Help Center/Migration Center/User Guide/Permissions Management/Agency Permissions

Updated on 2025-07-10 GMT+08:00

Agency Permissions

Overview

To use some functions of MgC, you must delegate MgC the required permissions so that we can provide you with complete services. This section describes the scenarios where authorization is required and what custom permission policies will be created.

The system may create a new custom policy or update an existing policy during the authorization.

If there is no available custom policy, the system automatically creates a new one. For details about how to create a custom policy, see Creating a Custom Policy.
If there is an available custom policy but it does not contain required permissions, the system automatically updates the policy.

Creating a Cross-AZ Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a cross-AZ migration workflow	MgC	MgC AzMigrationAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) ecs:flavors:get (Querying ECS flavors) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServerQuotas:get (Querying quotas of a tenant) ecs:servers:list (Querying ECSs) ecs:cloudServers:list (Querying details about ECSs) ecs:servers:stop (Stopping an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS) ecs:availabilityZones:list (Listing AZs) ecs:servers:start (Starting an ECS) ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS) ecs:serverInterfaces:get (Querying ECS NICs) ecs:cloudServers:get (Querying details about an ECS) vpc:publicips:create (Creating an EIP) vpc:publicips:update (Updating an EIP) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:networks:get (Querying networks) vpc:publicips:list (Listing EIPs) vpc:publicips:get (Querying details about an EIP) vpc:ports:get (Querying ports or querying details about a port) vpc:ports:delete (Deleting a port) vpc:ports:update (Updating a port) vpc:ports:create (Creating a port) evs:types:get (Querying EVS disk types) evs:volumes:list (Querying EVS disks) cbr:vaults:get (Querying a specified vault) cbr:vaults:list (Querying vaults) cbr:vaults:create (Creating a vault) cbr:vaults:addResources (Associating resources) cbr:vaults:backup (Creating a restore point) cbr:backups:list (Querying backups) cbr:tasks:list (Querying tasks) cbr:tasks:get (Querying details about a task) cbr:backups:delete (Deleting a backup) cbr:backups:get (Querying a backup) cbr:vaults:delete (Deleting a vault) ims:wholeImages:create (Creating a full-ECS image) ims:images:list (Listing images) ims:images:delete (Deleting an image) ims:images:get (Querying details about an image) ims:serverImages:create (Creating an image)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a cross-AZ migration workflow

MgC

MgC AzMigrationAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:flavors:get (Querying ECS flavors)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

ecs:servers:list (Querying ECSs)

ecs:cloudServers:list (Querying details about ECSs)

ecs:servers:stop (Stopping an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerNics:update (Configuring a private IP address for a NIC of an ECS)

ecs:availabilityZones:list (Listing AZs)

ecs:servers:start (Starting an ECS)

ecs:cloudServers:changeNetworkInterface (Updating attributes of a specified NIC on an ECS)

ecs:serverInterfaces:get (Querying ECS NICs)

ecs:cloudServers:get (Querying details about an ECS)

vpc:publicips:create (Creating an EIP)

vpc:publicips:update (Updating an EIP)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:networks:get (Querying networks)

vpc:publicips:list (Listing EIPs)

vpc:publicips:get (Querying details about an EIP)

vpc:ports:get (Querying ports or querying details about a port)

vpc:ports:delete (Deleting a port)

vpc:ports:update (Updating a port)

vpc:ports:create (Creating a port)

evs:types:get (Querying EVS disk types)

evs:volumes:list (Querying EVS disks)

cbr:vaults:get (Querying a specified vault)

cbr:vaults:list (Querying vaults)

cbr:vaults:create (Creating a vault)

cbr:vaults:addResources (Associating resources)

cbr:vaults:backup (Creating a restore point)

cbr:backups:list (Querying backups)

cbr:tasks:list (Querying tasks)

cbr:tasks:get (Querying details about a task)

cbr:backups:delete (Deleting a backup)

cbr:backups:get (Querying a backup)

cbr:vaults:delete (Deleting a vault)

ims:wholeImages:create (Creating a full-ECS image)

ims:images:list (Listing images)

ims:images:delete (Deleting an image)

ims:images:get (Querying details about an image)

ims:serverImages:create (Creating an image)

Migration Cost Analysis

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a migration cost analysis task	MgC	MgC TcoAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) evs:types:get (Querying EVS disk types) ims::get (Querying details about an image) ims::list (Querying images)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a migration cost analysis task

MgC

MgC TcoAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

evs:types:get (Querying EVS disk types)

ims:*:get* (Querying details about an image)

ims:*:list* (Querying images)

Getting Target Recommendations

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Getting target recommendations	MgC	MgC ServerAssessAgencyPolicy	ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ims:images:list (Listing images) evs:types:get (Querying EVS disk types) deh:dedicatedHosts:get (Obtaining details about a DeH) deh:dedicatedHosts:list (Listing DeHs)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Getting target recommendations

