Help Center> >System Permissions

System Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

Region: A geographic area for which permissions take effect. Select proper regions when you assign permissions.
  • Global service project: Services deployed without specifying physical regions are called global services. Permissions for these services must be assigned in the Global region.
  • Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for accessing these services need to be assigned in specific regions and take effect only for these regions. To make the permissions take effect in all regions, assign the permissions in each of these regions.

Type: You can grant users permissions by using roles and policies. Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

  • For services that provide both policies and roles, preferentially use policies to assign permissions.
  • For services that support policy-based access control, you can create custom policies to supplement system-defined policies to allow or deny access to specific types of resources under certain conditions. Click the Policy link in each table to view the supported policy actions.

BASE

Service

Region

Role/Policy Name

Type

Description

BASE

Global

FullAccess

Policy

Full permissions for all services

Global

IAM ReadOnlyAccess

Read-only permissions for Identity and Access Management. Users granted these permissions can view only users, user groups, policies, roles, agencies, and account security settings. They cannot view projects or identity providers.

All regions

Tenant Guest

Role

Read-only permissions for all services except IAM

All regions

Tenant Administrator

Full permissions for all services except IAM

Global

Security Administrator

Full permissions for IAM

Global

Agent Operator

Permissions for switching roles to access resources of delegating accounts

Compute

Service

Region

Role/Policy Name

Type

Description

Elastic Cloud Server (ECS)

(Project-level service)

Specific regions

ECS FullAccess

Policy

Full permissions for ECS

ECS ReadOnlyAccess

Read-only permissions for ECS

ECS CommonOperations

Permissions for starting, stopping, restarting, and querying ECSs

Server Administrator

Role

  • Full permissions for ECS. This role must be used together with the Tenant Guest role in the same project.

    If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project.

    For example, if a user needs to create a new VPC when creating an ECS, the user must also be granted permissions with the VPC Administrator role.

Cloud Container Engine (CCE)

(Project-level service)

Specific regions

CCE FullAccess

Policy

Read and write permissions for CCE clusters, including creating, deleting, and updating clusters.

CCE ReadOnlyAccess

Read-only permissions for CCE clusters.

CCE Administrator

Role

Read and write permissions for CCE clusters and all resources (including workloads and services) in clusters.

This role depends on the following permissions:

Global service: OBS Buckets Viewer

Regional services (select in the same project): Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, SWR Admin, and APM FullAccess

NOTE:

Users also granted permissions with NAT Gateway Administrator can use NAT Gateway functions for clusters.

Bare Metal Server (BMS)

(Project-level service)

Specific regions

BMS FullAccess

Policy

Full permissions for BMS

BMS ReadOnlyAccess

Read-only permissions for BMS

BMS CommonOperations

Permissions for starting, stopping, restarting, and querying BMSs

Auto Scaling (AS)

(Project-level service)

Specific regions

AutoScaling FullAccess

Policy

Full permissions for all AS resources

AutoScaling ReadOnlyAccess

Read-only permissions for all AS resources

AutoScaling Administrator

Role

Full permissions for all AS resources

This role must be used together with the ELB Administrator and CES Administrator roles in the same project.

Image Management Service (IMS)

(Project-level service)

Specific regions

IMS FullAccess

Policy

Full permissions for IMS

IMS ReadOnlyAccess

Read-only permissions for IMS

IMS Administrator

Role

Full permissions for IMS

This role must be used together with the Tenant Administrator role.

Server Administrator

Permissions for creating, deleting, querying, modifying, and uploading images. This role must be used together with the IMS Administrator role in the same project.

Cloud Container Instance (CCI)

(Project-level service)

Specific regions

CCI Administrator

Role

Full permissions for CCI

CCI FullAccess

Policy

Full permissions for CCI

CCI ReadOnlyAccess

Read-only permissions for CCI

FunctionGraph

(Project-level service)

Specific regions

FunctionGraph Administrator

Role

Permissions for managing FunctionGraph functions and triggers

This role must be used together with the Tenant Guest role in the same project.

