Updated on 2023-12-04 GMT+08:00

Entrustment Description

Workspace works closely with multiple cloud service resources, such as computing, network, and images. When you create a scheduled task for recomposing a system disk or create a desktop pool, Workspace automatically requests permissions to access the cloud services in the region. Specifically:

  • ECS permissions

    When you create a desktop, an ECS is created accordingly. Therefore, the permission to access ECS is required.

  • IMS permissions

    Workspace supports image creation. Therefore, the permission to access IMS is required.

  • Administrator permissions for related cloud services

    Workspace supports scheduled disk recomposing and auto scaling. Therefore, the tenant administrator permissions are required.

  • VPC service permissions

    Workspace allows created networks to run on VPCs. Therefore, the permission to access the VPC service is required.

  • OBS permissions

    Workspace supports scale-out and storage addition. Therefore, the permissions to access EVS disks, SFS, and OBS are required.

After you approve the permission request, an agency named workspace_admin_trust is created in IAM. To ensure normal service usage, do not delete or modify the workspace_admin_trust agency when performing scheduled tasks or using the desktop pool.

  • workspace_admin_trust agency description

    The workspace_admin_trust agency has Tenant Administrator permissions. Tenant Administrator has permissions on all cloud services except IAM and can call the cloud services on which Workspace depends. The delegation takes effect only in the current region.

    To use Workspace in multiple regions, you need to request cloud resource permissions in each region. To view the delegation records of each region, go to the IAM console, choose Agencies, and click workspace_admin_trust.

    Workspace may malfunction if the Tenant Administrator role is not assigned. Therefore, do not delete or modify the workspace_admin_trust agency when using Workspace.

    The workspace_admin_trust agency may need to be delegated again in the following scenarios:
    • The permissions required by Workspace may change with the version. For example, if a new component requires new permissions, Workspace will update the expected permission list. In this case, you need to delegate the workspace_admin_trust agency again.
    • If you manually change the permissions of the workspace_admin_trust agency, and the new permissions of this agency are different from those expected by Workspace, a message is displayed asking you to grant the permissions. If you grant the new permissions, the previous permissions may become invalid.
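
Because the delegation is region-scoped and the agency is expected to hold Tenant Administrator, a periodic drift check can catch a deleted or modified agency before Workspace prompts for re-delegation. The following is an added example, not code from this documentation or from Workspace; the snapshot layout, the region names, and the role name ExampleReadOnlyRole are constructed assumptions, and the data would come from your own export of the IAM console's Agencies view.

```python
# Added example: audit a per-region export of IAM agencies for drift in the
# workspace_admin_trust agency. The snapshot layout is an assumption made for
# this sketch, not the format of any IAM API response.

AGENCY_NAME = "workspace_admin_trust"                  # agency name from this page
EXPECTED_ROLES = frozenset({"Tenant Administrator"})   # role the page says it holds


def audit_agency(snapshot, regions_in_use, expected=EXPECTED_ROLES):
    """Return sorted (region, finding, detail) tuples.

    snapshot: {region: [{"name": str, "roles": [str, ...]}, ...]}
    regions_in_use: regions where Workspace is actually deployed.
    """
    findings = []
    for region in sorted(set(snapshot) | set(regions_in_use)):
        agency = next((a for a in snapshot.get(region, [])
                       if a.get("name") == AGENCY_NAME), None)
        in_use = region in regions_in_use
        if agency is None:
            # Workspace needs the delegation in every region where it runs.
            if in_use:
                findings.append((region, "MISSING_AGENCY", AGENCY_NAME))
            continue
        if not in_use:
            # A broad grant in a region where Workspace is not deployed: review it.
            findings.append((region, "UNUSED_DELEGATION", AGENCY_NAME))
            continue
        roles = set(agency.get("roles", []))
        findings += [(region, "MISSING_ROLE", r) for r in sorted(expected - roles)]
        findings += [(region, "UNEXPECTED_ROLE", r) for r in sorted(roles - expected)]
    return findings


# Constructed sample data: region names and ExampleReadOnlyRole are placeholders.
SAMPLE_SNAPSHOT = {
    "region-a": [{"name": "workspace_admin_trust", "roles": ["Tenant Administrator"]}],
    "region-b": [{"name": "workspace_admin_trust", "roles": ["ExampleReadOnlyRole"]}],
    "region-c": [{"name": "other_agency", "roles": ["Tenant Administrator"]}],
    "region-d": [{"name": "workspace_admin_trust", "roles": ["Tenant Administrator"]}],
}
SAMPLE_IN_USE = {"region-a", "region-b", "region-c"}

if __name__ == "__main__":
    for region, finding, detail in audit_agency(SAMPLE_SNAPSHOT, SAMPLE_IN_USE):
        print(f"{region}: {finding} ({detail})")
```
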