MgC

MgC ServerAssessAgencyPolicy

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ims:images:list (Listing images)

evs:types:get (Querying EVS disk types)

deh:dedicatedHosts:get (Obtaining details about a DeH)

deh:dedicatedHosts:list (Listing DeHs)

Binding a Source Server to an Existing Target Server

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Binding a source server to an existing target server	MgC	MgC ServerBindTargetAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) evs:volumes:list (Querying EVS disks) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Binding a source server to an existing target server

MgC

MgC ServerBindTargetAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

evs:volumes:list (Querying EVS disks)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Creating a Server Migration Workflow

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a Server Migration Workflow	MgC	MgC ServerMigrationAgencyPolicy	ecs:cloudServers:showServer (Querying details about an ECS) ecs:cloudServers:createServers (Creating an ECS) sms:server:migrationServer (Migrating a source server) sms:server:queryServer (Querying source servers) ecs:cloudServers:list (Querying ECSs) ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS) ecs:cloudServerQuotas:get (Querying quotas of a tenant) vpc:publicips:create (Creating an EIP) ecs:cloudServers:get (Querying details about an ECS) ecs:cloudServers:changeVpc (Changing a VPC for an ECS) ecs:cloudServers:attach (Attaching a disk to an ECS) ecs:cloudServers:start (Starting ECSs in batches) ecs:cloudServers:detachVolume (Detaching a disk from a specified ECS) ecs:cloudServers:stop (Stopping ECSs in batches) ecs:servers:unlock (Unlocking an ECS) evs:volumes:delete (Deleting an EVS disk) evs:volumes:use (Attaching and detaching EVS disks) evs:volumes:get (Querying details about an EVS disk) vpc:privateIPs:list (Listing private IP addresses) ims:images:get (Querying details about an image)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a Server Migration Workflow

MgC

MgC ServerMigrationAgencyPolicy

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:cloudServers:createServers (Creating an ECS)

sms:server:migrationServer (Migrating a source server)

sms:server:queryServer (Querying source servers)

ecs:cloudServers:list (Querying ECSs)

ecs:cloudServers:listServerBlockDevices (Querying information about the disks attached to an ECS)

ecs:cloudServerQuotas:get (Querying quotas of a tenant)

vpc:publicips:create (Creating an EIP)

ecs:cloudServers:get (Querying details about an ECS)

ecs:cloudServers:changeVpc (Changing a VPC for an ECS)

ecs:cloudServers:attach (Attaching a disk to an ECS)

ecs:cloudServers:start (Starting ECSs in batches)

ecs:cloudServers:detachVolume (Detaching a disk from a specified ECS)

ecs:cloudServers:stop (Stopping ECSs in batches)

ecs:servers:unlock (Unlocking an ECS)

evs:volumes:delete (Deleting an EVS disk)

evs:volumes:use (Attaching and detaching EVS disks)

evs:volumes:get (Querying details about an EVS disk)

vpc:privateIPs:list (Listing private IP addresses)

ims:images:get (Querying details about an image)

Purchasing Resources

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Purchasing resources	MgC	MgC PurchaseAgencyPolicy	eps:resources:add (Adding resources to an enterprise project) ecs:cloudServers:createServers (Creating an ECS) evs:volumes:list (Querying EVS disks) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information) ecs:cloudServers:list (Querying details about ECSs) vpc:publicips:update (Updating an EIP) vpc:publicips:create (Creating an EIP)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Purchasing resources

MgC

MgC PurchaseAgencyPolicy

eps:resources:add (Adding resources to an enterprise project)

ecs:cloudServers:createServers (Creating an ECS)

evs:volumes:list (Querying EVS disks)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServers:list (Querying details about ECSs)

vpc:publicips:update (Updating an EIP)

vpc:publicips:create (Creating an EIP)

Configuring a Server Purchase Template

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Configuring a server purchase template	MgC	MgC PurchaseTemplateAgencyPolicy	iam:projects:listProjects (Querying projects) eps:enterpriseProjects:list (Listing enterprise projects) vpc:subnets:get (Querying subnets or querying details about a subnet) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:vpcs:get (Querying VPC details)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Configuring a server purchase template

MgC

MgC PurchaseTemplateAgencyPolicy

iam:projects:listProjects (Querying projects)

eps:enterpriseProjects:list (Listing enterprise projects)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:vpcs:get (Querying VPC details)

Creating Migration Plans

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a server migration plan (importing target server configurations from an OBS bucket)	MgC	MgC ImportTargetConfigurationAgencyPolicy	obs:object:GetObject (Obtaining object content and metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Listing buckets)
Creating a server migration plan (exporting target server configurations)	MgC ExportTargetConfigurationAgencyPolicy	ims:images:list (Listing images) ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)
Creating a batch object storage migration plan (configuring target buckets)	MgC ListObsBucketsAgencyPolicy	obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Listing buckets)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a server migration plan (importing target server configurations from an OBS bucket)