FunctionGraph Invoker

Permissions for querying FunctionGraph functions and triggers

Cloud Phone (CPH)

(Project-level service)

Specific regions

CPH Administrator

Role

Full permissions for CPH

CPH User

Read-only permissions for CPH

Storage

Service

Region

Role/Policy Name

Type

Description

Object Storage Service (OBS)

(Global service)

Global

OBS OperateAccess

Policy

Basic object operation permissions, such as viewing buckets, uploading, obtaining, and deleting objects, and obtaining object ACLs

OBS ReadOnlyAccess

Permissions for listing buckets, obtaining bucket metadata, listing objects in a bucket, and querying bucket locations

OBS Buckets Viewer

Role

Permissions for listing buckets, obtaining bucket information, and obtaining bucket metadata

Elastic Volume Service (EVS)

(Project-level service)

Specific regions

EVS FullAccess

Policy

Full permissions for EVS

EVS ReadOnlyAccess

Read-only permissions for EVS

Server Administrator

Role

Full permissions for EVS.

Cloud Backup and Recovery (CBR)

(Project-level service)

Specific regions

CBR FullAccess

Policy

Administrator permissions for using all vaults and policies on CBR

CBR BackupsAndVaultsFullAccess

Common user permissions for creating, viewing, and deleting vaults on CBR

CBR ReadOnlyAccess

Read-only permissions for viewing data on CBR

Content Delivery Network (CDN)

(Global service)

Global

CDN DomainReadOnlyAccess

Policy

Read-only permissions for CDN acceleration domain names

CDN StatisticsReadOnlyAccess

Read-only permissions for CDN statistics

CDN LogsReadOnlyAccess

Read-only permissions for CDN logs

CDN DomainConfigureAccess

Permissions for configuring CDN acceleration domain names

CDN RefreshAndPreheatAccess

Permissions for cache refreshing and preheating

CDN Administrator

Role

Full permissions for CDN

This role must be used together with the Tenant Guest role in the same project.

Storage Disaster Recovery Service (SDRS)

(Project-level service)

Specific regions

SDRS Administrator

Role

Full permissions for SDRS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Scalable File Service (SFS)

(Project-level service)

Specific regions

SFS FullAccess

Policy

Full permissions for SFS

SFS ReadOnlyAccess

Read-only permissions for SFS

SFS Administrator

Role

Full permissions for SFS

This role must be used together with the Tenant Guest role in the same project.

Cloud Server Backup Service (CSBS)

(Project-level service)

Specific regions

CSBS Administrator

Role

Full permissions for CSBS

This role must be used together with the Server Administrator role in the same project.

Volume Backup Service (VBS)

(Project-level service)

Specific regions

VBS Administrator

Role

Full permissions for VBS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Network

Service

Region

Role/Policy Name

Type

Description

Virtual Private Cloud (VPC)

(Project-level service)

Specific regions

VPC FullAccess

Policy

Full permissions for VPC

VPC ReadOnlyAccess

Read-only permissions for VPC

VPC Administrator

Role

Full permissions for VPC

This role must be used together with the Tenant Guest role in the same project.

Server Administrator

Permissions for performing operations on EIPs, security groups, and ports.

This role must be used together with the Tenant Guest role in the same project.

Elastic Load Balance (ELB)

(Project-level service)

Specific regions

ELB FullAccess

Policy

Full permissions for ELB

ELB ReadOnlyAccess

Read-only permissions for ELB

ELB Administrator

Role

Full permissions for ELB

This role must be used together with the Tenant Guest role in the same project.

NAT Gateway

(Project-level service)

Specific regions

NAT FullAccess

Policy

Full permissions for NAT Gateway

NAT ReadOnlyAccess

Read-only permission for NAT Gateway

NAT Gateway Administrator

Role

Full permissions for NAT Gateway

This role must be used together with the Tenant Guest role in the same project.

Direct Connect

(Project-level service)

Specific regions

Direct Connect Administrator

Role

Full permissions for Direct Connect

This role must be used together with the Tenant Guest role in the same project.

