Updated on 2023-03-03 GMT+08:00

System-defined Policies

Table 1 GES system-defined policies

Policy Name

Description

GES FullAccess

Administrator permissions for GES. Users granted these permissions can perform all operations on GES, including creating, deleting, accessing, and updating graphs.

NOTE:
  • Users with permissions of this policy must also be granted permissions of the Tenant Guest, Server Administrator, and VPC Administrator policies.
  • To bind or unbind an EIP, you need the Security Administrator permission to create agencies. The Security Administrator role has fairly high-level permissions. You can use the following custom policies to replace this role: "iam:agencies:listAgencies", "iam:permissions:listRolesForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:listRolesForAgencyOnDomain".
  • To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service. You can find the corresponding OBS policy in the Global service project scope.
  • When granting GES FullAccess to an enterprise project, you need to configure the following permissions policies in IAM:
    • ecs:availabilityZones:list
    • ecs:cloudServerNics:update

GES Development

Operator permissions for all operations except creating, deleting, resizing, and expanding graphs.

NOTE:
  • To bind or unbind an EIP, you must have the Security Administrator permission to create agencies. The Security Administrator role can be replaced by the following custom policies: "iam:agencies:listAgencies", "iam:permissions:listRolesForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:listRolesForAgencyOnDomain".
  • To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service. You can find the corresponding OBS policy in the Global service project scope.

GES ReadOnlyAccess

Read-only permissions for viewing resources, such as graphs, metadata, and backup data.

NOTE:

To use resources stored on OBS for other services, you need the OBS OperateAccess permission. OBS is a global service. You can find the corresponding OBS policy in the Global service project scope.

It takes about 13 minutes for an OBS role to take effect after being applied to a user or group. A policy takes about 5 minutes.
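
The replacement for the Security Administrator role that the Table 1 notes describe, written out as an IAM custom policy document. This is an added example, not part of the original page; packaging the four listed actions as a single Allow statement in a version 1.1 policy is an assumption about how you would apply them.

```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:agencies:listAgencies",
                "iam:permissions:listRolesForAgency",
                "iam:permissions:listRolesForAgencyOnProject",
                "iam:permissions:listRolesForAgencyOnDomain"
            ]
        }
    ]
}
```

Attach this policy alongside GES FullAccess or GES Development instead of granting the Security Administrator role, so the user or group holds only the four IAM actions the notes list.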

Table 2 Common operations supported by each system-defined policy

| Operation | GES FullAccess | GES Development | GES ReadOnlyAccess | Resource |
|---|---|---|---|---|
| Querying the graph list | Yes | Yes | Yes | - |
| Querying graph details | Yes | Yes | Yes | graphName |
| Creating graphs | Yes | No | No | graphName |
| Accessing graphs | Yes | Yes | No | graphName |
| Stopping graphs | Yes | Yes | No | graphName |
| Starting graphs | Yes | Yes | No | graphName |
| Deleting graphs | Yes | No | No | graphName |
| Importing incremental data to graphs | Yes | Yes | No | graphName |
| Exporting graphs | Yes | Yes | No | graphName |
| Clearing graphs | Yes | Yes | No | graphName |
| Upgrading graphs | Yes | Yes | No | graphName |
| Resizing a graph | | No | No | graphName |
| Expanding a graph | | No | No | graphName |
| Restarting a graph | | Yes | No | graphName |
| Binding EIPs | Yes | Yes | No | graphName |
| Unbinding an EIP | Yes | Yes | No | graphName |
| Querying backups of all graphs | Yes | Yes | Yes | - |
| Querying backups of a graph | Yes | Yes | Yes | - |
| Adding backups | Yes | Yes | No | backupName |
| Deleting a graph backup | Yes | Yes | No | backupName |
| Querying the metadata list | Yes | Yes | Yes | - |
| Querying metadata | Yes | Yes | Yes | metadataName |
| Verifying metadata | Yes | Yes | No | - |
| Adding metadata | Yes | Yes | No | metadataName |
| Deleting metadata | Yes | Yes | No | metadataName |
| Querying task statuses | Yes | Yes | Yes | - |
| Querying the task list | Yes | Yes | Yes | - |