Updated on 2024-12-09 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to control their access to your cloud resources, you can use the Identity and Access Management (IAM) for fine-grained permissions management. IAM provides functions such as identity authentication, permissions management, and access control.

On the IAM console, you can create IAM users and assign permissions to control their access to specific resources. For example, you can create IAM users for software developers and assign permissions to allow them to use enterprise router resources but disallow them from performing any high-risk operations such as deleting such resources.

IAM is free of charge.

For more information, see IAM Service Overview.

Enterprise Router Permissions

By default, new IAM users do not have any permissions assigned. You need to add them to one or more groups and attach policies or roles to these groups so that these users can inherit permissions from the groups and perform specified operations on cloud services.

An enterprise router is a project-level service deployed in a specific region. You need to select a project for which the permissions will be granted. If you select All projects, the permissions will be granted for all the projects. You need to switch to the authorized region before accessing an enterprise router.

Table 1 lists all the system-defined policies on enterprise routers.
Table 1 System-defined policies on enterprise routers

System Policy

Description

Type

Dependency

ER FullAccess

Administrator permissions for enterprise routers. Users with such permissions can operate and use all resources on enterprise routers.

System-defined policy

None

ER ReadOnlyAccess

Read-only permissions for enterprise routers. Users with such permissions can only view data on enterprise routers.

System-defined policy

None

Table 2 lists the common operations supported by each system-defined policy. You can select a proper one as required.
Table 2 Common operations supported by each system policy

Operation

Tenant Administrator

Tenant Guest

ER FullAccess

ER ReadOnlyAccess

Creating an enterprise router

x

x

Modifying an enterprise router

x

x

Viewing an enterprise router

Deleting an enterprise router

x

x

Adding a Virtual Private Cloud (VPC) to an enterprise router

x

x

Deleting a VPC attachment

x

x

Viewing attachments of all types

Creating a route table

x

x

Renaming a route table

x

x

Viewing a route table

Deleting a route table

x

x

Creating an association for an attachment in a route table

x

x

Viewing associations in a route table

Deleting an association from a route table

x

x

Creating a propagation for an attachment in the route table

x

x

Viewing a propagation in a route table

Deleting a propagation from a route table

x

x

Creating a static route

x

x

Modifying a static route

x

x

Viewing a route

Deleting a static route

x

x

Creating a flow log

x

x

Viewing a VPC flow log

Disabling a flow log

x

x

Enabling a flow log

x

x

Deleting a flow log

x

x

Adding a resource tag

x

x

Modifying a resource tag

x

x

Viewing a resource tag

Deleting a resource tag

x

x