Domain Name Service (DNS)

(Project-level service)

Specific regions

DNS Administrator

Role

Full permissions for DNS

DNS FullAccess

Policy

Administrator permissions for DNS. Users granted with these permissions can perform all operations on DNS, including creating, deleting, querying, and modifying DNS resources

DNS ReadOnlyAccess

Read-only permission for DNS. Users granted these permissions can only view DNS resources

VPC Endpoint (VPCEP)

(Project-level service)

Specific regions

VPCEndpoint Administrator

Role

Full permissions for VPCEP

This role must be used together with the Server Administrator, VPC Administrator, and DNS Administrator roles in the same project.

Security

Service

Region

Role/Policy Name

Type

Description

Anti-DDoS

(Project-level service)

Specific regions

Anti-DDoS Administrator

Role

Full permissions for Anti-DDoS

This role must be used together with the Tenant Guest role in the same project.

Advanced Anti-DDoS (AAD)

(Project-level service)

Specific regions

CAD Administrator

Role

Full permissions for AAD

Vulnerability Scan Service (VSS)

(Project-level service)

Specific regions

VSS Administrator

Role

Full permissions for VSS

Host Security Service (HSS)

(Project-level service)

Specific regions

HSS Administrator

Role

Full permissions for HSS

Database Security Service (DBSS)

(Project-level service)

Specific regions

DBSS System Administrator

Role

Full permissions for DBSS

DBSS Audit Administrator

Security auditing permissions for DBSS

DBSS Security Administrator

Security protection permissions for DBSS

Data Encryption Workshop (DEW)

(Project-level service)

Specific regions

KMS Administrator

Role

Full permissions for DEW

Security Expert Service (SES)

(Project-level service)

Specific regions

SES Administrator

Role

Full permissions for SES

Web Application Firewall (WAF)

(Project-level service)

Specific regions

WAF Administrator

Role

Full permissions for WAF

SSL Certificate Manager (SCM)

(Global service)

Global

SCM Administrator

Role

Full permissions for SCM

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

SCM FullAccess

Policy

Full permissions for SCM

SCM ReadOnlyAccess

Read-only permissions for SCM. Users with these permissions can only query certificates but cannot add, delete, or modify certificates.

Container Guard Service (CGS)

(Project-level service)

Specific regions

CGS FullAccess

Policy

Full permissions for CGS

CGS ReadOnlyAccess

Read-only permissions for CGS

CGS Administrator

Role

Full permissions for CGS

Management and Deployment

Service

Region

Role/Policy Name

Type

Description

Cloud Eye

(Project-level service)

Specific regions

CES Administrator

Role

Full permissions for Cloud Eye

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Specific regions

CES FullAccess

Policy

Administrator permissions for performing all operations on Cloud Eye

The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. For details, see Supported Cloud Services.

Specific regions

CES ReadOnlyAccess

Read-only permissions for viewing data on Cloud Eye

The monitoring function of Cloud Eye involves the query of cloud resources, which requires the relevant cloud services to support policy-based authorization. For details, see Supported Cloud Services.

Application Operations Management (AOM)

(Project-level service)

Specific regions

AOM FullAccess

Policy

Full permissions for AOM

AOM ReadOnlyAccess

Read-only permissions for AOM

Application Performance Management (APM)

(Project-level service)

Specific regions

APM FullAccess

Policy

Full permissions for APM

APM ReadOnlyAccess

Read-only permissions for APM

Cloud Trace Service (CTS)

(Project-level service)

Specific regions

CTS Administrator

Role

Full permissions for CTS

This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project.

Log Tank Service (LTS)

(Project-level service)

Specific regions

LTS FullAccess

Policy

Full permissions for LTS

LTS ReadOnlyAccess

Read-only permissions for LTS

LTS Administrator

Role

Full permissions for LTS

This role must be used together with the Tenant Guest and Tenant Administrator roles in the same project.

Tag Management Service (TMS)

(Global service)

Global

TMS Administrator

Role

Full permissions for TMS

Resource Template Service (RTS)

(Project-level service)

Specific regions

RTS Administrator

Role

Full permissions for RTS

This role must be used together with the Server Administrator, ELB Administrator, and CES Administrator roles in the same project.

