Role Permissions

Updated on 2024-01-03 GMT+08:00

View PDF

Roles can be used for fairly coarse-grained permissions control. They grant service-level permissions based on user responsibilities. GES does not support custom roles. The following system roles are available.

**Table 1** System roles
Role Name	Description
Tenant Guest	Regular tenant users Permissions: querying GES resources Scope: project-level service
GES Administrator	GES administrator Permissions: performing any operations on GES resources Scope: project-level service NOTE: If you have the Tenant Guest, Server Administrator, and VPC Administrator permissions, you can perform any operations on GES resources. If you do not have the Tenant Guest or Server Administrator permission, you cannot use GES properly. If you need to bind or unbind an EIP, you need the Security Administrator permissions to create agencies. If GES needs to interact with OBS, for instance, when creating and importing data, OBS permissions are required. For details, see Common GES operations supported by each OBS policy. When granting OBS permissions, specify the permission scope as global service resources.
GES Manager	GES manager Permissions: performing any operations on GES resources other than creating, deleting graphs, resizing, and expanding graphs Scope: project-level service NOTE: If you have both Tenant Guest and Server Administrator permissions, you can perform any operations on GES resources except for creating and deleting graphs. If you do not have the Tenant Guest permission, you cannot use GES properly. If you need to bind or unbind an EIP, you need the Security Administrator and Server Administrator permissions. If GES needs to interact with OBS, for instance, when importing data, OBS permissions are required. For details, see Common GES operations supported by each OBS policy. When granting OBS permissions, specify the permission scope as global service resources.
GES Operator	Regular GES users Permissions: viewing and accessing GES resources Scope: project-level service NOTE: If you have both the GES Operator and Tenant Guest permissions, you can view and access GES resources. If you do not have the Tenant Guest permissions, you cannot view resources or access graphs. To interact with OBS, for instance, to view the metadata, you need the OBS permissions. For details, see Common GES operations supported by each OBS policy.

**Table 2** Common GES operations supported by each role
Operation	GES Administrator	GES Manager	GES Operator	Tenant Guest
Creating graphs	Yes	No	No	No
Deleting graphs	Yes	No	No	No
Querying graphs	Yes	Yes	Yes	Yes
Accessing graphs	Yes	Yes	Yes	No
Importing data	Yes	Yes	No	No
Creating metadata	Yes	Yes	No	No
Viewing metadata	Yes	Yes	Yes	Yes
Copying metadata	Yes	Yes	No	No
Editing metadata	Yes	Yes	No	No
Deleting metadata	Yes	Yes	No	No
Clearing data	Yes	Yes	No	No
Backing up graphs	Yes	Yes	No	No
Restoring graphs from backups	Yes	Yes	No	No
Deleting backups	Yes	Yes	No	No
Querying backups	Yes	Yes	Yes	Yes
Starting graphs	Yes	Yes	No	No
Stopping graphs	Yes	Yes	No	No
Upgrading graphs	Yes	Yes	No	No
Exporting graphs	Yes	Yes	No	No
Viewing results in the task center	Yes	Yes	Yes	Yes
Resizing a graph	√	No	No	×
Expanding a graph	√	No	No	×
Restarting a graph	√	Yes	No	×
Configuring fine-grained permissions	√	Yes	No	×
Configuring user groups	√	Yes	No	×
Importing IAM users	√	Yes	No	×
Viewing user details	√	Yes	Yes	√

**Table 3** Common GES operations supported by each OBS policy
GES Operation	Dependent OBS Permission
Viewing metadata	OBS Viewer policy or OBS Buckets Viewer role
Creating, importing, copying, editing, and deleting metadata	OBS Operator policy or Tenant Administrator role
Creating, importing, and exporting graphs	OBS Operator policy or Tenant Administrator role

**Table 4** Common GES operations supported by each IAM policy
GES Operation	Dependent IAM Permission
Importing IAM users	iam:users:listUsers (custom policy), IAM ReadOnlyAccess (system policy), or Server Administrator role
Creating or editing a user group	iam:users:listUsers (custom policy), IAM ReadOnlyAccess (system policy), or Server Administrator role