How Do I Limit Agency Permissions for Cross-Region Image Replication?

Scenarios

During cross-region image replication, an agency is required to verify cloud service permissions in the destination region. So, you need to create a cloud service agency before the replication. In the past, you might be required to assign the Tenant Administrator or IMS Administrator system-defined role to an agency, but the two roles provide more excessive permissions than the agency actually needs.

You can use fine-grained system-defined policies to limit the agency permissions.

Procedure

1. Log in to the console.
2. Hover the mouse pointer over the username in the upper right corner and select Identity and Access Management from the drop-down list.
3. In the navigation pane, choose Agencies.
4. Click the name of the agency you used for cross-region replication.
5. On the Permissions tab page, if the Tenant Administrator or IMS Administrator role is displayed, proceed with the following steps to limit the agency permissions.
6. Click Authorize. Select system-defined policies based on the image type. For details, see Table 1.
7. Click Next and set the minimum authorization scope.
8. Click OK.
9. Click Finish to return back to the permission list.
10. In the list, select the Tenant Administrator and IMS Administrator roles and click Delete.

    Table 1 Permissions required for cross-region image replication

    Scenario	System-defined Policy
    Cross-region replication of a system or data disk image	IMS CrossCopyAgencyPolicy
    Cross-region replication of a full-ECS image	IMS CrossCopyAgencyCBRPolicy