Application

Service

Region

Role/Policy Name

Type

Description

ServiceStage

Cloud Performance Test Service

(CPTS)

(Project-level service)

Specific regions

SvcStg Admin

Role

  • Full permissions for ServiceStage, including service, application, node, stack, and pipeline management.
  • Permissions for performing operations on test resources of all users in CPTS, such as adding, deleting, modifying, and querying test resources

SvcStg Developer

  • Common user permissions for ServiceStage except node management
  • Permissions for performing operations only on a user's own test resources, such as adding, deleting, modifying, and querying test resources

SvcStg Operator

  • Read-only permissions for ServiceStage
  • Read-only permissions only for a user's own test resources

Distributed Cache Service (DCS)

(Project-level service)

Specific regions

DCS FullAccess

Policy

Full permissions for DCS

DCS UseAccess

Common user permissions for DCS operations except creating, modifying, deleting, and scaling instances

DCS ReadOnlyAccess

Read-only permissions for DCS

DCS Administrator

Role

Full permissions for DCS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Distributed Message Service (DMS)

(Project-level service)

Specific regions

DMS Administrator

Role

Full permissions for DMS

Distributed Message Service (DMS for Kafka and DMS for RabbitMQ)

(Project-level service)

Specific regions

DMS UseAccess

Policy (DMS for Kafka)

Policy (DMS for RabbitMQ)

Common user permissions for DMS (DMS for Kafka and DMS for RabbitMQ), excluding permissions for creating, modifying, deleting, scaling up instances and dumping.

DMS ReadOnlyAccess

Read-only permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can only view DMS data.

DMS FullAccess

Administrator permissions for DMS (DMS for Kafka and DMS for RabbitMQ). Users granted these permissions can perform all operations on DMS.

Simple Message Notification (SMN)

(Project-level service)

Specific regions

SMN Administrator

Role

Full permissions for SMN

API Gateway

(Project-level service)

Specific regions

APIG Administrator

Role

Full permissions for API Gateway

Software Repository for Container (SWR)

(Project-level service)

Specific regions

SWR Admin

Role

Full permissions for SWR

DeC

Service

Region

Role/Policy Name

Type

Description

Dedicated Distributed Storage Service (DSS)

(Project-level service)

Specific regions

DSS FullAccess

Role

Full permissions for DSS

DSS ReadOnlyAccess

Read-only permissions for DSS

Database

Service

Region

Role/Policy Name

Type

Description

Relational Database Service (RDS)

(Project-level service)

Specific regions

RDS FullAccess

Policy

Full permissions for RDS

RDS ReadOnlyAccess

Read-only permissions for RDS

RDS ManageAccess

Database administrator permissions for all operations except deleting RDS resources

RDS Administrator

Role

Full permissions for RDS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Document Database Service (DDS)

(Project-level service)

Specific regions

DDS FullAccess

Policy

Full permissions for DDS

DDS ReadOnlyAccess

Read-only permissions for DDS

DDS ManageAccess

Database administrator permissions for all operations except deleting DDS resources

DDS Administrator

Role

Full permissions for DDS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

If a DDS enterprise project is configured, you need to assign the DAS Admin role to users in the same project so that the users can log in to DAS from the DDS console.

Data Replication Service (DRS)

(Project-level service)

Specific regions

DRS Administrator

Role

Full permissions for DRS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Data Admin Service (DAS)

(Project-level service)

Specific regions

DAS Administrator

Role

Full permissions for DAS

This role must be used together with the Tenant Guest role in the same project.

Distributed Database Middleware (DDM)

(Project-level service)

Specific regions

DDM FullAccess

Policy

Full permissions for DDM

DDM CommonOperations

Common permissions for DDM

Users with common permissions cannot perform the following operations:

  • Buying DDM instances
  • Deleting DDM instances
  • Scaling up instances
  • Rolling back instances or clearing data when scale-up fails

DDM ReadOnlyAccess

Read-only permissions for DDM

Migration

Service

Region

Role/Policy Name

Type

Description

Cloud Data Migration (CDM)

(Project-level service)

Specific regions

CDM Administrator

Role

Full permissions for CDM

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

CDM FullAccess

Policy

Administrator permissions for performing all operations on CDM.

