Permissions Management

If you need to assign different permissions to employees in your enterprise to access your AOM resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your AOM resources.

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific types of resources. For example, some software developers in your enterprise need to use AOM resources but must not delete them or perform any high-risk operations such as deleting application discovery rules. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using AOM resources.

If your account does not need individual IAM users for permissions management, you may skip over this chapter.

IAM can be used free of charge. You pay only for the resources in your account.

AOM Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on AOM.

AOM is a project-level service deployed and accessed in specific physical regions. To assign AOM permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing AOM, the users need to switch to a region where they have been authorized to use this service.

You can grant users permissions by using roles and policies.

Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant Elastic Cloud Server (ECS) users only the permissions for managing a certain type of ECSs.

Table 1 lists all the system permissions supported by AOM.

**Table 1** System permissions supported by AOM
Policy Name	Description	Type
AOM FullAccess	Administrator permissions for AOM. Users granted these permissions can operate and use AOM.	System-defined policy
AOM ReadOnlyAccess	Read-only permissions for AOM. Users granted these permissions can only view AOM data.	System-defined policy

Table 2 lists the common operations supported by each system-defined policy of AOM. Please choose proper system-defined policies according to this table.

**Table 2** Common operations supported by each system-defined policy of AOM
Operation	AOM FullAccess	AOM ReadOnlyAccess
Creating a threshold rule	√	x
Modifying a threshold rule	√	x
Deleting a threshold rule	√	x
Creating a threshold template	√	x
Modifying a threshold template	√	x
Deleting a threshold template	√	x
Creating a dashboard	√	x
Modifying a dashboard	√	x
Deleting a dashboard	√	x
Creating a notification rule	√	x
Modifying a notification rule	√	x
Deleting a notification rule	√	x
Creating an application discovery rule	√	x
Modifying an application discovery rule	√	x
Deleting an application discovery rule	√	x
Subscribing to threshold alarms	√	x
Exporting a monitoring report	√	√
Configuring a VM log collection path	√	x
Adding a log bucket	√	x
Modifying a log bucket	√	x
Deleting a log bucket	√	x
Adding an extraction rule	√	x
Viewing bucket logs	√	√
Adding a log dump	√	x
Modifying a log dump	√	x
Deleting a log dump	√	x
Starting periodical dump	√	x
Stopping periodical dump	√	x
Configuring a delimiter	√	x
Installing the ICAgent	√	√
Upgrading the ICAgent	√	x
Uninstalling the ICAgent	√	x