts.

BSS Finance

Billing Center

Support Center

Users with this permission can perform the following operations in Billing Center:
  • Recharge accounts, withdraw cash, and set a low balance alert.
  • View, pay, and export orders, and renew resources.
  • View and export the consumption summary, consumption details, and income and expense details, and analyze bills.
  • View and activate coupons, issue invoices, apply for online contracts, and view commercial discounts.

NAT Gateway

NAT Gateway Administrator

NAT Gateway

Users with this permission can manage all resources of NAT Gateway, VPC, floating IP addresses, and ports. This permission depends on the Tenant Guest permission.

If a NAT user needs to create subnets, the VPC Administrator permission is required.

FSS

FunctionStage Administrator

FunctionStage

Create, delete, modify, and query functions and triggers, and invoke functions.

FunctionStage Invoker

Query functions and triggers, and invoke functions.

CDM

CDM Administrator

Cloud Data Migration (CDM)

Users with this permission can perform all operations on CDM.

DMS

DMS Administrator

Distributed Message Service (DMS)

Users with this permission can perform the following operations:

  • Create or delete queues.
  • Create or delete consumer groups.
  • Create messages.
  • Consume messages.

If users need to create shared Kafka instances or RabbitMQ instances, users must have the Server Administrator and VPC Administrator permissions.

CloudTable

CloudTable

CloudTable Administrator

CloudTable Service (CloudTable)

Users with this permission and the Tenant Guest and Server Administrator permissions can perform all operations on CloudTable resources. CloudTable cannot run properly if either the Tenant Guest or the Server Administrator permission is missing. Users with this permission can perform the following operations:

  • Create, restart, and delete a CloudTable cluster.
  • Enable OpenTSDB and GeoMesa.
  • View and configure CloudTable cluster parameters.
  • View the overview, cluster list, and cluster details of CloudTable.
  • View the monitoring information and alarm list of CloudTable.
  • Query operation logs of CloudTable.

DBSS

DBSS System Administrator

Database Security Service (DBSS)

Users with this permission can perform the following operations:
  • Buy instances.
  • Delete instances.
  • Obtain an instance list.
  • Start, stop, and restart an instance.
  • Upgrade service instances.
  • Bind or unbind an EIP.
NOTE:

To purchase an instance, users must have the VPC and BSS permissions.

DBSS Audit Administrator

Users with this permission can perform the following operations:
  • Obtain an instance list.
  • Log in to the DBSS console.

DBSS Security Administrator

Users with this permission can perform the following operations:
  • Obtain an instance list.
  • Log in to the DBSS console.

SES

SES Administrator

Security Expert Service (SES)

Users with this permission can perform the following operations:

  • Purchase SES.
  • Supplement and modify service order information.
  • View the service order list and service order details.
  • Authenticate the host or domain to be assessed, hardened, or monitored.
  • Download the assessment report.
  • Evaluate SES.

CGS

CGS Administrator

Container Guard Service (CGS)

Users with this permission can perform the following operations:

  • Install and uninstall the container security Shield.
  • Enable and disable node protection.
  • Add, edit, delete, and apply policies.
  • Ignore vulnerabilities on the image.
  • Cancel ignoring vulnerabilities on the image.
  • View the cluster and node list.
  • View the policy list and policies that are applied to the image.
  • View the information about vulnerabilities.
  • Check the exception information for a running container.

Permission Information

Select a permission name, for example, VPC Administrator, to display the permission's definition in JSON format. Each permission contains one or more statements, and each statement describes a group of permitted or denied operations.

The following is an example of the VPC Administrator permission information.

Description: VPC Administrator

Content:

{
    "Version": "1.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "VPC:vpc:*",
                "VPC:router:*",
                "VPC:network:*",
                "VPC:subnet:*",
                "VPC:privateip:*",
                "VPC:port:*",
                "VPC:vpn:*",
                "VPC:lbaas:*"
            ]
        }
    ],
    "Depends": [
        {
            "catalog": "BASE",
            "display_name": "Tenant Guest"
        }
    ]
}
Table 3 Permission information parameters

Description
  Meaning: Permission name.
  Value: For example, VPC Administrator.

Content
  Meaning: Detailed information about the permission, in JSON format.
  Value: -

Version
  Meaning: Permission version.
  Value:
    • 1.0: Preset cloud service permission (non-fine-grained permission)
    • 1.1: Fine-grained permission

Statement (authorization statement)

  Effect
    Meaning: Indicates whether the operations listed in Action are allowed.
    Value:
      • Allow: The operations are allowed.
      • Deny: The operations are not allowed.
    If both an Allow statement and a Deny statement match an operation, the Deny statement takes precedence and the operation is refused.

  Action
    Meaning: Indicates an operation on a service that the permission covers.
    Value: The format is Service name:Resource type:Action, for example, VPC:subnet:*, which indicates all operations on subnets. In this value, VPC is the service name, subnet is the resource type, and the asterisk (*) is a wildcard character that matches all operations.

Depends (dependent permissions)

  NOTE:
  When you select a permission, you must also select the permissions it depends on; otherwise the selected permission does not take effect.

  catalog
    Meaning: Indicates the service catalog of a permission that users must also have in order to be granted this permission.
    Value: Service catalog name, for example, BASE.

  display_name
    Meaning: Indicates the name of a permission that users must also have in order to be granted this permission.
    Value: Permission name, for example, Tenant Guest.
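The evaluation rules in Table 3, the Depends field of the VPC Administrator document above, and the prose dependencies in Table 2 (for example, DWS Administrator needing Tenant Guest and Server Administrator, which is transcribed into Depends form here) can be checked mechanically before a user group is assigned. The following Python script is an added example written for this page; it is not the cloud provider's own code or API. It loads permission documents in the JSON format shown above, matches Service name:Resource type:Action strings with a per-segment wildcard, applies Deny precedence, computes a user's effective permissions as the union of its groups' permissions, and reports any Depends entry a group fails to cover. Only the VPC Administrator document is copied from the page; the Tenant Guest, Server Administrator, DWS Administrator, and No VPN Changes documents, the user groups, case-insensitive matching, and the rule that an action no statement matches is implicitly denied are constructed assumptions for this example.

```python
import json
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Permission:
    name: str            # display_name, e.g. "VPC Administrator"
    version: str         # "1.0" preset, "1.1" fine-grained (see Table 3)
    statements: list     # the "Statement" array of the document
    depends: list = field(default_factory=list)   # display_names from "Depends"

    @classmethod
    def from_json(cls, name: str, doc: str) -> "Permission":
        body = json.loads(doc)
        return cls(name, body["Version"], body["Statement"],
                   [d["display_name"] for d in body.get("Depends", [])])


def action_matches(pattern: str, action: str) -> bool:
    """Compare Service:Resource:Action segment by segment.  Assumption: the
    comparison is case-insensitive (the page writes both VPC: and vpc:) and
    '*' is a per-segment wildcard, so 'VPC:subnet:*' matches 'vpc:subnet:create'
    but not 'vpc:port:create'."""
    pat, act = pattern.lower().split(":"), action.lower().split(":")
    return len(pat) == len(act) and all(fnmatchcase(a, p) for a, p in zip(act, pat))


def evaluate(perms: list, action: str) -> str:
    """Decide one action against every statement of every held permission.
    An explicit Deny wins over any Allow (Table 3); an action that no statement
    mentions is refused (implicit deny; assumption of this example)."""
    decision = "Deny"
    for perm in perms:
        for stmt in perm.statements:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def unmet_dependencies(perms: list) -> dict:
    """Map each held permission to the Depends entries the set does not cover.
    An empty dict means every held permission can take effect."""
    held = {p.name for p in perms}
    return {p.name: sorted(set(p.depends) - held)
            for p in perms if set(p.depends) - held}


def effective_permissions(user: str, users: dict, groups: dict, catalog: dict) -> list:
    """A user inherits the union of the permissions of every group it belongs to."""
    names = {n for g in users.get(user, []) for n in groups.get(g, [])}
    return [catalog[n] for n in sorted(names)]


# Permission documents. VPC Administrator is copied from the page; the others
# are constructed for this example and are not the provider's real policy
# contents (their Depends lists transcribe the prose of Table 2).
CATALOG = {p.name: p for p in [
    Permission.from_json("VPC Administrator", """{
      "Version": "1.0",
      "Statement": [{"Effect": "Allow", "Action": [
        "VPC:vpc:*", "VPC:router:*", "VPC:network:*", "VPC:subnet:*",
        "VPC:privateip:*", "VPC:port:*", "VPC:vpn:*", "VPC:lbaas:*"]}],
      "Depends": [{"catalog": "BASE", "display_name": "Tenant Guest"}]}"""),
    Permission.from_json("Tenant Guest", """{
      "Version": "1.0",
      "Statement": [{"Effect": "Allow", "Action": ["*:*:list", "*:*:get"]}]}"""),
    Permission.from_json("Server Administrator", """{
      "Version": "1.0",
      "Statement": [{"Effect": "Allow", "Action": ["ECS:*:*", "EVS:*:*"]}]}"""),
    Permission.from_json("DWS Administrator", """{
      "Version": "1.0",
      "Statement": [{"Effect": "Allow", "Action": ["DWS:*:*"]}],
      "Depends": [{"catalog": "BASE", "display_name": "Tenant Guest"},
                  {"catalog": "BASE", "display_name": "Server Administrator"}]}"""),
    Permission.from_json("No VPN Changes", """{
      "Version": "1.1",
      "Statement": [{"Effect": "Deny", "Action": ["VPC:vpn:*"]}]}"""),
]}

# Constructed user groups and memberships; dw-ops is deliberately missing the
# two permissions DWS Administrator depends on.
GROUPS = {
    "network-ops": ["VPC Administrator", "Tenant Guest", "No VPN Changes"],
    "dw-ops": ["DWS Administrator"],
}
USERS = {"alice": ["network-ops"], "bob": ["dw-ops"]}


def audit(user: str) -> dict:
    """Effective permissions, unmet dependencies, and a few sample decisions."""
    perms = effective_permissions(user, USERS, GROUPS, CATALOG)
    return {"held": [p.name for p in perms],
            "unmet": unmet_dependencies(perms),
            "vpc:subnet:create": evaluate(perms, "vpc:subnet:create"),
            "vpc:vpn:create": evaluate(perms, "vpc:vpn:create"),
            "dws:cluster:list": evaluate(perms, "dws:cluster:list")}


if __name__ == "__main__":
    for u in USERS:
        print(u, json.dumps(audit(u), indent=2))
```

Running the script reports that alice may create subnets but not VPN resources (the version 1.1 Deny statement overrides VPC Administrator's Allow), and that bob's group holds DWS Administrator without Tenant Guest or Server Administrator, the exact condition under which Table 2 says DWS cannot run properly.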