CDM FullAccessExceptUpdateEIP

Permissions for performing all operations except binding and unbinding EIPs on CDM

CDM CommonOperations

Permissions for performing operations on CDM jobs and links

CDM ReadOnlyAccess

Read-only permissions for CDM. Users granted these permissions can only view CDM clusters, links, and jobs.

Enterprise Intelligence

Service

Region

Role/Policy Name

Type

Description

ModelArts

(Project-level service)

Specific regions

ModelArts FullAccess

Policy

Administrator permissions for performing all operations on ModelArts

ModelArts CommonOperations

Permissions for performing all operations except managing dedicated resource pools on ModelArts

DAYU

(Project-level service)

Specific regions

DAYU Administrator

Role

Full permissions for DAYU

DAYU User

Read-only permissions for DAYU

MapReduce Service (MRS)

(Project-level service)

Specific regions

MRS FullAccess

Policy

Full permissions for MRS

MRS CommonOperations

Common user permissions for MRS operations except creating and deleting resources

MRS ReadOnlyAccess

Read-only permissions for MRS

MRS Administrator

Role

Full permissions for MRS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Data Warehouse Service (DWS)

(Project-level service)

Specific regions

DWS FullAccess

Policy

Full permissions for DWS

DWS ReadOnlyAccess

Read-only permissions for DWS

DWS Administrator

Role

Full permissions for DWS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

DWS Database Access

Permissions for accessing DWS. Users granted these permissions can generate temporary tokens for connecting to DWS cluster databases.

Data Lake Insight (DLI)

(Project-level service)

Specific regions

DLI Service Admin

Role

Full permissions for DLI

DLI Service User

Permissions for using DLI, but not for creating resources

Graph Engine Service (GES)

(Project-level service)

Specific regions

GES Administrator

Role

Full permissions for GES

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

GES Manager

Advanced user of GES with permissions for performing any operations on GES resources except creating and deleting graphs.

This role must be used together with the Tenant Guest role in the same project.

GES Operator

Permissions for viewing and accessing graphs

This role must be used together with the Tenant Guest role in the same project.

Specific regions

GES FullAccess

Policy

Administrator permissions for performing all operations (including creation, deletion, access, and upgrade operations) on GES

GES Development

Operator permissions for all operations except creating and deleting graphs

GES ReadOnlyAccess

Read-only permissions for viewing resources, such as graphs, metadata, and backup data

Cloud Search Service (CSS)

(Project-level service)

Specific regions

Elasticsearch Administrator

Role

Full permissions for CSS

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Data Ingestion Service (DIS)

(Project-level service)

Specific regions

DIS Administrator

Role

Full permissions for DIS

DIS Operator

Permissions for managing streams, such as creating and deleting streams, but not for uploading and downloading data

DIS User

Permissions for uploading and downloading data, but not for managing streams

Cloud Stream Service (CS)

(Project-level service)

Specific regions

CS FullAccess

Policy

Full permissions for CS

CS CommonOperations

Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates.

CS ReadOnlyAccess

Read-only permissions for CS. Users granted these permissions can only view CS jobs, templates, and exclusive clusters.

CS Tenant User

Role

Common user permissions for CS. Users granted these permissions can create, delete, and modify jobs and templates.

CS Tenant Admin

Administrator permissions for all operations on CS, including:

  • Creating, deleting, and modifying CS jobs, templates, and exclusive clusters
  • Allocating available clusters and quotas to users with permissions of the CS CommonOperations policy
  • Viewing all user jobs in exclusive clusters

CloudTable Service (CloudTable)

(Project-level service)

Specific regions

CloudTable

Administrator

Role

Full permissions for CloudTable

This role must be used together with the Tenant Guest and Server Administrator roles in the same project.

