Updated on 2024-08-23 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM allows you to control access to your Cloud Connect resources.

With IAM, you can create IAM users for certain employees in your enterprise and assign permissions to control their access to Cloud Connect resources. For example, you can assign permissions to software developers so that they can use Cloud Connect but cannot delete Cloud Connect resources or perform any other high-risk operations.

Skip this part if you do not require individual IAM users for refined permissions management.

IAM is a free service. For more information about IAM, see the IAM Service Overview.

Cloud Connect Permissions

By default, new IAM users do not have permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups.

Cloud Connect is a global service for access from any region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.

You can grant permissions by using roles or policies.

  • Roles: A type of coarse-grained authorization mechanism that defines permissions based on user responsibility. This mechanism provides only a limited number of service-level roles. When using roles to grant permissions, you may need to also assign other dependency roles. Roles are not an ideal choice for fine-grained authorization.
  • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, the administrator can grant Cloud Connect users only the permissions for managing cloud connections.
Table 1 lists the system-defined roles or policies supported by Cloud Connect.
Table 1 Cloud Connect system-defined roles or policies

| System Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| Cross Connect Administrator | Has all permissions for Cloud Connect resources. For permissions of this role to take effect, users must also have the Tenant Guest and VPC Administrator permissions. | System-defined role | Tenant Guest and VPC Administrator. VPC Administrator: project-level policy, which must be assigned for the same project. Tenant Guest: project-level policy, which must be assigned for the same project. |
| CC FullAccess | All permissions on Cloud Connect. | System-defined policy | CC Network Depend QueryAccess |
| CC ReadOnlyAccess | Read-only permissions for Cloud Connect. Users who have these permissions can only view Cloud Connect resources. | System-defined policy | - |
| CC Network Depend QueryAccess | Read-only permissions required to access dependency resources when using Cloud Connect. Users who have these permissions can view VPCs or virtual gateways. | System-defined policy | - |

Table 2 lists common operations supported by each system-defined role or policy.

When you configure system policies CC FullAccess and CC ReadOnlyAccess, select Global services for Scope. In this case, the two system policies can take effect for network instances, inter-domain bandwidths, and routes.

Table 2 Common operations supported by system-defined permissions

| Operation | Cross Connect Administrator | CC FullAccess | CC ReadOnlyAccess |
|---|---|---|---|
| Creating a central network | × | | × |
| Updating a central network | × | | × |
| Deleting a central network | × | | × |
| Querying details of a central network | × | | |
| Querying central networks | × | | |
| Adding a central network policy | × | | × |
| Applying a central network policy | × | | × |
| Deleting a central network policy | × | | × |
| Querying central network policies | × | | |
| Querying policy changes | × | | |
| Querying central network connections | × | | |
| Updating a central network connection | × | | × |
| Querying quotas | | | |
| Querying the capabilities | | | |
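One way to check that a set of IAM group assignments satisfies the dependencies in Table 1 and the Scope requirement for CC FullAccess and CC ReadOnlyAccess, as an added Python example rather than anything from the Cloud Connect documentation; the group names, the project scopes and the (group, permission, scope) export format are constructed assumptions:

```python
"""Audit IAM group assignments for Cloud Connect against the rules on this page.

Added example, not part of the Cloud Connect documentation. The assignment
data below is constructed; the dependency rules come from Table 1 and the
scope rule from the note that CC FullAccess and CC ReadOnlyAccess must be
configured with Scope set to Global services."""
from collections import defaultdict

# Dependencies from Table 1: a permission only takes effect when the
# same group also holds each listed dependency.
DEPENDENCIES = {
    "Cross Connect Administrator": {"Tenant Guest", "VPC Administrator"},
    "CC FullAccess": {"CC Network Depend QueryAccess"},
    "CC ReadOnlyAccess": set(),
    "CC Network Depend QueryAccess": set(),
}

# System policies that must be assigned with Scope set to Global services.
GLOBAL_SCOPE_REQUIRED = {"CC FullAccess", "CC ReadOnlyAccess"}

# Constructed sample: (group, permission, scope) triples, the shape an
# administrator might export from the IAM console. Group and scope names
# are assumptions.
SAMPLE_ASSIGNMENTS = [
    ("cc-admins", "Cross Connect Administrator", "Global services"),
    ("cc-admins", "Tenant Guest", "cn-north-4"),        # VPC Administrator missing
    ("cc-devs", "CC FullAccess", "cn-north-4"),          # wrong scope, dependency missing
    ("cc-viewers", "CC ReadOnlyAccess", "Global services"),
]


def audit(assignments):
    """Return findings grouped by IAM group; an empty list means clean."""
    by_group = defaultdict(dict)
    for group, permission, scope in assignments:
        by_group[group][permission] = scope

    findings = []
    for group, perms in sorted(by_group.items()):
        for permission, scope in perms.items():
            for dep in sorted(DEPENDENCIES.get(permission, set()) - set(perms)):
                findings.append(f"{group}: {permission} requires {dep}")
            if permission in GLOBAL_SCOPE_REQUIRED and scope != "Global services":
                findings.append(
                    f"{group}: {permission} must be assigned with Scope = Global services (got {scope})"
                )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ASSIGNMENTS):
        print(line)
```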