Permissions Management

If you need to assign different permissions to employees in your enterprise to access your cloud resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud service resources.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific cloud service resources. For example, some software developers in your enterprise need to use VPN resources but should not be allowed to delete them or perform any high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using VPN resources.

If your account does not need individual IAM users for permissions management, skip this section.

IAM can be used free of charge. You pay only for the resources in your account.

For more information, see IAM Service Overview.

VPN Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

VPN is a project-level service deployed in specific physical regions. To assign VPN permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing VPN, the users need to switch to a region where they have been authorized to use this service.

Table 1 lists all system-defined roles supported by VPN.

**Table 1** System-defined roles supported by VPN
Role	Description	Dependencies
VPN Administrator	All operations on VPN resources. To be granted this permission, users must also have the Tenant Guest and VPC Administrator permissions.	Tenant Guest and VPC Administrator VPC Administrator: project-level policy, which must be assigned in the same project as the VPN Administrator Tenant Guest: project-level policy, which must be assigned in the same project as the VPN Administrator

Table 2 lists the common operations supported by each system-defined policy of VPN. Select the permissions as needed.

**Table 2** Common operations supported by **VPN Administrator**
Operation	VPN Administrator
Creating a VPN gateway	√
Viewing a VPN gateway	√
Modifying a VPN gateway	√
Deleting a VPN gateway	√
Creating a VPN connection	√
Viewing a VPN connection	√
Modifying a VPN connection	√
Deleting a VPN connection	√