Permissions
If you need to assign different permissions to employees in your enterprise, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM allows you to control access to your Cloud Connect resources.
With IAM, you can create IAM users for certain employees in your enterprise and assign permissions to control their access to Cloud Connect resources. For example, you can assign permissions to software developers so that they can use Cloud Connect but cannot delete Cloud Connect resources or perform any other high-risk operations.
Skip this part if you do not require individual IAM users for refined permissions management.
IAM is a free service. For more information about IAM, see the IAM Service Overview.
Cloud Connect Permissions
By default, new IAM users do not have permissions assigned. To assign permissions to these new users, add them to one or more groups and attach permissions policies or roles to these groups.
Cloud Connect is a global service for access from any region. You can assign IAM permissions to users in the global service project. In this way, users do not need to switch regions when they access IAM.
You can grant permissions by using roles or policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions based on user responsibility. This mechanism provides only a limited number of service-level roles. When using roles to grant permissions, you may need to also assign other dependency roles. Roles are not an ideal choice for fine-grained authorization.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, the administrator can grant Cloud Connect users only the permissions for managing cloud connections.
| System Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| Cross Connect Administrator | Has all permissions for Cloud Connect resources. For permissions of this role to take effect, users must also have the Tenant Guest and VPC Administrator permissions. | System-defined role | Tenant Guest and VPC Administrator |
| CC FullAccess | All permissions on Cloud Connect. | System-defined policy | CC Network Depend QueryAccess |
| CC ReadOnlyAccess | Read-only permissions for Cloud Connect. Users who have these permissions can only view Cloud Connect resources. | System-defined policy | - |
| CC Network Depend QueryAccess | Read-only permissions required to access dependency resources when using Cloud Connect. Users who have these permissions can view VPCs or virtual gateways. | System-defined policy | - |
Table 2 lists common operations supported by each system-defined role and policy.
When you configure system policies CC FullAccess and CC ReadOnlyAccess, select Global services for Scope. In this case, the two system policies can take effect for network instances, inter-domain bandwidths, and routes.
| Operation | Cross Connect Administrator | CC FullAccess | CC ReadOnlyAccess |
|---|---|---|---|
| Creating a central network | × | √ | × |
| Updating a central network | × | √ | × |
| Deleting a central network | × | √ | × |
| Querying details of a central network | × | √ | √ |
| Querying central networks | × | √ | √ |
| Adding a central network policy | × | √ | × |
| Applying a central network policy | × | √ | × |
| Deleting a central network policy | × | √ | × |
| Querying central network policies | × | √ | √ |
| Querying policy changes | × | √ | √ |
| Querying central network connections | × | √ | √ |
| Updating a central network connection | × | √ | × |
| Querying quotas | √ | √ | √ |
| Querying the capabilities | √ | √ | √ |
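The dependency and scope requirements above are easy to miss when reviewing a group's assignments. The following script is an added example, not part of this documentation or of the IAM or Cloud Connect service; it encodes the dependencies and the Global services scope rule stated on this page and reports any group whose Cloud Connect authorization would not take effect as intended. The `Assignment` class and `audit_group` function are assumed names, and the sample group is constructed.

```python
"""Audit an IAM group's Cloud Connect roles/policies against the
dependency and scope rules listed on this page (added example)."""
from dataclasses import dataclass

# Dependencies stated in the system role/policy table above.
DEPENDENCIES = {
    "Cross Connect Administrator": {"Tenant Guest", "VPC Administrator"},
    "CC FullAccess": {"CC Network Depend QueryAccess"},
    "CC ReadOnlyAccess": set(),
    "CC Network Depend QueryAccess": set(),
}
# System policies that cover network instances, inter-domain bandwidths
# and routes only when their Scope is set to Global services.
GLOBAL_SCOPE_POLICIES = {"CC FullAccess", "CC ReadOnlyAccess"}


@dataclass(frozen=True)
class Assignment:
    """One role or policy attached to an IAM user group (assumed name)."""
    name: str
    scope: str  # "Global services" or a region name


def audit_group(assignments):
    """Return a list of findings; an empty list means the group's Cloud
    Connect authorization is consistent with the rules on this page."""
    attached = {a.name for a in assignments}
    findings = []
    for a in assignments:
        if a.name not in DEPENDENCIES:
            continue  # not a Cloud Connect role/policy; nothing to check
        missing = DEPENDENCIES[a.name] - attached
        if missing:
            findings.append(f"{a.name}: missing dependency {', '.join(sorted(missing))}")
        if a.name in GLOBAL_SCOPE_POLICIES and a.scope != "Global services":
            findings.append(f"{a.name}: scope is '{a.scope}', select Global services")
    # Least privilege: read-only access adds nothing next to full access.
    if {"CC FullAccess", "CC ReadOnlyAccess"} <= attached:
        findings.append("CC ReadOnlyAccess is redundant alongside CC FullAccess")
    return findings


if __name__ == "__main__":
    # Constructed sample: a developer group given full access in a single
    # region without the dependency policy.
    developers = [Assignment("CC FullAccess", "example-region")]
    for finding in audit_group(developers):
        print(finding)
```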