MgC

MgC ImportTargetConfigurationAgencyPolicy

obs:object:GetObject (Obtaining object content and metadata)

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Listing buckets)

Creating a server migration plan (exporting target server configurations)

MgC ExportTargetConfigurationAgencyPolicy

ims:images:list (Listing images)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Creating a batch object storage migration plan (configuring target buckets)

MgC ListObsBucketsAgencyPolicy

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Listing buckets)

Creating a Migration Cluster

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Creating a migration cluster	OMS	OMS ObsMigrationAgencyPolicy	ecs:cloudServers:createServers (Creating an ECS) ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS) ecs:cloudServers:showServer (Querying details about an ECS) ecs:cloudServers:deleteServers (Deleting ECSs) nat:natGateways:create (Creating a NAT Gateway) nat:natGateways:get (Querying details about a NAT gateway) nat:natGateways:delete (Deleting a NAT gateway) nat:snatRules:create (Creating an SNAT rule) nat:snatRules:get (Querying details about an SNAT rule) nat:dnatRules:list (Querying DNAT rules) nat:snatRules:list (Querying SNAT rules) nat:snatRules:delete (Deleting an SNAT rule) nat:natGateways:list (Querying NAT gateways) vpc:securityGroups:create (Creating a security group) vpc:securityGroups:delete (Deleting a security group) vpc:securityGroups:get (Querying security groups or querying details about a security group) vpc:securityGroupRules:create (Creating a security group rule) vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule) vpc:securityGroupRules:delete (Deleting a security group rule) vpcep:epservices:create (Creating a VPC endpoint service) vpcep:epservices:get (Querying details about a VPC endpoint service) vpcep:epservices:delete (Deleting a VPC endpoint service) vpcep:connections:update (Accepting or rejecting a VPC endpoint) vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service) lts:topics:create (Creating a log topic) lts:topics:delete (Deleting a log topic) lts:groups:create (Creating a log group) lts:groups:get (Querying details about a log group) lts:groups:delete (Deleting a log group) ims:images:list (Listing images)
ECS	ECS ObsMigrationAgencyPolicy	apm:icmgr:* (Full permissions for the APM collection component)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Creating a migration cluster

OMS

OMS ObsMigrationAgencyPolicy

ecs:cloudServers:createServers (Creating an ECS)

ecs:cloudServers:listServerInterfaces (Querying NICs of an ECS)

ecs:cloudServers:showServer (Querying details about an ECS)

ecs:cloudServers:deleteServers (Deleting ECSs)

nat:natGateways:create (Creating a NAT Gateway)

nat:natGateways:get (Querying details about a NAT gateway)

nat:natGateways:delete (Deleting a NAT gateway)

nat:snatRules:create (Creating an SNAT rule)

nat:snatRules:get (Querying details about an SNAT rule)

nat:dnatRules:list (Querying DNAT rules)

nat:snatRules:list (Querying SNAT rules)

nat:snatRules:delete (Deleting an SNAT rule)

nat:natGateways:list (Querying NAT gateways)

vpc:securityGroups:create (Creating a security group)

vpc:securityGroups:delete (Deleting a security group)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

vpc:securityGroupRules:create (Creating a security group rule)

vpc:securityGroupRules:get (Querying security group rules or querying details about a security group rule)

vpc:securityGroupRules:delete (Deleting a security group rule)

vpcep:epservices:create (Creating a VPC endpoint service)

vpcep:epservices:get (Querying details about a VPC endpoint service)

vpcep:epservices:delete (Deleting a VPC endpoint service)

vpcep:connections:update (Accepting or rejecting a VPC endpoint)

vpcep:permissions:update (Batch adding or deleting whitelist records of a VPC endpoint service)

lts:topics:create (Creating a log topic)

lts:topics:delete (Deleting a log topic)

lts:groups:create (Creating a log group)

lts:groups:get (Querying details about a log group)

lts:groups:delete (Deleting a log group)

ims:images:list (Listing images)

ECS

ECS ObsMigrationAgencyPolicy

apm:icmgr:* (Full permissions for the APM collection component)

Importing RVTools Data

Scenario	Delegated Object	Custom Policy	Minimal Permissions
Importing RVTools data	MgC	MgC OfflineCollectionAgencyPolicy	obs:object:GetObject (Obtaining object content and metadata) obs:bucket:ListBucket (Listing objects in a bucket) obs:bucket:ListAllMyBuckets (Listing buckets)

Scenario

Delegated Object

Custom Policy

Minimal Permissions

Importing RVTools data

MgC

MgC OfflineCollectionAgencyPolicy

obs:object:GetObject (Obtaining object content and metadata)

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Listing buckets)

Parent Topic: Permissions Management

Previous topic: MgC Custom Policies