Updated on 2024-07-30 GMT+08:00

Permissions Management

To give employees in an enterprise different access permissions and keep those permissions isolated from one another, you can set different authorization policies when creating or modifying departments or individual cloud spaces in KooDrive. KooDrive provides identity authentication, permissions management, and access control, helping you efficiently manage access to your cloud resources.

With the business control service, you can create KooDrive accounts for employees and authorize them, which controls their access to resources. For example, if an employee is a department administrator and you want the employee to have all permissions on the department space, such as uploading files to, downloading files from, and deleting files from the team space, you can set the role of the employee to department administrator. As another example, if an employee is a common user of a department and you want the employee to view files in the department space but not to perform other operations, such as deleting files, you can set the role of the employee to common user.

For an individual space, the owner has all the permissions on the space.

KooDrive Permissions

An enterprise tenant who enables KooDrive on the Huawei Cloud console uses a Huawei Cloud account. After the KooDrive service is enabled, KooDrive creates a system administrator account using the Huawei Cloud account. The system administrator logs in to the KooDrive service application with this account to manage organizations (departments and users) and spaces. After the system administrator creates a user, the user must be assigned a role to obtain the corresponding permissions. This process is called authorization. After authorization, the user can perform operations on KooDrive resources based on the granted permissions.

KooDrive uses a role-based access control policy for permission management. Permissions are associated with roles, and users obtain the permissions assigned to a role by becoming members of that role. Currently, KooDrive presets three system roles: system administrator, department administrator, and common user. For details about the permissions assigned to each role, see Table 1. Currently, roles cannot be customized.

Table 1 KooDrive system-defined roles

| Role Name | Permissions Assigned | Role Type |
| --- | --- | --- |
| System administrator | The system administrator can perform operations on all KooDrive resources except the files in the personal space of other users. The detailed permission list is as follows:<br>1. Organization management: Creates, queries, modifies, and deletes all departments in an organization.<br>2. User management: Creates, queries, modifies, and deletes users in all departments of an organization.<br>3. Space management: Creates, queries, modifies, and deletes all department or individual spaces in an organization.<br>4. Team space: Has all permissions over the files in all department spaces of the organization, such as creating files/directories, and copying and deleting files.<br>5. Individual space: Operates the files in the individual space.<br>6. Recycle bin: Has the permission to operate the personal recycle bin and all team recycle bins. | System-defined role |
| Department administrator | Department administrators can perform operations in their own departments, such as managing department spaces and personal spaces of department members. The detailed permission list is as follows:<br>1. Organization management: Queries the list and information of all departments under the organization.<br>2. User management: Manages all users in the department, such as querying users and their details, and adding, deleting, and disabling users.<br>3. Space management: Queries all department spaces of the organization and the individual spaces of members in the current department, and allocates, modifies, disables, enables, and deletes the current department space and the individual spaces of members in the current department.<br>4. Team space: Has all permissions over the files in all department spaces of the organization, such as creating files/directories, and copying and deleting files.<br>5. Individual space: Operates the files in the individual space.<br>6. Recycle bin: Has all permissions over the individual and team recycle bins. | System-defined role |
| Common user | Common users have all operation permissions on files in their individual spaces and restricted operation permissions on their department spaces. The detailed permission list is as follows:<br>1. Individual space: Operates the files in the individual space.<br>2. Team space: Has all the permissions (excluding deletion) over the files in the team space.<br>3. Recycle bin: Has all permissions over the individual recycle bin but does not have permissions over the team recycle bin. | System-defined role |
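
The file and user-management rows of Table 1, modelled as a deny-by-default check that can be used to review who would be able to perform a given operation. This is an added example, not KooDrive code or a KooDrive API. The resource and action names, the sample users, and the owner-only rule applied to individual spaces for every role are assumptions of this example.

```python
from dataclasses import dataclass

SYS_ADMIN, DEPT_ADMIN, COMMON = "system administrator", "department administrator", "common user"
FILE_ACTIONS = {"read", "write", "delete"}  # assumed action names

@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str

@dataclass(frozen=True)
class Request:
    resource: str         # individual_space | individual_recycle_bin | team_space | team_recycle_bin | user
    action: str           # read | write | delete | manage
    owner: str = ""       # owning user of an individual space or recycle bin
    department: str = ""  # department of a team space or of a managed user

def is_allowed(user: User, req: Request) -> bool:
    """Return True only for operations Table 1 grants; everything else is denied."""
    if user.role not in (SYS_ADMIN, DEPT_ADMIN, COMMON):
        return False  # roles cannot be customized, so an unknown role gets nothing
    if req.resource == "user":
        if req.action != "manage":
            return False
        return user.role == SYS_ADMIN or (user.role == DEPT_ADMIN and req.department == user.department)
    if req.action not in FILE_ACTIONS:
        return False
    if req.resource in ("individual_space", "individual_recycle_bin"):
        return req.owner == user.name  # assumption: owner-only for every role
    if req.resource == "team_space":
        if user.role == COMMON:  # own department space, everything except deletion
            return req.department == user.department and req.action != "delete"
        return True  # both administrator roles: all department spaces
    if req.resource == "team_recycle_bin":
        return user.role in (SYS_ADMIN, DEPT_ADMIN)
    return False

def audit(users, req):
    """Names of the users who would be allowed to perform req."""
    return [u.name for u in users if is_allowed(u, req)]

# Constructed sample directory, not real accounts.
USERS = [User("root", SYS_ADMIN, "hq"), User("alice", DEPT_ADMIN, "sales"),
         User("bob", COMMON, "sales"), User("carol", COMMON, "finance")]

if __name__ == "__main__":
    print(audit(USERS, Request("team_space", "delete", department="sales")))
    print(audit(USERS, Request("individual_space", "read", owner="bob")))
```

Running `audit` over an exported user list for sensitive operations, such as deletion in a team space, shows which role assignments grant more than a given employee needs.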