Data Lake Factory (DLF)

(Project-level service)

Specific regions

DLF Administrator

Role

Full permissions for DLF

This role must be used together with the Tenant Administrator role in the same project.

DLF FullAccess

Policy

Full permissions for DLF

DLF Development

Developer permissions for DLF. Users granted these permissions can use DLF to develop scripts and orchestrate jobs, but cannot create, delete, or modify workspaces.

DLF OperationAndMaintenanceAccess

O&M permissions for DLF. Users granted these permissions can maintain scripts, jobs, and other resources, but cannot create, delete, or modify any resources.

DLF ReadOnlyAccess

Read-only permissions for DLF. Users granted these permissions can only view DLF resources.

Recommender System (RES)

(Project-level service)

Specific regions

RES FullAccess

Policy

Full permissions for RES

RES ReadOnlyAccess

Read-only permissions for RES

Conversational Bot Service (CBS)

(Project-level service)

Specific regions

CBS Administrator

Role

Full permissions for CBS

CBS Guest

Read-only permissions for CBS

Enterprise Application

Service

Region

Role/Policy Name

Type

Description

ROMA

(Project-level service)

Specific regions

ROMA Administrator

Role

Administrator permissions for ROMA. Users granted these permissions can use all ROMA functions.

Cloud Communications

Service

Region

Role/Policy Name

Type

Description

Voice Call

Message & SMS

Private Number

(Project-level service)

Specific regions

RTC Administrator

Role

Full permissions for Voice Call, Message & SMS, and Private Number

Video

Service

Region

Role/Policy Name

Type

Description

Media Processing Center (MPC)

(Project-level service)

Specific regions

MPC Administrator

Role

Full permissions for MPC

Video on Demand (VOD)

(Project-level service)

Specific regions

VOD Administrator

Role

Full permissions for VOD. The operation object is all video content.

VOD Group Administrator

Permissions for VOD operations except global configuration. The operation object is the video content created by users in the current group.

VOD Group Operator

Permissions for VOD operations except content release, cancellation of content release, content deletion, and global configuration. The operation object is the video content created by users in the current group.

VOD Group Guest

Permissions only for querying video content. The operation object is the video content created by users in the current group.

User Support

Service

Region

Role/Policy Name

Type

Description

Business Support System (BSS)

(Project-level service)

Specific regions

NOTICE:

These are the regions where permissions of the policies supported by this service can be assigned.

BSS Administrator

Role

Full permissions for Billing Center, Resource Center, and My Account

BSS Operator

Query permissions for Billing Center and management permissions for Resource Center and My Account

BSS Finance

  • Topping up accounts, withdrawing money, and setting balance alerts
  • Viewing, paying, and exporting orders, and renewing resources
  • Viewing and exporting the expenditure summary, expenditure details, and income and expense details, and analyzing bills
  • Viewing and activating coupons, issuing invoices, applying for online contracts, and viewing commercial discounts

EnterpriseProject BSS FullAccess

Policy

Permissions for accounting management of enterprise projects

Enterprise Project Management Service (EPS)

(Global service)

Global

EPS FullAccess

Policy

  • Administrator permissions for Enterprise Management, including enterprise project and personnel management. For example, creating organizations, migrating resources, adding/removing user groups, and attaching policies to user groups. These permissions can be assigned by the administrator in the Global region on the IAM console.
  • Administrator permissions for a specific enterprise project, including modifying, enabling, disabling, and viewing the enterprise project. These permissions can be assigned by the administrator or an IAM user with EPS FullAccess permissions on the Enterprise Management console.

EPS ReadOnlyAccess

Read-only permissions for a specific or all enterprise projects

  • Read-only permissions for viewing all enterprise projects and user information. These permissions can be assigned by the administrator in the Global region on the IAM console.
  • Read-only permission for viewing a specific enterprise project. These permissions can be assigned by the administrator or an IAM user with EPS FullAccess permissions on the Enterprise Management console.

Service Ticket

(Global service)

Global

Ticket Administrator

Role

Full permissions for Service Ticket